Fix CVE-2021-22191 CVE-2021-22207 CVE-2021-4181 CVE-2021-4185

This commit is contained in:
starlet-dx 2022-04-01 15:43:52 +08:00
parent 602f3e135c
commit 629b09a183
5 changed files with 236 additions and 1 deletions

CVE-2021-22191.patch Normal file

@ -0,0 +1,82 @@
From: Markus Koschany <apo@debian.org>
Date: Thu, 24 Mar 2022 14:03:00 +0100
Subject: CVE-2021-22191
Origin: https://gitlab.com/wireshark/wireshark/-/commit/0f638a240ceefb467025b7aa28acb56045381034
---
epan/wslua/wslua_gui.c | 24 ++++++++++++++++++++++--
ui/qt/proto_tree.cpp | 5 ++++-
2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/epan/wslua/wslua_gui.c b/epan/wslua/wslua_gui.c
index e93618f..b7eef3f 100644
--- a/epan/wslua/wslua_gui.c
+++ b/epan/wslua/wslua_gui.c
@@ -854,7 +854,16 @@ WSLUA_FUNCTION wslua_reload_lua_plugins(lua_State* L) { /* Reload all Lua plugin
}
-WSLUA_FUNCTION wslua_browser_open_url(lua_State* L) { /* Open an url in a browser. */
+WSLUA_FUNCTION wslua_browser_open_url(lua_State* L) { /*
+ Opens an URL in a web browser. Requires a GUI.
+
+ [WARNING]
+ ====
+ Do not pass an untrusted URL to this function.
+
+ It will be passed to the system's URL handler, which might execute malicious code, switch on your Bluetooth-connected foghorn, or any of a number of unexpected or harmful things.
+ ====
+ */
#define WSLUA_ARG_browser_open_url_URL 1 /* The url. */
const char* url = luaL_checkstring(L,WSLUA_ARG_browser_open_url_URL);
@@ -868,7 +877,18 @@ WSLUA_FUNCTION wslua_browser_open_url(lua_State* L) { /* Open an url in a browse
return 0;
}
-WSLUA_FUNCTION wslua_browser_open_data_file(lua_State* L) { /* Open a file in a browser. */
+WSLUA_FUNCTION wslua_browser_open_data_file(lua_State* L) { /*
+ Open a file located in the data directory (specified in the Wireshark preferences) in the web browser.
+ If the file does not exist, the function silently ignores the request.
+ Requires a GUI.
+
+ [WARNING]
+ ====
+ Do not pass an untrusted URL to this function.
+
+ It will be passed to the system's URL handler, which might execute malicious code, switch on your Bluetooth-connected foghorn, or any of a number of unexpected or harmful things.
+ ====
+ */
#define WSLUA_ARG_browser_open_data_file_FILENAME 1 /* The file name. */
const char* file = luaL_checkstring(L,WSLUA_ARG_browser_open_data_file_FILENAME);
diff --git a/ui/qt/proto_tree.cpp b/ui/qt/proto_tree.cpp
index 0525cf2..15f4c08 100644
--- a/ui/qt/proto_tree.cpp
+++ b/ui/qt/proto_tree.cpp
@@ -18,6 +18,8 @@
#include <ui/qt/utils/variant_pointer.h>
#include <ui/qt/utils/wireshark_mime_data.h>
#include <ui/qt/widgets/drag_label.h>
+#include "wireshark_application.h"
+
#include <QApplication>
#include <QContextMenuEvent>
@@ -27,6 +29,7 @@
#include <QScrollBar>
#include <QStack>
#include <QUrl>
+#include <QClipboard>
#if QT_VERSION >= QT_VERSION_CHECK(5, 0, 0)
#include <QWindow>
@@ -430,7 +433,7 @@ void ProtoTree::itemDoubleClicked(const QModelIndex &index) {
} else {
QString url = finfo.url();
if (!url.isEmpty()) {
- QDesktopServices::openUrl(QUrl(url));
+ QApplication::clipboard()->setText(url);
}
}
}
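Review bot: The `#include "wireshark_application.h"` added in the first proto_tree.cpp hunk is not used by the visible change, which calls `QApplication::clipboard()` (already available through the existing `<QApplication>` include); unless something outside these hunks in the 2.6.2 tree needs it, drop it to keep the backport minimal. The double-click path now copies the URL silently where it used to open it, so the user gets no indication that anything happened; a short status-bar message after `QApplication::clipboard()->setText(url);` would make the new behaviour discoverable. The two wslua hunks change only the doc comments, so `browser_open_url` and `browser_open_data_file` still hand the string to the system URL handler; the mitigation for Lua callers is documentation only, which is worth stating in the package changelog. itemDoubleClicked starts and ends outside its hunk.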

CVE-2021-22207.patch Normal file

@ -0,0 +1,70 @@
From b7a0650e061b5418ab4a8f72c6e4b00317aff623 Mon Sep 17 00:00:00 2001
From: Gerald Combs <gerald@wireshark.org>
Date: Mon, 19 Apr 2021 10:39:01 -0700
Subject: [PATCH] MS-WSP: Don't allocate huge amounts of memory.
Add a couple of memory allocation sanity checks, one of which
fixes #17331.
---
epan/dissectors/packet-mswsp.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/epan/dissectors/packet-mswsp.c b/epan/dissectors/packet-mswsp.c
index 37ad06c2b2..38bcefd072 100644
--- a/epan/dissectors/packet-mswsp.c
+++ b/epan/dissectors/packet-mswsp.c
@@ -313,8 +313,10 @@ struct CTableColumn {
guint16 lengthoffset;
char name[PROP_LENGTH];
};
-/* minimum size in bytes on the wire CTableColumn can be */
+/* Minimum size in bytes on the wire CTableColumn can be */
#define MIN_CTABLECOL_SIZE 32
+/* Maximum sane size in bytes on the wire CTableColumn can be. Arbitrary. */
+#define MAX_CTABLECOL_SIZE 5000
/* 2.2.3.10 */
@@ -3973,6 +3975,8 @@ static int vvalue_tvb_lpwstr(tvbuff_t *tvb, int offset, void *val)
return 4 + vvalue_tvb_lpwstr_len(tvb, offset + 4, 0, val);
}
+/* Maximum sane vector size. Arbitrary. */
+#define MAX_VT_VECTOR_SIZE 5000
static int vvalue_tvb_vector_internal(tvbuff_t *tvb, int offset, struct vt_vector *val, struct vtype_data *type, guint num)
{
const int offset_in = offset;
@@ -3987,18 +3991,14 @@ static int vvalue_tvb_vector_internal(tvbuff_t *tvb, int offset, struct vt_vecto
* here, before making a possibly-doomed attempt to allocate
* memory for it.
*
- * First, check for an overflow.
+ * First, check for sane values.
*/
- if ((guint64)elsize * (guint64)num > G_MAXUINT) {
- /*
- * We never have more than G_MAXUINT bytes in a tvbuff,
- * so this will *definitely* fail.
- */
+ if (num > MAX_VT_VECTOR_SIZE) {
THROW(ReportedBoundsError);
}
/*
- * No overflow; now make sure we at least have that data.
+ * No huge numbers from the wire; now make sure we at least have that data.
*/
tvb_ensure_bytes_exist(tvb, offset, elsize * num);
@@ -5859,7 +5859,7 @@ static int dissect_CPMSetBindings(tvbuff_t *tvb, packet_info *pinfo, proto_tree
/* Sanity check size value */
column_size = num*MIN_CTABLECOL_SIZE;
- if (column_size > tvb_reported_length_remaining(tvb, offset))
+ if (num > MAX_CTABLECOL_SIZE || column_size > tvb_reported_length_remaining(tvb, offset))
{
expert_add_info(pinfo, ti, &ei_mswsp_msg_cpmsetbinding_ccolumns);
return tvb_reported_length(tvb);
--
GitLab
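Review bot: In dissect_CPMSetBindings the product `column_size = num*MIN_CTABLECOL_SIZE;` is still computed on the line before the new `num > MAX_CTABLECOL_SIZE` test, so an oversized `num` from the wire is multiplied first and rejected afterwards; if `num`/`column_size` are signed that multiplication can overflow before the guard sees it. Put the bound check ahead of the product, e.g. `if (num > MAX_CTABLECOL_SIZE) { expert_add_info(pinfo, ti, &ei_mswsp_msg_cpmsetbinding_ccolumns); return tvb_reported_length(tvb); }` and only then compute `column_size`. In vvalue_tvb_vector_internal the removed `elsize * num > G_MAXUINT` test is replaced by a bound on `num` alone, which is sufficient only if `elsize` is a small fixed per-type size rather than a value taken from the packet; `tvb_ensure_bytes_exist(tvb, offset, elsize * num)` still multiplies, so that assumption is worth confirming in the surrounding code. Both functions start outside their hunks.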

CVE-2021-4181.patch Normal file

@ -0,0 +1,27 @@
From: Markus Koschany <apo@debian.org>
Date: Thu, 24 Mar 2022 15:43:12 +0100
Subject: CVE-2021-4181
Origin: https://gitlab.com/wireshark/wireshark/-/commit/d2436f19a3babc61ed97aa635f6eb43bfc44cfda
---
epan/dissectors/packet-sysdig-event.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/epan/dissectors/packet-sysdig-event.c b/epan/dissectors/packet-sysdig-event.c
index ce88970..7dd127e 100644
--- a/epan/dissectors/packet-sysdig-event.c
+++ b/epan/dissectors/packet-sysdig-event.c
@@ -1864,6 +1864,13 @@ dissect_event_params(tvbuff_t *tvb, int offset, proto_tree *tree, int encoding,
param_offset = offset + dissect_header_lens(tvb, offset, tree, encoding, hf_indexes);
for (cur_param = 0; hf_indexes[cur_param]; cur_param++) {
+ if (!hf_indexes[cur_param]) {
+ // This happens when new params are added to existent events in sysdig,
+ // if the event is already mapped in wireshark with a lower number of params.
+ // hf_indexes array size would be < than event being dissected, leading to SIGSEGV.
+ break;
+ }
+
int param_len = tvb_get_guint16(tvb, len_offset, encoding);
const int hf_index = *hf_indexes[cur_param];
if (proto_registrar_get_ftype(hf_index) == FT_STRING) {
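Review bot: The added `if (!hf_indexes[cur_param]) break;` repeats the loop condition on the line above, `for (cur_param = 0; hf_indexes[cur_param]; cur_param++)`, so as backported into 2.6.2 it can never fire. The crash the comment describes (an hf_indexes table shorter than the event's parameter count) is only prevented if every table ends in a NULL sentinel, and when it does not, neither the loop condition nor the new check stops the out-of-bounds read. Check whether upstream's loop bound differs from the one in 2.6.2; if the 2.6.2 tables are not sentinel-terminated, bound the loop by the parameter count obtained from the header as well, e.g. `for (cur_param = 0; cur_param < n_params && hf_indexes[cur_param]; cur_param++)` with `n_params` (constructed name) taken from what `dissect_header_lens` reads. dissect_event_params starts and ends outside the hunk.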

CVE-2021-4185.patch Normal file

@ -0,0 +1,45 @@
From: Markus Koschany <apo@debian.org>
Date: Thu, 24 Mar 2022 15:10:57 +0100
Subject: CVE-2021-4185
Origin: https://gitlab.com/wireshark/wireshark/-/commit/a0084bd76f45f9566bd94c49d7fb7571e0d4bdaa
---
epan/dissectors/packet-rtmpt.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-rtmpt.c b/epan/dissectors/packet-rtmpt.c
index f043cc7..555daad 100644
--- a/epan/dissectors/packet-rtmpt.c
+++ b/epan/dissectors/packet-rtmpt.c
@@ -1893,6 +1893,11 @@ dissect_rtmpt_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, rtmpt_
if (pinfo->fd->flags.visited) {
/* Already done the work, so just dump the existing state */
+ /* XXX: If there's bogus sequence numbers and the
+ * tcp.analyze_sequence_numbers pref is TRUE, we can't actually
+ * assume that we processed this frame the first time around,
+ * since the TCP dissector might not have given it to us.
+ */
wmem_stack_t *packets;
/* List all RTMP packets terminating in this TCP segment, from end to beginning */
@@ -1901,10 +1906,18 @@ dissect_rtmpt_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, rtmpt_
wmem_stack_push(packets, 0);
tp = (rtmpt_packet_t *)wmem_tree_lookup32_le(rconv->packets[cdir], seq+remain-1);
- while (tp && tp->lastseq >= seq) {
+ while (tp && GE_SEQ(tp->lastseq, seq)) {
+ /* Sequence numbers can wrap around (especially with
+ * tcp.relative_sequence_numbers FALSE), so use the
+ * wrap around aware comparison from packet-tcp.h
+ */
wmem_stack_push(packets, tp);
if (tp->seq == 0) {
// reached first segment.
+ /* XXX: Assuming tcp.relative_sequence_numbers
+ * is TRUE, that is, since on TCP we just
+ * reuse the sequence numbers from tcpinfo.
+ */
break;
}
tp = (rtmpt_packet_t *)wmem_tree_lookup32_le(rconv->packets[cdir], tp->seq-1);
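Review bot: `GE_SEQ` is described by the new comment as the wrap-aware comparison from packet-tcp.h, but no hunk adds that include; confirm that packet-rtmpt.c at 2.6.2 already includes `"packet-tcp.h"` (it consumes tcpinfo sequence numbers, so it probably does), otherwise the backport fails to compile. With the comparison now wrap-aware, loop termination rests on `wmem_tree_lookup32_le(rconv->packets[cdir], tp->seq-1)` returning a packet strictly earlier than `tp` on every iteration, and the `tp->seq == 0` break only covers the underflow case under relative sequence numbering, as the second XXX comment admits; a one-line comment stating what bounds the walk when relative numbering is off would help the next reader judge whether the original hang is fully closed. The second XXX comment also sits inside the `if` after a `//` comment, mixing comment styles in the same block; placing it before the `if` keeps the loop body readable. dissect_rtmpt_common starts and ends outside the hunks.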


@ -1,6 +1,6 @@
Name: wireshark
Version: 2.6.2
Release: 20
Release: 21
Epoch: 1
Summary: Network traffic analyzer
License: GPL+ and GPL-2.0+ and GPL-3.0 and GPL-3.0+ and BSD and ISC
@ -60,6 +60,14 @@ Patch6040: CVE-2020-9428-pre.patch
Patch6041: CVE-2020-9428.patch
Patch6042: CVE-2020-9431.patch
Patch6043: CVE-2019-12295.patch
#https://gitlab.com/wireshark/wireshark/-/commit/0f638a240ceefb467025b7aa28acb56045381034
Patch6044: CVE-2021-22191.patch
#https://gitlab.com/wireshark/wireshark/-/commit/b7a0650e061b5418ab4a8f72c6e4b00317aff623
Patch6045: CVE-2021-22207.patch
#https://gitlab.com/wireshark/wireshark/-/commit/d2436f19a3babc61ed97aa635f6eb43bfc44cfda
Patch6046: CVE-2021-4181.patch
#https://gitlab.com/wireshark/wireshark/-/commit/a0084bd76f45f9566bd94c49d7fb7571e0d4bdaa
Patch6047: CVE-2021-4185.patch
Requires(pre): shadow-utils
Requires(post): systemd-udev
@ -166,6 +174,9 @@ getent group usbmon >/dev/null || groupadd -r usbmon
%{_mandir}/man?/*
%changelog
* Fri Apr 1 2022 yaoxin <yaoxin30@huawei.com> - 2.6.2-21
- Fix CVE-2021-22191 CVE-2021-22207 CVE-2021-4181 CVE-2021-4185
* Tue Jul 27 2021 wangyue <wangyue92@huawei.com> - 2.6.2-20
- fix CVE-2019-12295
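Review bot: The spec declares `Patch6044` through `Patch6047`, but %prep is not in the visible hunks, so whether the four patches are actually applied depends on how that section is written; if it applies patches with explicit `%patchNNNN -p1` lines rather than `%autosetup`, matching entries for 6044–6047 are still missing and the build would ship without the fixes. Also, the CVE-2021-22191 patch changes user-visible behaviour in the protocol tree (double-click on a URL now copies it to the clipboard instead of opening it), which deserves a mention in the changelog line beyond the bare CVE list.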