From 6c18c607a00c83133f7084f0c0df7178f797fcfe Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Sat, 7 Oct 2023 14:52:45 +0800
Subject: [PATCH] Fix CVE-2023-5371
(cherry picked from commit 48ab59482a286d864c0e2e9f20cbc710281a4917)
---
 CVE-2023-5371.patch | 48 +++++++++++++++++++++++++++++++++++++++++++++
 wireshark.spec | 6 +++++-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-5371.patch
diff --git a/CVE-2023-5371.patch b/CVE-2023-5371.patch
new file mode 100644
index 0000000..eef3bb8
--- /dev/null
+++ b/CVE-2023-5371.patch
@@ -0,0 +1,48 @@
+From 1921740b0bf561941e0906884757831bde989add Mon Sep 17 00:00:00 2001
+From: John Thacker
+Date: Wed, 6 Sep 2023 06:13:23 -0400
+Subject: [PATCH] RTPS: Check for signed overflow
+
+Origin: https://gitlab.com/wireshark/wireshark/-/commit/1921740b0bf561941e0906884757831bde989add
+
+The offset is a signed integer, and we use negative offsets
+to mean "offset counting from the end of the tvb." That means
+that we can still have an excessive loop without unsigned overflow
+or running off the end of the tvb, if the result of adding a large
+unsigned integer to the offset results in a small negative number.
+
+Just check if the result of the addition makes the offset move
+backwards.
+
+Fix #19322
+
+(backported from commit 0de07f8fe4f8e06da9084485e64a24c8f85a20f4)
+---
+ epan/dissectors/packet-rtps.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c
+index 82ac8f9436b..c152d50dfc6 100644
+--- a/epan/dissectors/packet-rtps.c
++++ b/epan/dissectors/packet-rtps.c
+@@ -2474,13 +2474,14 @@ static const fragment_items rtps_frag_items = {
+ "RTPS fragments"
+ };
+
+-static guint32 check_offset_addition(guint32 offset, guint32 value, proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
++static gint check_offset_addition(gint offset, guint32 value, proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
+ {
+- if (offset > G_MAXUINT32 - value) {
++ gint new_offset = offset + (gint)value;
++ if (new_offset < offset) {
+ proto_tree_add_expert_format(tree, pinfo, &ei_rtps_value_too_large, tvb, 0, 0, "Offset value too large: %u", value);
+ THROW(ReportedBoundsError);
+ }
+- return offset + value;
++ return new_offset;
+ }
+
+ static void rtps_util_dissect_parameter_header(tvbuff_t * tvb, gint * offset,
+--
+GitLab
+
diff --git a/wireshark.spec b/wireshark.spec
index 789068f..665aa54 100644
--- a/wireshark.spec
+++ b/wireshark.spec
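Review bot: The overflow test in the new `check_offset_addition` runs after the addition (`gint new_offset = offset + (gint)value; if (new_offset < offset)`), so it relies on signed wraparound, which is undefined behaviour in C. Unless the build passes `-fwrapv` or an equivalent (the compiler flags are not visible on this page), an optimiser may reduce the comparison to `(gint)value < 0` and lose the case where a large positive offset plus a positive value overflows. Testing before adding rejects the same inputs without depending on wraparound: `if (value > (guint32)G_MAXINT || offset > G_MAXINT - (gint)value) {` with `return offset + (gint)value;` at the end. The return type also changes from `guint32` to `gint`, and the callers lie outside this hunk, so it is worth confirming that each one stores the result in a signed offset.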
@@ -5,7 +5,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 3.6.14 -Release: 3 +Release: 4 Epoch: 1 License: GPL+ Url: http://www.wireshark.org/ @@ -27,6 +27,7 @@ Patch10: CVE-2023-2906.patch Patch11: CVE-2023-4513-1.patch Patch12: CVE-2023-4513-2.patch Patch13: CVE-2023-4511.patch +Patch14: CVE-2023-5371.patch Requires: xdg-utils Requires: hicolor-icon-theme @@ -201,6 +202,9 @@ exit 0 %{_mandir}/man?/* %changelog +* Sat Oct 07 2023 wangkai <13474090681@163.com> - 1:3.6.14-4 +- Fix CVE-2023-5371 + * Wed Sep 06 2023 wangkai <13474090681@163.com> - 1:3.6.14-3 - Fix CVE-2023-3649,CVE-2023-2906,CVE-2023-4511,CVE-2023-4513 -- Gitee