diff --git a/CVE-2023-0667.patch b/CVE-2023-0667.patch new file mode 100644 index 0000000000000000000000000000000000000000..aa4085e4b499f549c855c1a2e058b6e79099ff9c --- /dev/null +++ b/CVE-2023-0667.patch @@ -0,0 +1,129 @@ +From 4d9a459bdbdad90b21ff3931baa3bf399b79f70d Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Wed, 5 Jul 2023 15:08:39 +0800 +Subject: [PATCH] Use format_text_string() and fix backport-CVE-2023-0667 + +Link: https://gitlab.com/wireshark/wireshark/-/merge_requests/10667/commits + +--- + epan/dissectors/packet-ms-mms.c | 8 ++++---- + epan/strutil.c | 23 +++++++++++++++++++++++ + epan/strutil.h | 28 ++++++++++++++++++++++++++++ + 3 files changed, 55 insertions(+), 4 deletions(-) + +diff --git a/epan/dissectors/packet-ms-mms.c b/epan/dissectors/packet-ms-mms.c +index 741eb2b..41272f7 100644 +--- a/epan/dissectors/packet-ms-mms.c ++++ b/epan/dissectors/packet-ms-mms.c +@@ -739,7 +739,7 @@ static void dissect_client_transport_info(tvbuff_t *tvb, packet_info *pinfo, pro + transport_info, "Transport: (%s)", transport_info); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (guchar*)transport_info, length_remaining - 20)); ++ format_text_string(wmem_packet_scope(), (const guchar*)transport_info)); + + + /* Try to extract details from this string */ +@@ -836,7 +836,7 @@ static void dissect_server_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *t + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_version); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (version='%s')", +- format_text(wmem_packet_scope(), (const guchar*)server_version, strlen(server_version))); ++ format_text_string(wmem_packet_scope(), (const guchar*)server_version)); + } + offset += (server_version_length*2); + +@@ -890,7 +890,7 @@ static void dissect_client_player_info(tvbuff_t *tvb, packet_info *pinfo, proto_ + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &player_info); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (const guchar*)player_info, strlen(player_info))); ++ format_text_string(wmem_packet_scope(), (const guchar*)player_info)); + } + + /* Dissect info about where client wants to start playing from */ +@@ -965,7 +965,7 @@ static void dissect_request_server_file(tvbuff_t *tvb, packet_info *pinfo, proto + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_file); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (const guchar*)server_file, strlen(server_file))); ++ format_text_string(wmem_packet_scope(), (const guchar*)server_file)); + } + + /* Dissect media details from server */ +diff --git a/epan/strutil.c b/epan/strutil.c +index ff2a6c2..47960ab 100644 +--- a/epan/strutil.c ++++ b/epan/strutil.c +@@ -221,6 +221,29 @@ format_text(wmem_allocator_t* allocator, const guchar *string, size_t len) + return fmtbuf; + } + ++/** Given a wmem scope and a null-terminated string, expected to be in ++ * UTF-8 but possibly containing invalid sequences (as it may have come ++ * from packet data), and the length of the string, generate a valid ++ * UTF-8 string from it, allocated in the specified wmem scope, that: ++ * ++ * shows printable Unicode characters as themselves; ++ * ++ * shows non-printable ASCII characters as C-style escapes (octal ++ * if not one of the standard ones such as LF -> '\n'); ++ * ++ * shows non-printable Unicode-but-not-ASCII characters as ++ * their universal character names; ++ * ++ * shows illegal UTF-8 sequences as a sequence of bytes represented ++ * as C-style hex escapes; ++ * ++ * and return a pointer to it. ++ */ ++gchar * ++format_text_string(wmem_allocator_t* allocator, const guchar *string) ++{ ++ return format_text(allocator, string, strlen(string)); ++} + + /* + * Given a string, generate a string from it that shows non-printable +diff --git a/epan/strutil.h b/epan/strutil.h +index 2046cb0..57f35dc 100644 +--- a/epan/strutil.h ++++ b/epan/strutil.h +@@ -59,6 +59,34 @@ int get_token_len(const guchar *linep, const guchar *lineend, + WS_DLL_PUBLIC + gchar* format_text(wmem_allocator_t* allocator, const guchar *line, size_t len); + ++/** Given a wmem scope and a null-terminated string, expected to be in ++ * UTF-8 but possibly containing invalid sequences (as it may have come ++ * from packet data), and the length of the string, generate a valid ++ * UTF-8 string from it, allocated in the specified wmem scope, that: ++ * ++ * shows printable Unicode characters as themselves; ++ * ++ * shows non-printable ASCII characters as C-style escapes (octal ++ * if not one of the standard ones such as LF -> '\n'); ++ * ++ * shows non-printable Unicode-but-not-ASCII characters as ++ * their universal character names; ++ * ++ * shows illegal UTF-8 sequences as a sequence of bytes represented ++ * as C-style hex escapes; ++ * ++ * and return a pointer to it. ++ * ++ * @param allocator The wmem scope ++ * @param string A pointer to the input string ++ * @return A pointer to the formatted string ++ * ++ * @see tvb_format_text() ++ */ ++WS_DLL_PUBLIC ++gchar* format_text_string(wmem_allocator_t* allocator, const guchar *string); ++ ++ + /** + * Given a string, generate a string from it that shows non-printable + * characters as C-style escapes except a whitespace character +-- +2.27.0 + diff --git a/wireshark.spec b/wireshark.spec index a014b509d317931de2099001a8885d5426bcd580..12065513b6f9fada871520b971185ef61eb85913 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -5,7 +5,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 3.6.14 -Release: 5 +Release: 6 Epoch: 1 License: GPL+ Url: http://www.wireshark.org/ @@ -30,6 +30,7 @@ Patch13: CVE-2023-4511.patch Patch14: CVE-2023-5371.patch # https://gitlab.com/wireshark/wireshark/-/commit/197e96f05303af0340b7e626f2b15c2edbf350b0 Patch15: CVE-2023-6175.patch +Patch16: CVE-2023-0667.patch Requires: xdg-utils Requires: hicolor-icon-theme @@ -204,6 +205,9 @@ exit 0 %{_mandir}/man?/* %changelog +* Tue Dec 28 2023 zhangying - 1:3.6.14-6 +- Fix CVE-2023-0667 + * Tue Nov 21 2023 yaoxin - 1:3.6.14-5 - Fix CVE-2023-6175