diff --git a/CVE-2023-0666.patch b/CVE-2023-0666.patch new file mode 100644 index 0000000000000000000000000000000000000000..c27b4f4ff1db6c7507e03a1518320a60329905b2 --- /dev/null +++ b/CVE-2023-0666.patch @@ -0,0 +1,116 @@ +From 28fdce547c417b868c521f87fb58f71ca6b1e3f7 Mon Sep 17 00:00:00 2001 +From: Gerald Combs +Date: Thu, 18 May 2023 13:52:48 -0700 +Subject: [PATCH] RTPS: Fixup our g_strlcpy dest_sizes + +Use the proper dest_size in various g_strlcpy calls. + +Fixes #19085 +--- + epan/dissectors/packet-rtps.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c +index c152d50..f4da449 100644 +--- a/epan/dissectors/packet-rtps.c ++++ b/epan/dissectors/packet-rtps.c +@@ -4487,7 +4487,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + ++tk_id; + } + +- (void) g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), 40); ++ (void) g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), sizeof(type_name)); + + /* Structure of the typecode data: + * +@@ -4658,7 +4658,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + member_name, -1, NULL, ndds_40_hack); + } + /* Finally prints the name of the struct (if provided) */ +- (void) g_strlcpy(type_name, "}", 40); ++ (void) g_strlcpy(type_name, "}", sizeof(type_name)); + break; + + } /* end of case UNION */ +@@ -4829,7 +4829,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + } + } + /* Finally prints the name of the struct (if provided) */ +- (void) g_strlcpy(type_name, "}", 40); ++ (void) g_strlcpy(type_name, "}", sizeof(type_name)); + break; + } + +@@ -4921,7 +4921,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + offset += 4; + alias_name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, alias_name_length, ENC_ASCII); + offset = check_offset_addition(offset, alias_name_length, tree, NULL, tvb); +- (void) g_strlcpy(type_name, alias_name, 40); ++ (void) g_strlcpy(type_name, alias_name, sizeof(type_name)); + break; + } + +@@ -4956,7 +4956,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + if (tk_id == RTI_CDR_TK_VALUE_PARAM) { + type_id_name = "valueparam"; + } +- g_snprintf(type_name, 40, "%s '%s'", type_id_name, value_name); ++ g_snprintf(type_name, sizeof(type_name), "%s '%s'", type_id_name, value_name); + break; + } + } /* switch(tk_id) */ +@@ -5120,7 +5120,7 @@ static gint rtps_util_add_type_library_type(proto_tree *tree, + long_number = tvb_get_guint32(tvb, offset_tmp, encoding); + name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset_tmp+4, long_number, ENC_ASCII); + if (info) +- (void) g_strlcpy(info->member_name, name, long_number); ++ (void) g_strlcpy(info->member_name, name, sizeof(info->member_name)); + + proto_item_append_text(tree, " %s", name); + offset = check_offset_addition(offset, member_length, tree, NULL, tvb); +@@ -5296,13 +5296,13 @@ static gint rtps_util_add_type_member(proto_tree *tree, + proto_item_append_text(tree, " %s (ID: %d)", name, member_id); + if (member_object) { + member_object->member_id = member_id; +- (void) g_strlcpy(member_object->member_name, name, long_number < 256 ? long_number : 256); ++ (void) g_strlcpy(member_object->member_name, name, sizeof(member_object->member_name)); + member_object->type_id = member_type_id; + } + if (info && info->extensibility == EXTENSIBILITY_MUTABLE) { + mutable_member_mapping * mutable_mapping = NULL; + mutable_mapping = wmem_new(wmem_file_scope(), mutable_member_mapping); +- (void) g_strlcpy(mutable_mapping->member_name, name, long_number < 256 ? long_number : 256); ++ (void) g_strlcpy(mutable_mapping->member_name, name, sizeof(mutable_mapping->member_name)); + mutable_mapping->struct_type_id = info->type_id; + mutable_mapping->member_type_id = member_type_id; + mutable_mapping->member_id = member_id; +@@ -5357,7 +5357,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, + union_member_mapping * mapping = NULL; + + mapping = wmem_new(wmem_file_scope(), union_member_mapping); +- (void) g_strlcpy(mapping->member_name, object.member_name, 256); ++ (void) g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); + mapping->member_type_id = object.type_id; + mapping->discriminator = HASHMAP_DISCRIMINATOR_CONSTANT; + mapping->union_type_id = union_type_id + mapping->discriminator; +@@ -5370,7 +5370,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, + union_member_mapping * mapping = NULL; + + mapping = wmem_new(wmem_file_scope(), union_member_mapping); +- (void) g_strlcpy(mapping->member_name, object.member_name, 256); ++ (void) g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); + mapping->member_type_id = object.type_id; + mapping->discriminator = -1; + mapping->union_type_id = union_type_id + mapping->discriminator; +@@ -5390,7 +5390,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, + ti = proto_tree_add_item(labels, hf_rtps_type_object_union_label, tvb, offset_tmp, 4, encoding); + offset_tmp += 4; + +- (void) g_strlcpy(mapping->member_name, object.member_name, 256); ++ (void) g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); + mapping->member_type_id = object.type_id; + mapping->discriminator = discriminator_case; + mapping->union_type_id = union_type_id + discriminator_case; +-- +2.33.0 + diff --git a/CVE-2024-24476.patch b/CVE-2024-24476.patch new file mode 100644 index 0000000000000000000000000000000000000000..fc56bf3f415d24c4bccfc68e0da64b94e42f9d16 --- /dev/null +++ b/CVE-2024-24476.patch @@ -0,0 +1,157 @@ +From 108217f4bb1afb8b25fc705c2722b3e328b1ad78 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jo=C3=A3o=20Valverde?= +Date: Sat, 16 Sep 2023 06:59:12 +0100 +Subject: [PATCH] addr_resolv: Fix a heap buffer overflow + +Make sure we always pass at least 6 bytes to ws_manuf_lookup_str(). + +Fixes #19344. +--- + epan/addr_resolv.c | 29 +++++++++++++++++++++-------- + epan/addr_resolv.h | 4 ++-- + epan/address_types.c | 4 ++-- + 3 files changed, 25 insertions(+), 12 deletions(-) + +diff --git a/epan/addr_resolv.c b/epan/addr_resolv.c +index 3e0cc6d..4a6be03 100644 +--- a/epan/addr_resolv.c ++++ b/epan/addr_resolv.c +@@ -1607,12 +1607,16 @@ add_manuf_name(const guint8 *addr, unsigned int mask, gchar *name, gchar *longna + } /* add_manuf_name */ + + static hashmanuf_t * +-manuf_name_lookup(const guint8 *addr) ++manuf_name_lookup(const guint8 *addr, size_t size) + { + guint32 manuf_key; + guint8 oct; + hashmanuf_t *manuf_value; + ++ if (size < 6) { ++ return NULL; ++ } ++ + /* manuf needs only the 3 most significant octets of the ethernet address */ + manuf_key = addr[0]; + manuf_key = manuf_key<<8; +@@ -1773,6 +1777,7 @@ eth_addr_resolve(hashether_t *tp) { + ether_t *eth; + hashmanuf_t *manuf_value; + const guint8 *addr = tp->addr; ++ size_t addr_size = sizeof(tp->addr); + + if ( (eth = get_ethbyaddr(addr)) != NULL) { + (void) g_strlcpy(tp->resolved_name, eth->name, MAXNAMELEN); +@@ -1819,7 +1824,7 @@ eth_addr_resolve(hashether_t *tp) { + } while (mask--); + + /* Now try looking in the manufacturer table. */ +- manuf_value = manuf_name_lookup(addr); ++ manuf_value = manuf_name_lookup(addr, addr_size); + if ((manuf_value != NULL) && (manuf_value->status != HASHETHER_STATUS_UNRESOLVED)) { + g_snprintf(tp->resolved_name, MAXNAMELEN, "%s_%02x:%02x:%02x", + manuf_value->resolved_name, addr[3], addr[4], addr[5]); +@@ -3378,11 +3383,11 @@ get_vlan_name(wmem_allocator_t *allocator, const guint16 id) + } /* get_vlan_name */ + + const gchar * +-get_manuf_name(const guint8 *addr) ++get_manuf_name(const guint8 *addr, size_t size) + { + hashmanuf_t *manuf_value; + +- manuf_value = manuf_name_lookup(addr); ++ manuf_value = manuf_name_lookup(addr, size); + if (gbl_resolv_flags.mac_name && manuf_value->status != HASHETHER_STATUS_UNRESOLVED) + return manuf_value->resolved_name; + +@@ -3393,16 +3398,22 @@ get_manuf_name(const guint8 *addr) + const gchar * + tvb_get_manuf_name(tvbuff_t *tvb, gint offset) + { +- return get_manuf_name(tvb_get_ptr(tvb, offset, 3)); ++ guint8 buf[6] = { 0 }; ++ tvb_memcpy(tvb, buf, offset, 3); ++ return get_manuf_name(buf, sizeof(buf)); + } + + const gchar * +-get_manuf_name_if_known(const guint8 *addr) ++get_manuf_name_if_known(const guint8 *addr, size_t size) + { + hashmanuf_t *manuf_value; + guint manuf_key; + guint8 oct; + ++ if (size != 6) { ++ return NULL; ++ } ++ + /* manuf needs only the 3 most significant octets of the ethernet address */ + manuf_key = addr[0]; + manuf_key = manuf_key<<8; +@@ -3437,7 +3448,9 @@ uint_get_manuf_name_if_known(const guint manuf_key) + const gchar * + tvb_get_manuf_name_if_known(tvbuff_t *tvb, gint offset) + { +- return get_manuf_name_if_known(tvb_get_ptr(tvb, offset, 3)); ++ guint8 buf[6] = { 0 }; ++ tvb_memcpy(tvb, buf, offset, 3); ++ return get_manuf_name_if_known(buf, sizeof(buf)); + } + + char* get_hash_manuf_resolved_name(hashmanuf_t* manuf) +@@ -3455,7 +3468,7 @@ eui64_to_display(wmem_allocator_t *allocator, const guint64 addr_eui64) + /* Copy and convert the address to network byte order. */ + *(guint64 *)(void *)(addr) = pntoh64(&(addr_eui64)); + +- manuf_value = manuf_name_lookup(addr); ++ manuf_value = manuf_name_lookup(addr, 8); + if (!gbl_resolv_flags.mac_name || (manuf_value->status == HASHETHER_STATUS_UNRESOLVED)) { + ret = wmem_strdup_printf(allocator, "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x", addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7]); + } else { +diff --git a/epan/addr_resolv.h b/epan/addr_resolv.h +index 313e8f9..362682c 100644 +--- a/epan/addr_resolv.h ++++ b/epan/addr_resolv.h +@@ -223,13 +223,13 @@ const gchar *get_ether_name_if_known(const guint8 *addr); + * Given a sequence of 3 octets containing an OID, get_manuf_name() + * returns the vendor name, or "%02x:%02x:%02x" if not known. + */ +-extern const gchar *get_manuf_name(const guint8 *addr); ++extern const gchar *get_manuf_name(const guint8 *addr, size_t size); + + /* + * Given a sequence of 3 octets containing an OID, get_manuf_name_if_known() + * returns the vendor name, or NULL if not known. + */ +-WS_DLL_PUBLIC const gchar *get_manuf_name_if_known(const guint8 *addr); ++WS_DLL_PUBLIC const gchar *get_manuf_name_if_known(const guint8 *addr, size_t size); + + /* + * Given an integer containing a 24-bit OID, uint_get_manuf_name_if_known() +diff --git a/epan/address_types.c b/epan/address_types.c +index 86812af..776a02d 100644 +--- a/epan/address_types.c ++++ b/epan/address_types.c +@@ -382,7 +382,7 @@ static const gchar* fcwwn_name_res_str(const address* addr) + case FC_NH_NAA_IEEE_E: + + memcpy (oui, &addrp[2], 6); +- return get_manuf_name(oui); ++ return get_manuf_name(oui, sizeof(oui)); + + case FC_NH_NAA_IEEE_R: + oui[0] = ((addrp[0] & 0x0F) << 4) | ((addrp[1] & 0xF0) >> 4); +@@ -392,7 +392,7 @@ static const gchar* fcwwn_name_res_str(const address* addr) + oui[4] = ((addrp[4] & 0x0F) << 4) | ((addrp[5] & 0xF0) >> 4); + oui[5] = ((addrp[5] & 0x0F) << 4) | ((addrp[6] & 0xF0) >> 4); + +- return get_manuf_name(oui); ++ return get_manuf_name(oui, sizeof(oui)); + } + + return ""; +-- +2.33.0 + diff --git a/CVE-2024-4853.patch b/CVE-2024-4853.patch new file mode 100644 index 0000000000000000000000000000000000000000..adbff983c8e6279b71b95d97277cbba2fcb5d02d --- /dev/null +++ b/CVE-2024-4853.patch @@ -0,0 +1,33 @@ +From 683166c81bc1f8a6268f4955654bfd64ca98c07a Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Fri, 29 Mar 2024 09:42:44 -0400 +Subject: [PATCH] editcap: Don't memmove more than allocated in the buffer + +When moving from the begining with a beginning offset specified, +don't run off the end. Subtract the source memory area's full offset +from the beginning of the buffer from the capture length. + +Fix #19724 + + +(cherry picked from commit 7c744e7933794b09e7af4d9703194ad0b01be282) +--- + editcap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/editcap.c b/editcap.c +index 3b5a70127ee..f64a8155576 100644 +--- a/editcap.c ++++ b/editcap.c +@@ -2462,7 +2462,7 @@ handle_chopping(chop_t chop, wtap_packet_header *out_phdr, + if (chop.off_begin_pos > 0) { + memmove(*buf + chop.off_begin_pos, + *buf + chop.off_begin_pos + chop.len_begin, +- out_phdr->caplen - chop.len_begin); ++ out_phdr->caplen - (chop.off_begin_pos + chop.len_begin)); + } else { + *buf += chop.len_begin; + } +-- +GitLab + diff --git a/CVE-2024-4854.patch b/CVE-2024-4854.patch new file mode 100644 index 0000000000000000000000000000000000000000..6963c0e9e6be0e5cc8c0b84cdf4946fb00a01623 --- /dev/null +++ b/CVE-2024-4854.patch @@ -0,0 +1,48 @@ +From 40ed7e814bce9d27cc7a43a3c9612d25692be716 Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Sat, 30 Mar 2024 08:07:26 -0400 +Subject: [PATCH] Mongo: Ensure the offset advances + +The MongoDB Wire Protocol uses _signed_ 32 bit integers for lengths. +dissect_bson_document checks for bogus values and ensures that a +non-negative (and at least 5) size is returned, but we need to make +sure to use that return value instead of trusting the value read +from the packet in dissect_op_msg_section. + +Fix #19726 + + +(cherry picked from commit 38c0efcee8d22d922e446888b268effc3ccf725f) +--- + epan/dissectors/packet-mongo.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-mongo.c b/epan/dissectors/packet-mongo.c +index b5a8bbffc2a..8e5f6370fbf 100644 +--- a/epan/dissectors/packet-mongo.c ++++ b/epan/dissectors/packet-mongo.c +@@ -799,7 +799,10 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr + + switch (e_type) { + case KIND_BODY: +- dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body); ++ section_len = dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body); ++ /* If section_len is bogus (e.g., negative), dissect_bson_document sets ++ * an expert info and can return a different value than read above. ++ */ + break; + case KIND_DOCUMENT_SEQUENCE: { + gint32 dsi_length; +@@ -808,6 +811,9 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr + proto_tree *documents_tree; + + proto_tree_add_item(section_tree, hf_mongo_msg_sections_section_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); ++ /* This is redundant with the lengths in the documents, we don't use this ++ * size at all. We could still report an expert info if it's bogus. ++ */ + offset += 4; + to_read -= 4; + +-- +GitLab + diff --git a/CVE-2024-4855.patch b/CVE-2024-4855.patch new file mode 100644 index 0000000000000000000000000000000000000000..0e77911a6103cc0643fcfde2725aee822857cf6f --- /dev/null +++ b/CVE-2024-4855.patch @@ -0,0 +1,158 @@ +From f6cb547426d1ee5df2038809b5a6f23380edc932 Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Sat, 20 Apr 2024 13:15:16 +0000 +Subject: [PATCH] editcap, libwiretap: Don't use array of initial DSBs after + freeing + +wtap_dump_close frees the passed in GArray of initial DSBs, used +by editcap for injecting DSBs from a file or list of files. + +Add functions to increment and decrement the reference count of +an array of wtap blocks. Dereference the block of initial DSBs +in wtap_dump_close() instead of freeing it. In editcap, before +closing the dump file in cases where we intend to open a new +file (e.g., with a maximum time value or a maximum packet count), +reference the block. + +Fix #19782, #19783, #19784. + + +(cherry picked from commit be3550b3b138f39bebb87ac0b8490e75fc8cc847) + +Co-authored-by: John Thacker +--- + editcap.c | 9 +++++++++ + wiretap/file_access.c | 2 +- + wiretap/wtap.h | 3 ++- + wiretap/wtap_opttypes.c | 26 ++++++++++++++++++++++++++ + wiretap/wtap_opttypes.h | 23 +++++++++++++++++++++++ + 5 files changed, 61 insertions(+), 2 deletions(-) + +diff --git a/editcap.c b/editcap.c +index 45091e5..50597c5 100644 +--- a/editcap.c ++++ b/editcap.c +@@ -1858,6 +1858,10 @@ main(int argc, char *argv[]) + } + while (nstime_cmp(&rec->ts, &block_next) > 0) { /* time for the next file */ + ++ /* We presumably want to write the DSBs from files given ++ * on the command line to every file. ++ */ ++ wtap_block_array_ref(params.dsbs_initial); + if (!wtap_dump_close(pdh, &write_err, &write_err_info)) { + cfile_close_failure_message(filename, write_err, + write_err_info); +@@ -1890,6 +1894,11 @@ main(int argc, char *argv[]) + if (split_packet_count != 0) { + /* time for the next file? */ + if (written_count > 0 && (written_count % split_packet_count) == 0) { ++ ++ /* We presumably want to write the DSBs from files given ++ * on the command line to every file. ++ */ ++ wtap_block_array_ref(params.dsbs_initial); + if (!wtap_dump_close(pdh, &write_err, &write_err_info)) { + cfile_close_failure_message(filename, write_err, + write_err_info); +diff --git a/wiretap/file_access.c b/wiretap/file_access.c +index ff7a640..50d1fb1 100644 +--- a/wiretap/file_access.c ++++ b/wiretap/file_access.c +@@ -2655,7 +2655,7 @@ wtap_dump_close_new_temp(wtap_dumper *wdh, gboolean *needs_reload, + *needs_reload = wdh->needs_reload; + g_free(wdh->priv); + wtap_block_array_free(wdh->interface_data); +- wtap_block_array_free(wdh->dsbs_initial); ++ wtap_block_array_unref(wdh->dsbs_initial); + g_free(wdh); + return ret; + } +diff --git a/wiretap/wtap.h b/wiretap/wtap.h +index d592884..75e4fc6 100644 +--- a/wiretap/wtap.h ++++ b/wiretap/wtap.h +@@ -1419,7 +1419,8 @@ typedef struct addrinfo_lists { + * @note The shb_hdr, idb_inf, and nrb_hdr arguments will be used until + * wtap_dump_close() is called, but will not be free'd by the dumper. If + * you created them, you must free them yourself after wtap_dump_close(). +- * dsbs_initial will be freed by wtap_dump_close(), ++ * dsbs_initial will be unreferenced by wtap_dump_close(), so to reuse ++ * them for another dump file, call wtap_block_array_ref() before closing. + * dsbs_growing typically refers to another wth->dsbs. + * + * @see wtap_dump_params_init, wtap_dump_params_cleanup. +diff --git a/wiretap/wtap_opttypes.c b/wiretap/wtap_opttypes.c +index 2068743..d4a9602 100644 +--- a/wiretap/wtap_opttypes.c ++++ b/wiretap/wtap_opttypes.c +@@ -436,6 +436,32 @@ void wtap_block_array_free(GArray* block_array) + g_array_free(block_array, TRUE); + } + ++void wtap_block_array_ref(GArray* block_array) ++{ ++ unsigned block; ++ ++ if (block_array == NULL) ++ return; ++ ++ for (block = 0; block < block_array->len; block++) { ++ wtap_block_ref(g_array_index(block_array, wtap_block_t, block)); ++ } ++ g_array_ref(block_array); ++} ++ ++void wtap_block_array_unref(GArray* block_array) ++{ ++ unsigned block; ++ ++ if (block_array == NULL) ++ return; ++ ++ for (block = 0; block < block_array->len; block++) { ++ wtap_block_unref(g_array_index(block_array, wtap_block_t, block)); ++ } ++ g_array_unref(block_array); ++} ++ + /* + * Make a copy of a block. + */ +diff --git a/wiretap/wtap_opttypes.h b/wiretap/wtap_opttypes.h +index 58d3103..5d130c5 100644 +--- a/wiretap/wtap_opttypes.h ++++ b/wiretap/wtap_opttypes.h +@@ -572,6 +572,29 @@ wtap_block_unref(wtap_block_t block); + WS_DLL_PUBLIC void + wtap_block_array_free(GArray* block_array); + ++/** Decrement the reference count of an array of blocks ++ * ++ * Decrement the reference count of each block in the array ++ * and the GArray itself. Any element whose reference count ++ * drops to 0 will be freed. If the GArray and every block ++ * has a reference count of 1, this is the same as ++ * wtap_block_array_free(). ++ * ++ * @param[in] block_array Array of blocks to be dereferenced ++ */ ++WS_DLL_PUBLIC void ++wtap_block_array_unref(GArray* block_array); ++ ++/** Increment the reference count of an array of blocks ++ * ++ * Increment the reference count of each block in the array ++ * and the GArray itself. ++ * ++ * @param[in] block_array Array of blocks to be referenced ++ */ ++WS_DLL_PUBLIC void ++wtap_block_array_ref(GArray* block_array); ++ + /** Provide type of a block + * + * @param[in] block Block from which to retrieve mandatory data +-- +2.33.0 + diff --git a/CVE-2024-8250.patch b/CVE-2024-8250.patch new file mode 100644 index 0000000000000000000000000000000000000000..4791221734d995f0808d360f3d74e2bc3be43bb4 --- /dev/null +++ b/CVE-2024-8250.patch @@ -0,0 +1,56 @@ +From be0e7c955d7efa628baa97447127c3434b575765 Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Sun, 28 Jul 2024 13:06:50 +0000 +Subject: [PATCH] ntlmssp: Don't insert a key created on the stack into a hash + table + +Origin: https://gitlab.com/wireshark/wireshark/-/merge_requests/16640 + +We could change this table to an autoreset wmem_map as well. + +Fix #19943 + + +(cherry picked from commit 66dcd56f1eae615697b6588ac4778a61a5576391) + +Co-authored-by: John Thacker +--- + epan/dissectors/packet-ntlmssp.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/epan/dissectors/packet-ntlmssp.c b/epan/dissectors/packet-ntlmssp.c +index a538c204e61..d279d74eb53 100644 +--- a/epan/dissectors/packet-ntlmssp.c ++++ b/epan/dissectors/packet-ntlmssp.c +@@ -2353,7 +2353,9 @@ decrypt_data_payload(tvbuff_t *tvb, int offset, guint32 encrypted_block_length, + decrypted_payloads = g_slist_prepend(decrypted_payloads, + packet_ntlmssp_info->decrypted_payload); + if (key != NULL) { +- g_hash_table_insert(hash_packet, key, packet_ntlmssp_info); ++ uint8_t *perm_key = g_new(uint8_t, NTLMSSP_KEY_LEN); ++ memcpy(perm_key, key, NTLMSSP_KEY_LEN); ++ g_hash_table_insert(hash_packet, perm_key, packet_ntlmssp_info); + } + + /* Do the decryption of the payload */ +@@ -2803,7 +2805,7 @@ header_hash(gconstpointer pointer) + static gboolean + header_equal(gconstpointer pointer1, gconstpointer pointer2) + { +- if (!memcmp(pointer1, pointer2, 16)) { ++ if (!memcmp(pointer1, pointer2, NTLMSSP_KEY_LEN)) { + return TRUE; + } + else { +@@ -2814,7 +2816,7 @@ header_equal(gconstpointer pointer1, gconstpointer pointer2) + static void + ntlmssp_init_protocol(void) + { +- hash_packet = g_hash_table_new(header_hash, header_equal); ++ hash_packet = g_hash_table_new_full(header_hash, header_equal, g_free, NULL); + } + + static void +-- +GitLab + diff --git a/CVE-2024-8645.patch b/CVE-2024-8645.patch new file mode 100644 index 0000000000000000000000000000000000000000..5bcf249c3e1ed89cd2815fe0e1c654317732d5c2 --- /dev/null +++ b/CVE-2024-8645.patch @@ -0,0 +1,87 @@ +From cc67f836c01b6f55f2ff70aa4df44a1b934d7404 Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Wed, 29 May 2024 14:23:04 +0000 +Subject: [PATCH] SPRT: Fix crash + +SDP can setup a RTP conversation with a setup frame before the current +frame, which changes the dissection on the second pass. If in the period +in the middle there is a SPRT packet, it can be dissected differently on +the second pass, and the SPRT conversation data won't be found on the +second pass. + +Fix #19559 (at least prevent the crash. There's some more cleanup that +should happen.) + + +(cherry picked from commit 05f6364cbd766e8758f98c5ee2070aef27c1ffef) + +Co-authored-by: John Thacker +--- + epan/dissectors/packet-rtp.c | 3 +++ + epan/dissectors/packet-sprt.c | 29 +++++++++++++++++------------ + 2 files changed, 20 insertions(+), 12 deletions(-) + +diff --git a/epan/dissectors/packet-rtp.c b/epan/dissectors/packet-rtp.c +index 9731e03..6ec8f6f 100644 +--- a/epan/dissectors/packet-rtp.c ++++ b/epan/dissectors/packet-rtp.c +@@ -1097,6 +1097,9 @@ srtp_add_address(packet_info *pinfo, const port_type ptype, address *addr, int p + * If not, create a new conversation. + */ + if (!p_conv || p_conv->setup_frame != setup_frame_number) { ++ /* XXX - If setup_frame_number < pinfo->num, creating this conversation ++ * can mean that the dissection is different on later passes. ++ */ + p_conv = conversation_new(setup_frame_number, addr, &null_addr, conversation_pt_to_endpoint_type(ptype), + (guint32)port, (guint32)other_port, + NO_ADDR2 | (!other_port ? NO_PORT2 : 0)); +diff --git a/epan/dissectors/packet-sprt.c b/epan/dissectors/packet-sprt.c +index 87e543c..568d242 100644 +--- a/epan/dissectors/packet-sprt.c ++++ b/epan/dissectors/packet-sprt.c +@@ -1341,6 +1341,23 @@ dissect_sprt(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_ + /*guint16 tcn;*/ + /*guint16 sqn;*/ + ++ /* Get conversation data, or create it if not found */ ++ p_conv_data = find_sprt_conversation_data(pinfo); ++ if (!p_conv_data) ++ { ++ sprt_add_address(pinfo, ++ &pinfo->src, pinfo->srcport, ++ 0, ++ "SPRT stream", ++ pinfo->num); ++ p_conv_data = find_sprt_conversation_data(pinfo); ++ if (!p_conv_data) { ++ // This shouldn't happen; likely a new RTP conversation was set up ++ // after this frame but with a setup frame before this one. ++ return 0; ++ } ++ } ++ + /* Make entries in Protocol column and Info column on summary display */ + col_set_str(pinfo->cinfo, COL_PROTOCOL, "SPRT"); + col_clear(pinfo->cinfo, COL_INFO); +@@ -1395,18 +1412,6 @@ dissect_sprt(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_ + + noa = (tvb_get_ntohs(tvb, offset + 4) & 0xC000) >> 14; + +- /* Get conversation data, or create it if not found */ +- p_conv_data = find_sprt_conversation_data(pinfo); +- if (!p_conv_data) +- { +- sprt_add_address(pinfo, +- &pinfo->src, pinfo->srcport, +- 0, +- "SPRT stream", +- pinfo->num); +- p_conv_data = find_sprt_conversation_data(pinfo); +- } +- + proto_tree_add_item(sprt_tree, hf_sprt_header_extension_bit, tvb, offset, 1, ENC_BIG_ENDIAN); + proto_tree_add_item(sprt_tree, hf_sprt_subsession_id, tvb, offset, 1, ENC_BIG_ENDIAN); + offset++; +-- +2.46.2 + diff --git a/wireshark.spec b/wireshark.spec index b7831bfbc979fa7318e7f73c64366218e403e6e6..1ad9fd1096a9ca176de630e4d0e5402d94b4a1e8 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -5,7 +5,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 3.6.14 -Release: 7 +Release: 12 Epoch: 1 License: GPL+ Url: http://www.wireshark.org/ @@ -33,6 +33,14 @@ Patch15: CVE-2023-6175.patch Patch16: Fix-libvirt-build-fail.patch Patch17: CVE-2024-0208.patch Patch18: CVE-2024-0209.patch +# https://gitlab.com/wireshark/wireshark/-/commit/28fdce547c417b868c521f87fb58f71ca6b1e3f7 +Patch19: CVE-2023-0666.patch +Patch20: CVE-2024-4853.patch +Patch21: CVE-2024-4854.patch +Patch22: CVE-2024-4855.patch +Patch23: CVE-2024-8250.patch +Patch24: CVE-2024-24476.patch +Patch25: CVE-2024-8645.patch Requires: xdg-utils Requires: hicolor-icon-theme @@ -207,6 +215,21 @@ exit 0 %{_mandir}/man?/* %changelog +* Wed Oct 09 2024 yaoxin - 1:3.6.14-12 +- Fix CVE-2024-8645 + +* Mon Oct 07 2024 liningjie - 1:3.6.14-11 +- Fix CVE-2024-24476 + +* Fri Aug 30 2024 wangkai <13474090681@163.com> - 1:3.6.14-10 +- Fix CVE-2024-8250 + +* Wed May 15 2024 yaoxin - 1:3.6.14-9 +- Fix CVE-2024-4853,CVE-2024-4854 and CVE-2024-4855 + +* Mon Mar 25 2024 yaoxin - 1:3.6.14-8 +- Fix CVE-2023-0666 + * Thu Jan 04 2024 wangkai <13474090681@163.com> - 1:3.6.14-7 - Fix CVE-2024-0208,CVE-2024-0209