From 51371eb3cbd8da2517e922f20e4acc444a179c91 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Mon, 8 Feb 2021 10:57:43 +0800
Subject: [PATCH] fix CVE-2020-26575
---
 CVE-2020-26575.patch | 63 ++++++++++++++++++++++++++++++++++++++++++++
 wireshark.spec | 8 ++++--
 2 files changed, 69 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2020-26575.patch
diff --git a/CVE-2020-26575.patch b/CVE-2020-26575.patch
new file mode 100644
index 0000000..bbd1004
--- /dev/null
+++ b/CVE-2020-26575.patch
@@ -0,0 +1,63 @@
+From 3ff940652962c099b73ae3233322b8697b0d10ab Mon Sep 17 00:00:00 2001
+From: Gerald Combs
+Date: Fri, 2 Oct 2020 12:42:03 -0700
+Subject: [PATCH] FBZERO: Make sure our offset advances.
+
+Make sure our offset advances so that we don't infinitely loop.
+Fixes #16887.
+---
+ epan/dissectors/packet-fbzero.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/packet-fbzero.c b/epan/dissectors/packet-fbzero.c
+index 16ffb63cf1..132079cfaa 100644
+--- a/epan/dissectors/packet-fbzero.c
++++ b/epan/dissectors/packet-fbzero.c
+@@ -66,6 +66,7 @@ static gint ett_fb_zero_tag_value = -1;
+ static expert_field ei_fb_zero_tag_undecoded = EI_INIT;
+ static expert_field ei_fb_zero_tag_length = EI_INIT;
+ static expert_field ei_fb_zero_tag_unknown = EI_INIT;
++static expert_field ei_fb_zero_length_invalid = EI_INIT;
+
+ #define FBZERO_MIN_LENGTH 3
+
+@@ -261,18 +262,26 @@ dissect_fb_zero_tag(tvbuff_t *tvb, packet_info *pinfo, proto_tree *fb_zero_tree,
+ "Dissector for FB Zero Tag"
+ " %s (%s) code not implemented, Contact"
+ " Wireshark developers if you want this supported", tvb_get_string_enc(wmem_packet_scope(), tvb, offset-8, 4, ENC_ASCII|ENC_NA), val_to_str(tag, tag_vals, "Unknown"));
+- tag_offset += tag_len;
++ goto end;
+ break;
+ }
+
+ if(tag_offset != offset_end){
+ /* Wrong Tag len... */
+ proto_tree_add_expert(tag_tree, pinfo, &ei_fb_zero_tag_unknown, tvb, tag_offset_start + tag_offset, offset_end - tag_offset);
+- tag_offset = offset_end;
++ // XXX Return instead?
++ goto end;
+ }
+
+ tag_number--;
+ }
++
++ end:
++ if (offset + total_tag_len <= offset) {
++ expert_add_info_format(pinfo, fb_zero_tree, &ei_fb_zero_length_invalid,
++ "Invalid total tag length: %u", total_tag_len);
++ return offset + tvb_reported_length_remaining(tvb, offset);
++ }
+ return offset + total_tag_len;
+
+ }
+@@ -562,6 +571,7 @@ proto_register_fb_zero(void)
+ { &ei_fb_zero_tag_undecoded, { "fb_zero.tag.undecoded", PI_UNDECODED, PI_NOTE, "Dissector for FB Zero Tag code not implemented, Contact Wireshark developers if you want this supported", EXPFILL }},
+ { &ei_fb_zero_tag_length, { "fb_zero.tag.length.truncated", PI_MALFORMED, PI_NOTE, "Truncated Tag Length...", EXPFILL }},
+ { &ei_fb_zero_tag_unknown, { "fb_zero.tag.unknown.data", PI_UNDECODED, PI_NOTE, "Unknown Data", EXPFILL }},
++ { &ei_fb_zero_length_invalid, { "fb_zero.length.invalid", PI_PROTOCOL, PI_WARN, "Invalid length", EXPFILL }},
+ };
+
+ expert_module_t *expert_fb_zero;
+--
+GitLab
+
diff --git a/wireshark.spec b/wireshark.spec
index 8d9ed9e..0fec557 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -1,9 +1,9 @@
 Name: wireshark
 Version: 2.6.2
-Release: 16
+Release: 17
 Epoch: 1
 Summary: Network traffic analyzer
-License: GPL+ and GPL-2.0+ and GPL-3.0 and GPL-3.0+ and BSD
+License: GPL+ and GPL-2.0+ and GPL-3.0 and GPL-3.0+ and BSD and ISC
 URL: http://www.wireshark.org/
 Source0: https://wireshark.org/download/src/all-versions/%{name}-%{version}.tar.xz
 Source1: https://www.wireshark.org/download/src/all-versions/SIGNATURES-%{version}.txt
@@ -48,6 +48,7 @@ Patch6033: CVE-2020-28030.patch Patch6034: CVE-2020-9430-1.patch Patch6035: CVE-2020-9430-2.patch Patch6036: CVE-2019-16319.patch +Patch6037: CVE-2020-26575.patch Requires(pre): shadow-utils Requires(post): systemd-udev
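Review bot: The new guard at `end:` in packet-fbzero.c, `if (offset + total_tag_len <= offset)`, only proves forward progress if both operands are unsigned, and their declarations are outside the hunk, so the assumption should be written down at the check, e.g. `/* total_tag_len is derived from packet data: reject zero or wrapped totals so the caller's offset always advances (relies on unsigned arithmetic) */`. The fallback `return offset + tvb_reported_length_remaining(tvb, offset);` can presumably still return `offset` unchanged when nothing remains in the buffer, so whether the infinite loop this CVE fix targets is fully closed depends on the caller's loop condition, which is not visible here. The `break;` left after the first `goto end;` is now unreachable and can be dropped, and the open question in `// XXX Return instead?` should be answered or explained in the comment rather than shipped as-is in a security backport. dissect_fb_zero_tag begins above the second inner hunk, so the types and the loop header could not be checked from this page.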
@@ -154,6 +155,9 @@ getent group usbmon >/dev/null || groupadd -r usbmon %{_mandir}/man?/* %changelog +* Mon Feb 08 2021 wangyue - 2.6.2-17 +- fix CVE-2020-26575 + * Thu Jan 14 2021 zhanghua - 2.6.2-16 - fix CVE-2019-16319 -- Gitee