packages/wireshark
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!121 Fix CVE-2023-0668,CVE-2023-2855,CVE-2023-2856,CVE-2023-2857,CVE-2023-2858 and CVE-2023-2879

Browse Source 
From: @starlet-dx 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
This commit is contained in:
openeuler-ci-bot 2023-05-30 11:39:42 +00:00 committed by Gitee
commit 0b30e80d82
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
7 changed files with 561 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
CVE-2023-0668.patch Normal file
View File

@ -0,0 +1,32 @@
From c23343d2213c04b26a4810c0894ea2bb2cefec82 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sat, 20 May 2023 23:08:08 -0400
Subject: [PATCH] synphasor: Use val_to_str_const
Don't use a value from packet data to directly index a value_string,
particularly when the value string doesn't cover all possible values.
Fix #19087
(cherry picked from commit c4f37d77b29ec6a9754795d0efb6f68d633728d9)
---
epan/dissectors/packet-synphasor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-synphasor.c b/epan/dissectors/packet-synphasor.c
index 12b388b3667..fbde8756ef3 100644
--- a/epan/dissectors/packet-synphasor.c
+++ b/epan/dissectors/packet-synphasor.c
@@ -1212,7 +1212,7 @@ static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint c
data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4,
ett_conf_phflags, NULL, "Phasor Data flags: %s",
- conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr);
+ val_to_str_const(tvb_get_guint8(tvb, offset + 2), conf_phasor_type, "Unknown"));
/* first and second bytes - phasor modification flags*/
phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags,
--
GitLab

105
CVE-2023-2855.patch Normal file
View File

@ -0,0 +1,105 @@
From 9ce7445be0b38c4df824671ffe196177c2bd107e Mon Sep 17 00:00:00 2001
From: Guy Harris <gharris@sonic.net>
Date: Tue, 16 May 2023 12:05:07 -0700
Subject: [PATCH] candump: check for a too-long frame length.
If the frame length is longer than the maximum, report an error in the
file.
Fixes #19062, preventing the overflow on a buffer on the stack (assuming
your compiler doesn't call a bounds-checknig version of memcpy() if the
size of the target space is known).
(backported from commit 0181fafb2134a177328443a60b5e29c4ee1041cb)
---
wiretap/candump.c | 39 +++++++++++++++++++++++++++++++--------
1 file changed, 31 insertions(+), 8 deletions(-)
diff --git a/wiretap/candump.c b/wiretap/candump.c
index 28fda911072..f548cb0b6e6 100644
--- a/wiretap/candump.c
+++ b/wiretap/candump.c
@@ -34,8 +34,9 @@ void register_candump(void);
* This is written by the candump utility on Linux.
*/
-static void
-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+static gboolean
+candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err,
+ gchar **err_info)
{
static const char *can_proto_name = "can-hostendian";
static const char *canfd_proto_name = "canfd";
@@ -67,6 +68,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
{
canfd_frame_t canfd_frame = {0};
+ /*
+ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame.
+ */
+ if (msg->data.length > CANFD_MAX_DLEN) {
+ *err = WTAP_ERR_BAD_FILE;
+ if (err_info != NULL) {
+ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u",
+ msg->data.length, CANFD_MAX_DLEN);
+ }
+ return FALSE;
+ }
+
canfd_frame.can_id = msg->id;
canfd_frame.flags = msg->flags;
canfd_frame.len = msg->data.length;
@@ -78,6 +91,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
{
can_frame_t can_frame = {0};
+ /*
+ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame.
+ */
+ if (msg->data.length > CAN_MAX_DLEN) {
+ *err = WTAP_ERR_BAD_FILE;
+ if (err_info != NULL) {
+ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u",
+ msg->data.length, CAN_MAX_DLEN);
+ }
+ return FALSE;
+ }
+
can_frame.can_id = msg->id;
can_frame.can_dlc = msg->data.length;
memcpy(can_frame.data, msg->data.data, msg->data.length);
@@ -93,6 +118,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
rec->rec_header.packet_header.caplen = packet_length;
rec->rec_header.packet_header.len = packet_length;
+
+ return TRUE;
}
static gboolean
@@ -199,9 +226,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info,
candump_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh));
#endif
- candump_write_packet(rec, buf, &msg);
-
- return TRUE;
+ return candump_write_packet(rec, buf, &msg, err, err_info);
}
static gboolean
@@ -225,9 +250,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec,
if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info))
return FALSE;
- candump_write_packet(rec, buf, &msg);
-
- return TRUE;
+ return candump_write_packet(rec, buf, &msg, err, err_info);
}
static const struct supported_block_type candump_blocks_supported[] = {
--
GitLab

66
CVE-2023-2856.patch Normal file
View File

@ -0,0 +1,66 @@
From 1c264ced5701dd7ec22f425ee82c9e7abc45fe94 Mon Sep 17 00:00:00 2001
From: Guy Harris <gharris@sonic.net>
Date: Thu, 18 May 2023 15:03:23 -0700
Subject: [PATCH] vms: fix the search for the packet length field.
The packet length field is of the form
Total Length = DDD = ^xXXX
where "DDD" is the length in decimal and "XXX" is the length in
hexadecimal.
Search for "length ". not just "Length", as we skip past "Length ", not
just "Length", so if we assume we found "Length " but only found
"Length", we'd skip past the end of the string.
While we're at it, fail if we don't find a length field, rather than
just blithely acting as if the packet length were zero.
Fixes #19083.
(backported from commit db5135826de3a5fdb3618225c2ff02f4207012ca)
---
wiretap/vms.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/wiretap/vms.c b/wiretap/vms.c
index 600282e506c..7f82461570c 100644
--- a/wiretap/vms.c
+++ b/wiretap/vms.c
@@ -322,6 +322,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
{
char line[VMS_LINE_LENGTH + 1];
int num_items_scanned;
+ gboolean have_pkt_len = FALSE;
guint32 pkt_len = 0;
int pktnum;
int csec = 101;
@@ -378,7 +379,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
return FALSE;
}
}
- if ( (! pkt_len) && (p = strstr(line, "Length"))) {
+ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) {
p += sizeof("Length ");
while (*p && ! g_ascii_isdigit(*p))
p++;
@@ -394,9 +395,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
*err_info = g_strdup_printf("vms: Length field '%s' not valid", p);
return FALSE;
}
+ have_pkt_len = TRUE;
break;
}
} while (! isdumpline(line));
+ if (! have_pkt_len) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup_printf("vms: Length field not found");
+ return FALSE;
+ }
if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
/*
* Probably a corrupt capture file; return an error,
--
GitLab

219
CVE-2023-2857.patch Normal file
View File

@ -0,0 +1,219 @@
From 6c7199da0c84a966ac9b06cd7fbb6aa0ccff9acb Mon Sep 17 00:00:00 2001
From: Guy Harris <gharris@sonic.net>
Date: Tue, 16 May 2023 18:09:41 -0700
Subject: [PATCH] blf: add some sanity checks.
Have blf_pull_logcontainer_into_memory() return a libwiretap error code
and additional information string, including various values being
inconsistent.
(If any of those correspond to identifiable file problems, they should
be reported with WTAP_ERR_BAD_FILE and with a description more relevant
to somebody writing code to write those files.)
Fixes #19063.
(backported from commit c899be35a94440b6c46cf5715c5f24eda597f4c1)
---
wiretap/blf.c | 134 +++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 115 insertions(+), 19 deletions(-)
diff --git a/wiretap/blf.c b/wiretap/blf.c
index 92b7f55ed56..ed2ee5f7135 100644
--- a/wiretap/blf.c
+++ b/wiretap/blf.c
@@ -433,12 +433,18 @@ blf_find_logcontainer_for_address(blf_t *blf_data, gint64 pos, blf_log_container
}
static gboolean
-blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_container) {
+blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_container, int *err, gchar **err_info) {
blf_t *blf_data = params->blf_data;
blf_log_container_t tmp;
if (index_log_container >= blf_data->log_containers->len) {
- ws_debug("cannot pull an unknown log container into memory");
+ /*
+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
+ * malformed file (WTAP_ERR_BAD_FILE)?
+ */
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: index_log_container (%u) >= blf_data->log_containers->len (%u)",
+ index_log_container, blf_data->log_containers->len);
return FALSE;
}
@@ -450,20 +456,56 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe
if (tmp.compression_method == BLF_COMPRESSION_ZLIB) {
#ifdef HAVE_ZLIB
- int err = 0;
- gchar *err_info;
-
- file_seek(params->fh, tmp.infile_data_start, SEEK_SET, &err);
- if (err < 0) {
- ws_debug("cannot seek to start of log_container");
+ if (file_seek(params->fh, tmp.infile_data_start, SEEK_SET, err) == -1) {
return FALSE;
}
/* pull compressed data into buffer */
unsigned char *compressed_data = g_try_malloc0((gsize)tmp.infile_length);
- guint64 data_length = (unsigned int)tmp.infile_length - (tmp.infile_data_start - tmp.infile_start_pos);
- if (!wtap_read_bytes_or_eof(params->fh, compressed_data, (unsigned int)data_length, &err, &err_info)) {
- ws_debug("cannot read compressed data");
+ if (tmp.infile_start_pos < 0) {
+ /*
+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
+ * malformed file (WTAP_ERR_BAD_FILE)?
+ */
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: tmp.infile_start_pos (%" G_GINT64_FORMAT ") < 0",
+ tmp.infile_start_pos);
+ return FALSE;
+ }
+ if (tmp.infile_data_start < (guint64)tmp.infile_start_pos) {
+ /*
+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
+ * malformed file (WTAP_ERR_BAD_FILE)?
+ */
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: tmp.infile_data_start (%" G_GUINT64_FORMAT ") < tmp.infile_start_pos (%" G_GINT64_FORMAT ")",
+ tmp.infile_data_start, tmp.infile_start_pos);
+ return FALSE;
+ }
+ if (tmp.infile_length < tmp.infile_data_start - (guint64)tmp.infile_start_pos) {
+ /*
+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
+ * malformed file (WTAP_ERR_BAD_FILE)?
+ */
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: tmp.infile_length (%" G_GUINT64_FORMAT ") < (tmp.infile_data_start (%" G_GUINT64_FORMAT ") - tmp.infile_start_pos (%" G_GINT64_FORMAT ")) = %" G_GUINT64_FORMAT,
+ tmp.infile_length,
+ tmp.infile_data_start, tmp.infile_start_pos,
+ tmp.infile_data_start - (guint64)tmp.infile_start_pos);
+ return FALSE;
+ }
+ guint64 data_length = tmp.infile_length - (tmp.infile_data_start - (guint64)tmp.infile_start_pos);
+ if (data_length > UINT_MAX) {
+ /*
+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
+ * malformed file (WTAP_ERR_BAD_FILE)?
+ */
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: data_length (%" G_GUINT64_FORMAT ") > UINT_MAX",
+ data_length);
+ return FALSE;
+ }
+ if (!wtap_read_bytes_or_eof(params->fh, compressed_data, (unsigned int)data_length, err, err_info)) {
return FALSE;
}
@@ -477,6 +519,18 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe
/* the actual DE-compression work. */
if (Z_OK != inflateInit(&infstream)) {
+ /*
+ * XXX - check the error code and handle this appropriately.
+ */
+ *err = WTAP_ERR_INTERNAL;
+ if (infstream.msg != NULL) {
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: inflateInit failed for LogContainer %d, message\"%s\"",
+ index_log_container,
+ infstream.msg);
+ } else {
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: inflateInit failed for LogContainer %d",
+ index_log_container);
+ }
ws_debug("inflateInit failed for LogContainer %d", index_log_container);
if (infstream.msg != NULL) {
ws_debug("inflateInit returned: \"%s\"", infstream.msg);
@@ -487,6 +541,50 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe
int ret = inflate(&infstream, Z_NO_FLUSH);
/* Z_OK should not happen here since we know how big the buffer should be */
if (Z_STREAM_END != ret) {
+ switch (ret) {
+
+ case Z_NEED_DICT:
+ *err = WTAP_ERR_DECOMPRESS;
+ *err_info = g_strdup("preset dictionary needed");
+ break;
+
+ case Z_STREAM_ERROR:
+ *err = WTAP_ERR_DECOMPRESS;
+ *err_info = (infstream.msg != NULL) ? g_strdup(infstream.msg) : NULL;
+ break;
+
+ case Z_MEM_ERROR:
+ /* This means "not enough memory". */
+ *err = ENOMEM;
+ *err_info = NULL;
+ break;
+
+ case Z_DATA_ERROR:
+ /* This means "deflate stream invalid" */
+ *err = WTAP_ERR_DECOMPRESS;
+ *err_info = (infstream.msg != NULL) ? g_strdup(infstream.msg) : NULL;
+ break;
+
+ case Z_BUF_ERROR:
+ /* XXX - this is recoverable; what should we do here? */
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: Z_BUF_ERROR from inflate(), message \"%s\"",
+ (infstream.msg != NULL) ? infstream.msg : "(none)");
+ break;
+
+ case Z_VERSION_ERROR:
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: Z_VERSION_ERROR from inflate(), message \"%s\"",
+ (infstream.msg != NULL) ? infstream.msg : "(none)");
+ break;
+
+ default:
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: unexpected error %d from inflate(), message \"%s\"",
+ ret,
+ (infstream.msg != NULL) ? infstream.msg : "(none)");
+ break;
+ }
ws_debug("inflate failed (return code %d) for LogContainer %d", ret, index_log_container);
if (infstream.msg != NULL) {
ws_debug("inflate returned: \"%s\"", infstream.msg);
@@ -495,6 +593,9 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe
}
if (Z_OK != inflateEnd(&infstream)) {
+ /* Returns either Z_OK or Z_STREAM_ERROR. */
+ *err = WTAP_ERR_DECOMPRESS;
+ *err_info = (infstream.msg != NULL) ? g_strdup(infstream.msg) : NULL;
ws_debug("inflateEnd failed for LogContainer %d", index_log_container);
if (infstream.msg != NULL) {
ws_debug("inflateEnd returned: \"%s\"", infstream.msg);
@@ -506,6 +607,8 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe
g_array_index(blf_data->log_containers, blf_log_container_t, index_log_container) = tmp;
return TRUE;
#else
+ *err = WTAP_ERR_DECOMPRESSION_NOT_SUPPORTED;
+ *err_info = NULL;
return FALSE;
#endif
}
@@ -593,14 +696,7 @@ blf_read_bytes_or_eof(blf_params_t *params, guint64 real_pos, void *target_buffe
case BLF_COMPRESSION_ZLIB:
while (current_container_index <= end_container_index) {
- if (!blf_pull_logcontainer_into_memory(params, current_container_index)) {
- /*
- * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
- * malformed file (WTAP_ERR_BAD_FILE)?
- */
- *err = WTAP_ERR_INTERNAL;
- *err_info = g_strdup_printf("blf_read_bytes_or_eof: cannot pull in container");
- ws_debug("cannot pull in container");
+ if (!blf_pull_logcontainer_into_memory(params, current_container_index, err, err_info)) {
return FALSE;
}
--
GitLab

93
CVE-2023-2858.patch Normal file
View File

@ -0,0 +1,93 @@
From a0403c4b396adacd666d8ebd3b97506e355e646c Mon Sep 17 00:00:00 2001
From: Guy Harris <gharris@sonic.net>
Date: Fri, 19 May 2023 16:29:45 -0700
Subject: [PATCH] netscaler: add more checks to make sure the record is within
the page.
Whie we're at it, restructure some other checks to test-before-casting -
it's OK to test afterwards, but testing before makes it follow the
pattern used elsewhere.
Fixes #19081.
(cherry picked from commit cb190d6839ddcd4596b0205844f45553f1e77105)
---
wiretap/netscaler.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
index 8dcbd42a089..b94caca0869 100644
--- a/wiretap/netscaler.c
+++ b/wiretap/netscaler.c
@@ -1114,13 +1114,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int file_version, int *err,
#define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \
do {\
- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
/* Make sure the record header is entirely contained in the page */\
- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\
+ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\
*err = WTAP_ERR_BAD_FILE;\
*err_info = g_strdup("nstrace: record header crosses page boundary");\
return FALSE;\
}\
+ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
/* Check sanity of record size */\
if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\
*err = WTAP_ERR_BAD_FILE;\
@@ -1186,6 +1186,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
case NSPR_ABSTIME_V10:
{
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+ return FALSE;
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
if (pletoh16(&fp->nsprRecordSize) == 0) {
*err = WTAP_ERR_BAD_FILE;
@@ -1199,6 +1201,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
case NSPR_RELTIME_V10:
{
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+ return FALSE;
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
if (pletoh16(&fp->nsprRecordSize) == 0) {
*err = WTAP_ERR_BAD_FILE;
@@ -1216,6 +1220,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
default:
{
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+ return FALSE;
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
if (pletoh16(&fp->nsprRecordSize) == 0) {
*err = WTAP_ERR_BAD_FILE;
@@ -1500,14 +1506,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf,
#define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\
do {\
- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
/* Make sure the record header is entirely contained in the page */\
- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\
+ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\
*err = WTAP_ERR_BAD_FILE;\
*err_info = g_strdup("nstrace: record header crosses page boundary");\
g_free(nstrace_tmpbuff);\
return FALSE;\
}\
+ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
(rec)->rec_type = REC_TYPE_PACKET;\
(rec)->block = wtap_block_create(WTAP_BLOCK_PACKET);\
TIMEDEFV##ver((rec),fp,type);\
@@ -1615,7 +1621,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, Buffer *buf,
g_free(nstrace_tmpbuff);
return FALSE;
}
-
hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset];
if (nspr_getv20recordsize(hdp) == 0) {
*err = WTAP_ERR_BAD_FILE;
--
GitLab

36
CVE-2023-2879.patch Normal file
View File

@ -0,0 +1,36 @@
From 3412780abd6f44ff1613cd1472c867b8372de24c Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sat, 13 May 2023 21:45:16 -0400
Subject: [PATCH] GDSDB: Make sure our offset advances.
add_uint_string() returns the next offset to use, not the number
of bytes consumed. So to consume all the bytes and make sure the
offset advances, return the entire reported tvb length, not the
number of bytes remaining.
Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f
Fixes #19068
(cherry picked from commit 118815ca7c9f82c1f83f8f64d9e0e54673f31677)
---
epan/dissectors/packet-gdsdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c
index 13ba8b37628..e2dd332ca85 100644
--- a/epan/dissectors/packet-gdsdb.c
+++ b/epan/dissectors/packet-gdsdb.c
@@ -480,7 +480,7 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o
int ret_offset = offset + length;
if (length < 4 || ret_offset < offset) {
expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length);
- return tvb_reported_length_remaining(tvb, offset);
+ return tvb_reported_length(tvb);
}
return ret_offset;
}
--
GitLab

11
wireshark.spec
View File

@ -5,7 +5,7 @@
Summary: Network traffic analyzer
Name: wireshark
Version: 3.6.11
Release: 3
Release: 4
Epoch: 1
License: GPL+
Url: http://www.wireshark.org/
@ -25,6 +25,12 @@ Patch8: CVE-2023-1161.patch
Patch9: CVE-2023-1992.patch
Patch10: CVE-2023-1993.patch
Patch11: CVE-2023-1994.patch
Patch12: CVE-2023-0668.patch
Patch13: CVE-2023-2855.patch
Patch14: CVE-2023-2856.patch
Patch15: CVE-2023-2857.patch
Patch16: CVE-2023-2858.patch
Patch17: CVE-2023-2879.patch
Requires: xdg-utils
Requires: hicolor-icon-theme
@ -199,6 +205,9 @@ exit 0
%{_mandir}/man?/*
%changelog
* Tue May 30 2023 yaoxin <yao_xin001@hoperun.com> - 1:3.6.11-4
- Fix CVE-2023-0668,CVE-2023-2855,CVE-2023-2856,CVE-2023-2857,CVE-2023-2858 and CVE-2023-2879
* Mon Apr 24 2023 yaoxin <yao_xin001@hoperun.com> - 1:3.6.11-3
- Fix CVE-2023-1992,CVE-2023-1993 and CVE-2023-1994