Fix CVE-2021-22191 CVE-2021-22207 CVE-2021-4181 CVE-2021-4185

2022-04-01 15:43:52 +08:00 · 2022-04-01 15:43:52 +08:00 · 629b09a183
commit 629b09a183
parent 602f3e135c
5 changed files with 236 additions and 1 deletions
--- a/CVE-2021-22191.patch
+++ b/CVE-2021-22191.patch
@ -0,0 +1,82 @@
 From: Markus Koschany <apo@debian.org>
 Date: Thu, 24 Mar 2022 14:03:00 +0100
 Subject: CVE-2021-22191
 Origin: https://gitlab.com/wireshark/wireshark/-/commit/0f638a240ceefb467025b7aa28acb56045381034
 ---
 epan/wslua/wslua_gui.c | 24 ++++++++++++++++++++++--
 ui/qt/proto_tree.cpp   |  5 ++++-
 2 files changed, 26 insertions(+), 3 deletions(-)
 diff --git a/epan/wslua/wslua_gui.c b/epan/wslua/wslua_gui.c
 index e93618f..b7eef3f 100644
 --- a/epan/wslua/wslua_gui.c
 +++ b/epan/wslua/wslua_gui.c
@@ -854,7 +854,16 @@ WSLUA_FUNCTION wslua_reload_lua_plugins(lua_State* L) { /* Reload all Lua plugin
 }
 -WSLUA_FUNCTION wslua_browser_open_url(lua_State* L) { /* Open an url in a browser. */
 +WSLUA_FUNCTION wslua_browser_open_url(lua_State* L) { /*
 +    Opens an URL in a web browser. Requires a GUI.
 +
 +    [WARNING]
 +    ====
 +    Do not pass an untrusted URL to this function.
 +
 +    It will be passed to the system's URL handler, which might execute malicious code, switch on your Bluetooth-connected foghorn, or any of a number of unexpected or harmful things.
 +    ====
 +    */
 #define WSLUA_ARG_browser_open_url_URL 1 /* The url. */
     const char* url = luaL_checkstring(L,WSLUA_ARG_browser_open_url_URL);
@@ -868,7 +877,18 @@ WSLUA_FUNCTION wslua_browser_open_url(lua_State* L) { /* Open an url in a browse
     return 0;
 }
 -WSLUA_FUNCTION wslua_browser_open_data_file(lua_State* L) { /* Open a file in a browser. */
 +WSLUA_FUNCTION wslua_browser_open_data_file(lua_State* L) { /*
 +    Open a file located in the data directory (specified in the Wireshark preferences) in the web browser.
 +    If the file does not exist, the function silently ignores the request.
 +    Requires a GUI.
 +
 +    [WARNING]
 +    ====
 +    Do not pass an untrusted URL to this function.
 +
 +    It will be passed to the system's URL handler, which might execute malicious code, switch on your Bluetooth-connected foghorn, or any of a number of unexpected or harmful things.
 +    ====
 +    */
 #define WSLUA_ARG_browser_open_data_file_FILENAME 1 /* The file name. */
     const char* file = luaL_checkstring(L,WSLUA_ARG_browser_open_data_file_FILENAME);
 diff --git a/ui/qt/proto_tree.cpp b/ui/qt/proto_tree.cpp
 index 0525cf2..15f4c08 100644
 --- a/ui/qt/proto_tree.cpp
 +++ b/ui/qt/proto_tree.cpp
@@ -18,6 +18,8 @@
 #include <ui/qt/utils/variant_pointer.h>
 #include <ui/qt/utils/wireshark_mime_data.h>
 #include <ui/qt/widgets/drag_label.h>
 +#include "wireshark_application.h"
 +
 #include <QApplication>
 #include <QContextMenuEvent>
@@ -27,6 +29,7 @@
 #include <QScrollBar>
 #include <QStack>
 #include <QUrl>
 +#include <QClipboard>
 #if QT_VERSION >= QT_VERSION_CHECK(5, 0, 0)
 #include <QWindow>
@@ -430,7 +433,7 @@ void ProtoTree::itemDoubleClicked(const QModelIndex &index) {
     } else {
         QString url = finfo.url();
         if (!url.isEmpty()) {
 -            QDesktopServices::openUrl(QUrl(url));
 +            QApplication::clipboard()->setText(url);
         }
     }
 }
--- a/CVE-2021-22207.patch
+++ b/CVE-2021-22207.patch
@ -0,0 +1,70 @@
 From b7a0650e061b5418ab4a8f72c6e4b00317aff623 Mon Sep 17 00:00:00 2001
 From: Gerald Combs <gerald@wireshark.org>
 Date: Mon, 19 Apr 2021 10:39:01 -0700
 Subject: [PATCH] MS-WSP: Don't allocate huge amounts of memory.
 Add a couple of memory allocation sanity checks, one of which
 fixes #17331.
 ---
 epan/dissectors/packet-mswsp.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
 diff --git a/epan/dissectors/packet-mswsp.c b/epan/dissectors/packet-mswsp.c
 index 37ad06c2b2..38bcefd072 100644
 --- a/epan/dissectors/packet-mswsp.c
 +++ b/epan/dissectors/packet-mswsp.c
@@ -313,8 +313,10 @@ struct CTableColumn {
 	guint16 lengthoffset;
 	char name[PROP_LENGTH];
 };
 -/* minimum size in bytes on the wire CTableColumn can be */
 +/* Minimum size in bytes on the wire CTableColumn can be */
 #define MIN_CTABLECOL_SIZE 32
 +/* Maximum sane size in bytes on the wire CTableColumn can be. Arbitrary. */
 +#define MAX_CTABLECOL_SIZE 5000
 /* 2.2.3.10 */
@@ -3973,6 +3975,8 @@ static int vvalue_tvb_lpwstr(tvbuff_t *tvb, int offset, void *val)
 	return 4 + vvalue_tvb_lpwstr_len(tvb, offset + 4, 0, val);
 }
 +/* Maximum sane vector size. Arbitrary. */
 +#define MAX_VT_VECTOR_SIZE 5000
 static int vvalue_tvb_vector_internal(tvbuff_t *tvb, int offset, struct vt_vector *val, struct vtype_data *type, guint num)
 {
 	const int offset_in = offset;
@@ -3987,18 +3991,14 @@ static int vvalue_tvb_vector_internal(tvbuff_t *tvb, int offset, struct vt_vecto
 	 * here, before making a possibly-doomed attempt to allocate
 	 * memory for it.
 	 *
 -	 * First, check for an overflow.
 +	 * First, check for sane values.
 	 */
 -	if ((guint64)elsize * (guint64)num > G_MAXUINT) {
 -		/*
 -		 * We never have more than G_MAXUINT bytes in a tvbuff,
 -		 * so this will *definitely* fail.
 -		 */
 +	if (num > MAX_VT_VECTOR_SIZE) {
 		THROW(ReportedBoundsError);
 	}
 	/*
 -	 * No overflow; now make sure we at least have that data.
 +	 * No huge numbers from the wire; now make sure we at least have that data.
 	 */
 	tvb_ensure_bytes_exist(tvb, offset, elsize * num);
@@ -5859,7 +5859,7 @@ static int dissect_CPMSetBindings(tvbuff_t *tvb, packet_info *pinfo, proto_tree
 		/* Sanity check size value */
 		column_size = num*MIN_CTABLECOL_SIZE;
 -		if (column_size > tvb_reported_length_remaining(tvb, offset))
 +		if (num > MAX_CTABLECOL_SIZE || column_size > tvb_reported_length_remaining(tvb, offset))
 		{
 			expert_add_info(pinfo, ti, &ei_mswsp_msg_cpmsetbinding_ccolumns);
 			return tvb_reported_length(tvb);
 -- 
 GitLab
--- a/CVE-2021-4181.patch
+++ b/CVE-2021-4181.patch
@ -0,0 +1,27 @@
 From: Markus Koschany <apo@debian.org>
 Date: Thu, 24 Mar 2022 15:43:12 +0100
 Subject: CVE-2021-4181
 Origin: https://gitlab.com/wireshark/wireshark/-/commit/d2436f19a3babc61ed97aa635f6eb43bfc44cfda
 ---
 epan/dissectors/packet-sysdig-event.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/epan/dissectors/packet-sysdig-event.c b/epan/dissectors/packet-sysdig-event.c
 index ce88970..7dd127e 100644
 --- a/epan/dissectors/packet-sysdig-event.c
 +++ b/epan/dissectors/packet-sysdig-event.c
@@ -1864,6 +1864,13 @@ dissect_event_params(tvbuff_t *tvb, int offset, proto_tree *tree, int encoding,
     param_offset = offset + dissect_header_lens(tvb, offset, tree, encoding, hf_indexes);
     for (cur_param = 0; hf_indexes[cur_param]; cur_param++) {
 +        if (!hf_indexes[cur_param]) {
 +            // This happens when new params are added to existent events in sysdig,
 +            // if the event is already mapped in wireshark with a lower number of params.
 +            // hf_indexes array size would be < than event being dissected, leading to SIGSEGV.
 +            break;
 +        }
 +
         int param_len = tvb_get_guint16(tvb, len_offset, encoding);
         const int hf_index = *hf_indexes[cur_param];
         if (proto_registrar_get_ftype(hf_index) == FT_STRING) {
--- a/CVE-2021-4185.patch
+++ b/CVE-2021-4185.patch
@ -0,0 +1,45 @@
 From: Markus Koschany <apo@debian.org>
 Date: Thu, 24 Mar 2022 15:10:57 +0100
 Subject: CVE-2021-4185
 Origin: https://gitlab.com/wireshark/wireshark/-/commit/a0084bd76f45f9566bd94c49d7fb7571e0d4bdaa
 ---
 epan/dissectors/packet-rtmpt.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
 diff --git a/epan/dissectors/packet-rtmpt.c b/epan/dissectors/packet-rtmpt.c
 index f043cc7..555daad 100644
 --- a/epan/dissectors/packet-rtmpt.c
 +++ b/epan/dissectors/packet-rtmpt.c
@@ -1893,6 +1893,11 @@ dissect_rtmpt_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, rtmpt_
         if (pinfo->fd->flags.visited) {
                 /* Already done the work, so just dump the existing state */
 +                /* XXX: If there's bogus sequence numbers and the
 +                 * tcp.analyze_sequence_numbers pref is TRUE, we can't actually
 +                 * assume that we processed this frame the first time around,
 +                 * since the TCP dissector might not have given it to us.
 +                 */
                 wmem_stack_t *packets;
                 /* List all RTMP packets terminating in this TCP segment, from end to beginning */
@@ -1901,10 +1906,18 @@ dissect_rtmpt_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, rtmpt_
                 wmem_stack_push(packets, 0);
                 tp = (rtmpt_packet_t *)wmem_tree_lookup32_le(rconv->packets[cdir], seq+remain-1);
 -                while (tp && tp->lastseq >= seq) {
 +                while (tp && GE_SEQ(tp->lastseq, seq)) {
 +                        /* Sequence numbers can wrap around (especially with
 +                         * tcp.relative_sequence_numbers FALSE), so use the
 +                         * wrap around aware comparison from packet-tcp.h
 +                         */
                         wmem_stack_push(packets, tp);
                         if (tp->seq == 0) {
                                 // reached first segment.
 +                                /* XXX: Assuming tcp.relative_sequence_numbers
 +                                 * is TRUE, that is, since on TCP we just
 +                                 * reuse the sequence numbers from tcpinfo.
 +                                 */
                                 break;
                         }
                         tp = (rtmpt_packet_t *)wmem_tree_lookup32_le(rconv->packets[cdir], tp->seq-1);
--- a/wireshark.spec
+++ b/wireshark.spec
@ -1,6 +1,6 @@
 Name:           wireshark
 Version:        2.6.2
-Release:        20
+Release:        21
 Epoch:          1
 Summary:        Network traffic analyzer
 License:        GPL+ and GPL-2.0+ and GPL-3.0 and GPL-3.0+ and BSD and ISC
@ -60,6 +60,14 @@ Patch6040:      CVE-2020-9428-pre.patch
 Patch6041:      CVE-2020-9428.patch
 Patch6042:      CVE-2020-9431.patch
 Patch6043:      CVE-2019-12295.patch
 #https://gitlab.com/wireshark/wireshark/-/commit/0f638a240ceefb467025b7aa28acb56045381034
 Patch6044:      CVE-2021-22191.patch
 #https://gitlab.com/wireshark/wireshark/-/commit/b7a0650e061b5418ab4a8f72c6e4b00317aff623
 Patch6045:      CVE-2021-22207.patch
 #https://gitlab.com/wireshark/wireshark/-/commit/d2436f19a3babc61ed97aa635f6eb43bfc44cfda
 Patch6046:      CVE-2021-4181.patch
 #https://gitlab.com/wireshark/wireshark/-/commit/a0084bd76f45f9566bd94c49d7fb7571e0d4bdaa
 Patch6047:      CVE-2021-4185.patch
 Requires(pre):  shadow-utils
 Requires(post): systemd-udev
@ -166,6 +174,9 @@ getent group usbmon >/dev/null || groupadd -r usbmon
 %{_mandir}/man?/*
 %changelog
 * Fri Apr 1 2022 yaoxin <yaoxin30@huawei.com> - 2.6.2-21
 - Fix CVE-2021-22191 CVE-2021-22207 CVE-2021-4181 CVE-2021-4185
 * Tue Jul 27 2021 wangyue <wangyue92@huawei.com> - 2.6.2-20
 - fix CVE-2019-12295