diff --git a/ready b/ready
new file mode 100644
index 0000000..473a0f4
diff --git a/wireshark-1.2.1-CVE-2009-3241.patch b/wireshark-1.2.1-CVE-2009-3241.patch
new file mode 100644
index 0000000..bf75459
--- /dev/null
+++ b/wireshark-1.2.1-CVE-2009-3241.patch
@@ -0,0 +1,293 @@ +Index: plugins/opcua/opcua_simpletypes.c +=================================================================== +--- plugins/opcua/opcua_simpletypes.c (revision 29812) ++++ plugins/opcua/opcua_simpletypes.c (revision 29813) +@@ -34,9 +34,6 @@ + #include + #include + +-/* string buffer */ +-#define MAX_BUFFER 256 +- + #define DIAGNOSTICINFO_ENCODINGMASK_SYMBOLICID_FLAG 0x01 + #define DIAGNOSTICINFO_ENCODINGMASK_NAMESPACE_FLAG 0x02 + #define DIAGNOSTICINFO_ENCODINGMASK_LOCALIZEDTEXT_FLAG 0x04 +@@ -56,6 +53,9 @@ + #define EXTOBJ_ENCODINGMASK_BINBODY_FLAG 0x01 + #define EXTOBJ_ENCODINGMASK_XMLBODY_FLAG 0x02 + ++/* Chosen arbitrarily */ ++#define MAX_ARRAY_LEN 10000 ++ + static int hf_opcua_diag_mask_symbolicflag = -1; + static int hf_opcua_diag_mask_namespaceflag = -1; + static int hf_opcua_diag_mask_localizedtextflag = -1; +@@ -338,35 +338,28 @@ + + void parseString(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIndex) + { +- char *szValue = ep_alloc(MAX_BUFFER); ++ char *szValue; + gint iOffset = *pOffset; + gint32 iLen = tvb_get_letohl(tvb, *pOffset); + iOffset+=4; + +- if (szValue) ++ if (iLen == -1) + { +- if (iLen == -1) +- { +- g_snprintf(szValue, MAX_BUFFER, "[OpcUa Null String]"); +- } +- else if (iLen >= 0) +- { +- int iStrLen = iLen; +- if (iStrLen > (MAX_BUFFER-1)) iStrLen = MAX_BUFFER - 1; +- /* copy non null terminated string of length iStrlen */ +- strncpy(szValue, (char*)&tvb->real_data[iOffset], iStrLen); +- /* set null terminator */ +- szValue[iStrLen] = 0; +- iOffset += iLen; /* eat the whole string */ +- } +- else +- { +- g_snprintf(szValue, MAX_BUFFER, "[Invalid String] Ups, something is wrong with this message."); +- } +- ++ proto_tree_add_string(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset), ++ "[OpcUa Null String]"); ++ } ++ else if (iLen >= 0) ++ { ++ iOffset += iLen; /* eat the whole string */ ++ proto_tree_add_item(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset), TRUE); ++ } ++ else ++ { ++ szValue = 
ep_strdup_printf("[Invalid String] Invalid length: %d", iLen); + proto_tree_add_string(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset), szValue); +- *pOffset = iOffset; + } ++ ++ *pOffset = iOffset; + } + + void parseStatusCode(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIndex) +@@ -644,10 +637,18 @@ + proto_tree *subtree = proto_item_add_subtree(ti, ett_opcua_array); + int i; + +- for (i=0; i MAX_ARRAY_LEN) ++ { ++ PROTO_ITEM_SET_GENERATED(proto_tree_add_text(tree, tvb, *pOffset, 4, "Array length %d too large to process", iLen)); ++ return; ++ } ++ ++ *pOffset += 4; + for (i=0; i MAX_ARRAY_LEN) ++ { ++ PROTO_ITEM_SET_GENERATED(proto_tree_add_text(tree, tvb, *pOffset, 4, "Array length %d too large to process", iLen)); ++ return; ++ } ++ ++ *pOffset += 4; + for (i=0; i MAX_ARRAY_LEN) ++ { ++ PROTO_ITEM_SET_GENERATED(proto_tree_add_text(tree, tvb, *pOffset, 4, "Array length %d too large to process", iLen)); ++ return; ++ } ++ ++ *pOffset += 4; + for (i=0; icinfo, COL_PROTOCOL, "OpcUa"); + + /* parse message type */ +- if (tvb->real_data[0] == 'H' && tvb->real_data[1] == 'E' && tvb->real_data[2] == 'L') ++ if (tvb_memeql(tvb, 0, "HEL", 3)) + { + msgtype = MSG_HELLO; + pfctParse = parseHello; + } +- else if (tvb->real_data[0] == 'A' && tvb->real_data[1] == 'C' && tvb->real_data[2] == 'K') ++ else if (tvb_memeql(tvb, 0, "ACK", 3)) + { + msgtype = MSG_ACKNOWLEDGE; + pfctParse = parseAcknowledge; + } +- else if (tvb->real_data[0] == 'E' && tvb->real_data[1] == 'R' && tvb->real_data[2] == 'R') ++ else if (tvb_memeql(tvb, 0, "ERR", 3)) + { + msgtype = MSG_ERROR; + pfctParse = parseError; + } +- else if (tvb->real_data[0] == 'M' && tvb->real_data[1] == 'S' && tvb->real_data[2] == 'G') ++ else if (tvb_memeql(tvb, 0, "MSG", 3)) + { + msgtype = MSG_MESSAGE; + pfctParse = parseMessage; + } +- else if (tvb->real_data[0] == 'O' && tvb->real_data[1] == 'P' && tvb->real_data[2] == 'N') ++ else if (tvb_memeql(tvb, 0, "OPN", 3)) + { + msgtype = MSG_OPENSECURECHANNEL; + 
pfctParse = parseOpenSecureChannel; + } +- else if (tvb->real_data[0] == 'C' && tvb->real_data[1] == 'L' && tvb->real_data[2] == 'O') ++ else if (tvb_memeql(tvb, 0, "CLO", 3)) + { + msgtype = MSG_CLOSESECURECHANNEL; + pfctParse = parseCloseSecureChannel; +Index: plugins/opcua/opcua_transport_layer.c +=================================================================== +--- plugins/opcua/opcua_transport_layer.c (revision 29812) ++++ plugins/opcua/opcua_transport_layer.c (revision 29813) +@@ -126,35 +126,11 @@ + proto_register_field_array(proto, hf, array_length(hf)); + } + +-/** helper functions for adding strings, +- * that are not zero terminated. +- */ +-void addString(proto_tree *tree, +- int hfindex, +- tvbuff_t *tvb, +- gint start, +- gint length, +- const char *value) +-{ +- char *szValue = ep_alloc(256); +- +- if (szValue) +- { +- if (length > 255) length = 255; +- /* copy non null terminated string data */ +- strncpy(szValue, value, length); +- /* set null terminator */ +- szValue[length] = 0; +- +- proto_tree_add_string(tree, hfindex, tvb, start, length, szValue); +- } +-} +- + /* Transport Layer: message parsers */ + void parseHello(proto_tree *tree, tvbuff_t *tvb, gint *pOffset) + { +- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3; +- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1; ++ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3; ++ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1; + proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_ver, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_rbs, tvb, *pOffset, 4, TRUE); *pOffset+=4; +@@ -166,8 +142,8 @@ + + void parseAcknowledge(proto_tree *tree, tvbuff_t *tvb, gint *pOffset) + { +- addString(tree, 
hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3; +- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1; ++ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3; ++ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1; + proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_ver, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_rbs, tvb, *pOffset, 4, TRUE); *pOffset+=4; +@@ -178,8 +154,8 @@ + + void parseError(proto_tree *tree, tvbuff_t *tvb, gint *pOffset) + { +- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3; +- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1; ++ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3; ++ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1; + proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_error, tvb, *pOffset, 4, TRUE); *pOffset+=4; + parseString(tree, tvb, pOffset, hf_opcua_transport_reason); +@@ -192,8 +168,8 @@ + proto_tree *nodeid_tree; + int ServiceId = 0; + +- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3; +- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1; ++ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3; ++ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1; + proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_scid, tvb, *pOffset, 4, TRUE); *pOffset+=4; + +@@ -223,8 
+199,8 @@ + proto_tree *nodeid_tree; + int ServiceId = 0; + +- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3; +- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1; ++ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3; ++ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1; + proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_scid, tvb, *pOffset, 4, TRUE); *pOffset+=4; + parseString(tree, tvb, pOffset, hf_opcua_transport_spu); +@@ -247,8 +223,8 @@ + + void parseCloseSecureChannel(proto_tree *tree, tvbuff_t *tvb, gint *pOffset) + { +- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3; +- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1; ++ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3; ++ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1; + proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_scid, tvb, *pOffset, 4, TRUE); *pOffset+=4; + } diff --git a/wireshark-1.2.1-CVE-2009-3242.patch b/wireshark-1.2.1-CVE-2009-3242.patch new file mode 100644 index 0000000..5f5f59e --- /dev/null +++ b/wireshark-1.2.1-CVE-2009-3242.patch 
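Review bot: In the embedded opcua.c hunk the new message-type checks read `if (tvb_memeql(tvb, 0, "HEL", 3))`, but tvb_memeql() follows the memcmp() convention and returns 0 on a match and -1 otherwise, so each branch is taken when the bytes do not match. As written, every frame that is not "HEL" would be handed to parseHello and a real "HEL" frame to parseAcknowledge; the comparisons should be `tvb_memeql(tvb, 0, "HEL", 3) == 0`, and likewise for ACK, ERR, MSG, OPN and CLO. Separately, in the three array parsers the `iLen > MAX_ARRAY_LEN` branch returns before `*pOffset += 4;`, so the caller presumably resumes dissection at the length field; those function bodies start outside the hunk, so confirm against the full source.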
@@ -0,0 +1,12 @@
+Index: epan/dissectors/packet-gsm_a_rr.c
+===================================================================
+--- epan/dissectors/packet-gsm_a_rr.c (revision 29402)
++++ epan/dissectors/packet-gsm_a_rr.c (revision 29403)
+@@ -10154,6 +10154,7 @@
+ void
+ proto_reg_handoff_gsm_a_rr(void)
+ {
++ data_handle = find_dissector("data");
+ rrc_irat_ho_info_handle = find_dissector("rrc.irat.irat_ho_info");
+ rrc_irat_ho_to_utran_cmd_handle = find_dissector("rrc.irat.ho_to_utran_cmd");
+ }
diff --git a/wireshark-1.2.1-CVE-2009-3243.patch b/wireshark-1.2.1-CVE-2009-3243.patch
new file mode 100644
index 0000000..d241844
--- /dev/null
+++ b/wireshark-1.2.1-CVE-2009-3243.patch
@@ -0,0 +1,67 @@
+Index: epan/dissectors/packet-ssl-utils.c
+===================================================================
+--- epan/dissectors/packet-ssl-utils.c (revision 29905)
++++ epan/dissectors/packet-ssl-utils.c (revision 29906)
+@@ -43,6 +43,17 @@
+ * Lookup tables
+ *
+ */
++const gchar* ssl_version_short_names[] = {
++ "SSL",
++ "SSLv2",
++ "SSLv3",
++ "TLSv1",
++ "TLSv1.1",
++ "DTLSv1.0",
++ "PCT",
++ "TLSv1.2"
++};
++
+ const value_string ssl_20_msg_types[] = {
+ { SSL2_HND_ERROR, "Error" },
+ { SSL2_HND_CLIENT_HELLO, "Client Hello" },
+Index: epan/dissectors/packet-ssl-utils.h
+===================================================================
+--- epan/dissectors/packet-ssl-utils.h (revision 29905)
++++ epan/dissectors/packet-ssl-utils.h (revision 29906)
+@@ -150,6 +150,7 @@
+ * Lookup tables
+ *
+ */
++extern const gchar* ssl_version_short_names[];
+ extern const value_string ssl_20_msg_types[];
+ extern const value_string ssl_20_cipher_suites[];
+ extern const value_string ssl_20_certificate_type[];
+Index: epan/dissectors/packet-dtls.c
+===================================================================
+--- epan/dissectors/packet-dtls.c (revision 29905)
++++ epan/dissectors/packet-dtls.c (revision 29906)
+@@ -74,8 +74,6 @@
+ #include "inet_v6defs.h"
+ #include "packet-ssl-utils.h"
+
+-extern const gchar *ssl_version_short_names[];
+-
+ /* we need to remember the top tree so that subdissectors we call are created
+ * at the root and not deep down inside the DTLS decode
+ */
+Index: epan/dissectors/packet-ssl.c
+===================================================================
+--- epan/dissectors/packet-ssl.c (revision 29905)
++++ epan/dissectors/packet-ssl.c (revision 29906)
+@@ -272,15 +272,6 @@
+ static gchar* ssl_debug_file_name = NULL;
+ #endif
+
+-const gchar* ssl_version_short_names[] = {
+- "SSL",
+- "SSLv2",
+- "SSLv3",
+- "TLSv1",
+- "TLSv1.1",
+- "DTLSv1.0",
+- "PCT"
+-};
+
+ /* Forward declaration we need below */
+ void proto_reg_handoff_ssl(void);
diff --git a/wireshark-1.2.1.tar.bz2 b/wireshark-1.2.1.tar.bz2
new file mode 100644
index 0000000..67bccfd
--- /dev/null
+++ b/wireshark-1.2.1.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b3e1f4ec8385747e8aaf7aa33fe971df5e598b5bab6c8d106b90ea802e16b399
+size 15129422
diff --git a/wireshark-1.2.3.tar.bz2 b/wireshark-1.2.3.tar.bz2
deleted file mode 100644
index 3a0bb33..0000000
--- a/wireshark-1.2.3.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5515ba01277773a2f9c97599d4d28d0898d8b1d7afd5c8942cab087306c28703
-size 15215978
diff --git a/wireshark.changes b/wireshark.changes
index c7b114c..35bc29f 100644
--- a/wireshark.changes
+++ b/wireshark.changes
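Review bot: `ssl_version_short_names` in packet-ssl-utils.c is still an unsized array exported as `extern const gchar* ssl_version_short_names[];`, so code that indexes it cannot check the index against the table length. The hunk appends "TLSv1.2" as an eighth entry, which suggests the table had fallen behind the version constants; the indexing sites are outside this patch, so this is inferred. A count constant next to the table, or a compile-time check tying its length to the highest version constant, would turn the next missing entry into a build failure rather than an out-of-bounds read.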
@@ -1,69 +1,3 @@ -------------------------------------------------------------------- -Fri Oct 30 15:47:50 CET 2009 - prusnak@suse.cz - -- updated to 1.2.3 - * Security fixes: - - The Paltalk dissector could crash on alignment-sensitive processors. - - The DCERPC/NT dissector could crash. - - The SMB dissector could crash. - * Bug fixes: - - Wireshark memory leak with each file open and/or display filter change. - - DHCP Dissector displays negative lease time. - - Invalid advertised window line on tcptrace style graph. - - SMB get_dfs_referral referral entry is not dissected correctly. - - Error dissecting eMule sourceOBFU message. - - Typos in Diameter XML files. - - RSL dissector for MS Power IE is broken. - - FIP dissector throws assertion. - - TCAP problem with indefinite length 'components' SEQ OF. - - GSM MAP: an-APDU not decoded. - - Add "Drag and Drop entries..." message on Columns preferences page. - - Editcap -t and -w option parses fractional digits incorrectly. - * Updated Protocol Support - - DCERPC NT, DHCP, Diameter, E.212, eDonkey, FIP, IPsec, MGCP, NCP, - Paltalk, RADIUS, RSL, SBus, SMB, SNMP, SSL, TCP, Teamspeak2, WPS - -- updated to 1.2.2 - * Security fixes: - - The GSM A RR dissector could crash. (Bug 3893) - - The OpcUa dissector could use excessive CPU and memory. (Bug 3986) - - The TLS dissector could crash on some platforms. (Bug 4008) - * Bug fixes: - - The "Capture->Interfaces" window can't be closed. - - tshark-1.0.2 (dumpcap) signal abort core saved. - - Memory leak fixes. - - Display filter autocompletion doesn't work for some RADIUS and WiMAX ASNCP fields. - - Wireshark Portable includes wrong WinPcap installer. - - Crash when loading a profile. - - The proto,colinfo tap doesn't work if the INFO column isn't being printed. - - Flow Graph adds too much unnecessary garbage. - - The EAP Diameter dictionary file was missing in the distribution. - - Graph analysis window is behind other window. 
- - IKEv2 Cert Request payload dissection error. - - DNS NAPTR RR (RFC 3403) replacement MUST be a fully qualified domain-name. - - Malformed RTCP Packet error while sending Payload specific RTCP feedback packet (as per RFC 4585). - - 802.11n Block Ack packet Bitmap field missing. - - Wireshark doesn't decode WBXML/ActiveSync information correctly. - - Malformed packet when IPv6 packet has Next Header == 59. - - Wireshark could crash while reading an ERF file. - - Minor errors in gsm rr dissectors. - - WPA Decryption Issues. - - GSM A RR sys info dissection problem. - - GSM A RR inverts MEAS-VALID values. - - PDML output leaks ~300 bytes / packet. - - Incorrect station identifier parsing in Kingfisher dissector. - - DHCPv6, Vendor-Specific Informantion, SubOption"Option Request" parser incorrect. - - Wireshark could leak memory while analyzing SSL. - - Wireshark could crash while updating menu items after reading a file in some cases. - * Updated Protocol Support - - DCERPC, DHCPv6, DNS, E.212, GSM A RR, GTPv2, H.248, IEEE 802.11, - IPMI, ISAKMP/IKE, ISUP, Kingfisher, LDAP, OpcUA, RTCP, SCTP, SIP, - SSL, TCP, WBXML, ZRTP - * Updated Capture File Support - - ERF - -- dropped obsoleted 3 CVE patches (see previous entry) - ------------------------------------------------------------------- Fri Oct 2 18:19:09 CEST 2009 - prusnak@suse.cz diff --git a/wireshark.spec b/wireshark.spec index 28253ee..cf21e88 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -22,7 +22,7 @@ Name: wireshark License: GPL v2 or later Group: Productivity/Networking/Diagnostic Summary: A Network Traffic Analyser -Version: 1.2.3 +Version: 1.2.1 Release: 2 Url: http://www.wireshark.org/ Source: http://www.wireshark.org/download/src/%{name}-%{version}.tar.bz2 
@@ -35,6 +35,12 @@ Patch1: %{name}-1.2.0-disable-warning-dialog.patch
 Patch2: %{name}-1.2.0-asneeded.patch
 # PATCH-FEATURE-OPENSUSE wireshark-1.2.0-geoip.patch prusnak@suse.cz -- search in /var/lib/GeoIP if user hasn't set any GeoIP folders
 Patch3: %{name}-1.2.0-geoip.patch
+# PATCH-FIX-UPSTREAM wireshark-1.2.1-CVE-2009-3241.patch prusnak@suse.cz - secfix [bnc#541654]
+Patch4: %{name}-1.2.1-CVE-2009-3241.patch
+# PATCH-FIX-UPSTREAM wireshark-1.2.1-CVE-2009-3242.patch prusnak@suse.cz - secfix [bnc#541659]
+Patch5: %{name}-1.2.1-CVE-2009-3242.patch
+# PATCH-FIX-UPSTREAM wireshark-1.2.1-CVE-2009-3243.patch prusnak@suse.cz - secfix [bnc#541655]
+Patch6: %{name}-1.2.1-CVE-2009-3243.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Requires: xdg-utils
 Provides: ethereal = %{version}
@@ -151,6 +157,9 @@ Authors:
 %patch1
 %patch2
 %patch3
+%patch4
+%patch5
+%patch6
 
 %build
 %configure
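Review bot: Patch4 to Patch6 restore only the three fixes that the removed changelog entry attributes to 1.2.2 (GSM A RR, OpcUa, TLS), while the same commit sets `Version: 1.2.1`. The 1.2.3 entry deleted from wireshark.changes also lists security fixes for the Paltalk, DCERPC/NT and SMB dissectors, and no patch in this hunk covers them, so the package as built here would ship without those fixes. If the downgrade is intentional, a comment above `Patch4:` stating which upstream security fixes are knowingly absent would help whoever audits the package later.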