From 629b09a183db4d40d181e3fc7a6999cd8ebe18a9 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Fri, 1 Apr 2022 15:43:52 +0800
Subject: [PATCH] Fix CVE-2021-22191 CVE-2021-22207 CVE-2021-4181 CVE-2021-4185
---
 CVE-2021-22191.patch | 82 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2021-22207.patch | 70 +++++++++++++++++++++++++++++++++++++
 CVE-2021-4181.patch | 27 +++++++++++++++
 CVE-2021-4185.patch | 45 ++++++++++++++++++++++++
 wireshark.spec | 13 ++++++-
 5 files changed, 236 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-22191.patch
 create mode 100644 CVE-2021-22207.patch
 create mode 100644 CVE-2021-4181.patch
 create mode 100644 CVE-2021-4185.patch
diff --git a/CVE-2021-22191.patch b/CVE-2021-22191.patch
new file mode 100644
index 0000000..2e821ce
--- /dev/null
+++ b/CVE-2021-22191.patch
@@ -0,0 +1,82 @@
+From: Markus Koschany
+Date: Thu, 24 Mar 2022 14:03:00 +0100
+Subject: CVE-2021-22191
+
+Origin: https://gitlab.com/wireshark/wireshark/-/commit/0f638a240ceefb467025b7aa28acb56045381034
+---
+ epan/wslua/wslua_gui.c | 24 ++++++++++++++++++++++--
+ ui/qt/proto_tree.cpp | 5 ++++-
+ 2 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/epan/wslua/wslua_gui.c b/epan/wslua/wslua_gui.c
+index e93618f..b7eef3f 100644
+--- a/epan/wslua/wslua_gui.c
++++ b/epan/wslua/wslua_gui.c
+@@ -854,7 +854,16 @@ WSLUA_FUNCTION wslua_reload_lua_plugins(lua_State* L) { /* Reload all Lua plugin
+ }
+
+
+-WSLUA_FUNCTION wslua_browser_open_url(lua_State* L) { /* Open an url in a browser. */
++WSLUA_FUNCTION wslua_browser_open_url(lua_State* L) { /*
++ Opens an URL in a web browser. Requires a GUI.
++
++ [WARNING]
++ ====
++ Do not pass an untrusted URL to this function.
++
++ It will be passed to the system's URL handler, which might execute malicious code, switch on your Bluetooth-connected foghorn, or any of a number of unexpected or harmful things.
++ ====
++ */
+ #define WSLUA_ARG_browser_open_url_URL 1 /* The url. */
+ const char* url = luaL_checkstring(L,WSLUA_ARG_browser_open_url_URL);
+
+@@ -868,7 +877,18 @@ WSLUA_FUNCTION wslua_browser_open_url(lua_State* L) { /* Open an url in a browse
+ return 0;
+ }
+
+-WSLUA_FUNCTION wslua_browser_open_data_file(lua_State* L) { /* Open a file in a browser. */
++WSLUA_FUNCTION wslua_browser_open_data_file(lua_State* L) { /*
++ Open a file located in the data directory (specified in the Wireshark preferences) in the web browser.
++ If the file does not exist, the function silently ignores the request.
++ Requires a GUI.
++
++ [WARNING]
++ ====
++ Do not pass an untrusted URL to this function.
++
++ It will be passed to the system's URL handler, which might execute malicious code, switch on your Bluetooth-connected foghorn, or any of a number of unexpected or harmful things.
++ ====
++ */
+ #define WSLUA_ARG_browser_open_data_file_FILENAME 1 /* The file name. */
+ const char* file = luaL_checkstring(L,WSLUA_ARG_browser_open_data_file_FILENAME);
+
+diff --git a/ui/qt/proto_tree.cpp b/ui/qt/proto_tree.cpp
+index 0525cf2..15f4c08 100644
+--- a/ui/qt/proto_tree.cpp
++++ b/ui/qt/proto_tree.cpp
+@@ -18,6 +18,8 @@
+ #include
+ #include
+ #include
++#include "wireshark_application.h"
++
+
+ #include
+ #include
+@@ -27,6 +29,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #if QT_VERSION >= QT_VERSION_CHECK(5, 0, 0)
+ #include
+@@ -430,7 +433,7 @@ void ProtoTree::itemDoubleClicked(const QModelIndex &index) {
+ } else {
+ QString url = finfo.url();
+ if (!url.isEmpty()) {
+- QDesktopServices::openUrl(QUrl(url));
++ QApplication::clipboard()->setText(url);
+ }
+ }
+ }
diff --git a/CVE-2021-22207.patch b/CVE-2021-22207.patch
new file mode 100644
index 0000000..fbb48a0
--- /dev/null
+++ b/CVE-2021-22207.patch
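Review bot: In the proto_tree.cpp hunk the only new call is `QApplication::clipboard()->setText(url);`, yet the same patch adds `#include "wireshark_application.h"`, which nothing in the visible change uses; the upstream commit presumably also pushed a status-bar notice through wsApp so the user learns that a double-click now copies instead of opening, and that appears to have been dropped from this backport (the bare `#include` lines in the @@ -18 and @@ -27 hunks look like extraction damage in this rendering, not the patch). A silent clipboard write is a surprising behaviour change, so either drop the unused include or add something like `wsApp->pushStatus(WiresharkApplication::TemporaryStatus, tr("Copied %1").arg(url));` after the setText line, checking that this 2.6 API matches. On the Lua side the change is documentation only: `wslua_browser_open_url` still hands whatever string a plugin passes to the system URL handler, so this is a warning to plugin authors rather than a mitigation, and CVE-2021-22191 should be tracked as only partially addressed for scripts. The bodies of both Lua functions continue past the hunk.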
@@ -0,0 +1,70 @@
+From b7a0650e061b5418ab4a8f72c6e4b00317aff623 Mon Sep 17 00:00:00 2001
+From: Gerald Combs
+Date: Mon, 19 Apr 2021 10:39:01 -0700
+Subject: [PATCH] MS-WSP: Don't allocate huge amounts of memory.
+
+Add a couple of memory allocation sanity checks, one of which
+fixes #17331.
+---
+ epan/dissectors/packet-mswsp.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/epan/dissectors/packet-mswsp.c b/epan/dissectors/packet-mswsp.c
+index 37ad06c2b2..38bcefd072 100644
+--- a/epan/dissectors/packet-mswsp.c
++++ b/epan/dissectors/packet-mswsp.c
+@@ -313,8 +313,10 @@ struct CTableColumn {
+ guint16 lengthoffset;
+ char name[PROP_LENGTH];
+ };
+-/* minimum size in bytes on the wire CTableColumn can be */
++/* Minimum size in bytes on the wire CTableColumn can be */
+ #define MIN_CTABLECOL_SIZE 32
++/* Maximum sane size in bytes on the wire CTableColumn can be. Arbitrary. */
++#define MAX_CTABLECOL_SIZE 5000
+
+ /* 2.2.3.10 */
+
+@@ -3973,6 +3975,8 @@ static int vvalue_tvb_lpwstr(tvbuff_t *tvb, int offset, void *val)
+ return 4 + vvalue_tvb_lpwstr_len(tvb, offset + 4, 0, val);
+ }
+
++/* Maximum sane vector size. Arbitrary. */
++#define MAX_VT_VECTOR_SIZE 5000
+ static int vvalue_tvb_vector_internal(tvbuff_t *tvb, int offset, struct vt_vector *val, struct vtype_data *type, guint num)
+ {
+ const int offset_in = offset;
+@@ -3987,18 +3991,14 @@ static int vvalue_tvb_vector_internal(tvbuff_t *tvb, int offset, struct vt_vecto
+ * here, before making a possibly-doomed attempt to allocate
+ * memory for it.
+ *
+- * First, check for an overflow.
++ * First, check for sane values.
+ */
+- if ((guint64)elsize * (guint64)num > G_MAXUINT) {
+- /*
+- * We never have more than G_MAXUINT bytes in a tvbuff,
+- * so this will *definitely* fail.
+- */
++ if (num > MAX_VT_VECTOR_SIZE) {
+ THROW(ReportedBoundsError);
+ }
+
+ /*
+- * No overflow; now make sure we at least have that data.
++ * No huge numbers from the wire; now make sure we at least have that data.
+ */
+ tvb_ensure_bytes_exist(tvb, offset, elsize * num);
+
+@@ -5859,7 +5859,7 @@ static int dissect_CPMSetBindings(tvbuff_t *tvb, packet_info *pinfo, proto_tree
+
+ /* Sanity check size value */
+ column_size = num*MIN_CTABLECOL_SIZE;
+- if (column_size > tvb_reported_length_remaining(tvb, offset))
++ if (num > MAX_CTABLECOL_SIZE || column_size > tvb_reported_length_remaining(tvb, offset))
+ {
+ expert_add_info(pinfo, ti, &ei_mswsp_msg_cpmsetbinding_ccolumns);
+ return tvb_reported_length(tvb);
+--
+GitLab
+
diff --git a/CVE-2021-4181.patch b/CVE-2021-4181.patch
new file mode 100644
index 0000000..69a88c7
--- /dev/null
+++ b/CVE-2021-4181.patch
@@ -0,0 +1,27 @@
+From: Markus Koschany
+Date: Thu, 24 Mar 2022 15:43:12 +0100
+Subject: CVE-2021-4181
+
+Origin: https://gitlab.com/wireshark/wireshark/-/commit/d2436f19a3babc61ed97aa635f6eb43bfc44cfda
+---
+ epan/dissectors/packet-sysdig-event.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/epan/dissectors/packet-sysdig-event.c b/epan/dissectors/packet-sysdig-event.c
+index ce88970..7dd127e 100644
+--- a/epan/dissectors/packet-sysdig-event.c
++++ b/epan/dissectors/packet-sysdig-event.c
+@@ -1864,6 +1864,13 @@ dissect_event_params(tvbuff_t *tvb, int offset, proto_tree *tree, int encoding,
+ param_offset = offset + dissect_header_lens(tvb, offset, tree, encoding, hf_indexes);
+
+ for (cur_param = 0; hf_indexes[cur_param]; cur_param++) {
++ if (!hf_indexes[cur_param]) {
++ // This happens when new params are added to existent events in sysdig,
++ // if the event is already mapped in wireshark with a lower number of params.
++ // hf_indexes array size would be < than event being dissected, leading to SIGSEGV.
++ break;
++ }
++
+ int param_len = tvb_get_guint16(tvb, len_offset, encoding);
+ const int hf_index = *hf_indexes[cur_param];
+ if (proto_registrar_get_ftype(hf_index) == FT_STRING) {
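Review bot: In the dissect_CPMSetBindings hunk `column_size = num*MIN_CTABLECOL_SIZE;` is still evaluated before the new `num > MAX_CTABLECOL_SIZE` test, so for a hostile num the multiplication runs first and only its result is discarded; whether that is a harmless unsigned wrap or signed overflow depends on how num and column_size are declared outside the hunk. Reordering removes the question: test `if (num > MAX_CTABLECOL_SIZE)` first, then compute `column_size = num*MIN_CTABLECOL_SIZE;` and compare it against the remaining length. The vector hunk replaces the `(guint64)elsize * (guint64)num > G_MAXUINT` overflow check with the 5000-element cap, which is only sufficient while elsize stays small, so a comment on MAX_VT_VECTOR_SIZE noting that the cap, not the product, is now the overflow guard would keep a later change to elsize from silently reintroducing the problem. Both functions start outside the hunk.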
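Review bot: The guard added inside the loop in dissect_event_params can never fire as backported: the loop condition on the context line, `for (cur_param = 0; hf_indexes[cur_param]; cur_param++)`, already exits on a NULL hf_indexes[cur_param], so `if (!hf_indexes[cur_param]) break;` is dead code. The comment describes an over-read of an hf_indexes array that is shorter than the event's parameter count; if the 2.6.2 per-event tables are NULL-terminated this loop was already safe, and if they are not, the read of `hf_indexes[cur_param]` in the loop condition is itself the out-of-bounds access and the new check does not prevent it. Before shipping this as the CVE-2021-4181 fix, compare the loop bound against the upstream commit (presumably count-based there) and either adapt the bound or record that 2.6.2 is not affected on this path. The function continues past the hunk.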
diff --git a/CVE-2021-4185.patch b/CVE-2021-4185.patch
new file mode 100644
index 0000000..3845597
--- /dev/null
+++ b/CVE-2021-4185.patch
@@ -0,0 +1,45 @@
+From: Markus Koschany
+Date: Thu, 24 Mar 2022 15:10:57 +0100
+Subject: CVE-2021-4185
+
+Origin: https://gitlab.com/wireshark/wireshark/-/commit/a0084bd76f45f9566bd94c49d7fb7571e0d4bdaa
+---
+ epan/dissectors/packet-rtmpt.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-rtmpt.c b/epan/dissectors/packet-rtmpt.c
+index f043cc7..555daad 100644
+--- a/epan/dissectors/packet-rtmpt.c
++++ b/epan/dissectors/packet-rtmpt.c
+@@ -1893,6 +1893,11 @@ dissect_rtmpt_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, rtmpt_
+
+ if (pinfo->fd->flags.visited) {
+ /* Already done the work, so just dump the existing state */
++ /* XXX: If there's bogus sequence numbers and the
++ * tcp.analyze_sequence_numbers pref is TRUE, we can't actually
++ * assume that we processed this frame the first time around,
++ * since the TCP dissector might not have given it to us.
++ */
+ wmem_stack_t *packets;
+
+ /* List all RTMP packets terminating in this TCP segment, from end to beginning */
+@@ -1901,10 +1906,18 @@ dissect_rtmpt_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, rtmpt_
+ wmem_stack_push(packets, 0);
+
+ tp = (rtmpt_packet_t *)wmem_tree_lookup32_le(rconv->packets[cdir], seq+remain-1);
+- while (tp && tp->lastseq >= seq) {
++ while (tp && GE_SEQ(tp->lastseq, seq)) {
++ /* Sequence numbers can wrap around (especially with
++ * tcp.relative_sequence_numbers FALSE), so use the
++ * wrap around aware comparison from packet-tcp.h
++ */
+ wmem_stack_push(packets, tp);
+ if (tp->seq == 0) {
+ // reached first segment.
++ /* XXX: Assuming tcp.relative_sequence_numbers
++ * is TRUE, that is, since on TCP we just
++ * reuse the sequence numbers from tcpinfo.
++ */
+ break;
+ }
+ tp = (rtmpt_packet_t *)wmem_tree_lookup32_le(rconv->packets[cdir], tp->seq-1);
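Review bot: The two XXX comments added in dissect_rtmpt_common record assumptions the code still relies on without checking them: on the visited pass the loop trusts that every rtmpt_packet_t reachable from `wmem_tree_lookup32_le(rconv->packets[cdir], seq+remain-1)` was built on the first pass, and that `tp->seq == 0` marks the first segment only when relative sequence numbers are in use. Switching to the wrap-aware `GE_SEQ(tp->lastseq, seq)` fixes the comparison but leaves those cases unhandled, so this is a partial mitigation and the packaging note should say which inputs (bogus sequence numbers with tcp.analyze_sequence_numbers on, or relative sequence numbers off) can still reach the old behaviour. GE_SEQ is defined in packet-tcp.h, so confirm the 2.6.2 packet-rtmpt.c includes that header; the build will fail loudly if not. The function begins outside the hunk.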
diff --git a/wireshark.spec b/wireshark.spec
index 07f7578..6d8d816 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -1,6 +1,6 @@
 Name: wireshark
 Version: 2.6.2
-Release: 20
+Release: 21
 Epoch: 1
 Summary: Network traffic analyzer
 License: GPL+ and GPL-2.0+ and GPL-3.0 and GPL-3.0+ and BSD and ISC
@@ -60,6 +60,14 @@ Patch6040: CVE-2020-9428-pre.patch
 Patch6041: CVE-2020-9428.patch
 Patch6042: CVE-2020-9431.patch
 Patch6043: CVE-2019-12295.patch
+#https://gitlab.com/wireshark/wireshark/-/commit/0f638a240ceefb467025b7aa28acb56045381034
+Patch6044: CVE-2021-22191.patch
+#https://gitlab.com/wireshark/wireshark/-/commit/b7a0650e061b5418ab4a8f72c6e4b00317aff623
+Patch6045: CVE-2021-22207.patch
+#https://gitlab.com/wireshark/wireshark/-/commit/d2436f19a3babc61ed97aa635f6eb43bfc44cfda
+Patch6046: CVE-2021-4181.patch
+#https://gitlab.com/wireshark/wireshark/-/commit/a0084bd76f45f9566bd94c49d7fb7571e0d4bdaa
+Patch6047: CVE-2021-4185.patch
 Requires(pre): shadow-utils
 Requires(post): systemd-udev
@@ -166,6 +174,9 @@ getent group usbmon >/dev/null || groupadd -r usbmon
 %{_mandir}/man?/*
 %changelog
+* Fri Apr 1 2022 yaoxin - 2.6.2-21
+- Fix CVE-2021-22191 CVE-2021-22207 CVE-2021-4181 CVE-2021-4185
+
 * Tue Jul 27 2021 wangyue - 2.6.2-20
 - fix CVE-2019-12295
--
Gitee
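Review bot: Patch6044 through Patch6047 are declared in the @@ -60 hunk, but the directive that applies them (%autosetup or explicit %patch lines in %prep) lies outside this diff, and the changelog entry asserts all four CVEs are fixed; verify the build log shows each of the four patches applied, since a declared-but-unapplied patch ships the vulnerable code under a release that claims otherwise. CVE-2021-22207.patch is the raw upstream commit rather than a rebase onto 2.6.2, so also check that %prep applies it without fuzz or offset warnings that could indicate a misplaced hunk. Given that the CVE-2021-22191 patch only documents the Lua API and changes the Qt double-click behaviour, the changelog line `- Fix CVE-2021-22191 ...` overstates it; `- Mitigate CVE-2021-22191 (Qt: copy URL to clipboard instead of opening it)` would be more accurate.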