fix CVE-2020-26575

CVE-2020-26575.patch

@@ -0,0 +1,63 @@
+From 3ff940652962c099b73ae3233322b8697b0d10ab Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Fri, 2 Oct 2020 12:42:03 -0700
+Subject: [PATCH] FBZERO: Make sure our offset advances.
+
+Make sure our offset advances so that we don't infinitely loop.
+Fixes #16887.
+---
+ epan/dissectors/packet-fbzero.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/packet-fbzero.c b/epan/dissectors/packet-fbzero.c
+index 16ffb63cf1..132079cfaa 100644
+--- a/epan/dissectors/packet-fbzero.c
++++ b/epan/dissectors/packet-fbzero.c
+@@ -66,6 +66,7 @@ static gint ett_fb_zero_tag_value = -1;
+ static expert_field ei_fb_zero_tag_undecoded = EI_INIT;
+ static expert_field ei_fb_zero_tag_length = EI_INIT;
+ static expert_field ei_fb_zero_tag_unknown = EI_INIT;
++static expert_field ei_fb_zero_length_invalid = EI_INIT;
+ 
+ #define FBZERO_MIN_LENGTH 3
+ 
+@@ -261,18 +262,26 @@ dissect_fb_zero_tag(tvbuff_t *tvb, packet_info *pinfo, proto_tree *fb_zero_tree,
+                                  "Dissector for FB Zero Tag"
+                                  " %s (%s) code not implemented, Contact"
+                                  " Wireshark developers if you want this supported", tvb_get_string_enc(wmem_packet_scope(), tvb, offset-8, 4, ENC_ASCII|ENC_NA), val_to_str(tag, tag_vals, "Unknown"));
+-                tag_offset += tag_len;
++                goto end;
+             break;
+         }
+ 
+         if(tag_offset != offset_end){
+             /* Wrong Tag len... */
+             proto_tree_add_expert(tag_tree, pinfo, &ei_fb_zero_tag_unknown, tvb, tag_offset_start + tag_offset, offset_end - tag_offset);
+-            tag_offset = offset_end;
++            // XXX Return instead?
++            goto end;
+         }
+ 
+         tag_number--;
+     }
++
++    end:
++    if (offset + total_tag_len <= offset) {
++        expert_add_info_format(pinfo, fb_zero_tree, &ei_fb_zero_length_invalid,
++                         "Invalid total tag length: %u", total_tag_len);
++        return offset + tvb_reported_length_remaining(tvb, offset);
++    }
+     return offset + total_tag_len;
+ 
+ }
+@@ -562,6 +571,7 @@ proto_register_fb_zero(void)
+         { &ei_fb_zero_tag_undecoded, { "fb_zero.tag.undecoded", PI_UNDECODED, PI_NOTE, "Dissector for FB Zero Tag code not implemented, Contact Wireshark developers if you want this supported", EXPFILL }},
+         { &ei_fb_zero_tag_length, { "fb_zero.tag.length.truncated", PI_MALFORMED, PI_NOTE, "Truncated Tag Length...", EXPFILL }},
+         { &ei_fb_zero_tag_unknown, { "fb_zero.tag.unknown.data", PI_UNDECODED, PI_NOTE, "Unknown Data", EXPFILL }},
++        { &ei_fb_zero_length_invalid, { "fb_zero.length.invalid", PI_PROTOCOL, PI_WARN, "Invalid length", EXPFILL }},
+     };
+ 
+     expert_module_t *expert_fb_zero;
+-- 
+GitLab
+

wireshark.spec

@@ -1,9 +1,9 @@
 Name:           wireshark
 Version:        2.6.2
-Release:        16
+Release:        17
 Epoch:          1
 Summary:        Network traffic analyzer
-License:        GPL+ and GPL-2.0+ and GPL-3.0 and GPL-3.0+ and BSD
+License:        GPL+ and GPL-2.0+ and GPL-3.0 and GPL-3.0+ and BSD and ISC
 URL:            http://www.wireshark.org/
 Source0:        https://wireshark.org/download/src/all-versions/%{name}-%{version}.tar.xz
 Source1:        https://www.wireshark.org/download/src/all-versions/SIGNATURES-%{version}.txt
@@ -48,6 +48,7 @@ Patch6033:      CVE-2020-28030.patch
 Patch6034:      CVE-2020-9430-1.patch
 Patch6035:      CVE-2020-9430-2.patch
 Patch6036:      CVE-2019-16319.patch
+Patch6037:      CVE-2020-26575.patch
 
 Requires(pre):  shadow-utils
 Requires(post): systemd-udev
@@ -154,6 +155,9 @@ getent group usbmon >/dev/null || groupadd -r usbmon
 %{_mandir}/man?/*
 
 %changelog
+* Mon Feb 08 2021 wangyue <wangyue92@huawei.com> - 2.6.2-17
+- fix CVE-2020-26575
+
 * Thu Jan 14 2021 zhanghua <zhanghua40@huawei.com> - 2.6.2-16
 - fix CVE-2019-16319