diff --git a/wireshark-1.2.1-CVE-2009-3241.patch b/wireshark-1.2.1-CVE-2009-3241.patch new file mode 100644 index 0000000..bf75459 --- /dev/null +++ b/wireshark-1.2.1-CVE-2009-3241.patch 
@@ -0,0 +1,293 @@ +Index: plugins/opcua/opcua_simpletypes.c +=================================================================== +--- plugins/opcua/opcua_simpletypes.c (revision 29812) ++++ plugins/opcua/opcua_simpletypes.c (revision 29813) +@@ -34,9 +34,6 @@ + #include + #include + +-/* string buffer */ +-#define MAX_BUFFER 256 +- + #define DIAGNOSTICINFO_ENCODINGMASK_SYMBOLICID_FLAG 0x01 + #define DIAGNOSTICINFO_ENCODINGMASK_NAMESPACE_FLAG 0x02 + #define DIAGNOSTICINFO_ENCODINGMASK_LOCALIZEDTEXT_FLAG 0x04 +@@ -56,6 +53,9 @@ + #define EXTOBJ_ENCODINGMASK_BINBODY_FLAG 0x01 + #define EXTOBJ_ENCODINGMASK_XMLBODY_FLAG 0x02 + ++/* Chosen arbitrarily */ ++#define MAX_ARRAY_LEN 10000 ++ + static int hf_opcua_diag_mask_symbolicflag = -1; + static int hf_opcua_diag_mask_namespaceflag = -1; + static int hf_opcua_diag_mask_localizedtextflag = -1; +@@ -338,35 +338,28 @@ + + void parseString(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIndex) + { +- char *szValue = ep_alloc(MAX_BUFFER); ++ char *szValue; + gint iOffset = *pOffset; + gint32 iLen = tvb_get_letohl(tvb, *pOffset); + iOffset+=4; + +- if (szValue) ++ if (iLen == -1) + { +- if (iLen == -1) +- { +- g_snprintf(szValue, MAX_BUFFER, "[OpcUa Null String]"); +- } +- else if (iLen >= 0) +- { +- int iStrLen = iLen; +- if (iStrLen > (MAX_BUFFER-1)) iStrLen = MAX_BUFFER - 1; +- /* copy non null terminated string of length iStrlen */ +- strncpy(szValue, (char*)&tvb->real_data[iOffset], iStrLen); +- /* set null terminator */ +- szValue[iStrLen] = 0; +- iOffset += iLen; /* eat the whole string */ +- } +- else +- { +- g_snprintf(szValue, MAX_BUFFER, "[Invalid String] Ups, something is wrong with this message."); +- } +- ++ proto_tree_add_string(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset), ++ "[OpcUa Null String]"); ++ } ++ else if (iLen >= 0) ++ { ++ iOffset += iLen; /* eat the whole string */ ++ proto_tree_add_item(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset), TRUE); ++ } ++ else ++ { ++ szValue = 
ep_strdup_printf("[Invalid String] Invalid length: %d", iLen); + proto_tree_add_string(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset), szValue); +- *pOffset = iOffset; + } ++ ++ *pOffset = iOffset; + } + + void parseStatusCode(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIndex) +@@ -644,10 +637,18 @@ + proto_tree *subtree = proto_item_add_subtree(ti, ett_opcua_array); + int i; + +- for (i=0; i MAX_ARRAY_LEN) ++ { ++ PROTO_ITEM_SET_GENERATED(proto_tree_add_text(tree, tvb, *pOffset, 4, "Array length %d too large to process", iLen)); ++ return; ++ } ++ ++ *pOffset += 4; + for (i=0; i MAX_ARRAY_LEN) ++ { ++ PROTO_ITEM_SET_GENERATED(proto_tree_add_text(tree, tvb, *pOffset, 4, "Array length %d too large to process", iLen)); ++ return; ++ } ++ ++ *pOffset += 4; + for (i=0; i MAX_ARRAY_LEN) ++ { ++ PROTO_ITEM_SET_GENERATED(proto_tree_add_text(tree, tvb, *pOffset, 4, "Array length %d too large to process", iLen)); ++ return; ++ } ++ ++ *pOffset += 4; + for (i=0; icinfo, COL_PROTOCOL, "OpcUa"); + + /* parse message type */ +- if (tvb->real_data[0] == 'H' && tvb->real_data[1] == 'E' && tvb->real_data[2] == 'L') ++ if (tvb_memeql(tvb, 0, "HEL", 3)) + { + msgtype = MSG_HELLO; + pfctParse = parseHello; + } +- else if (tvb->real_data[0] == 'A' && tvb->real_data[1] == 'C' && tvb->real_data[2] == 'K') ++ else if (tvb_memeql(tvb, 0, "ACK", 3)) + { + msgtype = MSG_ACKNOWLEDGE; + pfctParse = parseAcknowledge; + } +- else if (tvb->real_data[0] == 'E' && tvb->real_data[1] == 'R' && tvb->real_data[2] == 'R') ++ else if (tvb_memeql(tvb, 0, "ERR", 3)) + { + msgtype = MSG_ERROR; + pfctParse = parseError; + } +- else if (tvb->real_data[0] == 'M' && tvb->real_data[1] == 'S' && tvb->real_data[2] == 'G') ++ else if (tvb_memeql(tvb, 0, "MSG", 3)) + { + msgtype = MSG_MESSAGE; + pfctParse = parseMessage; + } +- else if (tvb->real_data[0] == 'O' && tvb->real_data[1] == 'P' && tvb->real_data[2] == 'N') ++ else if (tvb_memeql(tvb, 0, "OPN", 3)) + { + msgtype = MSG_OPENSECURECHANNEL; + 
pfctParse = parseOpenSecureChannel; + } +- else if (tvb->real_data[0] == 'C' && tvb->real_data[1] == 'L' && tvb->real_data[2] == 'O') ++ else if (tvb_memeql(tvb, 0, "CLO", 3)) + { + msgtype = MSG_CLOSESECURECHANNEL; + pfctParse = parseCloseSecureChannel; +Index: plugins/opcua/opcua_transport_layer.c +=================================================================== +--- plugins/opcua/opcua_transport_layer.c (revision 29812) ++++ plugins/opcua/opcua_transport_layer.c (revision 29813) +@@ -126,35 +126,11 @@ + proto_register_field_array(proto, hf, array_length(hf)); + } + +-/** helper functions for adding strings, +- * that are not zero terminated. +- */ +-void addString(proto_tree *tree, +- int hfindex, +- tvbuff_t *tvb, +- gint start, +- gint length, +- const char *value) +-{ +- char *szValue = ep_alloc(256); +- +- if (szValue) +- { +- if (length > 255) length = 255; +- /* copy non null terminated string data */ +- strncpy(szValue, value, length); +- /* set null terminator */ +- szValue[length] = 0; +- +- proto_tree_add_string(tree, hfindex, tvb, start, length, szValue); +- } +-} +- + /* Transport Layer: message parsers */ + void parseHello(proto_tree *tree, tvbuff_t *tvb, gint *pOffset) + { +- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3; +- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1; ++ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3; ++ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1; + proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_ver, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_rbs, tvb, *pOffset, 4, TRUE); *pOffset+=4; +@@ -166,8 +142,8 @@ + + void parseAcknowledge(proto_tree *tree, tvbuff_t *tvb, gint *pOffset) + { +- addString(tree, 
hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3; +- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1; ++ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3; ++ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1; + proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_ver, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_rbs, tvb, *pOffset, 4, TRUE); *pOffset+=4; +@@ -178,8 +154,8 @@ + + void parseError(proto_tree *tree, tvbuff_t *tvb, gint *pOffset) + { +- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3; +- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1; ++ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3; ++ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1; + proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_error, tvb, *pOffset, 4, TRUE); *pOffset+=4; + parseString(tree, tvb, pOffset, hf_opcua_transport_reason); +@@ -192,8 +168,8 @@ + proto_tree *nodeid_tree; + int ServiceId = 0; + +- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3; +- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1; ++ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3; ++ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1; + proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_scid, tvb, *pOffset, 4, TRUE); *pOffset+=4; + +@@ -223,8 
+199,8 @@ + proto_tree *nodeid_tree; + int ServiceId = 0; + +- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3; +- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1; ++ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3; ++ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1; + proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_scid, tvb, *pOffset, 4, TRUE); *pOffset+=4; + parseString(tree, tvb, pOffset, hf_opcua_transport_spu); +@@ -247,8 +223,8 @@ + + void parseCloseSecureChannel(proto_tree *tree, tvbuff_t *tvb, gint *pOffset) + { +- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3; +- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1; ++ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3; ++ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1; + proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4; + proto_tree_add_item(tree, hf_opcua_transport_scid, tvb, *pOffset, 4, TRUE); *pOffset+=4; + } diff --git a/wireshark-1.2.1-CVE-2009-3242.patch b/wireshark-1.2.1-CVE-2009-3242.patch new file mode 100644 index 0000000..5f5f59e --- /dev/null +++ b/wireshark-1.2.1-CVE-2009-3242.patch 
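Review bot: The rewritten message-type chain in the embedded OPC UA patch tests `if (tvb_memeql(tvb, 0, "HEL", 3))`, but tvb_memeql follows the memcmp convention (0 on a match, -1 otherwise), so each branch as written is taken when the bytes do not match. Every comparison in that chain (HEL, ACK, ERR, MSG, OPN, CLO) should take the form `tvb_memeql(tvb, 0, "HEL", 3) == 0`. Separately, the non-negative branch of parseString adds the item from `*pOffset` with length `iOffset - *pOffset`, which covers the 4-byte length prefix as well as the string, so if the field is a string type the prefix bytes end up in the displayed value. Using `proto_tree_add_item(tree, hfIndex, tvb, iOffset, iLen, TRUE); iOffset += iLen;` would fix that and would also move the addition of the wire-supplied length to after the tvb bounds check has accepted it. The function holding the message-type chain starts outside the visible hunk.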
@@ -0,0 +1,12 @@
+Index: epan/dissectors/packet-gsm_a_rr.c
+===================================================================
+--- epan/dissectors/packet-gsm_a_rr.c (revision 29402)
++++ epan/dissectors/packet-gsm_a_rr.c (revision 29403)
+@@ -10154,6 +10154,7 @@
+ void
+ proto_reg_handoff_gsm_a_rr(void)
+ {
++ data_handle = find_dissector("data");
+ rrc_irat_ho_info_handle = find_dissector("rrc.irat.irat_ho_info");
+ rrc_irat_ho_to_utran_cmd_handle = find_dissector("rrc.irat.ho_to_utran_cmd");
+ }
diff --git a/wireshark-1.2.1-CVE-2009-3243.patch b/wireshark-1.2.1-CVE-2009-3243.patch
new file mode 100644
index 0000000..d241844
--- /dev/null
+++ b/wireshark-1.2.1-CVE-2009-3243.patch
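Review bot: None of the three `find_dissector()` results in proto_reg_handoff_gsm_a_rr is checked or documented, and the added `data_handle` line carries no comment saying why it is needed. Since the patch is filed as a CVE fix, presumably the handle was previously left unset and later passed to a dissector call. A comment above the assignment, such as `/* fallback for undecoded payloads; must be resolved here, a NULL handle crashes the caller */`, would keep the line from being dropped in a later cleanup. The declaration and uses of `data_handle` are outside the hunk, so confirm the wording against them.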
@@ -0,0 +1,67 @@ +Index: epan/dissectors/packet-ssl-utils.c +=================================================================== +--- epan/dissectors/packet-ssl-utils.c (revision 29905) ++++ epan/dissectors/packet-ssl-utils.c (revision 29906) +@@ -43,6 +43,17 @@ + * Lookup tables + * + */ ++const gchar* ssl_version_short_names[] = { ++ "SSL", ++ "SSLv2", ++ "SSLv3", ++ "TLSv1", ++ "TLSv1.1", ++ "DTLSv1.0", ++ "PCT", ++ "TLSv1.2" ++}; ++ + const value_string ssl_20_msg_types[] = { + { SSL2_HND_ERROR, "Error" }, + { SSL2_HND_CLIENT_HELLO, "Client Hello" }, +Index: epan/dissectors/packet-ssl-utils.h +=================================================================== +--- epan/dissectors/packet-ssl-utils.h (revision 29905) ++++ epan/dissectors/packet-ssl-utils.h (revision 29906) +@@ -150,6 +150,7 @@ + * Lookup tables + * + */ ++extern const gchar* ssl_version_short_names[]; + extern const value_string ssl_20_msg_types[]; + extern const value_string ssl_20_cipher_suites[]; + extern const value_string ssl_20_certificate_type[]; +Index: epan/dissectors/packet-dtls.c +=================================================================== +--- epan/dissectors/packet-dtls.c (revision 29905) ++++ epan/dissectors/packet-dtls.c (revision 29906) +@@ -74,8 +74,6 @@ + #include "inet_v6defs.h" + #include "packet-ssl-utils.h" + +-extern const gchar *ssl_version_short_names[]; +- + /* we need to remember the top tree so that subdissectors we call are created + * at the root and not deep down inside the DTLS decode + */ +Index: epan/dissectors/packet-ssl.c +=================================================================== +--- epan/dissectors/packet-ssl.c (revision 29905) ++++ epan/dissectors/packet-ssl.c (revision 29906) +@@ -272,15 +272,6 @@ + static gchar* ssl_debug_file_name = NULL; + #endif + +-const gchar* ssl_version_short_names[] = { +- "SSL", +- "SSLv2", +- "SSLv3", +- "TLSv1", +- "TLSv1.1", +- "DTLSv1.0", +- "PCT" +-}; + + /* Forward declaration we need below */ + void 
proto_reg_handoff_ssl(void); diff --git a/wireshark.changes b/wireshark.changes index 41ce1e4..35bc29f 100644 --- a/wireshark.changes +++ b/wireshark.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Oct 2 18:19:09 CEST 2009 - prusnak@suse.cz + +- fix CVE-2009-3241 (CVE-2009-3241.patch) [bnc#541654] +- fix CVE-2009-3242 (CVE-2009-3242.patch) [bnc#541659] +- fix CVE-2009-3243 (CVE-2009-3243.patch) [bnc#541655] + ------------------------------------------------------------------- Wed Aug 5 12:45:38 CEST 2009 - prusnak@suse.cz diff --git a/wireshark.spec b/wireshark.spec index 84c1fcf..cf21e88 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -23,7 +23,7 @@ License: GPL v2 or later Group: Productivity/Networking/Diagnostic Summary: A Network Traffic Analyser Version: 1.2.1 -Release: 1 +Release: 2 Url: http://www.wireshark.org/ Source: http://www.wireshark.org/download/src/%{name}-%{version}.tar.bz2 Source1: include.filelist @@ -35,6 +35,12 @@ Patch1: %{name}-1.2.0-disable-warning-dialog.patch Patch2: %{name}-1.2.0-asneeded.patch # PATCH-FEATURE-OPENSUSE wireshark-1.2.0-geoip.patch prusnak@suse.cz -- search in /var/lib/GeoIP if user hasn't set any GeoIP folders Patch3: %{name}-1.2.0-geoip.patch +# PATCH-FIX-UPSTREAM wireshark-1.2.1-CVE-2009-3241.patch prusnak@suse.cz - secfix [bnc#541654] +Patch4: %{name}-1.2.1-CVE-2009-3241.patch +# PATCH-FIX-UPSTREAM wireshark-1.2.1-CVE-2009-3242.patch prusnak@suse.cz - secfix [bnc#541659] +Patch5: %{name}-1.2.1-CVE-2009-3242.patch +# PATCH-FIX-UPSTREAM wireshark-1.2.1-CVE-2009-3243.patch prusnak@suse.cz - secfix [bnc#541655] +Patch6: %{name}-1.2.1-CVE-2009-3243.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: xdg-utils Provides: ethereal = %{version} @@ -151,6 +157,9 @@ Authors: %patch1 %patch2 %patch3 +%patch4 +%patch5 +%patch6 %build %configure
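Review bot: `ssl_version_short_names[]` is still exported as an unsized array in packet-ssl-utils.h, so the SSL and DTLS dissectors that index it cannot check the index against the table length. Adding the "TLSv1.2" entry covers the one version that was out of range, but the next new version constant would reintroduce the same over-read. Consider documenting the coupling at the definition, e.g. `/* indexed by the session version constant; add an entry whenever a version is added */`, and exporting the element count so call sites can bounds-check before indexing. The indexing sites are not part of this hunk, so confirm whether they already clamp the value.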