packages/wireshark
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-4853,CVE-2024-4854 and CVE-2024-4855

Browse Source 
(cherry picked from commit 25172a75a967548218af7b18d163e8e613ebd3d1)
This commit is contained in:
starlet-dx 2024-05-15 10:58:49 +08:00 committed by openeuler-sync-bot
parent b574e264a6
commit a83aed463a
4 changed files with 246 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
CVE-2024-4853.patch Normal file
View File

@ -0,0 +1,33 @@
From 683166c81bc1f8a6268f4955654bfd64ca98c07a Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Fri, 29 Mar 2024 09:42:44 -0400
Subject: [PATCH] editcap: Don't memmove more than allocated in the buffer
When moving from the begining with a beginning offset specified,
don't run off the end. Subtract the source memory area's full offset
from the beginning of the buffer from the capture length.
Fix #19724
(cherry picked from commit 7c744e7933794b09e7af4d9703194ad0b01be282)
---
editcap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/editcap.c b/editcap.c
index 3b5a70127ee..f64a8155576 100644
--- a/editcap.c
+++ b/editcap.c
@@ -2462,7 +2462,7 @@ handle_chopping(chop_t chop, wtap_packet_header *out_phdr,
if (chop.off_begin_pos > 0) {
memmove(*buf + chop.off_begin_pos,
*buf + chop.off_begin_pos + chop.len_begin,
- out_phdr->caplen - chop.len_begin);
+ out_phdr->caplen - (chop.off_begin_pos + chop.len_begin));
} else {
*buf += chop.len_begin;
}
--
GitLab

48
CVE-2024-4854.patch Normal file
View File

@ -0,0 +1,48 @@
From 40ed7e814bce9d27cc7a43a3c9612d25692be716 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sat, 30 Mar 2024 08:07:26 -0400
Subject: [PATCH] Mongo: Ensure the offset advances
The MongoDB Wire Protocol uses _signed_ 32 bit integers for lengths.
dissect_bson_document checks for bogus values and ensures that a
non-negative (and at least 5) size is returned, but we need to make
sure to use that return value instead of trusting the value read
from the packet in dissect_op_msg_section.
Fix #19726
(cherry picked from commit 38c0efcee8d22d922e446888b268effc3ccf725f)
---
epan/dissectors/packet-mongo.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-mongo.c b/epan/dissectors/packet-mongo.c
index b5a8bbffc2a..8e5f6370fbf 100644
--- a/epan/dissectors/packet-mongo.c
+++ b/epan/dissectors/packet-mongo.c
@@ -799,7 +799,10 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
switch (e_type) {
case KIND_BODY:
- dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
+ section_len = dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
+ /* If section_len is bogus (e.g., negative), dissect_bson_document sets
+ * an expert info and can return a different value than read above.
+ */
break;
case KIND_DOCUMENT_SEQUENCE: {
gint32 dsi_length;
@@ -808,6 +811,9 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
proto_tree *documents_tree;
proto_tree_add_item(section_tree, hf_mongo_msg_sections_section_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ /* This is redundant with the lengths in the documents, we don't use this
+ * size at all. We could still report an expert info if it's bogus.
+ */
offset += 4;
to_read -= 4;
--
GitLab

158
CVE-2024-4855.patch Normal file
View File

@ -0,0 +1,158 @@
From f6cb547426d1ee5df2038809b5a6f23380edc932 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sat, 20 Apr 2024 13:15:16 +0000
Subject: [PATCH] editcap, libwiretap: Don't use array of initial DSBs after
freeing
wtap_dump_close frees the passed in GArray of initial DSBs, used
by editcap for injecting DSBs from a file or list of files.
Add functions to increment and decrement the reference count of
an array of wtap blocks. Dereference the block of initial DSBs
in wtap_dump_close() instead of freeing it. In editcap, before
closing the dump file in cases where we intend to open a new
file (e.g., with a maximum time value or a maximum packet count),
reference the block.
Fix #19782, #19783, #19784.
(cherry picked from commit be3550b3b138f39bebb87ac0b8490e75fc8cc847)
Co-authored-by: John Thacker <johnthacker@gmail.com>
---
editcap.c | 9 +++++++++
wiretap/file_access.c | 2 +-
wiretap/wtap.h | 3 ++-
wiretap/wtap_opttypes.c | 26 ++++++++++++++++++++++++++
wiretap/wtap_opttypes.h | 23 +++++++++++++++++++++++
5 files changed, 61 insertions(+), 2 deletions(-)
diff --git a/editcap.c b/editcap.c
index 45091e5..50597c5 100644
--- a/editcap.c
+++ b/editcap.c
@@ -1858,6 +1858,10 @@ main(int argc, char *argv[])
}
while (nstime_cmp(&rec->ts, &block_next) > 0) { /* time for the next file */
+ /* We presumably want to write the DSBs from files given
+ * on the command line to every file.
+ */
+ wtap_block_array_ref(params.dsbs_initial);
if (!wtap_dump_close(pdh, &write_err, &write_err_info)) {
cfile_close_failure_message(filename, write_err,
write_err_info);
@@ -1890,6 +1894,11 @@ main(int argc, char *argv[])
if (split_packet_count != 0) {
/* time for the next file? */
if (written_count > 0 && (written_count % split_packet_count) == 0) {
+
+ /* We presumably want to write the DSBs from files given
+ * on the command line to every file.
+ */
+ wtap_block_array_ref(params.dsbs_initial);
if (!wtap_dump_close(pdh, &write_err, &write_err_info)) {
cfile_close_failure_message(filename, write_err,
write_err_info);
diff --git a/wiretap/file_access.c b/wiretap/file_access.c
index ff7a640..50d1fb1 100644
--- a/wiretap/file_access.c
+++ b/wiretap/file_access.c
@@ -2655,7 +2655,7 @@ wtap_dump_close_new_temp(wtap_dumper *wdh, gboolean *needs_reload,
*needs_reload = wdh->needs_reload;
g_free(wdh->priv);
wtap_block_array_free(wdh->interface_data);
- wtap_block_array_free(wdh->dsbs_initial);
+ wtap_block_array_unref(wdh->dsbs_initial);
g_free(wdh);
return ret;
}
diff --git a/wiretap/wtap.h b/wiretap/wtap.h
index d592884..75e4fc6 100644
--- a/wiretap/wtap.h
+++ b/wiretap/wtap.h
@@ -1419,7 +1419,8 @@ typedef struct addrinfo_lists {
* @note The shb_hdr, idb_inf, and nrb_hdr arguments will be used until
* wtap_dump_close() is called, but will not be free'd by the dumper. If
* you created them, you must free them yourself after wtap_dump_close().
- * dsbs_initial will be freed by wtap_dump_close(),
+ * dsbs_initial will be unreferenced by wtap_dump_close(), so to reuse
+ * them for another dump file, call wtap_block_array_ref() before closing.
* dsbs_growing typically refers to another wth->dsbs.
*
* @see wtap_dump_params_init, wtap_dump_params_cleanup.
diff --git a/wiretap/wtap_opttypes.c b/wiretap/wtap_opttypes.c
index 2068743..d4a9602 100644
--- a/wiretap/wtap_opttypes.c
+++ b/wiretap/wtap_opttypes.c
@@ -436,6 +436,32 @@ void wtap_block_array_free(GArray* block_array)
g_array_free(block_array, TRUE);
}
+void wtap_block_array_ref(GArray* block_array)
+{
+ unsigned block;
+
+ if (block_array == NULL)
+ return;
+
+ for (block = 0; block < block_array->len; block++) {
+ wtap_block_ref(g_array_index(block_array, wtap_block_t, block));
+ }
+ g_array_ref(block_array);
+}
+
+void wtap_block_array_unref(GArray* block_array)
+{
+ unsigned block;
+
+ if (block_array == NULL)
+ return;
+
+ for (block = 0; block < block_array->len; block++) {
+ wtap_block_unref(g_array_index(block_array, wtap_block_t, block));
+ }
+ g_array_unref(block_array);
+}
+
/*
* Make a copy of a block.
*/
diff --git a/wiretap/wtap_opttypes.h b/wiretap/wtap_opttypes.h
index 58d3103..5d130c5 100644
--- a/wiretap/wtap_opttypes.h
+++ b/wiretap/wtap_opttypes.h
@@ -572,6 +572,29 @@ wtap_block_unref(wtap_block_t block);
WS_DLL_PUBLIC void
wtap_block_array_free(GArray* block_array);
+/** Decrement the reference count of an array of blocks
+ *
+ * Decrement the reference count of each block in the array
+ * and the GArray itself. Any element whose reference count
+ * drops to 0 will be freed. If the GArray and every block
+ * has a reference count of 1, this is the same as
+ * wtap_block_array_free().
+ *
+ * @param[in] block_array Array of blocks to be dereferenced
+ */
+WS_DLL_PUBLIC void
+wtap_block_array_unref(GArray* block_array);
+
+/** Increment the reference count of an array of blocks
+ *
+ * Increment the reference count of each block in the array
+ * and the GArray itself.
+ *
+ * @param[in] block_array Array of blocks to be referenced
+ */
+WS_DLL_PUBLIC void
+wtap_block_array_ref(GArray* block_array);
+
/** Provide type of a block
*
* @param[in] block Block from which to retrieve mandatory data
--
2.33.0

8
wireshark.spec
View File

@ -5,7 +5,7 @@
Summary: Network traffic analyzer
Name: wireshark
Version: 3.6.14
Release: 8
Release: 9
Epoch: 1
License: GPL+
Url: http://www.wireshark.org/
@ -35,6 +35,9 @@ Patch17: CVE-2024-0208.patch
Patch18: CVE-2024-0209.patch
# https://gitlab.com/wireshark/wireshark/-/commit/28fdce547c417b868c521f87fb58f71ca6b1e3f7
Patch19: CVE-2023-0666.patch
Patch20: CVE-2024-4853.patch
Patch21: CVE-2024-4854.patch
Patch22: CVE-2024-4855.patch
Requires: xdg-utils
Requires: hicolor-icon-theme
@ -209,6 +212,9 @@ exit 0
%{_mandir}/man?/*
%changelog
* Wed May 15 2024 yaoxin <yao_xin001@hoperun.com> - 1:3.6.14-9
- Fix CVE-2024-4853,CVE-2024-4854 and CVE-2024-4855
* Mon Mar 25 2024 yaoxin <yao_xin001@hoperun.com> - 1:3.6.14-8
- Fix CVE-2023-0666