From c9aff6baeb98ca4cc00016ad940615e8f903b51b Mon Sep 17 00:00:00 2001
From: wangxiao65 <287608437@qq.com>
Date: Thu, 25 Feb 2021 14:58:48 +0800
Subject: [PATCH] fix CVE-2019-13619 CVE-2019-19553 CVE-2020-9428 CVE-2020-9431
(cherry picked from commit 61b29152adc39617605836cbcfe4405906fabb41)
---
 CVE-2019-13619.patch | 33 +++++++
 CVE-2019-19553.patch | 197 ++++++++++++++++++++++++++++++++++++++++
 CVE-2020-9428-pre.patch | 108 ++++++++++++++++++++++
 CVE-2020-9428.patch | 34 +++++++
 CVE-2020-9431.patch | 82 +++++++++++++++++
 wireshark.spec | 10 +-
 6 files changed, 463 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-13619.patch
 create mode 100644 CVE-2019-19553.patch
 create mode 100644 CVE-2020-9428-pre.patch
 create mode 100644 CVE-2020-9428.patch
 create mode 100644 CVE-2020-9431.patch
diff --git a/CVE-2019-13619.patch b/CVE-2019-13619.patch
new file mode 100644
index 0000000..96b8deb
--- /dev/null
+++ b/CVE-2019-13619.patch
@@ -0,0 +1,33 @@
+From 7e90aed666e809c0db5de9d1816802a7dcea28d9 Mon Sep 17 00:00:00 2001
+From: Dario Lombardo
+Date: Mon, 24 Jun 2019 23:36:15 +0200
+Subject: [PATCH] asn1: don't increment a buffer beyond its end.
+
+Bug: 15870
+Change-Id: I04cbb822f0e77c8e0ac8513e3a5c13116920ca6e
+Reviewed-on: https://code.wireshark.org/review/33731
+Petri-Dish: Anders Broman
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Anders Broman
+(cherry picked from commit 45a3d0787f3c9f6f5fb5b53a8c29771b3f28e406)
+Reviewed-on: https://code.wireshark.org/review/33736
+Petri-Dish: Dario Lombardo
+Reviewed-by: Gerald Combs
+---
+ epan/asn1.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/epan/asn1.c b/epan/asn1.c
+index bf30529cc6..1faef845ee 100644
+--- a/epan/asn1.c
++++ b/epan/asn1.c
+@@ -234,6 +234,9 @@ double asn1_get_real(const guint8 *real_ptr, gint len) {
+ DISSECTOR_ASSERT_NOT_REACHED();
+ }
+
++ /* Ensure the buffer len and its content are coherent */
++ DISSECTOR_ASSERT(lenE < len - 1);
++
+ Eneg = (*p) & 0x80 ? TRUE : FALSE;
+ for (i = 0; i < lenE; i++) {
+ if(Eneg) {
diff --git a/CVE-2019-19553.patch b/CVE-2019-19553.patch
new file mode 100644
index 0000000..89f262e
--- /dev/null
+++ b/CVE-2019-19553.patch
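Review bot: `DISSECTOR_ASSERT(lenE < len - 1)` reports a malformed encoding as a dissector bug rather than as a malformed packet: DISSECTOR_ASSERT is meant for invariants of the dissector itself and a failure is shown as "Dissector bug", whereas an exponent length that does not fit in the octet count is input-controlled. Since asn1_get_real returns a double and cannot signal failure, throwing `THROW(ReportedBoundsError)` behind the same condition would classify such packets correctly; keep the assert only if every caller already guarantees the bound. The types are also worth confirming (both declarations are outside the hunk): if `lenE` is unsigned while `len` is gint, `len - 1` is converted to unsigned when `len == 0` and the comparison passes for any `lenE`, so a `len >= 2` precheck would be safer. asn1_get_real starts and ends outside this hunk.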
@@ -0,0 +1,197 @@ +From 34d2e0d5318d0a7e9889498c721639e5cbf4ce45 Mon Sep 17 00:00:00 2001 +From: Pascal Quantin +Date: Mon, 4 Nov 2019 15:08:22 +0100 +Subject: [PATCH] CMS: reset object_identifier_id after dissecting ContentInfo +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bug: 15961 +Change-Id: I3d6b3e96103b69f88fcb512da81fa20ff6a1c40e +Reviewed-on: https://code.wireshark.org/review/34960 +Petri-Dish: Pascal Quantin +Tested-by: Petri Dish Buildbot +Reviewed-by: Stig Bjørlykke +Reviewed-by: Roland Knall +(cherry picked from commit 23850a3342d64b9c9808f14c20bfea6d22b7dc08) +Conflicts: + epan/dissectors/packet-cms.c +Reviewed-on: https://code.wireshark.org/review/34975 +Reviewed-by: Pascal Quantin +--- + epan/dissectors/asn1/cms/cms.cnf | 1 + + .../dissectors/asn1/cms/packet-cms-template.c | 2 +- + epan/dissectors/packet-cms.c | 31 ++++++++++--------- + 3 files changed, 18 insertions(+), 16 deletions(-) + +diff --git a/epan/dissectors/asn1/cms/cms.cnf b/epan/dissectors/asn1/cms/cms.cnf +index 06ff8d239f..4384fd0ae7 100644 +--- a/epan/dissectors/asn1/cms/cms.cnf ++++ b/epan/dissectors/asn1/cms/cms.cnf +@@ -97,6 +97,7 @@ FirmwarePackageLoadError/version fwErrorVersion + top_tree = tree; + %(DEFAULT_BODY)s + content_tvb = NULL; ++ object_identifier_id = NULL; + top_tree = NULL; + + #.FN_PARS ContentType +diff --git a/epan/dissectors/asn1/cms/packet-cms-template.c b/epan/dissectors/asn1/cms/packet-cms-template.c +index b03c96421b..199353cd85 100644 +--- a/epan/dissectors/asn1/cms/packet-cms-template.c ++++ b/epan/dissectors/asn1/cms/packet-cms-template.c +@@ -43,7 +43,7 @@ static int hf_cms_ci_contentType = -1; + static int dissect_cms_OCTET_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) ; /* XXX kill a compiler warning until asn2wrs stops generating these silly wrappers */ + + +-static const char *object_identifier_id; ++static const char 
*object_identifier_id = NULL; + static tvbuff_t *content_tvb = NULL; + + static proto_tree *top_tree=NULL; +diff --git a/epan/dissectors/packet-cms.c b/epan/dissectors/packet-cms.c +index c62c92be44..592af2dad0 100644 +--- a/epan/dissectors/packet-cms.c ++++ b/epan/dissectors/packet-cms.c +@@ -309,7 +309,7 @@ static gint ett_cms_FirmwarePackageMessageDigest = -1; + static int dissect_cms_OCTET_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) ; /* XXX kill a compiler warning until asn2wrs stops generating these silly wrappers */ + + +-static const char *object_identifier_id; ++static const char *object_identifier_id = NULL; + static tvbuff_t *content_tvb = NULL; + + static proto_tree *top_tree=NULL; +@@ -371,7 +371,7 @@ cms_verify_msg_digest(proto_item *pi, tvbuff_t *content, const char *alg, tvbuff + + int + dissect_cms_ContentType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 106 "./asn1/cms/cms.cnf" ++#line 107 "./asn1/cms/cms.cnf" + const char *name = NULL; + + offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_index, &object_identifier_id); +@@ -391,7 +391,7 @@ dissect_cms_ContentType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset + + static int + dissect_cms_T_content(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 116 "./asn1/cms/cms.cnf" ++#line 117 "./asn1/cms/cms.cnf" + offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); + + +@@ -415,6 +415,7 @@ dissect_cms_ContentInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset + ContentInfo_sequence, hf_index, ett_cms_ContentInfo); + + content_tvb = NULL; ++ object_identifier_id = NULL; + top_tree = NULL; + + +@@ -468,7 +469,7 @@ dissect_cms_DigestAlgorithmIdentifiers(gboolean implicit_tag 
_U_, tvbuff_t *tvb + + static int + dissect_cms_T_eContent(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 120 "./asn1/cms/cms.cnf" ++#line 121 "./asn1/cms/cms.cnf" + + offset = dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &content_tvb); + +@@ -502,7 +503,7 @@ dissect_cms_EncapsulatedContentInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_ + + static int + dissect_cms_T_attrType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 150 "./asn1/cms/cms.cnf" ++#line 151 "./asn1/cms/cms.cnf" + const char *name = NULL; + + offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_cms_attrType, &object_identifier_id); +@@ -522,7 +523,7 @@ dissect_cms_T_attrType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset + + static int + dissect_cms_AttributeValue(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 160 "./asn1/cms/cms.cnf" ++#line 161 "./asn1/cms/cms.cnf" + + offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); + +@@ -784,7 +785,7 @@ dissect_cms_T_otherRevInfoFormat(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, i + + static int + dissect_cms_T_otherRevInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 144 "./asn1/cms/cms.cnf" ++#line 145 "./asn1/cms/cms.cnf" + offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); + + +@@ -1121,7 +1122,7 @@ dissect_cms_T_keyAttrId(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset + + static int + dissect_cms_T_keyAttr(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 139 
"./asn1/cms/cms.cnf" ++#line 140 "./asn1/cms/cms.cnf" + offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); + + +@@ -1309,7 +1310,7 @@ dissect_cms_T_oriType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _ + + static int + dissect_cms_T_oriValue(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 133 "./asn1/cms/cms.cnf" ++#line 134 "./asn1/cms/cms.cnf" + offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); + + +@@ -1386,14 +1387,14 @@ dissect_cms_ContentEncryptionAlgorithmIdentifier(gboolean implicit_tag _U_, tvbu + + static int + dissect_cms_EncryptedContent(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 210 "./asn1/cms/cms.cnf" ++#line 211 "./asn1/cms/cms.cnf" + tvbuff_t *encrypted_tvb; + proto_item *item; + + offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, + &encrypted_tvb); + +-#line 215 "./asn1/cms/cms.cnf" ++#line 216 "./asn1/cms/cms.cnf" + + item = actx->created_item; + +@@ -1551,7 +1552,7 @@ dissect_cms_AuthenticatedData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int + + static int + dissect_cms_MessageDigest(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 164 "./asn1/cms/cms.cnf" ++#line 165 "./asn1/cms/cms.cnf" + proto_item *pi; + int old_offset = offset; + +@@ -1626,7 +1627,7 @@ dissect_cms_Countersignature(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int o + + static int + dissect_cms_RC2ParameterVersion(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 200 "./asn1/cms/cms.cnf" ++#line 201 "./asn1/cms/cms.cnf" + guint32 length = 0; + + offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, 
offset, hf_index, +@@ -1694,7 +1695,7 @@ dissect_cms_DigestInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset + + static int + dissect_cms_T_capability(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 182 "./asn1/cms/cms.cnf" ++#line 183 "./asn1/cms/cms.cnf" + const char *name = NULL; + + offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_cms_attrType, &object_identifier_id); +@@ -1715,7 +1716,7 @@ dissect_cms_T_capability(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offse + + static int + dissect_cms_T_parameters(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 193 "./asn1/cms/cms.cnf" ++#line 194 "./asn1/cms/cms.cnf" + + offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); + diff --git a/CVE-2020-9428-pre.patch b/CVE-2020-9428-pre.patch new file mode 100644 index 0000000..19459e9 --- /dev/null +++ b/CVE-2020-9428-pre.patch 
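Review bot: The fix clears `object_identifier_id` only at the end of `dissect_cms_ContentInfo`, so the file-static still carries a pointer across packets for every other path that sets it (`dissect_cms_ContentType`, `dissect_cms_T_attrType`, `dissect_cms_T_capability`) and consumes it through `call_ber_oid_callback`; if dissection throws between a setter and its consumer, the next packet that reaches a consumer without a fresh setter reads the previous packet's string, which is presumably packet-scoped given the bug this patch addresses. A more robust shape is to reset it on entry as well — `object_identifier_id = NULL;` at the top of `dissect_cms_ContentInfo` and at the OID-registered entry points outside this hunk — or to carry the OID in `actx->private_data` instead of a static. At minimum the declaration deserves a comment such as `/* OID of the element being dissected; points at packet-scoped storage and must not survive the packet. */`. Since every consumer may now observe NULL, the commit message should state that call_ber_oid_callback tolerates a NULL oid.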
@@ -0,0 +1,108 @@ +From 71cf784bfc5435cd7e1531d9ef7dce462274e9ad Mon Sep 17 00:00:00 2001 +From: Dario Lombardo +Date: Thu, 11 Oct 2018 14:20:22 +0200 +Subject: [PATCH] eap: don't dissect the identity as IMSI unless that's the + case. + +The identity in SIM/AKA/AKA' is IMSI (permanent identity) in some cases only. +Others contain a pseudonym or a fast reauthentication username. Dissect the +formers as flat usernames. + +Bug: 15196 +Change-Id: Ia4491431b6ff557a248271b743c1e37c4e6c0b24 +Reviewed-on: https://code.wireshark.org/review/30129 +Petri-Dish: Dario Lombardo +Tested-by: Dario Lombardo +Tested-by: Petri Dish Buildbot +Reviewed-by: Peter Wu +Reviewed-on: https://code.wireshark.org/review/30130 +Reviewed-by: Dario Lombardo +--- + epan/dissectors/packet-eap.c | 37 ++++++++++++++++++++++++++++++++++-- + 1 file changed, 35 insertions(+), 2 deletions(-) + +diff --git a/epan/dissectors/packet-eap.c b/epan/dissectors/packet-eap.c +index b1f10b8150..a4b1527957 100644 +--- a/epan/dissectors/packet-eap.c ++++ b/epan/dissectors/packet-eap.c +@@ -36,6 +36,8 @@ static int hf_eap_type = -1; + static int hf_eap_type_nak = -1; + + static int hf_eap_identity = -1; ++static int hf_eap_identity_pseudo = -1; ++static int hf_eap_identity_reauth = -1; + static int hf_eap_identity_actual_len = -1; + static int hf_eap_identity_wlan_prefix = -1; + static int hf_eap_identity_wlan_mcc = -1; +@@ -94,6 +96,7 @@ static expert_field ei_eap_ms_chap_v2_length = EI_INIT; + static expert_field ei_eap_mitm_attacks = EI_INIT; + static expert_field ei_eap_md5_value_size_overflow = EI_INIT; + static expert_field ei_eap_dictionary_attacks = EI_INIT; ++static expert_field ei_eap_identity_invalid = EI_INIT; + + static dissector_handle_t eap_handle; + +@@ -543,6 +546,7 @@ dissect_eap_identity_wlan(tvbuff_t *tvb, packet_info* pinfo, proto_tree* tree, i + guint ntokens = 0; + gboolean ret = TRUE; + int hf_eap_identity_wlan_mcc_mnc; ++ proto_item* item; + + identity = 
tvb_get_string_enc(wmem_packet_scope(), tvb, offset, size, ENC_ASCII); + +@@ -566,10 +570,28 @@ dissect_eap_identity_wlan(tvbuff_t *tvb, packet_info* pinfo, proto_tree* tree, i + /* Go on with the dissection */ + eap_identity_tree = proto_item_add_subtree(tree, ett_identity); + eap_identity_prefix = tokens[0][0]; +- proto_tree_add_uint(eap_identity_tree, hf_eap_identity_wlan_prefix, ++ item = proto_tree_add_uint(eap_identity_tree, hf_eap_identity_wlan_prefix, + tvb, offset, 1, eap_identity_prefix); + +- dissect_e212_utf8_imsi(tvb, pinfo, eap_identity_tree, offset + 1, (guint)strlen(tokens[0]) - 1); ++ switch(eap_identity_prefix) { ++ case '0': ++ case '1': ++ case '6': ++ dissect_e212_utf8_imsi(tvb, pinfo, eap_identity_tree, offset + 1, (guint)strlen(tokens[0]) - 1); ++ break; ++ case '2': ++ case '3': ++ case '7': ++ proto_tree_add_item(eap_identity_tree, hf_eap_identity_pseudo, tvb, offset + 1, (guint)strlen(tokens[0]) - 1, ENC_ASCII|ENC_NA); ++ break; ++ case '4': ++ case '5': ++ case '8': ++ proto_tree_add_item(eap_identity_tree, hf_eap_identity_reauth, tvb, offset + 1, (guint)strlen(tokens[0]) - 1, ENC_ASCII|ENC_NA); ++ break; ++ default: ++ expert_add_info(pinfo, item, &ei_eap_identity_invalid); ++ } + + /* guess if we have a 3 bytes mnc by comparing the first bytes with the imsi */ + if (!sscanf(tokens[2] + 3, "%u", &mnc) || !sscanf(tokens[3] + 3, "%u", &mcc)) { +@@ -1339,6 +1361,16 @@ proto_register_eap(void) + FT_STRING, BASE_NONE, NULL, 0x0, + NULL, HFILL }}, + ++ { &hf_eap_identity_pseudo, { ++ "Identity (Pseudonym)", "eap.identity", ++ FT_STRING, BASE_NONE, NULL, 0x0, ++ NULL, HFILL }}, ++ ++ { &hf_eap_identity_reauth, { ++ "Identity (Reauth)", "eap.identity", ++ FT_STRING, BASE_NONE, NULL, 0x0, ++ NULL, HFILL }}, ++ + { &hf_eap_identity_wlan_prefix, { + "WLAN Identity Prefix", "eap.identity.wlan.prefix", + FT_CHAR, BASE_HEX, VALS(eap_identity_wlan_prefix_vals), 0x0, +@@ -1664,6 +1696,7 @@ proto_register_eap(void) + { &ei_eap_dictionary_attacks, { 
"eap.dictionary_attacks", PI_SECURITY, PI_WARN, + "Vulnerable to dictionary attacks. If possible, change EAP type." + " See http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/2331_pp.pdf", EXPFILL }}, ++ { &ei_eap_identity_invalid, { "eap.identity.invalid", PI_PROTOCOL, PI_WARN, "Invalid identity code", EXPFILL }} + }; + + expert_module_t* expert_eap; diff --git a/CVE-2020-9428.patch b/CVE-2020-9428.patch new file mode 100644 index 0000000..14960ce --- /dev/null +++ b/CVE-2020-9428.patch @@ -0,0 +1,34 @@ +From 9fe2de783dbcbe74144678d60a4e3923367044b2 Mon Sep 17 00:00:00 2001 +From: Gerald Combs +Date: Fri, 21 Feb 2020 10:19:35 -0800 +Subject: [PATCH] EAP: Remove a couple of string length assumptions. + +Don't assume our MNC and MCC string lengths are > 3. + +Bug: 16397 +Change-Id: I0759dcb9d0c5f078cf3a98e9323d9cb741e15dd4 +Reviewed-on: https://code.wireshark.org/review/36146 +Reviewed-by: Gerald Combs +Petri-Dish: Gerald Combs +Tested-by: Petri Dish Buildbot +Reviewed-by: Anders Broman +(cherry picked from commit 8bda8642dfc8c9a870c6a48771566012353cc898) +Reviewed-on: https://code.wireshark.org/review/36173 +--- + epan/dissectors/packet-eap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-eap.c b/epan/dissectors/packet-eap.c +index a4b1527957..c3fc33fb07 100644 +--- a/epan/dissectors/packet-eap.c ++++ b/epan/dissectors/packet-eap.c +@@ -594,7 +594,8 @@ dissect_eap_identity_wlan(tvbuff_t *tvb, packet_info* pinfo, proto_tree* tree, i + } + + /* guess if we have a 3 bytes mnc by comparing the first bytes with the imsi */ +- if (!sscanf(tokens[2] + 3, "%u", &mnc) || !sscanf(tokens[3] + 3, "%u", &mcc)) { ++ /* XXX Should we force matches on "mnc" and "mmc"? */ ++ if (!sscanf(tokens[2], "%*3c%u", &mnc) || !sscanf(tokens[3], "%*3c%u", &mcc)) { + ret = FALSE; + goto end; + } diff --git a/CVE-2020-9431.patch b/CVE-2020-9431.patch new file mode 100644 index 0000000..5fa72eb --- /dev/null +++ b/CVE-2020-9431.patch 
@@ -0,0 +1,82 @@
+From 086003c9d616906e08bbeeab9c17b3aa4c6ff850 Mon Sep 17 00:00:00 2001
+From: Pascal Quantin
+Date: Wed, 22 Jan 2020 11:38:02 +0100
+Subject: [PATCH] LTE RRC: fix a memory leak in composite TVB handling
+
+Bug: 16341
+Change-Id: Ib6c020ea3df8b39a02f742f0684fca7db96f1fc3
+Reviewed-on: https://code.wireshark.org/review/35899
+Petri-Dish: Pascal Quantin
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Pascal Quantin
+(cherry picked from commit adeeb7f2da801303768ce96e2cacf6a703a69c6f)
+Conflicts:
+ epan/dissectors/packet-lte-rrc.c
+Reviewed-on: https://code.wireshark.org/review/35903
+---
+ epan/dissectors/asn1/lte-rrc/lte-rrc.cnf | 6 +++---
+ epan/dissectors/packet-lte-rrc.c | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/epan/dissectors/asn1/lte-rrc/lte-rrc.cnf b/epan/dissectors/asn1/lte-rrc/lte-rrc.cnf
+index 2a00468a0f..eb2b9d20dd 100644
+--- a/epan/dissectors/asn1/lte-rrc/lte-rrc.cnf
++++ b/epan/dissectors/asn1/lte-rrc/lte-rrc.cnf
+@@ -438,7 +438,7 @@ MasterInformationBlock/schedulingInfoSIB1-BR-r13 TYPE=FT_UINT32 DISPLAY=BASE_DEC
+ tvbuff_t *gsm_rlcmac_dl_tvb = tvb_new_composite();
+ guint8 *pd = (guint8 *) wmem_alloc(actx->pinfo->pool, 1);
+ pd[0] = 0x40;
+- tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_real_data(pd, 1, 1));
++ tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_child_real_data(tvb, pd, 1, 1));
+ tvb_composite_append(gsm_rlcmac_dl_tvb, target_rat_msg_cont_tvb);
+ tvb_composite_finalize(gsm_rlcmac_dl_tvb);
+ add_new_data_source(actx->pinfo, gsm_rlcmac_dl_tvb, "GPRS DL control block");
+@@ -506,7 +506,7 @@ MasterInformationBlock/schedulingInfoSIB1-BR-r13 TYPE=FT_UINT32 DISPLAY=BASE_DEC
+ tvbuff_t *si_tvb = tvb_new_composite();
+ guint8 *pd = (guint8 *) wmem_alloc(actx->pinfo->pool, 1);
+ pd[0] = 0x06;
+- tvb_composite_append(si_tvb, tvb_new_real_data(pd, 1, 1));
++ tvb_composite_append(si_tvb, tvb_new_child_real_data(tvb, pd, 1, 1));
+ tvb_composite_append(si_tvb, sys_info_list_tvb);
+ tvb_composite_finalize(si_tvb);
+ add_new_data_source(actx->pinfo, si_tvb, "System Information");
+@@ -519,7 +519,7 @@ MasterInformationBlock/schedulingInfoSIB1-BR-r13 TYPE=FT_UINT32 DISPLAY=BASE_DEC
+ tvbuff_t *gsm_rlcmac_dl_tvb = tvb_new_composite();
+ guint8 *pd = (guint8 *) wmem_alloc(actx->pinfo->pool, 1);
+ pd[0] = 0x40;
+- tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_real_data(pd, 1, 1));
++ tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_child_real_data(tvb, pd, 1, 1));
+ tvb_composite_append(gsm_rlcmac_dl_tvb, sys_info_list_tvb);
+ tvb_composite_finalize(gsm_rlcmac_dl_tvb);
+ add_new_data_source(actx->pinfo, gsm_rlcmac_dl_tvb, "GPRS DL control block");
+diff --git a/epan/dissectors/packet-lte-rrc.c b/epan/dissectors/packet-lte-rrc.c
+index 71ad21350d..6cef81e81f 100644
+--- a/epan/dissectors/packet-lte-rrc.c
++++ b/epan/dissectors/packet-lte-rrc.c
+@@ -52217,7 +52217,7 @@ dissect_lte_rrc_T_targetRAT_MessageContainer(tvbuff_t *tvb _U_, int offset _U_,
+ tvbuff_t *gsm_rlcmac_dl_tvb = tvb_new_composite();
+ guint8 *pd = (guint8 *) wmem_alloc(actx->pinfo->pool, 1);
+ pd[0] = 0x40;
+- tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_real_data(pd, 1, 1));
++ tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_child_real_data(tvb, pd, 1, 1));
+ tvb_composite_append(gsm_rlcmac_dl_tvb, target_rat_msg_cont_tvb);
+ tvb_composite_finalize(gsm_rlcmac_dl_tvb);
+ add_new_data_source(actx->pinfo, gsm_rlcmac_dl_tvb, "GPRS DL control block");
+@@ -52279,7 +52279,7 @@ dissect_lte_rrc_SystemInfoListGERAN_item(tvbuff_t *tvb _U_, int offset _U_, asn1
+ tvbuff_t *si_tvb = tvb_new_composite();
+ guint8 *pd = (guint8 *) wmem_alloc(actx->pinfo->pool, 1);
+ pd[0] = 0x06;
+- tvb_composite_append(si_tvb, tvb_new_real_data(pd, 1, 1));
++ tvb_composite_append(si_tvb, tvb_new_child_real_data(tvb, pd, 1, 1));
+ tvb_composite_append(si_tvb, sys_info_list_tvb);
+ tvb_composite_finalize(si_tvb);
+ add_new_data_source(actx->pinfo, si_tvb, "System Information");
+@@ -52292,7 +52292,7 @@ dissect_lte_rrc_SystemInfoListGERAN_item(tvbuff_t *tvb _U_, int offset _U_, asn1
+ tvbuff_t *gsm_rlcmac_dl_tvb = tvb_new_composite();
+ guint8 *pd = (guint8 *) wmem_alloc(actx->pinfo->pool, 1);
+ pd[0] = 0x40;
+- tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_real_data(pd, 1, 1));
++ tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_child_real_data(tvb, pd, 1, 1));
+ tvb_composite_append(gsm_rlcmac_dl_tvb, sys_info_list_tvb);
+ tvb_composite_finalize(gsm_rlcmac_dl_tvb);
+ add_new_data_source(actx->pinfo, gsm_rlcmac_dl_tvb, "GPRS DL control block");
diff --git a/wireshark.spec b/wireshark.spec
index 09db6a9..d7111e4 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -49,6 +49,11 @@ Patch6034: CVE-2020-9430-1.patch
 Patch6035: CVE-2020-9430-2.patch
 Patch6036: CVE-2019-16319.patch
 Patch6037: CVE-2020-26575.patch
+Patch6038: CVE-2019-13619.patch
+Patch6039: CVE-2019-19553.patch
+Patch6040: CVE-2020-9428-pre.patch
+Patch6041: CVE-2020-9428.patch
+Patch6042: CVE-2020-9431.patch
 
 Requires: %{name}-help = %{epoch}:%{version}-%{release}
 Requires(pre): shadow-utils
@@ -156,7 +161,10 @@ getent group usbmon >/dev/null || groupadd -r usbmon
 %{_mandir}/man?/*
 
 %changelog
-* Mon Feb 08 2021 wangyue - 2.6.2-18
+* Thu Feb 25 2021 wangxiao - 2.6.2-18
+- Fix CVE-2019-13619 CVE-2019-19553 CVE-2020-9428 CVE-2020-9431
+
+* Mon Feb 08 2021 wangyue - 2.6.2-17
 - fix CVE-2020-26575
 
 * Thu Jan 14 2021 zhanghua - 2.6.2-17
-- Gitee
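Review bot: The same five-line composite construction is repeated three times in lte-rrc.cnf (and again, generated, in packet-lte-rrc.c), differing only in the prefix byte and the appended tvb, which is why the leak had to be fixed at each copy. A small helper in the hand-written part of the dissector (the template file, not in this patch) would keep the lifetime rule — chain the one-byte real-data tvb to the packet's tvb so it is released with it — in one place, and each site would reduce to a single call; sketch below. The composite's own release is not visible here: it is handed to `add_new_data_source` and not freed locally, so the commit message should state that data sources own their tvb. The functions around each hunk start and end outside the hunks.
```c
/* Prepend one byte to `body` as a composite TVB. The byte's real-data TVB is
 * chained to `parent` so it is released together with the packet's TVB chain. */
static tvbuff_t *
lte_rrc_prepend_byte(tvbuff_t *parent, packet_info *pinfo, guint8 prefix, tvbuff_t *body)
{
  tvbuff_t *comp = tvb_new_composite();
  guint8 *pd = (guint8 *) wmem_alloc(pinfo->pool, 1);
  pd[0] = prefix;
  tvb_composite_append(comp, tvb_new_child_real_data(parent, pd, 1, 1));
  tvb_composite_append(comp, body);
  tvb_composite_finalize(comp);
  return comp;
}
/* … each call site then becomes, e.g.: … */
tvbuff_t *gsm_rlcmac_dl_tvb = lte_rrc_prepend_byte(tvb, actx->pinfo, 0x40, target_rat_msg_cont_tvb);
add_new_data_source(actx->pinfo, gsm_rlcmac_dl_tvb, "GPRS DL control block");
```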
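Review bot: The hunk declares `Patch6038` through `Patch6042` but nothing visible applies them; unless `%prep` (outside the hunk) uses `%autosetup` or `%autopatch`, matching `%patch6038 -p1` … `%patch6042 -p1` lines are required, otherwise the five CVE fixes ship in the SRPM and are never built in — and `CVE-2020-9428-pre.patch` must be applied before `CVE-2020-9428.patch`, whose `index a4b1527957..` line expects the -pre result. The `%changelog` hunk also rewrites the previous entry from 2.6.2-18 to 2.6.2-17, so two entries now claim 2.6.2-17 and the new top entry reuses 2.6.2-18 while no `Release:` change appears in this diff; if the previous build really was -18 the new one needs -19 with the history left intact, and rpmlint's incoherent-version-in-changelog check would flag a top entry that does not match `%{version}-%{release}`.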