From bd7bf7f8c23b203dbe5dd56770787eb87a65b783f87def3c4210a4428747e2ed Mon Sep 17 00:00:00 2001
From: Chunyan Liu
Date: Wed, 20 Jul 2011 03:05:04 +0000
Subject: [PATCH 1/3] Accepting request 76454 from home:cyliu:branches:network:utilities fix bnc#697516 OBS-URL: https://build.opensuse.org/request/show/76454 OBS-URL: https://build.opensuse.org/package/show/network:utilities/wireshark?expand=0&rev=42
---
wireshark-1.2.17-CVE-2011-1957.patch | 24 +++++++++++++++++++++++
wireshark-1.2.17-CVE-2011-1958.patch | 29 ++++++++++++++++++++++++++++
wireshark-1.2.17-CVE-2011-1959.patch | 19 ++++++++++++++++++
wireshark-1.2.17-CVE-2011-2174.patch | 13 +++++++++++++
wireshark-1.2.17-CVE-2011-2175.patch | 18 +++++++++++++++++
wireshark.changes | 11 +++++++++++
wireshark.spec | 10 ++++++++++
7 files changed, 124 insertions(+)
create mode 100644 wireshark-1.2.17-CVE-2011-1957.patch
create mode 100644 wireshark-1.2.17-CVE-2011-1958.patch
create mode 100644 wireshark-1.2.17-CVE-2011-1959.patch
create mode 100644 wireshark-1.2.17-CVE-2011-2174.patch
create mode 100644 wireshark-1.2.17-CVE-2011-2175.patch
diff --git a/wireshark-1.2.17-CVE-2011-1957.patch b/wireshark-1.2.17-CVE-2011-1957.patch
new file mode 100644
index 0000000..37ef2bf
--- /dev/null
+++ b/wireshark-1.2.17-CVE-2011-1957.patch
@@ -0,0 +1,24 @@ +--- trunk/epan/dissectors/packet-dcm.c 2011/04/30 08:36:00 36957 ++++ trunk/epan/dissectors/packet-dcm.c 2011/04/30 17:43:05 36958 +@@ -6519,6 +6519,7 @@ + + /* Process all PDUs in the buffer */ + while (pdu_start < tlen) { ++ guint32 old_pdu_start; + + if ((pdu_len+6) > (tlen-offset)) { + +@@ -6539,7 +6540,13 @@ + offset=dissect_dcm_pdu(tvb, pinfo, tree, pdu_start); + + /* Next PDU */ ++ old_pdu_start = pdu_start; + pdu_start = pdu_start + pdu_len + 6; ++ if (pdu_start <= old_pdu_start) { ++ expert_add_info_format(pinfo, NULL, PI_MALFORMED, PI_ERROR, ++ "Invalid PDU length (%u)", pdu_len); ++ THROW(ReportedBoundsError); ++ } + + if (pdu_start < tlen - 6) { + /* we got at least 6 bytes of the next PDU still in the buffer */ diff --git a/wireshark-1.2.17-CVE-2011-1958.patch b/wireshark-1.2.17-CVE-2011-1958.patch new file mode 100644 index 0000000..ed7a6af --- /dev/null +++ b/wireshark-1.2.17-CVE-2011-1958.patch @@ -0,0 +1,29 @@ +--- trunk/epan/diam_dict.l 2011/05/06 15:05:51 37010 ++++ trunk/epan/diam_dict.l 2011/05/06 19:39:47 37011 +@@ -269,9 +269,6 @@ + yyterminate(); + } + +- include_stack[include_stack_ptr++] = YY_CURRENT_BUFFER; +- +- + for (e = ents.next; e; e = e->next) { + if (strcmp(e->name,yytext) == 0) { + yyin = ddict_open(sys_dir,e->file); +@@ -282,6 +279,7 @@ + yyterminate(); + } + } else { ++ include_stack[include_stack_ptr++] = YY_CURRENT_BUFFER; + yy_switch_to_buffer(yy_create_buffer( yyin, YY_BUF_SIZE ) ); + BEGIN LOADING; + } +@@ -290,7 +288,7 @@ + } + + if (!e) { +- fprintf(stderr, "Could not find entity: '%s'", e->name ); ++ fprintf(stderr, "Could not find entity: '%s'\n", yytext ); + yyterminate(); + } + diff --git a/wireshark-1.2.17-CVE-2011-1959.patch b/wireshark-1.2.17-CVE-2011-1959.patch new file mode 100644 index 0000000..e5892cd --- /dev/null +++ b/wireshark-1.2.17-CVE-2011-1959.patch 
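Review bot: In the packet-dcm.c patch, the new wrap guard in the "Next PDU" step runs only after `dissect_dcm_pdu()` has already been called for that PDU, and the earlier test `(pdu_len+6) > (tlen-offset)` can itself wrap when `pdu_len` is within 6 of the 32-bit maximum (assuming `pdu_len` is a guint32, as the `%u` format suggests; its declaration is outside the hunk). Rejecting the length before any addition, for example `if (pdu_len > G_MAXUINT32 - 6 - pdu_start) THROW(ReportedBoundsError);` at the top of the loop body, would keep both computations from using a wrapped value. The expert info is also added with a NULL item, so it is not attached to a tree node; passing the PDU's item, if one exists at that point, would make the error visible in the packet details. The loop belongs to a function that starts and ends outside the hunk.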
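Review bot: In the diam_dict.l patch, the push `include_stack[include_stack_ptr++] = YY_CURRENT_BUFFER;` now sits in the `else` branch with no depth test visible beside it; the `yyterminate()` at the top of the first inner hunk may belong to such a test, but its condition is outside the hunk. Because the dictionary file decides how deeply entity includes nest, it is worth confirming that the index is compared with the array size on every path that reaches this line. Once confirmed, a comment at the push such as `/* push only after the entity file opened; depth is checked above */` would record the dependency that the move relies on.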
@@ -0,0 +1,19 @@ +--- trunk/wiretap/snoop.c 2011/05/11 20:40:14 37067 ++++ trunk/wiretap/snoop.c 2011/05/11 22:36:59 37068 +@@ -473,6 +473,16 @@ + rec_size = g_ntohl(hdr.rec_len); + orig_size = g_ntohl(hdr.orig_len); + packet_size = g_ntohl(hdr.incl_len); ++ if (orig_size > WTAP_MAX_PACKET_SIZE) { ++ /* ++ * Probably a corrupt capture file; don't blow up trying ++ * to allocate space for an immensely-large packet. ++ */ ++ *err = WTAP_ERR_BAD_RECORD; ++ *err_info = g_strdup_printf("snoop: File has %u-byte original length, bigger than maximum of %u", ++ orig_size, WTAP_MAX_PACKET_SIZE); ++ return FALSE; ++ } + if (packet_size > WTAP_MAX_PACKET_SIZE) { + /* + * Probably a corrupt capture file; don't blow up trying diff --git a/wireshark-1.2.17-CVE-2011-2174.patch b/wireshark-1.2.17-CVE-2011-2174.patch new file mode 100644 index 0000000..c9d7c6c --- /dev/null +++ b/wireshark-1.2.17-CVE-2011-2174.patch @@ -0,0 +1,13 @@ +--- trunk/epan/tvbuff.c 2011/05/12 15:48:51 37080 ++++ trunk/epan/tvbuff.c 2011/05/12 16:31:42 37081 +@@ -3425,9 +3425,9 @@ + inflateEnd(strm); + g_free(strm); + g_free(strmbuf); +- g_free(compr); + + if (uncompr == NULL) { ++ g_free(compr); + return NULL; + } + diff --git a/wireshark-1.2.17-CVE-2011-2175.patch b/wireshark-1.2.17-CVE-2011-2175.patch new file mode 100644 index 0000000..c523e38 --- /dev/null +++ b/wireshark-1.2.17-CVE-2011-2175.patch @@ -0,0 +1,18 @@ +--- trunk/wiretap/visual.c 2011/05/13 17:05:05 37127 ++++ trunk/wiretap/visual.c 2011/05/13 17:12:44 37128 +@@ -420,6 +420,15 @@ + break; + } + ++ if (wth->phdr.len > WTAP_MAX_PACKET_SIZE) { ++ /* Check if wth->phdr.len is sane, small values of wth.phdr.len before ++ the case loop above can cause integer underflows */ ++ *err = WTAP_ERR_BAD_RECORD; ++ *err_info = g_strdup_printf("visual: File has %u-byte original packet, bigger than maximum of %u", ++ wth->phdr.len, WTAP_MAX_PACKET_SIZE); ++ return FALSE; ++ } ++ + /* Sanity check */ + if (wth->phdr.len < wth->phdr.caplen) + { 
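Review bot: In the snoop.c patch, `rec_size` is converted from the header alongside the other two lengths, but nothing in the visible code bounds it or relates it to `packet_size`; only `orig_size` and `packet_size` are compared with WTAP_MAX_PACKET_SIZE. If later code (outside the hunk) derives a padding or skip count from `rec_size`, a record length smaller than the header plus `packet_size` would make that subtraction wrap, so a test such as `if (rec_size < sizeof hdr + packet_size)` returning WTAP_ERR_BAD_RECORD belongs next to these two. The comment copied onto the new `orig_size` test speaks of allocating space, which the hunk does not show being sized from `orig_size`; if it is only reported, the comment should say that an absurd original length marks the record as corrupt rather than repeat the allocation wording.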
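Review bot: In the tvbuff.c patch, with `g_free(compr)` moved inside the `uncompr == NULL` branch, the success path leaves this point with `compr` still allocated and its release is not visible in the hunk. Every return after this point therefore has to free `compr` exactly once, or the buffer leaks for each successfully inflated tvb; the remainder of the function is outside the hunk, so this needs checking against the full file. If the move was made because `compr` is still read further down, a comment at the later free saying so, e.g. `/* compr is needed until here; freed exactly once on the success path */`, would state the ownership rule the fix depends on.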
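Review bot: In the visual.c patch, the added comment names `wth.phdr.len` and a "case loop" where the code uses `wth->phdr.len` and, by the look of the `break;` context, a `switch`, and it does not say that the test works by catching the already-wrapped value. Suggested wording: `/* A too-small length underflows in the switch above and wraps to a huge value; reject it here. */`. Comparing the length with the per-encapsulation overhead before subtracting, inside the switch (outside this hunk), would avoid depending on the wraparound at all.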
diff --git a/wireshark.changes b/wireshark.changes index 334217b..c1e3789 100644 --- a/wireshark.changes +++ b/wireshark.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Mon Jul 18 07:43:08 UTC 2011 - cyliu@novell.com + +- security fixes [#bnc 697516] + * CVE-2011-1957: Large/infinite loop in the DICOM dissector + * CVE-2011-1959: A corrupted snoop file could crash Wireshark + * CVE-2011-2174: Malformed compressed capture data could crash Wireshark + * CVE-2011-2175: A corrupted Visual Networks file could crash Wireshark + * CVE-2011-1958: dereferene a NULL pointer if we had a corrupted Diameter + dictionary + ------------------------------------------------------------------- Tue May 24 16:40:30 CEST 2011 - dimstar@opensuse.org diff --git a/wireshark.spec b/wireshark.spec index 1c9d4f0..b04ac5e 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -38,6 +38,11 @@ Patch3: %{name}-corosync-packet-dissector.patch Patch4: %{name}-1.2.4-enable_lua.patch # PATCH-FEATURE-OPENSUSE wireshark-nfsv4-opts.patch -- add NFSv4 options Patch5: %{name}-nfsv4-opts.patch +Patch6: %{name}-1.2.17-CVE-2011-1957.patch +Patch7: %{name}-1.2.17-CVE-2011-1959.patch +Patch8: %{name}-1.2.17-CVE-2011-2174.patch +Patch9: %{name}-1.2.17-CVE-2011-2175.patch +Patch10: %{name}-1.2.17-CVE-2011-1958.patch BuildRequires: bison BuildRequires: cairo-devel BuildRequires: flex @@ -100,6 +105,11 @@ view the reconstructed stream of a TCP session. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 sed -i 's/^Icon=wireshark.png$/Icon=wireshark/' wireshark.desktop # run as root on 11.3 and older - bnc#349782 From 429cb1351724b0f68d01965584cc98e8c5e8dedc3b763beaf964439296c2f279 Mon Sep 17 00:00:00 2001 
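Review bot: The new `Patch6` to `Patch10` lines in wireshark.spec carry no tag comment, while the neighbouring `Patch5` is preceded by `# PATCH-FEATURE-OPENSUSE wireshark-nfsv4-opts.patch -- add NFSv4 options`. A line such as `# PATCH-FIX-UPSTREAM wireshark-1.2.17-CVE-2011-1957.patch bnc#697516 -- DICOM dissector loop` above each entry would record origin and bug reference, which matters on the next version update when deciding which security backports can be dropped. The same applies to `Patch11`/`Patch12` and `Patch13` to `Patch15` in the two later commits. The entries are also not in CVE order (`Patch10` is CVE-2011-1958), which is harmless but makes the list harder to compare with the changelog.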
From: Chunyan Liu
Date: Thu, 18 Aug 2011 09:12:15 +0000
Subject: [PATCH 2/3] Accepting request 79207 from home:cyliu:branches:network:utilities security fixes (#bnc 706728) OBS-URL: https://build.opensuse.org/request/show/79207 OBS-URL: https://build.opensuse.org/package/show/network:utilities/wireshark?expand=0&rev=43
---
wireshark-1.4.8-CVE-2011-2597.patch | 120 ++++++++++++++++++++++++++++
wireshark-1.4.8-CVE-2011-2698.patch | 15 ++++
wireshark.changes | 7 ++
wireshark.spec | 4 +
4 files changed, 146 insertions(+)
create mode 100644 wireshark-1.4.8-CVE-2011-2597.patch
create mode 100644 wireshark-1.4.8-CVE-2011-2698.patch
diff --git a/wireshark-1.4.8-CVE-2011-2597.patch b/wireshark-1.4.8-CVE-2011-2597.patch
new file mode 100644
index 0000000..a3e69f9
--- /dev/null
+++ b/wireshark-1.4.8-CVE-2011-2597.patch
@@ -0,0 +1,120 @@ +--- trunk/wiretap/ascend_scanner.l 2011/06/08 18:26:50 37624 ++++ trunk/wiretap/ascend_scanner.l 2011/06/08 20:58:44 37625 +@@ -16,17 +16,17 @@ + * + * Wiretap Library + * Copyright (c) 1998 by Gilbert Ramirez +- * ++ * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. +- * ++ * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. +- * ++ * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +@@ -55,7 +55,7 @@ + extern char *ascend_ra_ptr; + extern char *ascend_ra_last; + #define YY_INPUT(buf,result,max_size) { int c = file_getc(yy_fh); \ +-result = (c==EOF) ? YY_NULL : (buf[0] = c, 1); } ++result = (c==EOF) ? 
YY_NULL : (buf[0] = c, 1); } + + int at_eof; + int mul, scratch; +@@ -159,17 +159,17 @@ + return WDS_PREFIX; + } + +-[^\(]+ { ++[^\(]{2,20} { + BEGIN(sc_gen_task); +- return STRING; ++ return STRING; + } + +-[^\/\(:]+ { ++[^\/\(:]{2,20} { + BEGIN(sc_gen_task); + return DECNUM; + } + +-[^:]+ { ++[^:]{2,20} { + char *atcopy = g_strdup(ascendtext); + char colon = input(); + char after = input(); +@@ -200,7 +200,7 @@ + return DECNUM; + } + +-(0x|0X)?{H}+ { ++(0x|0X)?{H}{2,8} { + BEGIN(sc_gen_time_s); + ascendlval.d = strtoul(ascendtext, NULL, 16); + return HEXNUM; +@@ -210,13 +210,13 @@ + return STRING; + } + +-{D}+ { ++{D}{1,10} { + BEGIN(sc_gen_time_u); + ascendlval.d = strtol(ascendtext, NULL, 10); + return DECNUM; + } + +-{D}+ { ++{D}{1,6} { + char *atcopy = g_strdup(ascendtext); + BEGIN(sc_gen_octets); + /* only want the most significant 2 digits. convert to usecs */ +@@ -227,7 +227,7 @@ + return DECNUM; + } + +-{D}+ { ++{D}{1,10} { + BEGIN(sc_gen_counter); + ascendlval.d = strtol(ascendtext, NULL, 10); + return DECNUM; +@@ -243,11 +243,11 @@ + return HEXBYTE; + } + +-" "{4} { ++" "{4} { + BEGIN(sc_chardisp); + } + +-.* { ++.* { + BEGIN(sc_gen_byte); + } + +@@ -315,7 +315,7 @@ + return WDD_CHUNK; + } + +-{H}+ { ++{H}{1,8} { + BEGIN(sc_wdd_type); + ascendlval.d = strtoul(ascendtext, NULL, 16); + return HEXNUM; +@@ -349,7 +349,7 @@ + + /* + * We want to stop processing when we get to the end of the input. +- * (%option noyywrap is not used because if used then ++ * (%option noyywrap is not used because if used then + * some flex versions (eg: 2.5.35) generate code which causes + * warnings by the Windows VC compiler). + */ diff --git a/wireshark-1.4.8-CVE-2011-2698.patch b/wireshark-1.4.8-CVE-2011-2698.patch new file mode 100644 index 0000000..44f4627 --- /dev/null +++ b/wireshark-1.4.8-CVE-2011-2698.patch 
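Review bot: In the ascend_scanner.l patch, the decimal rules are capped at `{D}{1,10}`, but ten digits still admit values up to 9999999999, above both INT_MAX and UINT32_MAX, and the result of `strtol(ascendtext, NULL, 10)` is stored in `ascendlval.d` with no range or `errno` check. Whether that truncates depends on the type of `d`, which is declared outside this file; if it is 32 bits wide, `{D}{1,9}` or an explicit upper-bound test after the conversion would close the gap. The patch also mixes trailing-whitespace clean-up in the licence header and comments with the pattern changes, which makes the security-relevant lines harder to pick out when auditing the backport; carrying only the pattern edits would be easier to review.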
@@ -0,0 +1,15 @@ +--- trunk/epan/dissectors/packet-ansi_a.c 2011/07/07 13:57:08 37929 ++++ trunk/epan/dissectors/packet-ansi_a.c 2011/07/07 16:37:33 37930 +@@ -2682,10 +2682,10 @@ + break; + + default: +- proto_tree_add_text(tree, tvb, curr_offset, len - 1, ++ proto_tree_add_text(tree, tvb, curr_offset, len, + "Cell ID - Non IOS format"); + +- curr_offset += (len - 1); ++ curr_offset += len; + break; + } + diff --git a/wireshark.changes b/wireshark.changes index c1e3789..0745ff0 100644 --- a/wireshark.changes +++ b/wireshark.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Aug 10 06:25:28 UTC 2011 - cyliu@novell.com + +- security fixes (#bnc 706728) + * CVE-2011-2597: Lucent/Ascend file parser susceptible to infinite loop + * CVE-2011-2698: ANSI MAP dissector susceptible to infinite loop + ------------------------------------------------------------------- Mon Jul 18 07:43:08 UTC 2011 - cyliu@novell.com diff --git a/wireshark.spec b/wireshark.spec index b04ac5e..8254de9 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -43,6 +43,8 @@ Patch7: %{name}-1.2.17-CVE-2011-1959.patch Patch8: %{name}-1.2.17-CVE-2011-2174.patch Patch9: %{name}-1.2.17-CVE-2011-2175.patch Patch10: %{name}-1.2.17-CVE-2011-1958.patch +Patch11: %{name}-1.4.8-CVE-2011-2597.patch +Patch12: %{name}-1.4.8-CVE-2011-2698.patch BuildRequires: bison BuildRequires: cairo-devel BuildRequires: flex @@ -110,6 +112,8 @@ view the reconstructed stream of a TCP session. %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 sed -i 's/^Icon=wireshark.png$/Icon=wireshark/' wireshark.desktop # run as root on 11.3 and older - bnc#349782 From c87cef8c949017e6e8a9b671d25d5608da917e2272845e5f84d96741ef580597 Mon Sep 17 00:00:00 2001 
From: Pavol Rusnak Date: Tue, 11 Oct 2011 15:51:00 +0000 Subject: [PATCH 3/3] Accepting request 87344 from home:cyliu:branches:network:utilities - security fixes (#bnc 718032) * CVE-2011-3266: Wireshark IKE dissector vulnerability * CVE-2011-3360: Wireshark Lua script execution vulnerability * CVE-2011-3483: Wireshark buffer exception handling vulnerability OBS-URL: https://build.opensuse.org/request/show/87344 OBS-URL: https://build.opensuse.org/package/show/network:utilities/wireshark?expand=0&rev=44 --- wireshark-1.6.2-CVE-2011-3266.patch | 19 +++++++++++++++++++ wireshark-1.6.2-CVE-2011-3360.patch | 10 ++++++++++ wireshark-1.6.2-CVE-2011-3483.patch | 12 ++++++++++++ wireshark.changes | 8 ++++++++ wireshark.spec | 6 ++++++ 5 files changed, 55 insertions(+) create mode 100644 wireshark-1.6.2-CVE-2011-3266.patch create mode 100644 wireshark-1.6.2-CVE-2011-3360.patch create mode 100644 wireshark-1.6.2-CVE-2011-3483.patch diff --git a/wireshark-1.6.2-CVE-2011-3266.patch b/wireshark-1.6.2-CVE-2011-3266.patch new file mode 100644 index 0000000..c583a45 --- /dev/null +++ b/wireshark-1.6.2-CVE-2011-3266.patch @@ -0,0 +1,19 @@ +--- trunk/epan/dissectors/packet-isakmp.c 2011/07/28 18:17:16 38246 ++++ trunk/epan/dissectors/packet-isakmp.c 2011/07/28 22:19:46 38247 +@@ -3880,12 +3880,13 @@ + offset += 2; + length -= 2; + +- +- while (length > 0) { ++ if (spi_size > 0) { ++ while (length > 0) { + proto_tree_add_item(tree, hf_isakmp_delete_spi, tvb, offset, spi_size, FALSE); + offset+=spi_size; + length-=spi_size; +- } ++ } ++ } + } + + diff --git a/wireshark-1.6.2-CVE-2011-3360.patch b/wireshark-1.6.2-CVE-2011-3360.patch new file mode 100644 index 0000000..28b5a6a --- /dev/null +++ b/wireshark-1.6.2-CVE-2011-3360.patch 
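Review bot: In the packet-isakmp.c patch, the new `if (spi_size > 0)` guard stops the zero-step loop, but the condition `while (length > 0)` still assumes `length` is an exact multiple of `spi_size`. If `length` is unsigned (its declaration is outside the hunk), a remainder makes `length-=spi_size` wrap and the loop continues until the tvb bounds check throws; if it is signed, the last `proto_tree_add_item` still asks for `spi_size` bytes when fewer remain. Using `while (length >= spi_size)` would end the loop cleanly in both cases and makes the separate guard against a zero size the only special case left.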
@@ -0,0 +1,10 @@ +--- trunk/epan/wslua/template-init.lua 2011/08/08 17:59:32 38413 ++++ trunk/epan/wslua/template-init.lua 2011/08/08 19:10:19 38414 +@@ -73,5 +73,5 @@ + DATA_DIR = datafile_path() + USER_DIR = persconffile_path() + +-dofile("console.lua") +---dofile("dtd_gen.lua") ++dofile(DATA_DIR.."console.lua") ++--dofile(DATA_DIR.."dtd_gen.lua") diff --git a/wireshark-1.6.2-CVE-2011-3483.patch b/wireshark-1.6.2-CVE-2011-3483.patch new file mode 100644 index 0000000..75a8efb --- /dev/null +++ b/wireshark-1.6.2-CVE-2011-3483.patch @@ -0,0 +1,12 @@ +Index: wireshark-1.4.4/epan/packet.c +=================================================================== +--- wireshark-1.4.4.orig/epan/packet.c ++++ wireshark-1.4.4/epan/packet.c +@@ -321,6 +321,7 @@ dissect_packet(epan_dissect_t *edt, unio + edt->pi.annex_a_used = MTP2_ANNEX_A_USED_UNKNOWN; + edt->pi.dcerpc_procedure_name=""; + edt->pi.link_dir = LINK_DIR_UNKNOWN; ++ edt->tvb = NULL; + + /* to enable decode as for ethertype=0x0000 (fix for bug 4721) */ + edt->pi.ethertype = G_MAXINT; diff --git a/wireshark.changes b/wireshark.changes index 0745ff0..9b95651 100644 --- a/wireshark.changes +++ b/wireshark.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Sep 26 14:07:31 CST 2011 - cyliu@novell.com + +- security fixes (#bnc 718032) + * CVE-2011-3266: Wireshark IKE dissector vulnerability + * CVE-2011-3360: Wireshark Lua script execution vulnerability + * CVE-2011-3483: Wireshark buffer exception handling vulnerability + ------------------------------------------------------------------- Wed Aug 10 06:25:28 UTC 2011 - cyliu@novell.com diff --git a/wireshark.spec b/wireshark.spec index 8254de9..b935190 100644 --- a/wireshark.spec +++ b/wireshark.spec 
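Review bot: In the template-init.lua patch, `dofile(DATA_DIR.."console.lua")` joins directory and file name by plain concatenation, so it loads the intended file only if `datafile_path()` returns a string that ends in a path separator; that function is defined outside this file. If a trailing separator is not guaranteed, the call would look for a file named after the directory with `console.lua` appended, so this is worth confirming or replacing with an explicit separator. A comment above the call would keep the reason for the change next to the code, e.g. `-- load from the data directory; a bare name resolves against the current directory`.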
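Review bot: In the packet.c patch, `edt->tvb = NULL;` is added among the `edt->pi.*` initialisers without a comment, so the reason for it is not visible where it is set. Presumably it gives code that inspects `edt->tvb` after an exception a defined value; that only helps if those consumers test for NULL, and they are outside the hunk. If that reading is right, a comment such as `/* defined value for cleanup if an exception is thrown before the tvb is created */` would document it. The embedded header names `wireshark-1.4.4/epan/packet.c` while the file is called wireshark-1.6.2-CVE-2011-3483.patch, so it is worth checking that the hunk applies to the packaged version without fuzz.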
@@ -45,6 +45,9 @@ Patch9: %{name}-1.2.17-CVE-2011-2175.patch Patch10: %{name}-1.2.17-CVE-2011-1958.patch Patch11: %{name}-1.4.8-CVE-2011-2597.patch Patch12: %{name}-1.4.8-CVE-2011-2698.patch +Patch13: %{name}-1.6.2-CVE-2011-3266.patch +Patch14: %{name}-1.6.2-CVE-2011-3360.patch +Patch15: %{name}-1.6.2-CVE-2011-3483.patch BuildRequires: bison BuildRequires: cairo-devel BuildRequires: flex @@ -114,6 +117,9 @@ view the reconstructed stream of a TCP session. %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 sed -i 's/^Icon=wireshark.png$/Icon=wireshark/' wireshark.desktop # run as root on 11.3 and older - bnc#349782