From 88f6c9ebad3187dcb75a6932e4b3f994bdb953af Mon Sep 17 00:00:00 2001
From: gnaygnil
Date: Sun, 2 Feb 2020 22:35:58 +0800
Subject: [PATCH] wireshark: fix CVE-2019-5719
---
 CVE-2019-5719.patch | 92 +++++++++++++++++++++++++++++++++++++++++++++
 wireshark.spec | 9 ++++-
 2 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-5719.patch
diff --git a/CVE-2019-5719.patch b/CVE-2019-5719.patch
new file mode 100644
index 0000000..d35e2db
--- /dev/null
+++ b/CVE-2019-5719.patch
@@ -0,0 +1,92 @@
+From b5b02f2a9b8772d8814096f86c60a32889d61f2c Mon Sep 17 00:00:00 2001
+From: Jaap Keuter
+Date: Mon, 24 Dec 2018 23:15:26 +0100
+Subject: [PATCH] ISAKMP: Fix a crash when no decryption data block is there
+
+Don't try to (re)set parameters in a struct when its pointer
+points to NULL.
+
+Bug: 15374
+Change-Id: I953e82795990fde5fce2ad6d955781b372a9e405
+Signed-off-by: Jaap Keuter
+Reviewed-on: https://code.wireshark.org/review/31189
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Michael Mann
+(cherry picked from commit c9cfae7fecd4bc21b8b4f48328d08e104d47dd52)
+Reviewed-on: https://code.wireshark.org/review/31220
+Petri-Dish: Michael Mann
+---
+ epan/dissectors/packet-isakmp.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/epan/dissectors/packet-isakmp.c b/epan/dissectors/packet-isakmp.c
+index 8b9ba85db5..e134ca8632 100644
+--- a/epan/dissectors/packet-isakmp.c
++++ b/epan/dissectors/packet-isakmp.c
+@@ -3741,8 +3741,7 @@ dissect_resp_lifetime_ipsec_attribute(tvbuff_t *tvb, packet_info *pinfo, proto_t
+
+ /* Returns the number of bytes consumed by this attribute. */
+ static int
+-dissect_ike_attribute(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, decrypt_data_t *decr
+-)
++dissect_ike_attribute(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, decrypt_data_t *decr)
+ {
+ guint headerlen, value_len, attr_type;
+ proto_item *attr_item;
+@@ -3765,22 +3764,22 @@ dissect_ike_attribute(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int o
+ case IKE_ATTR_ENCRYPTION_ALGORITHM:
+ proto_tree_add_item(attr_tree, hf_isakmp_ike_attr_encryption_algorithm, tvb, offset, value_len, ENC_BIG_ENDIAN);
+ proto_item_append_text(attr_item, ": %s", val_to_str(tvb_get_ntohs(tvb, offset), ike_attr_enc_algo, "Unknown %d"));
+- decr->ike_encr_alg = tvb_get_ntohs(tvb, offset);
++ if (decr) decr->ike_encr_alg = tvb_get_ntohs(tvb, offset);
+ break;
+ case IKE_ATTR_HASH_ALGORITHM:
+ proto_tree_add_item(attr_tree, hf_isakmp_ike_attr_hash_algorithm, tvb, offset, value_len, ENC_BIG_ENDIAN);
+ proto_item_append_text(attr_item, ": %s", val_to_str(tvb_get_ntohs(tvb, offset), ike_attr_hash_algo, "Unknown %d"));
+- decr->ike_hash_alg = tvb_get_ntohs(tvb, offset);
++ if (decr) decr->ike_hash_alg = tvb_get_ntohs(tvb, offset);
+ break;
+ case IKE_ATTR_AUTHENTICATION_METHOD:
+ proto_tree_add_item(attr_tree, hf_isakmp_ike_attr_authentication_method, tvb, offset, value_len, ENC_BIG_ENDIAN);
+ proto_item_append_text(attr_item, ": %s", val_to_str(tvb_get_ntohs(tvb, offset), ike_attr_authmeth, "Unknown %d"));
+- decr->is_psk = tvb_get_ntohs(tvb, offset) == 0x01 ? TRUE : FALSE;
++ if (decr) decr->is_psk = tvb_get_ntohs(tvb, offset) == 0x01 ? TRUE : FALSE;
+ break;
+ case IKE_ATTR_GROUP_DESCRIPTION:
+ proto_tree_add_item(attr_tree, hf_isakmp_ike_attr_group_description, tvb, offset, value_len, ENC_BIG_ENDIAN);
+ proto_item_append_text(attr_item, ": %s", val_to_str(tvb_get_ntohs(tvb, offset), dh_group, "Unknown %d"));
+- decr->group = tvb_get_ntohs(tvb, offset);
++ if (decr) decr->group = tvb_get_ntohs(tvb, offset);
+ break;
+ case IKE_ATTR_GROUP_TYPE:
+ proto_tree_add_item(attr_tree, hf_isakmp_ike_attr_group_type, tvb, offset, value_len, ENC_BIG_ENDIAN);
+@@ -3814,7 +3813,7 @@ dissect_ike_attribute(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int o
+ case IKE_ATTR_KEY_LENGTH:
+ proto_tree_add_item(attr_tree, hf_isakmp_ike_attr_key_length, tvb, offset, value_len, ENC_BIG_ENDIAN);
+ proto_item_append_text(attr_item, ": %d", tvb_get_ntohs(tvb, offset));
+- decr->ike_encr_keylen = tvb_get_ntohs(tvb, offset);
++ if (decr) decr->ike_encr_keylen = tvb_get_ntohs(tvb, offset);
+ break;
+ case IKE_ATTR_FIELD_SIZE:
+ proto_tree_add_item(attr_tree, hf_isakmp_ike_attr_field_size, tvb, offset, value_len, ENC_NA);
+@@ -3950,12 +3949,14 @@ dissect_transform(tvbuff_t *tvb, packet_info *pinfo, int offset, int length, pro
+ offset += 2;
+
+ if (protocol_id == 1 && transform_id == 1) {
+- /* Allow detection of missing IKE transform attributes:
+- * Make sure their values are not carried over from another transform
+- * dissected previously. */
+- decr->ike_encr_alg = 0;
+- decr->ike_encr_keylen = 0;
+- decr->ike_hash_alg = 0;
++ if (decr) {
++ /* Allow detection of missing IKE transform attributes:
++ * Make sure their values are not carried over from another transform
++ * dissected previously. */
++ decr->ike_encr_alg = 0;
++ decr->ike_encr_keylen = 0;
++ decr->ike_hash_alg = 0;
++ }
+ while (offset < offset_end) {
+ offset += dissect_ike_attribute(tvb, pinfo, tree, offset, decr);
+ }
diff --git a/wireshark.spec b/wireshark.spec
index 89fc14f..a808550 100644
--- a/wireshark.spec
+++ b/wireshark.spec
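Review bot: The fact that `decr` may be NULL is now an unwritten contract, enforced only by five separate one-line guards in dissect_ike_attribute and one block in dissect_transform. Any later case that writes through `decr` without its own `if (decr)` would bring the NULL dereference back for captures that carry no decryption data block. I would record the contract in the function's header comment, for example `/* Returns the number of bytes consumed by this attribute. decr may be NULL when there is no decryption data block; guard every write through it. */`. Both function bodies continue outside the context shown in the embedded patch, so whether other unguarded uses of `decr` remain cannot be confirmed from here and is worth checking against the full packet-isakmp.c.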
@@ -1,6 +1,6 @@
 Name: wireshark
 Version: 2.6.2
-Release: 4
+Release: 5
 Epoch: 1
 Summary: Network traffic analyzer
 License: GPL+
@@ -33,6 +33,7 @@ Patch6018: CVE-2019-10899.patch
 Patch6019: CVE-2019-10901.patch
 Patch6020: CVE-2019-10903.patch
 Patch6021: CVE-2019-10895.patch
+Patch6022: CVE-2019-5719.patch
 Requires(pre): shadow-utils
 Requires(post): systemd-udev
@@ -139,6 +140,12 @@ getent group usbmon >/dev/null || groupadd -r usbmon
 %{_mandir}/man?/*
 %changelog
+* Sun Feb 2 2020 lingyang - 2.6.2-5
+- Type:cves
+- ID: CVE-2019-5719
+- SUG:restart
+- DESC: fix CVE-2019-5719
+
 * Wed Dec 25 2019 gulining - 2.6.2-4
 - Type:cves
 - ID: CVE-2019-10894 CVE-2019-10896 CVE-2019-10899 CVE-2019-10901 CVE-2019-10903 CVE-2019-10895
--
Gitee