diff --git a/CVE-2024-4853.patch b/CVE-2024-4853.patch new file mode 100644 index 0000000000000000000000000000000000000000..adbff983c8e6279b71b95d97277cbba2fcb5d02d --- /dev/null +++ b/CVE-2024-4853.patch @@ -0,0 +1,33 @@ +From 683166c81bc1f8a6268f4955654bfd64ca98c07a Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Fri, 29 Mar 2024 09:42:44 -0400 +Subject: [PATCH] editcap: Don't memmove more than allocated in the buffer + +When moving from the begining with a beginning offset specified, +don't run off the end. Subtract the source memory area's full offset +from the beginning of the buffer from the capture length. + +Fix #19724 + + +(cherry picked from commit 7c744e7933794b09e7af4d9703194ad0b01be282) +--- + editcap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/editcap.c b/editcap.c +index 3b5a70127ee..f64a8155576 100644 +--- a/editcap.c ++++ b/editcap.c +@@ -2462,7 +2462,7 @@ handle_chopping(chop_t chop, wtap_packet_header *out_phdr, + if (chop.off_begin_pos > 0) { + memmove(*buf + chop.off_begin_pos, + *buf + chop.off_begin_pos + chop.len_begin, +- out_phdr->caplen - chop.len_begin); ++ out_phdr->caplen - (chop.off_begin_pos + chop.len_begin)); + } else { + *buf += chop.len_begin; + } +-- +GitLab + diff --git a/CVE-2024-4854.patch b/CVE-2024-4854.patch new file mode 100644 index 0000000000000000000000000000000000000000..6963c0e9e6be0e5cc8c0b84cdf4946fb00a01623 --- /dev/null +++ b/CVE-2024-4854.patch 
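Review bot: The new memmove length `out_phdr->caplen - (chop.off_begin_pos + chop.len_begin)` is an unsigned subtraction that relies on off_begin_pos + len_begin never exceeding caplen; handle_chopping begins and ends outside the hunk, so the clamping that presumably happens earlier in the function cannot be seen here and should be confirmed, since an unchecked value would wrap to a huge length rather than a short one. The arithmetic itself is right once that holds: the source region starts at off_begin_pos + len_begin, so only caplen minus that much remains to move, and the old length over-read the buffer by off_begin_pos bytes. I would add a comment above the call: `/* Only the bytes after the chopped region remain to move: the source starts at off_begin_pos + len_begin, so subtract the full offset from caplen, not just len_begin. */`.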
@@ -0,0 +1,48 @@ +From 40ed7e814bce9d27cc7a43a3c9612d25692be716 Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Sat, 30 Mar 2024 08:07:26 -0400 +Subject: [PATCH] Mongo: Ensure the offset advances + +The MongoDB Wire Protocol uses _signed_ 32 bit integers for lengths. +dissect_bson_document checks for bogus values and ensures that a +non-negative (and at least 5) size is returned, but we need to make +sure to use that return value instead of trusting the value read +from the packet in dissect_op_msg_section. + +Fix #19726 + + +(cherry picked from commit 38c0efcee8d22d922e446888b268effc3ccf725f) +--- + epan/dissectors/packet-mongo.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-mongo.c b/epan/dissectors/packet-mongo.c +index b5a8bbffc2a..8e5f6370fbf 100644 +--- a/epan/dissectors/packet-mongo.c ++++ b/epan/dissectors/packet-mongo.c +@@ -799,7 +799,10 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr + + switch (e_type) { + case KIND_BODY: +- dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body); ++ section_len = dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body); ++ /* If section_len is bogus (e.g., negative), dissect_bson_document sets ++ * an expert info and can return a different value than read above. ++ */ + break; + case KIND_DOCUMENT_SEQUENCE: { + gint32 dsi_length; +@@ -808,6 +811,9 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr + proto_tree *documents_tree; + + proto_tree_add_item(section_tree, hf_mongo_msg_sections_section_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); ++ /* This is redundant with the lengths in the documents, we don't use this ++ * size at all. We could still report an expert info if it's bogus. ++ */ + offset += 4; + to_read -= 4; + +-- +GitLab + 
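Review bot: The explanatory comment in the KIND_BODY case is placed after the assignment it explains and directly before the `break`, which reads as if it documented the break; move it above `section_len = dissect_bson_document(...)`. The second hunk's comment says the section size "could still" get an expert info if bogus but leaves that undone; either add the range check there or mark the sentence as a `TODO` so it is not read as a description of current behaviour. dissect_op_msg_section and the declaration of section_len lie outside the hunk, so whether every path in the caller advances the offset by section_len, which is the stated intent of the fix, cannot be confirmed from here.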
diff --git a/CVE-2024-4855.patch b/CVE-2024-4855.patch new file mode 100644 index 0000000000000000000000000000000000000000..0e77911a6103cc0643fcfde2725aee822857cf6f --- /dev/null +++ b/CVE-2024-4855.patch 
@@ -0,0 +1,158 @@ +From f6cb547426d1ee5df2038809b5a6f23380edc932 Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Sat, 20 Apr 2024 13:15:16 +0000 +Subject: [PATCH] editcap, libwiretap: Don't use array of initial DSBs after + freeing + +wtap_dump_close frees the passed in GArray of initial DSBs, used +by editcap for injecting DSBs from a file or list of files. + +Add functions to increment and decrement the reference count of +an array of wtap blocks. Dereference the block of initial DSBs +in wtap_dump_close() instead of freeing it. In editcap, before +closing the dump file in cases where we intend to open a new +file (e.g., with a maximum time value or a maximum packet count), +reference the block. + +Fix #19782, #19783, #19784. + + +(cherry picked from commit be3550b3b138f39bebb87ac0b8490e75fc8cc847) + +Co-authored-by: John Thacker +--- + editcap.c | 9 +++++++++ + wiretap/file_access.c | 2 +- + wiretap/wtap.h | 3 ++- + wiretap/wtap_opttypes.c | 26 ++++++++++++++++++++++++++ + wiretap/wtap_opttypes.h | 23 +++++++++++++++++++++++ + 5 files changed, 61 insertions(+), 2 deletions(-) + +diff --git a/editcap.c b/editcap.c +index 45091e5..50597c5 100644 +--- a/editcap.c ++++ b/editcap.c +@@ -1858,6 +1858,10 @@ main(int argc, char *argv[]) + } + while (nstime_cmp(&rec->ts, &block_next) > 0) { /* time for the next file */ + ++ /* We presumably want to write the DSBs from files given ++ * on the command line to every file. ++ */ ++ wtap_block_array_ref(params.dsbs_initial); + if (!wtap_dump_close(pdh, &write_err, &write_err_info)) { + cfile_close_failure_message(filename, write_err, + write_err_info); +@@ -1890,6 +1894,11 @@ main(int argc, char *argv[]) + if (split_packet_count != 0) { + /* time for the next file? */ + if (written_count > 0 && (written_count % split_packet_count) == 0) { ++ ++ /* We presumably want to write the DSBs from files given ++ * on the command line to every file. 
++ */ ++ wtap_block_array_ref(params.dsbs_initial); + if (!wtap_dump_close(pdh, &write_err, &write_err_info)) { + cfile_close_failure_message(filename, write_err, + write_err_info); +diff --git a/wiretap/file_access.c b/wiretap/file_access.c +index ff7a640..50d1fb1 100644 +--- a/wiretap/file_access.c ++++ b/wiretap/file_access.c +@@ -2655,7 +2655,7 @@ wtap_dump_close_new_temp(wtap_dumper *wdh, gboolean *needs_reload, + *needs_reload = wdh->needs_reload; + g_free(wdh->priv); + wtap_block_array_free(wdh->interface_data); +- wtap_block_array_free(wdh->dsbs_initial); ++ wtap_block_array_unref(wdh->dsbs_initial); + g_free(wdh); + return ret; + } +diff --git a/wiretap/wtap.h b/wiretap/wtap.h +index d592884..75e4fc6 100644 +--- a/wiretap/wtap.h ++++ b/wiretap/wtap.h +@@ -1419,7 +1419,8 @@ typedef struct addrinfo_lists { + * @note The shb_hdr, idb_inf, and nrb_hdr arguments will be used until + * wtap_dump_close() is called, but will not be free'd by the dumper. If + * you created them, you must free them yourself after wtap_dump_close(). +- * dsbs_initial will be freed by wtap_dump_close(), ++ * dsbs_initial will be unreferenced by wtap_dump_close(), so to reuse ++ * them for another dump file, call wtap_block_array_ref() before closing. + * dsbs_growing typically refers to another wth->dsbs. + * + * @see wtap_dump_params_init, wtap_dump_params_cleanup. 
+diff --git a/wiretap/wtap_opttypes.c b/wiretap/wtap_opttypes.c +index 2068743..d4a9602 100644 +--- a/wiretap/wtap_opttypes.c ++++ b/wiretap/wtap_opttypes.c +@@ -436,6 +436,32 @@ void wtap_block_array_free(GArray* block_array) + g_array_free(block_array, TRUE); + } + ++void wtap_block_array_ref(GArray* block_array) ++{ ++ unsigned block; ++ ++ if (block_array == NULL) ++ return; ++ ++ for (block = 0; block < block_array->len; block++) { ++ wtap_block_ref(g_array_index(block_array, wtap_block_t, block)); ++ } ++ g_array_ref(block_array); ++} ++ ++void wtap_block_array_unref(GArray* block_array) ++{ ++ unsigned block; ++ ++ if (block_array == NULL) ++ return; ++ ++ for (block = 0; block < block_array->len; block++) { ++ wtap_block_unref(g_array_index(block_array, wtap_block_t, block)); ++ } ++ g_array_unref(block_array); ++} ++ + /* + * Make a copy of a block. + */ +diff --git a/wiretap/wtap_opttypes.h b/wiretap/wtap_opttypes.h +index 58d3103..5d130c5 100644 +--- a/wiretap/wtap_opttypes.h ++++ b/wiretap/wtap_opttypes.h +@@ -572,6 +572,29 @@ wtap_block_unref(wtap_block_t block); + WS_DLL_PUBLIC void + wtap_block_array_free(GArray* block_array); + ++/** Decrement the reference count of an array of blocks ++ * ++ * Decrement the reference count of each block in the array ++ * and the GArray itself. Any element whose reference count ++ * drops to 0 will be freed. If the GArray and every block ++ * has a reference count of 1, this is the same as ++ * wtap_block_array_free(). ++ * ++ * @param[in] block_array Array of blocks to be dereferenced ++ */ ++WS_DLL_PUBLIC void ++wtap_block_array_unref(GArray* block_array); ++ ++/** Increment the reference count of an array of blocks ++ * ++ * Increment the reference count of each block in the array ++ * and the GArray itself. 
++ * ++ * @param[in] block_array Array of blocks to be referenced ++ */ ++WS_DLL_PUBLIC void ++wtap_block_array_ref(GArray* block_array); ++ + /** Provide type of a block + * + * @param[in] block Block from which to retrieve mandatory data +-- +2.33.0 + diff --git a/wireshark.spec b/wireshark.spec index bcb66018bfc8712cd15b7a91a8e0029243638df5..9c2016ffe86889e4351a3a78a7ff94dca30e56ec 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -5,7 +5,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 3.6.14 -Release: 7 +Release: 8 Epoch: 1 License: GPL+ Url: http://www.wireshark.org/ @@ -34,6 +34,9 @@ Patch16: CVE-2024-0208.patch Patch17: CVE-2024-0209.patch # https://gitlab.com/wireshark/wireshark/-/commit/28fdce547c417b868c521f87fb58f71ca6b1e3f7 Patch18: CVE-2023-0666.patch +Patch19: CVE-2024-4853.patch +Patch20: CVE-2024-4854.patch +Patch21: CVE-2024-4855.patch Requires: xdg-utils Requires: hicolor-icon-theme @@ -208,6 +211,9 @@ exit 0 %{_mandir}/man?/* %changelog +* Wed May 15 2024 yaoxin - 1:3.6.14-8 +- Fix CVE-2024-4853,CVE-2024-4854 and CVE-2024-4855 + * Mon Mar 25 2024 yaoxin - 1:3.6.14-7 - Fix CVE-2023-0666
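Review bot: The new wtap_block_array_ref() and wtap_block_array_unref() both accept NULL and return early, but the Doxygen comments added to wtap_opttypes.h do not say so; add `@note A NULL block_array is accepted and ignored.` to each so callers such as editcap, which may pass params.dsbs_initial unset, need not add their own checks. The two editcap hunks carry an identical comment saying we "presumably" want the DSBs in every file; since the commit makes that the behaviour, state it definitively, e.g. `/* Keep the initial DSBs alive: wtap_dump_close() drops one reference and the next output file needs them. */`. The final wtap_dump_close() in editcap main and any later cleanup of params lie outside the hunks, so it is worth confirming that the last reference on dsbs_initial is released exactly once there.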