Accepting request 87415 from network:utilities

- security fixes (#bnc 718032)
  * CVE-2011-3266: Wireshark IKE dissector vulnerability
  * CVE-2011-3360: Wireshark Lua script execution vulnerability
  * CVE-2011-3483: Wireshark buffer exception handling vulnerability (forwarded request 87344 from cyliu)

OBS-URL: https://build.opensuse.org/request/show/87415
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/wireshark?expand=0&rev=44

wireshark-1.2.17-CVE-2011-1957.patch

@@ -0,0 +1,24 @@
+--- trunk/epan/dissectors/packet-dcm.c	2011/04/30 08:36:00	36957
++++ trunk/epan/dissectors/packet-dcm.c	2011/04/30 17:43:05	36958
+@@ -6519,6 +6519,7 @@
+ 
+      /* Process all PDUs in the buffer */
+     while (pdu_start < tlen) {
++	guint32 old_pdu_start;
+ 
+ 	if ((pdu_len+6) > (tlen-offset)) {
+ 
+@@ -6539,7 +6540,13 @@
+ 	offset=dissect_dcm_pdu(tvb, pinfo, tree, pdu_start);
+ 
+ 	/* Next PDU */
++	old_pdu_start = pdu_start;
+ 	pdu_start =  pdu_start + pdu_len + 6;
++	if (pdu_start <= old_pdu_start) {
++	    expert_add_info_format(pinfo, NULL, PI_MALFORMED, PI_ERROR,
++		"Invalid PDU length (%u)", pdu_len);
++	    THROW(ReportedBoundsError);
++	}
+ 
+ 	if (pdu_start < tlen - 6) {
+ 	    /* we got at least 6 bytes of the next PDU still in the buffer */

wireshark-1.2.17-CVE-2011-1958.patch

@@ -0,0 +1,29 @@
+--- trunk/epan/diam_dict.l	2011/05/06 15:05:51	37010
++++ trunk/epan/diam_dict.l	2011/05/06 19:39:47	37011
+@@ -269,9 +269,6 @@
+ 		yyterminate();
+ 	}
+ 
+-	include_stack[include_stack_ptr++] = YY_CURRENT_BUFFER;
+-
+-
+ 	for (e = ents.next; e; e = e->next) {
+ 		if (strcmp(e->name,yytext) == 0) {
+ 			yyin = ddict_open(sys_dir,e->file);
+@@ -282,6 +279,7 @@
+ 					yyterminate();
+ 				}
+ 			} else {
++				include_stack[include_stack_ptr++] = YY_CURRENT_BUFFER;
+ 				yy_switch_to_buffer(yy_create_buffer( yyin, YY_BUF_SIZE ) );
+ 				BEGIN LOADING;
+ 			}
+@@ -290,7 +288,7 @@
+ 	}
+ 
+ 	if (!e) {
+-		fprintf(stderr, "Could not find entity: '%s'", e->name );
++		fprintf(stderr, "Could not find entity: '%s'\n", yytext );
+ 		yyterminate();
+ 	}
+

wireshark-1.2.17-CVE-2011-1959.patch

@@ -0,0 +1,19 @@
+--- trunk/wiretap/snoop.c	2011/05/11 20:40:14	37067
++++ trunk/wiretap/snoop.c	2011/05/11 22:36:59	37068
+@@ -473,6 +473,16 @@
+ 	rec_size = g_ntohl(hdr.rec_len);
+ 	orig_size = g_ntohl(hdr.orig_len);
+ 	packet_size = g_ntohl(hdr.incl_len);
++	if (orig_size > WTAP_MAX_PACKET_SIZE) {
++		/*
++		 * Probably a corrupt capture file; don't blow up trying
++		 * to allocate space for an immensely-large packet.
++		 */
++		*err = WTAP_ERR_BAD_RECORD;
++		*err_info = g_strdup_printf("snoop: File has %u-byte original length, bigger than maximum of %u",
++		    orig_size, WTAP_MAX_PACKET_SIZE);
++		return FALSE;
++	}
+ 	if (packet_size > WTAP_MAX_PACKET_SIZE) {
+ 		/*
+ 		 * Probably a corrupt capture file; don't blow up trying

wireshark-1.2.17-CVE-2011-2174.patch

@@ -0,0 +1,13 @@
+--- trunk/epan/tvbuff.c	2011/05/12 15:48:51	37080
++++ trunk/epan/tvbuff.c	2011/05/12 16:31:42	37081
+@@ -3425,9 +3425,9 @@
+ 			inflateEnd(strm);
+ 			g_free(strm);
+ 			g_free(strmbuf);
+-			g_free(compr);
+ 
+ 			if (uncompr == NULL) {
++				g_free(compr);
+ 				return NULL;
+ 			}
+ 

wireshark-1.2.17-CVE-2011-2175.patch

@@ -0,0 +1,18 @@
+--- trunk/wiretap/visual.c	2011/05/13 17:05:05	37127
++++ trunk/wiretap/visual.c	2011/05/13 17:12:44	37128
+@@ -420,6 +420,15 @@
+        break;
+     }
+ 
++    if (wth->phdr.len > WTAP_MAX_PACKET_SIZE) {
++    /* Check if wth->phdr.len is sane, small values of wth.phdr.len before
++       the case loop above can cause integer underflows */ 
++        *err = WTAP_ERR_BAD_RECORD;
++        *err_info = g_strdup_printf("visual: File has %u-byte original packet, bigger than maximum of %u",
++                    wth->phdr.len, WTAP_MAX_PACKET_SIZE);
++        return FALSE;
++    }
++
+     /* Sanity check */
+     if (wth->phdr.len < wth->phdr.caplen)
+     {

wireshark-1.4.8-CVE-2011-2597.patch

@@ -0,0 +1,120 @@
+--- trunk/wiretap/ascend_scanner.l	2011/06/08 18:26:50	37624
++++ trunk/wiretap/ascend_scanner.l	2011/06/08 20:58:44	37625
+@@ -16,17 +16,17 @@
+  *
+  * Wiretap Library
+  * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
+- * 
++ *
+  * This program is free software; you can redistribute it and/or
+  * modify it under the terms of the GNU General Public License
+  * as published by the Free Software Foundation; either version 2
+  * of the License, or (at your option) any later version.
+- * 
++ *
+  * This program is distributed in the hope that it will be useful,
+  * but WITHOUT ANY WARRANTY; without even the implied warranty of
+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  * GNU General Public License for more details.
+- * 
++ *
+  * You should have received a copy of the GNU General Public License
+  * along with this program; if not, write to the Free Software
+  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+@@ -55,7 +55,7 @@
+ extern char *ascend_ra_ptr;
+ extern char *ascend_ra_last;
+ #define YY_INPUT(buf,result,max_size) { int c = file_getc(yy_fh);  \
+-result = (c==EOF) ? YY_NULL : (buf[0] = c, 1); } 
++result = (c==EOF) ? YY_NULL : (buf[0] = c, 1); }
+ 
+ int at_eof;
+ int mul, scratch;
+@@ -159,17 +159,17 @@
+   return WDS_PREFIX;
+ }
+ 
+-<sc_ether_direction>[^\(]+ {
++<sc_ether_direction>[^\(]{2,20} {
+   BEGIN(sc_gen_task);
+-  return STRING; 
++  return STRING;
+ }
+ 
+-<sc_isdn_call>[^\/\(:]+ {
++<sc_isdn_call>[^\/\(:]{2,20} {
+   BEGIN(sc_gen_task);
+   return DECNUM;
+ }
+ 
+-<sc_wds_user>[^:]+ {
++<sc_wds_user>[^:]{2,20} {
+   char *atcopy = g_strdup(ascendtext);
+   char colon = input();
+   char after = input();
+@@ -200,7 +200,7 @@
+   return DECNUM;
+ }
+ 
+-<sc_gen_task>(0x|0X)?{H}+ {
++<sc_gen_task>(0x|0X)?{H}{2,8} {
+   BEGIN(sc_gen_time_s);
+   ascendlval.d = strtoul(ascendtext, NULL, 16);
+   return HEXNUM;
+@@ -210,13 +210,13 @@
+   return STRING;
+ }
+ 
+-<sc_gen_time_s>{D}+ {
++<sc_gen_time_s>{D}{1,10} {
+   BEGIN(sc_gen_time_u);
+   ascendlval.d = strtol(ascendtext, NULL, 10);
+   return DECNUM;
+ }
+ 
+-<sc_gen_time_u>{D}+ {
++<sc_gen_time_u>{D}{1,6} {
+   char *atcopy = g_strdup(ascendtext);
+   BEGIN(sc_gen_octets);
+   /* only want the most significant 2 digits. convert to usecs */
+@@ -227,7 +227,7 @@
+   return DECNUM;
+ }
+ 
+-<sc_gen_octets>{D}+ {
++<sc_gen_octets>{D}{1,10} {
+   BEGIN(sc_gen_counter);
+   ascendlval.d = strtol(ascendtext, NULL, 10);
+   return DECNUM;
+@@ -243,11 +243,11 @@
+   return HEXBYTE;
+ }
+ 
+-<sc_gen_byte>" "{4} { 
++<sc_gen_byte>" "{4} {
+   BEGIN(sc_chardisp);
+ }
+ 
+-<sc_chardisp>.*	{ 
++<sc_chardisp>.*	{
+   BEGIN(sc_gen_byte);
+ }
+ 
+@@ -315,7 +315,7 @@
+   return WDD_CHUNK;
+ }
+ 
+-<sc_wdd_chunknum>{H}+ {
++<sc_wdd_chunknum>{H}{1,8} {
+   BEGIN(sc_wdd_type);
+   ascendlval.d = strtoul(ascendtext, NULL, 16);
+   return HEXNUM;
+@@ -349,7 +349,7 @@
+ 
+ /*
+  * We want to stop processing when we get to the end of the input.
+- * (%option noyywrap is not used because if used then 
++ * (%option noyywrap is not used because if used then
+  * some flex versions (eg: 2.5.35) generate code which causes
+  * warnings by the Windows VC compiler).
+  */

wireshark-1.4.8-CVE-2011-2698.patch

@@ -0,0 +1,15 @@
+--- trunk/epan/dissectors/packet-ansi_a.c	2011/07/07 13:57:08	37929
++++ trunk/epan/dissectors/packet-ansi_a.c	2011/07/07 16:37:33	37930
+@@ -2682,10 +2682,10 @@
+         break;
+ 
+     default:
+-        proto_tree_add_text(tree, tvb, curr_offset, len - 1,
++        proto_tree_add_text(tree, tvb, curr_offset, len,
+             "Cell ID - Non IOS format");
+ 
+-        curr_offset += (len - 1);
++        curr_offset += len;
+         break;
+     }
+ 

wireshark-1.6.2-CVE-2011-3266.patch

@@ -0,0 +1,19 @@
+--- trunk/epan/dissectors/packet-isakmp.c	2011/07/28 18:17:16	38246
++++ trunk/epan/dissectors/packet-isakmp.c	2011/07/28 22:19:46	38247
+@@ -3880,12 +3880,13 @@
+   offset += 2;
+   length -= 2;
+ 
+-
+-  while (length > 0) {
++  if (spi_size > 0) {
++    while (length > 0) {
+          proto_tree_add_item(tree, hf_isakmp_delete_spi, tvb, offset, spi_size, FALSE);
+          offset+=spi_size;
+          length-=spi_size;
+- }
++    }
++  }
+ }
+ 
+ 

wireshark-1.6.2-CVE-2011-3360.patch

@@ -0,0 +1,10 @@
+--- trunk/epan/wslua/template-init.lua	2011/08/08 17:59:32	38413
++++ trunk/epan/wslua/template-init.lua	2011/08/08 19:10:19	38414
+@@ -73,5 +73,5 @@
+ DATA_DIR = datafile_path()
+ USER_DIR = persconffile_path()
+ 
+-dofile("console.lua")
+---dofile("dtd_gen.lua")
++dofile(DATA_DIR.."console.lua")
++--dofile(DATA_DIR.."dtd_gen.lua")

wireshark-1.6.2-CVE-2011-3483.patch

@@ -0,0 +1,12 @@
+Index: wireshark-1.4.4/epan/packet.c
+===================================================================
+--- wireshark-1.4.4.orig/epan/packet.c
++++ wireshark-1.4.4/epan/packet.c
+@@ -321,6 +321,7 @@ dissect_packet(epan_dissect_t *edt, unio
+ 	edt->pi.annex_a_used = MTP2_ANNEX_A_USED_UNKNOWN;
+ 	edt->pi.dcerpc_procedure_name="";
+ 	edt->pi.link_dir = LINK_DIR_UNKNOWN;
++	edt->tvb = NULL;
+ 
+         /* to enable decode as for ethertype=0x0000 (fix for bug 4721) */
+         edt->pi.ethertype = G_MAXINT;

wireshark.changes

@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Mon Sep 26 14:07:31 CST 2011 - cyliu@novell.com
+
+- security fixes (#bnc 718032)
+  * CVE-2011-3266: Wireshark IKE dissector vulnerability
+  * CVE-2011-3360: Wireshark Lua script execution vulnerability
+  * CVE-2011-3483: Wireshark buffer exception handling vulnerability     
+
+-------------------------------------------------------------------
+Wed Aug 10 06:25:28 UTC 2011 - cyliu@novell.com
+
+- security fixes (#bnc 706728)
+  * CVE-2011-2597: Lucent/Ascend file parser susceptible to infinite loop
+  * CVE-2011-2698: ANSI MAP dissector susceptible to infinite loop
+
+-------------------------------------------------------------------
+Mon Jul 18 07:43:08 UTC 2011 - cyliu@novell.com
+
+- security fixes [#bnc 697516] 
+  * CVE-2011-1957: Large/infinite loop in the DICOM dissector
+  * CVE-2011-1959: A corrupted snoop file could crash Wireshark
+  * CVE-2011-2174: Malformed compressed capture data could crash Wireshark
+  * CVE-2011-2175: A corrupted Visual Networks file could crash Wireshark
+  * CVE-2011-1958: dereferene a NULL pointer if we had a corrupted Diameter
+  dictionary
+
 -------------------------------------------------------------------
 Tue May 24 16:40:30 CEST 2011 - dimstar@opensuse.org
 

wireshark.spec

@@ -38,6 +38,16 @@ Patch3:         %{name}-corosync-packet-dissector.patch
 Patch4:         %{name}-1.2.4-enable_lua.patch
 # PATCH-FEATURE-OPENSUSE wireshark-nfsv4-opts.patch -- add NFSv4 options
 Patch5:         %{name}-nfsv4-opts.patch
+Patch6:         %{name}-1.2.17-CVE-2011-1957.patch
+Patch7:        %{name}-1.2.17-CVE-2011-1959.patch
+Patch8:        %{name}-1.2.17-CVE-2011-2174.patch
+Patch9:        %{name}-1.2.17-CVE-2011-2175.patch
+Patch10:        %{name}-1.2.17-CVE-2011-1958.patch
+Patch11:        %{name}-1.4.8-CVE-2011-2597.patch
+Patch12:        %{name}-1.4.8-CVE-2011-2698.patch
+Patch13:        %{name}-1.6.2-CVE-2011-3266.patch
+Patch14:        %{name}-1.6.2-CVE-2011-3360.patch
+Patch15:        %{name}-1.6.2-CVE-2011-3483.patch
 BuildRequires:  bison
 BuildRequires:  cairo-devel
 BuildRequires:  flex
@@ -100,6 +110,16 @@ view the reconstructed stream of a TCP session.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
 
 sed -i 's/^Icon=wireshark.png$/Icon=wireshark/' wireshark.desktop
 # run as root on 11.3 and older - bnc#349782