From 629b09a183db4d40d181e3fc7a6999cd8ebe18a9 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Fri, 1 Apr 2022 15:43:52 +0800
Subject: [PATCH] Fix CVE-2021-22191 CVE-2021-22207 CVE-2021-4181 CVE-2021-4185

---
 CVE-2021-22191.patch | 82 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2021-22207.patch | 70 +++++++++++++++++++++++++++++++++++++
 CVE-2021-4181.patch  | 27 +++++++++++++++
 CVE-2021-4185.patch  | 45 ++++++++++++++++++++++++
 wireshark.spec       | 13 ++++++-
 5 files changed, 236 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-22191.patch
 create mode 100644 CVE-2021-22207.patch
 create mode 100644 CVE-2021-4181.patch
 create mode 100644 CVE-2021-4185.patch

diff --git a/CVE-2021-22191.patch b/CVE-2021-22191.patch
new file mode 100644
index 0000000..2e821ce
--- /dev/null
+++ b/CVE-2021-22191.patch
@@ -0,0 +1,82 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 24 Mar 2022 14:03:00 +0100
+Subject: CVE-2021-22191
+
+Origin: https://gitlab.com/wireshark/wireshark/-/commit/0f638a240ceefb467025b7aa28acb56045381034
+---
+ epan/wslua/wslua_gui.c | 24 ++++++++++++++++++++++--
+ ui/qt/proto_tree.cpp   |  5 ++++-
+ 2 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/epan/wslua/wslua_gui.c b/epan/wslua/wslua_gui.c
+index e93618f..b7eef3f 100644
+--- a/epan/wslua/wslua_gui.c
++++ b/epan/wslua/wslua_gui.c
+@@ -854,7 +854,16 @@ WSLUA_FUNCTION wslua_reload_lua_plugins(lua_State* L) { /* Reload all Lua plugin
+ }
+ 
+ 
+-WSLUA_FUNCTION wslua_browser_open_url(lua_State* L) { /* Open an url in a browser. */
++WSLUA_FUNCTION wslua_browser_open_url(lua_State* L) { /*
++    Opens an URL in a web browser. Requires a GUI.
++
++    [WARNING]
++    ====
++    Do not pass an untrusted URL to this function.
++
++    It will be passed to the system's URL handler, which might execute malicious code, switch on your Bluetooth-connected foghorn, or any of a number of unexpected or harmful things.
++    ====
++    */
+ #define WSLUA_ARG_browser_open_url_URL 1 /* The url. */
+     const char* url = luaL_checkstring(L,WSLUA_ARG_browser_open_url_URL);
+ 
+@@ -868,7 +877,18 @@ WSLUA_FUNCTION wslua_browser_open_url(lua_State* L) { /* Open an url in a browse
+     return 0;
+ }
+ 
+-WSLUA_FUNCTION wslua_browser_open_data_file(lua_State* L) { /* Open a file in a browser. */
++WSLUA_FUNCTION wslua_browser_open_data_file(lua_State* L) { /*
++    Open a file located in the data directory (specified in the Wireshark preferences) in the web browser.
++    If the file does not exist, the function silently ignores the request.
++    Requires a GUI.
++
++    [WARNING]
++    ====
++    Do not pass an untrusted URL to this function.
++
++    It will be passed to the system's URL handler, which might execute malicious code, switch on your Bluetooth-connected foghorn, or any of a number of unexpected or harmful things.
++    ====
++    */
+ #define WSLUA_ARG_browser_open_data_file_FILENAME 1 /* The file name. */
+     const char* file = luaL_checkstring(L,WSLUA_ARG_browser_open_data_file_FILENAME);
+ 
+diff --git a/ui/qt/proto_tree.cpp b/ui/qt/proto_tree.cpp
+index 0525cf2..15f4c08 100644
+--- a/ui/qt/proto_tree.cpp
++++ b/ui/qt/proto_tree.cpp
+@@ -18,6 +18,8 @@
+ #include <ui/qt/utils/variant_pointer.h>
+ #include <ui/qt/utils/wireshark_mime_data.h>
+ #include <ui/qt/widgets/drag_label.h>
++#include "wireshark_application.h"
++
+ 
+ #include <QApplication>
+ #include <QContextMenuEvent>
+@@ -27,6 +29,7 @@
+ #include <QScrollBar>
+ #include <QStack>
+ #include <QUrl>
++#include <QClipboard>
+ 
+ #if QT_VERSION >= QT_VERSION_CHECK(5, 0, 0)
+ #include <QWindow>
+@@ -430,7 +433,7 @@ void ProtoTree::itemDoubleClicked(const QModelIndex &index) {
+     } else {
+         QString url = finfo.url();
+         if (!url.isEmpty()) {
+-            QDesktopServices::openUrl(QUrl(url));
++            QApplication::clipboard()->setText(url);
+         }
+     }
+ }
diff --git a/CVE-2021-22207.patch b/CVE-2021-22207.patch
new file mode 100644
index 0000000..fbb48a0
--- /dev/null
+++ b/CVE-2021-22207.patch
@@ -0,0 +1,70 @@
+From b7a0650e061b5418ab4a8f72c6e4b00317aff623 Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Mon, 19 Apr 2021 10:39:01 -0700
+Subject: [PATCH] MS-WSP: Don't allocate huge amounts of memory.
+
+Add a couple of memory allocation sanity checks, one of which
+fixes #17331.
+---
+ epan/dissectors/packet-mswsp.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/epan/dissectors/packet-mswsp.c b/epan/dissectors/packet-mswsp.c
+index 37ad06c2b2..38bcefd072 100644
+--- a/epan/dissectors/packet-mswsp.c
++++ b/epan/dissectors/packet-mswsp.c
+@@ -313,8 +313,10 @@ struct CTableColumn {
+ 	guint16 lengthoffset;
+ 	char name[PROP_LENGTH];
+ };
+-/* minimum size in bytes on the wire CTableColumn can be */
++/* Minimum size in bytes on the wire CTableColumn can be */
+ #define MIN_CTABLECOL_SIZE 32
++/* Maximum sane size in bytes on the wire CTableColumn can be. Arbitrary. */
++#define MAX_CTABLECOL_SIZE 5000
+ 
+ /* 2.2.3.10 */
+ 
+@@ -3973,6 +3975,8 @@ static int vvalue_tvb_lpwstr(tvbuff_t *tvb, int offset, void *val)
+ 	return 4 + vvalue_tvb_lpwstr_len(tvb, offset + 4, 0, val);
+ }
+ 
++/* Maximum sane vector size. Arbitrary. */
++#define MAX_VT_VECTOR_SIZE 5000
+ static int vvalue_tvb_vector_internal(tvbuff_t *tvb, int offset, struct vt_vector *val, struct vtype_data *type, guint num)
+ {
+ 	const int offset_in = offset;
+@@ -3987,18 +3991,14 @@ static int vvalue_tvb_vector_internal(tvbuff_t *tvb, int offset, struct vt_vecto
+ 	 * here, before making a possibly-doomed attempt to allocate
+ 	 * memory for it.
+ 	 *
+-	 * First, check for an overflow.
++	 * First, check for sane values.
+ 	 */
+-	if ((guint64)elsize * (guint64)num > G_MAXUINT) {
+-		/*
+-		 * We never have more than G_MAXUINT bytes in a tvbuff,
+-		 * so this will *definitely* fail.
+-		 */
++	if (num > MAX_VT_VECTOR_SIZE) {
+ 		THROW(ReportedBoundsError);
+ 	}
+ 
+ 	/*
+-	 * No overflow; now make sure we at least have that data.
++	 * No huge numbers from the wire; now make sure we at least have that data.
+ 	 */
+ 	tvb_ensure_bytes_exist(tvb, offset, elsize * num);
+ 
+@@ -5859,7 +5859,7 @@ static int dissect_CPMSetBindings(tvbuff_t *tvb, packet_info *pinfo, proto_tree
+ 
+ 		/* Sanity check size value */
+ 		column_size = num*MIN_CTABLECOL_SIZE;
+-		if (column_size > tvb_reported_length_remaining(tvb, offset))
++		if (num > MAX_CTABLECOL_SIZE || column_size > tvb_reported_length_remaining(tvb, offset))
+ 		{
+ 			expert_add_info(pinfo, ti, &ei_mswsp_msg_cpmsetbinding_ccolumns);
+ 			return tvb_reported_length(tvb);
+-- 
+GitLab
+
diff --git a/CVE-2021-4181.patch b/CVE-2021-4181.patch
new file mode 100644
index 0000000..69a88c7
--- /dev/null
+++ b/CVE-2021-4181.patch
@@ -0,0 +1,27 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 24 Mar 2022 15:43:12 +0100
+Subject: CVE-2021-4181
+
+Origin: https://gitlab.com/wireshark/wireshark/-/commit/d2436f19a3babc61ed97aa635f6eb43bfc44cfda
+---
+ epan/dissectors/packet-sysdig-event.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/epan/dissectors/packet-sysdig-event.c b/epan/dissectors/packet-sysdig-event.c
+index ce88970..7dd127e 100644
+--- a/epan/dissectors/packet-sysdig-event.c
++++ b/epan/dissectors/packet-sysdig-event.c
+@@ -1864,6 +1864,13 @@ dissect_event_params(tvbuff_t *tvb, int offset, proto_tree *tree, int encoding,
+     param_offset = offset + dissect_header_lens(tvb, offset, tree, encoding, hf_indexes);
+ 
+     for (cur_param = 0; hf_indexes[cur_param]; cur_param++) {
++        if (!hf_indexes[cur_param]) {
++            // This happens when new params are added to existent events in sysdig,
++            // if the event is already mapped in wireshark with a lower number of params.
++            // hf_indexes array size would be < than event being dissected, leading to SIGSEGV.
++            break;
++        }
++
+         int param_len = tvb_get_guint16(tvb, len_offset, encoding);
+         const int hf_index = *hf_indexes[cur_param];
+         if (proto_registrar_get_ftype(hf_index) == FT_STRING) {
diff --git a/CVE-2021-4185.patch b/CVE-2021-4185.patch
new file mode 100644
index 0000000..3845597
--- /dev/null
+++ b/CVE-2021-4185.patch
@@ -0,0 +1,45 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 24 Mar 2022 15:10:57 +0100
+Subject: CVE-2021-4185
+
+Origin: https://gitlab.com/wireshark/wireshark/-/commit/a0084bd76f45f9566bd94c49d7fb7571e0d4bdaa
+---
+ epan/dissectors/packet-rtmpt.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-rtmpt.c b/epan/dissectors/packet-rtmpt.c
+index f043cc7..555daad 100644
+--- a/epan/dissectors/packet-rtmpt.c
++++ b/epan/dissectors/packet-rtmpt.c
+@@ -1893,6 +1893,11 @@ dissect_rtmpt_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, rtmpt_
+ 
+         if (pinfo->fd->flags.visited) {
+                 /* Already done the work, so just dump the existing state */
++                /* XXX: If there's bogus sequence numbers and the
++                 * tcp.analyze_sequence_numbers pref is TRUE, we can't actually
++                 * assume that we processed this frame the first time around,
++                 * since the TCP dissector might not have given it to us.
++                 */
+                 wmem_stack_t *packets;
+ 
+                 /* List all RTMP packets terminating in this TCP segment, from end to beginning */
+@@ -1901,10 +1906,18 @@ dissect_rtmpt_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, rtmpt_
+                 wmem_stack_push(packets, 0);
+ 
+                 tp = (rtmpt_packet_t *)wmem_tree_lookup32_le(rconv->packets[cdir], seq+remain-1);
+-                while (tp && tp->lastseq >= seq) {
++                while (tp && GE_SEQ(tp->lastseq, seq)) {
++                        /* Sequence numbers can wrap around (especially with
++                         * tcp.relative_sequence_numbers FALSE), so use the
++                         * wrap around aware comparison from packet-tcp.h
++                         */
+                         wmem_stack_push(packets, tp);
+                         if (tp->seq == 0) {
+                                 // reached first segment.
++                                /* XXX: Assuming tcp.relative_sequence_numbers
++                                 * is TRUE, that is, since on TCP we just
++                                 * reuse the sequence numbers from tcpinfo.
++                                 */
+                                 break;
+                         }
+                         tp = (rtmpt_packet_t *)wmem_tree_lookup32_le(rconv->packets[cdir], tp->seq-1);
diff --git a/wireshark.spec b/wireshark.spec
index 07f7578..6d8d816 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -1,6 +1,6 @@
 Name:           wireshark
 Version:        2.6.2
-Release:        20
+Release:        21
 Epoch:          1
 Summary:        Network traffic analyzer
 License:        GPL+ and GPL-2.0+ and GPL-3.0 and GPL-3.0+ and BSD and ISC
@@ -60,6 +60,14 @@ Patch6040:      CVE-2020-9428-pre.patch
 Patch6041:      CVE-2020-9428.patch
 Patch6042:      CVE-2020-9431.patch
 Patch6043:      CVE-2019-12295.patch
+#https://gitlab.com/wireshark/wireshark/-/commit/0f638a240ceefb467025b7aa28acb56045381034
+Patch6044:      CVE-2021-22191.patch
+#https://gitlab.com/wireshark/wireshark/-/commit/b7a0650e061b5418ab4a8f72c6e4b00317aff623
+Patch6045:      CVE-2021-22207.patch
+#https://gitlab.com/wireshark/wireshark/-/commit/d2436f19a3babc61ed97aa635f6eb43bfc44cfda
+Patch6046:      CVE-2021-4181.patch
+#https://gitlab.com/wireshark/wireshark/-/commit/a0084bd76f45f9566bd94c49d7fb7571e0d4bdaa
+Patch6047:      CVE-2021-4185.patch
 
 Requires(pre):  shadow-utils
 Requires(post): systemd-udev
@@ -166,6 +174,9 @@ getent group usbmon >/dev/null || groupadd -r usbmon
 %{_mandir}/man?/*
 
 %changelog
+* Fri Apr 1 2022 yaoxin <yaoxin30@huawei.com> - 2.6.2-21
+- Fix CVE-2021-22191 CVE-2021-22207 CVE-2021-4181 CVE-2021-4185
+
 * Tue Jul 27 2021 wangyue <wangyue92@huawei.com> - 2.6.2-20
 - fix CVE-2019-12295
 
-- 
Gitee