!7 fix CVE-2019-5716 CVE-2019-5717

Merge pull request !7 from gu-gu-gu/gu

CVE-2019-5716.patch

@@ -0,0 +1,45 @@
+From 2b2eea1793dbff813896e1ae9dff1bedb39ee010 Mon Sep 17 00:00:00 2001
+From: Jeff Morriss <jeff.morriss.ws@gmail.com>
+Date: Wed, 2 Jan 2019 16:45:05 -0500
+Subject: [PATCH] 6lowpan: don't try to use (new) TVB that wasn't created.
+
+If the IPHC TVB wasn't created then bail out of dissection before trying
+to use it.
+
+Bug: 15217
+Change-Id: I6e297590cdf86e13b0185f75f1d409888f2498d8
+Reviewed-on: https://code.wireshark.org/review/31308
+Petri-Dish: Jeff Morriss <jeff.morriss.ws@gmail.com>
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Michael Mann <mmann78@netscape.net>
+(cherry picked from commit 62e81562e4e3a33dad705b1b66a3407afbde3242)
+Reviewed-on: https://code.wireshark.org/review/31311
+Petri-Dish: Michael Mann <mmann78@netscape.net>
+Reviewed-by: Anders Broman <a.broman58@gmail.com>
+---
+ epan/dissectors/packet-6lowpan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-6lowpan.c b/epan/dissectors/packet-6lowpan.c
+index 6ac3a63..7daa8e8 100644
+--- a/epan/dissectors/packet-6lowpan.c
++++ b/epan/dissectors/packet-6lowpan.c
+@@ -1218,6 +1218,7 @@ dissect_6lowpan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data
+         next = dissect_6lowpan_6loRH(next, offset, lowpan_tree);
+         if (tvb_get_bits8(next, 0, LOWPAN_PATTERN_IPHC_BITS) == LOWPAN_PATTERN_IPHC) {
+             next = dissect_6lowpan_iphc(next, pinfo, lowpan_tree, -1, src_iid, dst_iid);
++            if (!next) return tvb_captured_length(tvb);
+         }
+         if (tvb_get_bits8(next, 0, LOWPAN_PATTERN_HC1_BITS) == LOWPAN_PATTERN_HC1) {
+             next = dissect_6lowpan_hc1(next, pinfo, lowpan_tree, -1, src_iid, dst_iid);
+@@ -1816,7 +1817,7 @@ dissect_6lowpan_hc1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint dg
+  *      siid            ; Source Interface ID.
+  *      diid            ; Destination Interface ID.
+  *  RETURNS
+- *      tvbuff_t *      ; The remaining payload to be parsed.
++ *      tvbuff_t *      ; The remaining payload to be parsed or NULL on error.
+  *---------------------------------------------------------------
+  */
+ static tvbuff_t *
+-- 
+2.7.4

CVE-2019-5717.patch

@@ -0,0 +1,70 @@
+From bf9272a92f3df1e4ccfaad434e123222ae5313f7 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Stig=20Bj=C3=B8rlykke?= <stig@bjorlykke.org>
+Date: Sun, 9 Dec 2018 21:54:18 +0100
+Subject: [PATCH] p_mul: Detect Data PDU sequence number 0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Data PDU sequence number 0 is illegal, add an expert info for this.
+Don't include this packet in SEQ/ACK analysis.
+
+Bug: 15337
+Change-Id: I476088531e8a3605393ee1dedf1e8b159dac342b
+Reviewed-on: https://code.wireshark.org/review/30980
+Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Anders Broman <a.broman58@gmail.com>
+(cherry picked from commit 3cccd4ec5b922e79afd134db4f0c9acb10bf7202)
+Reviewed-on: https://code.wireshark.org/review/30987
+Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
+---
+ epan/dissectors/packet-p_mul.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-p_mul.c b/epan/dissectors/packet-p_mul.c
+index 35edde7..2dd6f15 100644
+--- a/epan/dissectors/packet-p_mul.c
++++ b/epan/dissectors/packet-p_mul.c
+@@ -163,6 +163,7 @@ static gint ett_msg_fragments = -1;
+ 
+ static expert_field ei_more_data = EI_INIT;
+ static expert_field ei_checksum_bad = EI_INIT;
++static expert_field ei_illegal_seq_no = EI_INIT;
+ static expert_field ei_tot_miss_seq_no = EI_INIT;
+ static expert_field ei_miss_seq_no = EI_INIT;
+ static expert_field ei_analysis_ack_missing = EI_INIT;
+@@ -368,6 +369,11 @@ static p_mul_seq_val *register_p_mul_id (packet_info *pinfo, address *addr, guin
+     return NULL;
+   }
+ 
++  if (pdu_type == Data_PDU && seq_no == 0) {
++    /* Illegal sequence number for Data PDU */
++    return NULL;
++  }
++
+   nstime_set_zero(&addr_time);
+   nstime_set_zero(&prev_time);
+ 
+@@ -877,7 +883,10 @@ static int dissect_p_mul (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, v
+   case Data_PDU:
+     /* Sequence Number of PDUs */
+     seq_no = tvb_get_ntohs (tvb, offset);
+-    proto_tree_add_item (p_mul_tree, hf_seq_no, tvb, offset, 2, ENC_BIG_ENDIAN);
++    en = proto_tree_add_item (p_mul_tree, hf_seq_no, tvb, offset, 2, ENC_BIG_ENDIAN);
++    if (seq_no == 0) {
++      expert_add_info(pinfo, en, &ei_illegal_seq_no);
++    }
+     proto_item_append_text (ti, ", Seq no: %u", seq_no);
+     break;
+ 
+@@ -1548,6 +1557,7 @@ void proto_register_p_mul (void)
+       { &ei_miss_seq_range, { "p_mul.missing_seq_range.invalid", PI_UNDECODED, PI_WARN, "Invalid missing sequence range", EXPFILL }},
+       { &ei_miss_seq_no, { "p_mul.missing_seq_no.invalid", PI_UNDECODED, PI_WARN, "Invalid missing seq number", EXPFILL }},
+       { &ei_tot_miss_seq_no, { "p_mul.no_missing_seq_no.expert", PI_RESPONSE_CODE, PI_NOTE, "Missing seq numbers", EXPFILL }},
++      { &ei_illegal_seq_no, { "p_mul.seq_no.illegal", PI_PROTOCOL, PI_WARN, "Illegal seq number", EXPFILL }},
+       { &ei_length, { "p_mul.length.invalid", PI_MALFORMED, PI_WARN, "Incorrect length field", EXPFILL }},
+       { &ei_more_data, { "p_mul.more_data", PI_MALFORMED, PI_WARN, "More data in packet", EXPFILL }},
+   };
+-- 
+2.7.4

wireshark.spec

@@ -1,6 +1,6 @@
 Name:           wireshark
 Version:        2.6.2
-Release:        4
+Release:        5
 Epoch:          1
 Summary:        Network traffic analyzer
 License:        GPL+
@@ -33,6 +33,8 @@ Patch6018:      CVE-2019-10899.patch
 Patch6019:      CVE-2019-10901.patch
 Patch6020:      CVE-2019-10903.patch
 Patch6021:      CVE-2019-10895.patch
+Patch6022:      CVE-2019-5716.patch
+Patch6023:      CVE-2019-5717.patch
 
 Requires(pre):  shadow-utils
 Requires(post): systemd-udev
@@ -139,6 +141,12 @@ getent group usbmon >/dev/null || groupadd -r usbmon
 %{_mandir}/man?/*
 
 %changelog
+* Sun Feb 2 2020 gulining<gulining1@huawei.com> - 2.2.2-5
+- Type:cves
+- ID: CVE-2019-5716 CVE-2019-5717
+- SUG:restart
+- DESC: fix CVE-2019-5716 CVE-2019-5717
+
 * Wed Dec 25 2019 gulining <gulining1@huawei.com> - 2.6.2-4
 - Type:cves
 - ID: CVE-2019-10894 CVE-2019-10896 CVE-2019-10899 CVE-2019-10901 CVE-2019-10903 CVE-2019-10895