From bd7bf7f8c23b203dbe5dd56770787eb87a65b783f87def3c4210a4428747e2ed Mon Sep 17 00:00:00 2001
From: Chunyan Liu <cyliu@suse.com>
Date: Wed, 20 Jul 2011 03:05:04 +0000
Subject: [PATCH] Accepting request 76454 from
 home:cyliu:branches:network:utilities

fix bnc#697516

OBS-URL: https://build.opensuse.org/request/show/76454
OBS-URL: https://build.opensuse.org/package/show/network:utilities/wireshark?expand=0&rev=42
---
 wireshark-1.2.17-CVE-2011-1957.patch | 24 +++++++++++++++++++++++
 wireshark-1.2.17-CVE-2011-1958.patch | 29 ++++++++++++++++++++++++++++
 wireshark-1.2.17-CVE-2011-1959.patch | 19 ++++++++++++++++++
 wireshark-1.2.17-CVE-2011-2174.patch | 13 +++++++++++++
 wireshark-1.2.17-CVE-2011-2175.patch | 18 +++++++++++++++++
 wireshark.changes                    | 11 +++++++++++
 wireshark.spec                       | 10 ++++++++++
 7 files changed, 124 insertions(+)
 create mode 100644 wireshark-1.2.17-CVE-2011-1957.patch
 create mode 100644 wireshark-1.2.17-CVE-2011-1958.patch
 create mode 100644 wireshark-1.2.17-CVE-2011-1959.patch
 create mode 100644 wireshark-1.2.17-CVE-2011-2174.patch
 create mode 100644 wireshark-1.2.17-CVE-2011-2175.patch

diff --git a/wireshark-1.2.17-CVE-2011-1957.patch b/wireshark-1.2.17-CVE-2011-1957.patch
new file mode 100644
index 0000000..37ef2bf
--- /dev/null
+++ b/wireshark-1.2.17-CVE-2011-1957.patch
@@ -0,0 +1,24 @@
+--- trunk/epan/dissectors/packet-dcm.c	2011/04/30 08:36:00	36957
++++ trunk/epan/dissectors/packet-dcm.c	2011/04/30 17:43:05	36958
+@@ -6519,6 +6519,7 @@
+ 
+      /* Process all PDUs in the buffer */
+     while (pdu_start < tlen) {
++	guint32 old_pdu_start;
+ 
+ 	if ((pdu_len+6) > (tlen-offset)) {
+ 
+@@ -6539,7 +6540,13 @@
+ 	offset=dissect_dcm_pdu(tvb, pinfo, tree, pdu_start);
+ 
+ 	/* Next PDU */
++	old_pdu_start = pdu_start;
+ 	pdu_start =  pdu_start + pdu_len + 6;
++	if (pdu_start <= old_pdu_start) {
++	    expert_add_info_format(pinfo, NULL, PI_MALFORMED, PI_ERROR,
++		"Invalid PDU length (%u)", pdu_len);
++	    THROW(ReportedBoundsError);
++	}
+ 
+ 	if (pdu_start < tlen - 6) {
+ 	    /* we got at least 6 bytes of the next PDU still in the buffer */
diff --git a/wireshark-1.2.17-CVE-2011-1958.patch b/wireshark-1.2.17-CVE-2011-1958.patch
new file mode 100644
index 0000000..ed7a6af
--- /dev/null
+++ b/wireshark-1.2.17-CVE-2011-1958.patch
@@ -0,0 +1,29 @@
+--- trunk/epan/diam_dict.l	2011/05/06 15:05:51	37010
++++ trunk/epan/diam_dict.l	2011/05/06 19:39:47	37011
+@@ -269,9 +269,6 @@
+ 		yyterminate();
+ 	}
+ 
+-	include_stack[include_stack_ptr++] = YY_CURRENT_BUFFER;
+-
+-
+ 	for (e = ents.next; e; e = e->next) {
+ 		if (strcmp(e->name,yytext) == 0) {
+ 			yyin = ddict_open(sys_dir,e->file);
+@@ -282,6 +279,7 @@
+ 					yyterminate();
+ 				}
+ 			} else {
++				include_stack[include_stack_ptr++] = YY_CURRENT_BUFFER;
+ 				yy_switch_to_buffer(yy_create_buffer( yyin, YY_BUF_SIZE ) );
+ 				BEGIN LOADING;
+ 			}
+@@ -290,7 +288,7 @@
+ 	}
+ 
+ 	if (!e) {
+-		fprintf(stderr, "Could not find entity: '%s'", e->name );
++		fprintf(stderr, "Could not find entity: '%s'\n", yytext );
+ 		yyterminate();
+ 	}
+
diff --git a/wireshark-1.2.17-CVE-2011-1959.patch b/wireshark-1.2.17-CVE-2011-1959.patch
new file mode 100644
index 0000000..e5892cd
--- /dev/null
+++ b/wireshark-1.2.17-CVE-2011-1959.patch
@@ -0,0 +1,19 @@
+--- trunk/wiretap/snoop.c	2011/05/11 20:40:14	37067
++++ trunk/wiretap/snoop.c	2011/05/11 22:36:59	37068
+@@ -473,6 +473,16 @@
+ 	rec_size = g_ntohl(hdr.rec_len);
+ 	orig_size = g_ntohl(hdr.orig_len);
+ 	packet_size = g_ntohl(hdr.incl_len);
++	if (orig_size > WTAP_MAX_PACKET_SIZE) {
++		/*
++		 * Probably a corrupt capture file; don't blow up trying
++		 * to allocate space for an immensely-large packet.
++		 */
++		*err = WTAP_ERR_BAD_RECORD;
++		*err_info = g_strdup_printf("snoop: File has %u-byte original length, bigger than maximum of %u",
++		    orig_size, WTAP_MAX_PACKET_SIZE);
++		return FALSE;
++	}
+ 	if (packet_size > WTAP_MAX_PACKET_SIZE) {
+ 		/*
+ 		 * Probably a corrupt capture file; don't blow up trying
diff --git a/wireshark-1.2.17-CVE-2011-2174.patch b/wireshark-1.2.17-CVE-2011-2174.patch
new file mode 100644
index 0000000..c9d7c6c
--- /dev/null
+++ b/wireshark-1.2.17-CVE-2011-2174.patch
@@ -0,0 +1,13 @@
+--- trunk/epan/tvbuff.c	2011/05/12 15:48:51	37080
++++ trunk/epan/tvbuff.c	2011/05/12 16:31:42	37081
+@@ -3425,9 +3425,9 @@
+ 			inflateEnd(strm);
+ 			g_free(strm);
+ 			g_free(strmbuf);
+-			g_free(compr);
+ 
+ 			if (uncompr == NULL) {
++				g_free(compr);
+ 				return NULL;
+ 			}
+ 
diff --git a/wireshark-1.2.17-CVE-2011-2175.patch b/wireshark-1.2.17-CVE-2011-2175.patch
new file mode 100644
index 0000000..c523e38
--- /dev/null
+++ b/wireshark-1.2.17-CVE-2011-2175.patch
@@ -0,0 +1,18 @@
+--- trunk/wiretap/visual.c	2011/05/13 17:05:05	37127
++++ trunk/wiretap/visual.c	2011/05/13 17:12:44	37128
+@@ -420,6 +420,15 @@
+        break;
+     }
+ 
++    if (wth->phdr.len > WTAP_MAX_PACKET_SIZE) {
++    /* Check if wth->phdr.len is sane, small values of wth.phdr.len before
++       the case loop above can cause integer underflows */ 
++        *err = WTAP_ERR_BAD_RECORD;
++        *err_info = g_strdup_printf("visual: File has %u-byte original packet, bigger than maximum of %u",
++                    wth->phdr.len, WTAP_MAX_PACKET_SIZE);
++        return FALSE;
++    }
++
+     /* Sanity check */
+     if (wth->phdr.len < wth->phdr.caplen)
+     {
diff --git a/wireshark.changes b/wireshark.changes
index 334217b..c1e3789 100644
--- a/wireshark.changes
+++ b/wireshark.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon Jul 18 07:43:08 UTC 2011 - cyliu@novell.com
+
+- security fixes [#bnc 697516] 
+  * CVE-2011-1957: Large/infinite loop in the DICOM dissector
+  * CVE-2011-1959: A corrupted snoop file could crash Wireshark
+  * CVE-2011-2174: Malformed compressed capture data could crash Wireshark
+  * CVE-2011-2175: A corrupted Visual Networks file could crash Wireshark
+  * CVE-2011-1958: dereferene a NULL pointer if we had a corrupted Diameter
+  dictionary
+
 -------------------------------------------------------------------
 Tue May 24 16:40:30 CEST 2011 - dimstar@opensuse.org
 
diff --git a/wireshark.spec b/wireshark.spec
index 1c9d4f0..b04ac5e 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -38,6 +38,11 @@ Patch3:         %{name}-corosync-packet-dissector.patch
 Patch4:         %{name}-1.2.4-enable_lua.patch
 # PATCH-FEATURE-OPENSUSE wireshark-nfsv4-opts.patch -- add NFSv4 options
 Patch5:         %{name}-nfsv4-opts.patch
+Patch6:         %{name}-1.2.17-CVE-2011-1957.patch
+Patch7:        %{name}-1.2.17-CVE-2011-1959.patch
+Patch8:        %{name}-1.2.17-CVE-2011-2174.patch
+Patch9:        %{name}-1.2.17-CVE-2011-2175.patch
+Patch10:        %{name}-1.2.17-CVE-2011-1958.patch
 BuildRequires:  bison
 BuildRequires:  cairo-devel
 BuildRequires:  flex
@@ -100,6 +105,11 @@ view the reconstructed stream of a TCP session.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
 
 sed -i 's/^Icon=wireshark.png$/Icon=wireshark/' wireshark.desktop
 # run as root on 11.3 and older - bnc#349782