This commit is contained in:
gu-gu-gu 2019-12-25 18:35:15 +08:00
parent d4281d17a2
commit 29af5ef1cf
7 changed files with 355 additions and 1 deletions

46
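--- a/CVE-2019-10894.patch
+++ b/CVE-2019-10894.patch
@@ -0,0 +1,46 @@
+diff -Nurp wireshark-2.6.2/epan/dissectors/packet-gssapi.c wireshark-2.6.2-bak/epan/dissectors/packet-gssapi.c
+--- wireshark-2.6.2/epan/dissectors/packet-gssapi.c 2018-07-18 15:39:22.000000000 -0400
++++ wireshark-2.6.2-bak/epan/dissectors/packet-gssapi.c 2019-08-14 18:44:52.909000000 -0400
+@@ -370,16 +370,34 @@ dissect_gssapi_work(tvbuff_t *tvb, packe
+} else {
+tvbuff_t *oid_tvb_local;
+- oid_tvb_local = tvb_new_subset_remaining(gss_tvb, start_offset);
+- if (is_verifier)
++ if (is_verifier) {
+handle = oidvalue->wrap_handle;
+- else
++ if (handle != NULL) {
++ oid_tvb_local = tvb_new_subset_remaining(gss_tvb, start_offset);
++ len = call_dissector_with_data(handle, oid_tvb_local, pinfo, subtree, encrypt_info);
++ if (len == 0)
++ return_offset = tvb_captured_length(gss_tvb);
++ else
++ return_offset = start_offset + len;
++ } else {
++ proto_tree_add_item(subtree, hf_gssapi_auth_verifier, gss_tvb, offset, -1, ENC_NA);
++ return_offset = tvb_captured_length(gss_tvb);
++ }
++ } else {
+handle = oidvalue->handle;
+- len = call_dissector_with_data(handle, oid_tvb_local, pinfo, subtree, encrypt_info);
+- if (len == 0)
+- return_offset = tvb_captured_length(gss_tvb);
+- else
+- return_offset = start_offset + len;
++ if (handle != NULL) {
++ oid_tvb_local = tvb_new_subset_remaining(gss_tvb, start_offset);
++ len = call_dissector_with_data(handle, oid_tvb_local, pinfo, subtree, encrypt_info);
++ if (len == 0)
++ return_offset = tvb_captured_length(gss_tvb);
++ else
++ return_offset = start_offset + len;
++ } else {
++ proto_tree_add_item(subtree, hf_gssapi_auth_credentials, gss_tvb, offset, -1, ENC_NA);
++ return_offset = tvb_captured_length(gss_tvb);
++ }
++ }
++
+goto done; /* We are finished here */
+}
+}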
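Review bot: CVE-2019-10894.patch is the only patch in this commit with no provenance header — no upstream From:/Bug:/Change-Id lines, just a `diff -Nurp` against a `-bak` tree — so a later rebase cannot tell which upstream change it backports; a leading comment such as `Backport of the upstream fix for CVE-2019-10894 (upstream bug/commit: <reference to be filled in>)` would fix that. The two added branches are near-identical apart from `wrap_handle`/`hf_gssapi_auth_verifier` versus `handle`/`hf_gssapi_auth_credentials`; the shared `tvb_new_subset_remaining`/`call_dissector_with_data`/`return_offset` lines could be hoisted below the branch, though keeping the upstream shape is defensible for a security backport. The `proto_tree_add_item` fallbacks use `offset` while the subset uses `start_offset`; whether both refer to the same position is not visible here and is worth confirming. dissect_gssapi_work begins and ends outside the hunk.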

67
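--- a/CVE-2019-10895.patch
+++ b/CVE-2019-10895.patch
@@ -0,0 +1,67 @@
+From 2fbbde780e5d5d82e31dca656217daf278cf62bb Mon Sep 17 00:00:00 2001
+From: Dario Lombardo <lomato@gmail.com>
+Date: Tue, 5 Mar 2019 17:25:24 +0100
+Subject: [PATCH] netscaler: add more sanity checks.
+Fix more crashes found in the provided bug report.
+Bug: 15497
+Change-Id: If84498fa879ad56c8677f8c1442a8dc0e5906003
+Reviewed-on: https://code.wireshark.org/review/32333
+Petri-Dish: Dario Lombardo <lomato@gmail.com>
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Anders Broman <a.broman58@gmail.com>
+(cherry picked from commit 134a513dd59315d67866f238459fdee6347f1055)
+Reviewed-on: https://code.wireshark.org/review/32422
+(cherry picked from commit fc8367a50516e832be960a9001ccdb09ced9b27f)
+Reviewed-on: https://code.wireshark.org/review/32430
+Reviewed-by: Guy Harris <guy@alum.mit.edu>
+---
+wiretap/netscaler.c | 4 ++++
+1 file changed, 4 insertions(+)
+diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
+index c88c082..fc350e2 100644
+--- a/wiretap/netscaler.c
++++ b/wiretap/netscaler.c
+@@ -653,6 +653,20 @@ static gboolean nstrace_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
+#define GET_READ_PAGE_SIZE(remaining_file_size) ((gint32)((remaining_file_size>NSPR_PAGESIZE)?NSPR_PAGESIZE:remaining_file_size))
+#define GET_READ_PAGE_SIZEV3(remaining_file_size) ((gint32)((remaining_file_size>NSPR_PAGESIZE_TRACE)?NSPR_PAGESIZE_TRACE:remaining_file_size))
++/*
++ * Check whether we have enough room to retrieve the data in the caller.
++ * If not, we have a malformed file.
++ */
++static gboolean nstrace_ensure_buflen(nstrace_t* nstrace, guint offset, guint len, int *err, gchar** err_info)
++{
++ if (offset > nstrace->nstrace_buflen || nstrace->nstrace_buflen - offset < len) {
++ *err = WTAP_ERR_BAD_FILE;
++ *err_info = g_strdup("nstrace: malformed file");
++ return FALSE;
++ }
++ return TRUE;
++}
++
+static guint64 ns_hrtime2nsec(guint32 tm)
+{
+guint32 val = tm & NSPR_HRTIME_MASKTM;
+@@ -940,6 +940,8 @@ nspm_signature_version(wtap *wth, gchar *nstrace_buf, gint32 len)
+switch (nspr_getv##ver##recordtype(fp))\
+{\
+case NSPR_ABSTIME_V##ver:\
++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_abstime_v##ver##_t), err, err_info))\
++ return FALSE;\
+ns_setabstime(nstrace, pletoh32(&((nspr_abstime_v##ver##_t *) fp)->abs_Time), pletoh16(&((nspr_abstime_v##ver##_t *) fp)->abs_RelTime));\
+nstrace->nstrace_buf_offset = nstrace_buf_offset + nspr_getv##ver##recordsize(fp);\
+nstrace->nstrace_buflen = nstrace_buflen;\
+@@ -1330,6 +1332,8 @@ static gboolean nstrace_read_v20(wtap *wth, int *err, gchar **err_info, gint64 *
+case NSPR_RELTIME_V20:
+{
++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_hd_v20_t), err, err_info))
++ return FALSE;
+nspr_pktracefull_v20_t *fp20 = (nspr_pktracefull_v20_t *) &nstrace_buf[nstrace_buf_offset];
+if (nspr_getv20recordsize((nspr_hd_v20_t *)fp20) == 0) {
+*err = WTAP_ERR_BAD_FILE;
+--
+2.7.4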
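Review bot: `nstrace_ensure_buflen` bounds its check against `nstrace->nstrace_buflen`, yet the macro hunk only writes `nstrace->nstrace_buflen = nstrace_buflen;` after the check, so if the local `nstrace_buflen` can run ahead of the struct field (for example right after a new page is read) the call `if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_abstime_v##ver##_t), err, err_info))` may compare against a stale length; passing the local length as a parameter would remove the doubt, and the surrounding loop that would settle this lies outside the hunk. The patch header states `1 file changed, 4 insertions(+)` while the hunks add eighteen lines including the whole helper, which suggests the first hunk was added during the backport; a line in the header saying so would help the next rebase. In the third hunk the check precedes the declaration of `fp20` inside the block, valid C99 but unlike the declaration-first style of the surrounding code.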

44
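--- a/CVE-2019-10896.patch
+++ b/CVE-2019-10896.patch
@@ -0,0 +1,44 @@
+From 651cd91b16b01e3da698b04542da376d946bc54b Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Wed, 3 Apr 2019 09:41:36 -0700
+Subject: [PATCH] DOF: Fix alias binding dissection.
+When adding generated IID and OID bytes to the tree, use a zero offset
+and length like we do elsewhere in the dissector.
+Bug: 15617
+Change-Id: Id900f2aeeef7926706b417622d452ffa72949e8a
+(cherry picked from commit ecf03bb37b3345e684890f7eee031cb17a247939)
+Reviewed-on: https://code.wireshark.org/review/32723
+Reviewed-by: Gerald Combs <gerald@wireshark.org>
+---
+epan/dissectors/packet-dof.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/epan/dissectors/packet-dof.c b/epan/dissectors/packet-dof.c
+index 2663eed..9770deb 100644
+--- a/epan/dissectors/packet-dof.c
++++ b/epan/dissectors/packet-dof.c
+@@ -1379,16 +1379,17 @@ static int oap_1_tree_add_alias(dof_api_data *api_data, oap_1_packet_data *oap_p
+key.sender = packet->sender_id;
+key.alias = alias;
+binding = oap_1_resolve_alias(&key);
++
+if (binding)
+{
+options_tree = proto_item_add_subtree(ti, ett_oap_1_alias);
+/* Decode the Interface */
+- ti = proto_tree_add_bytes_format_value(tree, hf_oap_1_interfaceid, tvb, offset, alias_length, binding->iid, "%s", dof_iid_create_standard_string(binding->iid_length, binding->iid));
++ ti = proto_tree_add_bytes_format_value(tree, hf_oap_1_interfaceid, tvb, 0, 0, binding->iid, "%s", dof_iid_create_standard_string(binding->iid_length, binding->iid));
+PROTO_ITEM_SET_GENERATED(ti);
+/* Decode the Object ID */
+- ti = proto_tree_add_bytes_format_value(tree, hf_oap_1_objectid, tvb, offset, alias_length, binding->oid, "%s", dof_oid_create_standard_string(binding->oid_length, binding->oid));
++ ti = proto_tree_add_bytes_format_value(tree, hf_oap_1_objectid, tvb, 0, 0, binding->oid, "%s", dof_oid_create_standard_string(binding->oid_length, binding->oid));
+PROTO_ITEM_SET_GENERATED(ti);
+proto_tree_add_uint_format(options_tree, hf_oap_1_alias_frame,
+--
+2.7.4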
2.7.4

39
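--- a/CVE-2019-10899.patch
+++ b/CVE-2019-10899.patch
@@ -0,0 +1,39 @@
+From f43ac1291b80bbccdd1ef3e6118f72e08dc8beac Mon Sep 17 00:00:00 2001
+From: Dario Lombardo <lomato@gmail.com>
+Date: Fri, 1 Mar 2019 11:18:53 +0100
+Subject: [PATCH] srvloc: check buffer index to prevent heap overflow.
+Bug: 15546
+Change-Id: I35eee1f6e1127db74339ec7218d7681bd93de59c
+Reviewed-on: https://code.wireshark.org/review/32285
+Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Anders Broman <a.broman58@gmail.com>
+(cherry picked from commit 8f15ebed65ceea5c856fce055b5d83fb0c4b597b)
+Reviewed-on: https://code.wireshark.org/review/32340
+Petri-Dish: Dario Lombardo <lomato@gmail.com>
+Reviewed-by: Dario Lombardo <lomato@gmail.com>
+---
+epan/dissectors/packet-srvloc.c | 4 ++++
+1 file changed, 4 insertions(+)
+diff --git a/epan/dissectors/packet-srvloc.c b/epan/dissectors/packet-srvloc.c
+index 629ca78..d0ecf88 100644
+--- a/epan/dissectors/packet-srvloc.c
++++ b/epan/dissectors/packet-srvloc.c
+@@ -444,9 +444,13 @@ unicode_to_bytes(tvbuff_t *tvb, int offset, int length, gboolean endianness)
+for (i = length; i > 0; i--) {
+c_char = ascii_text[i];
+if (c_char != 0) {
++ if (i == 0)
++ break;
+i--;
+c_char1 = ascii_text[i];
+if (c_char1 == 0) {
++ if (i == 0)
++ break;
+i--;
+c_char1 = ascii_text[i];
+}
+--
+2.7.4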
2.7.4

90
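--- a/CVE-2019-10901.patch
+++ b/CVE-2019-10901.patch
@@ -0,0 +1,90 @@
+From 6c3467945cd9bf1242a2dcd4a8fbff32b885391e Mon Sep 17 00:00:00 2001
+From: Dario Lombardo <lomato@gmail.com>
+Date: Wed, 3 Apr 2019 09:10:38 +0200
+Subject: [PATCH] ldss: add checks on file digest.
+Bug: 15620
+Change-Id: I600c262f42414dd50c0cf4c1230acfb2a8042212
+Reviewed-on: https://code.wireshark.org/review/32520
+Petri-Dish: Dario Lombardo <lomato@gmail.com>
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Gerald Combs <gerald@wireshark.org>
+---
+epan/dissectors/packet-ldss.c | 19 +++----------------
+1 file changed, 3 insertions(+), 16 deletions(-)
+diff --git a/epan/dissectors/packet-ldss.c b/epan/dissectors/packet-ldss.c
+index 861fccd..68e6e54 100644
+--- a/epan/dissectors/packet-ldss.c
++++ b/epan/dissectors/packet-ldss.c
+@@ -466,13 +466,10 @@ dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
+* Compression: 0
+* (remote end sends the file identified by the digest) */
+guint offset = 0;
+- gboolean already_dissected = TRUE;
+col_set_str(pinfo->cinfo, COL_INFO, "LDSS File Transfer (Requesting file - pull)");
+if (transfer_info->req == NULL) {
+-
+- already_dissected = FALSE;
+transfer_info->req = wmem_new0(wmem_file_scope(), ldss_file_request_t);
+transfer_info->req->file = wmem_new0(wmem_file_scope(), ldss_file_t);
+}
+@@ -490,8 +487,7 @@ dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
+gint next_offset;
+const guint8 *line;
+int linelen;
+- gboolean is_digest_line;
+- guint digest_type_len;
++ guint digest_type_len = 0;
+linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
+@@ -502,28 +498,19 @@ dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
+ett_ldss_transfer_req, NULL,
+tvb_format_text(tvb, offset, next_offset-offset));
+- /* Reduce code duplication processing digest lines.
+- * There are too many locals to pass to a function - the signature
+- * looked pretty ugly when I tried! */
+- is_digest_line = FALSE;
+-
+if (strncmp(line,"md5:",4)==0) {
+- is_digest_line = TRUE;
+digest_type_len = 4;
+transfer_info->file->digest_type = DIGEST_TYPE_MD5;
+}
+else if (strncmp(line, "sha1:", 5)==0) {
+- is_digest_line = TRUE;
+digest_type_len = 5;
+transfer_info->file->digest_type = DIGEST_TYPE_SHA1;
+}
+else if (strncmp(line, "sha256:", 7)==0) {
+- is_digest_line = TRUE;
+digest_type_len = 7;
+transfer_info->file->digest_type = DIGEST_TYPE_SHA256;
+}
+else if (strncmp(line, "unknown:", 8)==0) {
+- is_digest_line = TRUE;
+digest_type_len = 8;
+transfer_info->file->digest_type = DIGEST_TYPE_UNKNOWN;
+}
+@@ -555,12 +542,12 @@ dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
+proto_tree_add_expert(line_tree, pinfo, &ei_ldss_unrecognized_line, tvb, offset, linelen);
+}
+- if (is_digest_line) {
++ if (digest_type_len > 0) {
+proto_item *tii = NULL;
+/* Sample digest-type/digest line:
+* md5:0123456789ABCDEF\n */
+- if (!already_dissected) {
++ if (!transfer_info->file->digest) {
+GByteArray *digest_bytes;
+digest_bytes = g_byte_array_new();
+--
+2.7.4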
2.7.4

56
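--- a/CVE-2019-10903.patch
+++ b/CVE-2019-10903.patch
@@ -0,0 +1,56 @@
+From 5aba3ed0cdebc1ec960261e3e9eda87c8408259f Mon Sep 17 00:00:00 2001
+From: Dario Lombardo <lomato@gmail.com>
+Date: Sun, 17 Mar 2019 00:47:02 +0100
+Subject: [PATCH] dcerpc: ensure the length in the packet doesn't overcome the
+boundaries.
+The spoolss dissector creates a new source using the length from the packet
+data. If it overcomes the ends of the packet we hit a crash. In this case
+add an expert info and stop the dissection
+Bug: 15568
+Change-Id: Idfb0b54c1f41842170d3d03c80897a3b7edc9400
+Reviewed-on: https://code.wireshark.org/review/32449
+Petri-Dish: Anders Broman <a.broman58@gmail.com>
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Anders Broman <a.broman58@gmail.com>
+---
+epan/dissectors/packet-dcerpc-spoolss.c | 9 +++++++++
+1 file changed, 9 insertions(+)
+diff --git a/epan/dissectors/packet-dcerpc-spoolss.c b/epan/dissectors/packet-dcerpc-spoolss.c
+index 2bf8cc8..46b3d34 100644
+--- a/epan/dissectors/packet-dcerpc-spoolss.c
++++ b/epan/dissectors/packet-dcerpc-spoolss.c
+@@ -315,6 +315,7 @@ static expert_field ei_driver_info_level = EI_INIT;
+static expert_field ei_level = EI_INIT;
+static expert_field ei_notify_info_data_type = EI_INIT;
+static expert_field ei_enumprinterdataex_value = EI_INIT;
++static expert_field ei_buffer_size_too_long = EI_INIT;
+/* Registry data types */
+@@ -441,6 +442,13 @@ dissect_spoolss_buffer_data(tvbuff_t *tvb, int offset, packet_info *pinfo,
+offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
+hf_buffer_size, &size);
++ /* Before going any further, we must ensure the bytes
++ actually esist in the tvb */
++ if ((guint32)tvb_reported_length_remaining(tvb, offset) < size) {
++ expert_add_info(pinfo, tree, &ei_buffer_size_too_long);
++ return offset;
++ }
++
+offset = dissect_ndr_uint8s(tvb, offset, pinfo, NULL, di, drep,
+hf_buffer_data, size, &data);
+@@ -8315,6 +8323,7 @@ proto_register_dcerpc_spoolss(void)
+{ &ei_level, { "spoolss.level.unknown", PI_PROTOCOL, PI_WARN, "Info level unknown", EXPFILL }},
+{ &ei_notify_info_data_type, { "spoolss.notify_info_data.type.unknown", PI_PROTOCOL, PI_WARN, "Unknown notify type", EXPFILL }},
+{ &ei_enumprinterdataex_value, { "spoolss.enumprinterdataex.val_unknown", PI_PROTOCOL, PI_WARN, "Unknown value type", EXPFILL }},
++ { &ei_buffer_size_too_long, { "spoolss.buffer.size.invalid", PI_PROTOCOL, PI_ERROR, "Buffer size too long", EXPFILL }},
+};
+expert_module_t* expert_dcerpc_spoolss;
+--
+2.7.4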
2.7.4


@ -1,6 +1,6 @@
Name: wireshark
Version: 2.6.2
Release: 3
Release: 4
Epoch: 1
Summary: Network traffic analyzer
License: GPL+
@ -32,6 +32,12 @@ Patch6012: wireshark-CVE-2018-19628.patch
Patch6013: wireshark-CVE-2019-9208.patch
Patch6014: wireshark-CVE-2019-9209.patch
Patch6015: wireshark-CVE-2019-5718.patch
Patch6016: CVE-2019-10894.patch
Patch6017: CVE-2019-10896.patch
Patch6018: CVE-2019-10899.patch
Patch6019: CVE-2019-10901.patch
Patch6020: CVE-2019-10903.patch
Patch6021: CVE-2019-10895.patch
Requires(pre): shadow-utils
Requires(post): systemd-udev
@ -140,6 +146,12 @@ getent group usbmon >/dev/null || groupadd -r usbmon
%{_mandir}/man?/*
%changelog
* Wed Dec 25 2019 gulining <gulining1@huawei.com> - 2.6.2-4
- Type:cves
- ID: CVE-2019-10894 CVE-2019-10896 CVE-2019-10899 CVE-2019-10901 CVE-2019-10903 CVE-2019-10895
- SUG:restart
- DESC: fix CVE-2019-10894 CVE-2019-10896 CVE-2019-10899 CVE-2019-10901 CVE-2019-10903 CVE-2019-10895
* Mon Nov 25 2019 gulining<gulining1@huawei.com> - 2.6.2-3
- revise obsoletes
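Review bot: The six new `Patch60xx:` entries drop the `wireshark-` prefix that the existing entries just above them carry (`Patch6013: wireshark-CVE-2019-9208.patch` and its neighbours), so the patch directory now mixes two naming schemes; renaming the new files to `wireshark-CVE-2019-10894.patch` and so on before they land would keep it consistent. `CVE-2019-10895` is registered last as `Patch6021` while the other five are in CVE order, which is harmless if nothing depends on application order but worth a glance. The new changelog entry repeats the full CVE list under both `ID:` and `DESC:`; listing it once would be enough.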