diff --git a/CVE-2024-4853.patch b/CVE-2024-4853.patch new file mode 100644 index 0000000000000000000000000000000000000000..fac29d96de0187c224611b3680c6d06ce26079e6 --- /dev/null +++ b/CVE-2024-4853.patch @@ -0,0 +1,33 @@ +From 3911c7b7d21b7708b9773d61e30b8b5507b62f65 Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Fri, 29 Mar 2024 09:42:44 -0400 +Subject: [PATCH] editcap: Don't memmove more than allocated in the buffer + +When moving from the begining with a beginning offset specified, +don't run off the end. Subtract the source memory area's full offset +from the beginning of the buffer from the capture length. + +Fix #19724 + + +(cherry picked from commit 7c744e7933794b09e7af4d9703194ad0b01be282) +--- + editcap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/editcap.c b/editcap.c +index ef99e507b9f..6ac325751db 100644 +--- a/editcap.c ++++ b/editcap.c +@@ -2594,7 +2594,7 @@ handle_chopping(chop_t chop, wtap_packet_header *out_phdr, + if (chop.off_begin_pos > 0) { + memmove(*buf + chop.off_begin_pos, + *buf + chop.off_begin_pos + chop.len_begin, +- out_phdr->caplen - chop.len_begin); ++ out_phdr->caplen - (chop.off_begin_pos + chop.len_begin)); + } else { + *buf += chop.len_begin; + } +-- +GitLab + diff --git a/CVE-2024-4854.patch b/CVE-2024-4854.patch new file mode 100644 index 0000000000000000000000000000000000000000..acb688c81d078a174158324537474ca94d04500e --- /dev/null +++ b/CVE-2024-4854.patch 
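Review bot: The corrected length `out_phdr->caplen - (chop.off_begin_pos + chop.len_begin)` is an unsigned subtraction, and nothing in the hunk guarantees `chop.off_begin_pos + chop.len_begin <= out_phdr->caplen`; if that bound is not already enforced earlier in handle_chopping (the function starts and ends outside the hunk), the result wraps and memmove copies a huge length, so the underrun would simply turn into an overrun. Making the invariant visible at the copy site with `ws_assert(out_phdr->caplen >= (guint32)(chop.off_begin_pos + chop.len_begin));` immediately before the memmove would catch a missing guard in fuzzing rather than silently relying on code elsewhere. The mixed signed/unsigned arithmetic also deserves a cast on the chop fields if they are signed, so the comparison does not promote unexpectedly.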
@@ -0,0 +1,48 @@ +From e9965fe303422ee742ac98ea1da4f2fdeed67e4e Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Sat, 30 Mar 2024 08:07:26 -0400 +Subject: [PATCH] Mongo: Ensure the offset advances + +The MongoDB Wire Protocol uses _signed_ 32 bit integers for lengths. +dissect_bson_document checks for bogus values and ensures that a +non-negative (and at least 5) size is returned, but we need to make +sure to use that return value instead of trusting the value read +from the packet in dissect_op_msg_section. + +Fix #19726 + + +(cherry picked from commit 38c0efcee8d22d922e446888b268effc3ccf725f) +--- + epan/dissectors/packet-mongo.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-mongo.c b/epan/dissectors/packet-mongo.c +index db23a06312f..346b1324e12 100644 +--- a/epan/dissectors/packet-mongo.c ++++ b/epan/dissectors/packet-mongo.c +@@ -831,7 +831,10 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr + + switch (e_type) { + case KIND_BODY: +- dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body); ++ section_len = dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body); ++ /* If section_len is bogus (e.g., negative), dissect_bson_document sets ++ * an expert info and can return a different value than read above. ++ */ + break; + case KIND_DOCUMENT_SEQUENCE: { + gint32 dsi_length; +@@ -840,6 +843,9 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr + proto_tree *documents_tree; + + proto_tree_add_item(section_tree, hf_mongo_msg_sections_section_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); ++ /* This is redundant with the lengths in the documents, we don't use this ++ * size at all. We could still report an expert info if it's bogus. ++ */ + offset += 4; + to_read -= 4; + +-- +GitLab + 
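Review bot: The KIND_DOCUMENT_SEQUENCE branch still adds the section size with `proto_tree_add_item` and then discards it, so a bogus (negative or oversized) value is neither validated nor reported, even though the new comment acknowledges it could be. Reading it with `proto_tree_add_item_ret_int(section_tree, hf_mongo_msg_sections_section_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &seq_size);` and raising the dissector's existing bad-length expert item when `seq_size < 4 || seq_size > to_read` would give the same diagnostics the body case now gets through dissect_bson_document. The KIND_BODY fix depends on the code after the switch (outside this hunk) advancing `offset` and decrementing `to_read` by `section_len` rather than by the value read from the packet; please confirm that is the case, since dissect_op_msg_section continues beyond the hunk.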
diff --git a/CVE-2024-4855.patch b/CVE-2024-4855.patch new file mode 100644 index 0000000000000000000000000000000000000000..7b0bdb01efaba80f15c4d48b78c0f1a005c0425c --- /dev/null +++ b/CVE-2024-4855.patch 
@@ -0,0 +1,158 @@ +From 32bde22d9bfde5e0ad2700e3a6d6053d8fbae5b0 Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Sat, 20 Apr 2024 13:04:27 +0000 +Subject: [PATCH] editcap, libwiretap: Don't use array of initial DSBs after + freeing + +wtap_dump_close frees the passed in GArray of initial DSBs, used +by editcap for injecting DSBs from a file or list of files. + +Add functions to increment and decrement the reference count of +an array of wtap blocks. Dereference the block of initial DSBs +in wtap_dump_close() instead of freeing it. In editcap, before +closing the dump file in cases where we intend to open a new +file (e.g., with a maximum time value or a maximum packet count), +reference the block. + +Fix #19782, #19783, #19784. + + +(cherry picked from commit be3550b3b138f39bebb87ac0b8490e75fc8cc847) + +Co-authored-by: John Thacker +--- + editcap.c | 9 +++++++++ + wiretap/file_access.c | 2 +- + wiretap/wtap.h | 3 ++- + wiretap/wtap_opttypes.c | 26 ++++++++++++++++++++++++++ + wiretap/wtap_opttypes.h | 23 +++++++++++++++++++++++ + 5 files changed, 61 insertions(+), 2 deletions(-) + +diff --git a/editcap.c b/editcap.c +index 6ac325751db..8c03af3f847 100644 +--- a/editcap.c ++++ b/editcap.c +@@ -1943,6 +1943,10 @@ main(int argc, char *argv[]) + } + while (nstime_cmp(&rec->ts, &block_next) > 0) { /* time for the next file */ + ++ /* We presumably want to write the DSBs from files given ++ * on the command line to every file. ++ */ ++ wtap_block_array_ref(params.dsbs_initial); + if (!wtap_dump_close(pdh, NULL, &write_err, &write_err_info)) { + cfile_close_failure_message(filename, write_err, + write_err_info); +@@ -1978,6 +1982,11 @@ main(int argc, char *argv[]) + if (split_packet_count != 0) { + /* time for the next file? */ + if (written_count > 0 && (written_count % split_packet_count) == 0) { ++ ++ /* We presumably want to write the DSBs from files given ++ * on the command line to every file. 
++ */ ++ wtap_block_array_ref(params.dsbs_initial); + if (!wtap_dump_close(pdh, NULL, &write_err, &write_err_info)) { + cfile_close_failure_message(filename, write_err, + write_err_info); +diff --git a/wiretap/file_access.c b/wiretap/file_access.c +index 01317da07b7..ca4d2f69de0 100644 +--- a/wiretap/file_access.c ++++ b/wiretap/file_access.c +@@ -2680,7 +2680,7 @@ wtap_dump_close(wtap_dumper *wdh, gboolean *needs_reload, + *needs_reload = wdh->needs_reload; + g_free(wdh->priv); + wtap_block_array_free(wdh->interface_data); +- wtap_block_array_free(wdh->dsbs_initial); ++ wtap_block_array_unref(wdh->dsbs_initial); + g_free(wdh); + return ret; + } +diff --git a/wiretap/wtap.h b/wiretap/wtap.h +index 93bcca42587..2b25c03f026 100644 +--- a/wiretap/wtap.h ++++ b/wiretap/wtap.h +@@ -1478,7 +1478,8 @@ typedef struct addrinfo_lists { + * @note The shb_hdr and idb_inf arguments will be used until + * wtap_dump_close() is called, but will not be free'd by the dumper. If + * you created them, you must free them yourself after wtap_dump_close(). +- * dsbs_initial will be freed by wtap_dump_close(), ++ * dsbs_initial will be unreferenced by wtap_dump_close(), so to reuse ++ * them for another dump file, call wtap_block_array_ref() before closing. + * dsbs_growing typically refers to another wth->dsbs. + * nrbs_growing typically refers to another wth->nrbs. 
+ * +diff --git a/wiretap/wtap_opttypes.c b/wiretap/wtap_opttypes.c +index 7dfbf1a1885..98ffe4dd605 100644 +--- a/wiretap/wtap_opttypes.c ++++ b/wiretap/wtap_opttypes.c +@@ -466,6 +466,32 @@ void wtap_block_array_free(GArray* block_array) + g_array_free(block_array, TRUE); + } + ++void wtap_block_array_ref(GArray* block_array) ++{ ++ unsigned block; ++ ++ if (block_array == NULL) ++ return; ++ ++ for (block = 0; block < block_array->len; block++) { ++ wtap_block_ref(g_array_index(block_array, wtap_block_t, block)); ++ } ++ g_array_ref(block_array); ++} ++ ++void wtap_block_array_unref(GArray* block_array) ++{ ++ unsigned block; ++ ++ if (block_array == NULL) ++ return; ++ ++ for (block = 0; block < block_array->len; block++) { ++ wtap_block_unref(g_array_index(block_array, wtap_block_t, block)); ++ } ++ g_array_unref(block_array); ++} ++ + /* + * Make a copy of a block. + */ +diff --git a/wiretap/wtap_opttypes.h b/wiretap/wtap_opttypes.h +index f3d9efbd846..91dafd6ca43 100644 +--- a/wiretap/wtap_opttypes.h ++++ b/wiretap/wtap_opttypes.h +@@ -615,6 +615,29 @@ wtap_block_unref(wtap_block_t block); + WS_DLL_PUBLIC void + wtap_block_array_free(GArray* block_array); + ++/** Decrement the reference count of an array of blocks ++ * ++ * Decrement the reference count of each block in the array ++ * and the GArray itself. Any element whose reference count ++ * drops to 0 will be freed. If the GArray and every block ++ * has a reference count of 1, this is the same as ++ * wtap_block_array_free(). ++ * ++ * @param[in] block_array Array of blocks to be dereferenced ++ */ ++WS_DLL_PUBLIC void ++wtap_block_array_unref(GArray* block_array); ++ ++/** Increment the reference count of an array of blocks ++ * ++ * Increment the reference count of each block in the array ++ * and the GArray itself. 
++ * ++ * @param[in] block_array Array of blocks to be referenced ++ */ ++WS_DLL_PUBLIC void ++wtap_block_array_ref(GArray* block_array); ++ + /** Provide type of a block + * + * @param[in] block Block from which to retrieve mandatory data +-- +GitLab + diff --git a/wireshark.spec b/wireshark.spec index 2434cf24d7b7e31424fd5010b36695306572ff66..c53f944a3078124f223bf32ea8e11bf011a8c8c6 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -5,7 +5,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 4.2.4 -Release: 1 +Release: 2 Epoch: 1 License: GPL+ Url: http://www.wireshark.org/ @@ -15,13 +15,16 @@ Source1: https://www.wireshark.org/download/src/all-versions/SIGNATURES-% Source2: 90-wireshark-usbmon.rules Source3: wireshark.sysusers -Patch2: wireshark-0002-Customize-permission-denied-error.patch -Patch3: wireshark-0003-fix-string-overrun-in-plugins-profinet.patch -Patch4: wireshark-0004-Restore-Fedora-specific-groups.patch -Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch -Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch -Patch7: wireshark-0007-cmakelists.patch -Patch8: wireshark-0008-pkgconfig.patch +Patch2: wireshark-0002-Customize-permission-denied-error.patch +Patch3: wireshark-0003-fix-string-overrun-in-plugins-profinet.patch +Patch4: wireshark-0004-Restore-Fedora-specific-groups.patch +Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch +Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch +Patch7: wireshark-0007-cmakelists.patch +Patch8: wireshark-0008-pkgconfig.patch +Patch9: CVE-2024-4853.patch +Patch10: CVE-2024-4854.patch +Patch11: CVE-2024-4855.patch Requires: xdg-utils Requires: hicolor-icon-theme @@ -200,6 +203,9 @@ exit 0 %{_mandir}/man?/* %changelog +* Wed May 15 2024 yaoxin - 1:4.2.4-2 +- Fix CVE-2024-4853,CVE-2024-4854 and CVE-2024-4855 + * Wed Apr 24 2024 yaoxin - 1:4.2.4-1 - Upgrade to 4.2.4
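Review bot: The new reference-counting API is unsafe to mix with the existing `wtap_block_array_free()`, which still ends in `g_array_free(block_array, TRUE)`: in GLib that call releases the element segment even when other references to the GArray remain, so any remaining holder of a ref'd array (such as editcap's `params.dsbs_initial`) would be left with an empty or dangling array, and nothing in the header documents the restriction. The doc comment for wtap_block_array_ref() should state it explicitly, e.g. `An array that has been referenced with wtap_block_array_ref() must be released with wtap_block_array_unref(), never with wtap_block_array_free().` In editcap.c the extra reference is taken right before a `wtap_dump_close` that may fail and exit, which only leaks on that path, but every other place that closes the dump file and reopens one for the same `params` needs the same `wtap_block_array_ref(params.dsbs_initial)` call, and only two such sites are visible in the hunk.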