Resolves: RHEL-80274 - Uncontrolled Recursion in Wireshark

Resolves: RHEL-93153 - wireshark-cli's %post uses /usr/bin/udevadm but missing systemd-udev

wireshark-0009-cve-2025-1492.patch

@@ -0,0 +1,88 @@
+From 83c73a83ad9ec7baa4bbf06d6da9cdd91009d5ed Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Wed, 5 Feb 2025 19:55:12 -0800
+Subject: [PATCH] wscbor: Add a recursion check
+
+Blind-ish attempt at fixing #20373
+---
+ epan/wscbor.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/epan/wscbor.c b/epan/wscbor.c
+index 2e2873c5900..f1ac2baaa25 100644
+--- a/epan/wscbor.c
++++ b/epan/wscbor.c
+@@ -16,6 +16,7 @@
+ #include <wsutil/array.h>
+ #include <epan/exceptions.h>
+ #include <epan/expert.h>
++#include <epan/prefs.h>
+ #include <stdio.h>
+ #include <inttypes.h>
+ #include "wscbor.h"
+@@ -365,7 +366,12 @@ bool wscbor_is_indefinite_break(const wscbor_chunk_t *chunk) {
+  * an indefinite break.
+  * @return True if the skipped item was fully valid.
+  */
+-static bool wscbor_skip_next_item_internal(wmem_allocator_t *alloc, tvbuff_t *tvb, int *offset, bool *is_break) {
++// NOLINTNEXTLINE(misc-no-recursion)
++static bool wscbor_skip_next_item_internal(wmem_allocator_t *alloc, tvbuff_t *tvb, int *offset, bool *is_break, unsigned depth) {
++    if (depth > prefs.gui_max_tree_depth) {
++
++        return false;
++    }
+     wscbor_chunk_t *chunk = wscbor_chunk_read(alloc, tvb, offset);
+     if (wscbor_has_errors(chunk)) {
+         wscbor_chunk_free(chunk);
+@@ -386,7 +392,7 @@ static bool wscbor_skip_next_item_internal(wmem_allocator_t *alloc, tvbuff_t *tv
+                 // wait for indefinite break
+                 bool was_break = false;
+                 do {
+-                    if (!wscbor_skip_next_item_internal(alloc, tvb, offset, &was_break)) {
++                    if (!wscbor_skip_next_item_internal(alloc, tvb, offset, &was_break, depth + 1)) {
+                         return false;
+                     }
+                 }
+@@ -395,7 +401,7 @@ static bool wscbor_skip_next_item_internal(wmem_allocator_t *alloc, tvbuff_t *tv
+             else {
+                 const uint64_t count = chunk->head_value;
+                 for (uint64_t ix = 0; ix < count; ++ix) {
+-                    if (!wscbor_skip_next_item_internal(alloc, tvb, offset, NULL)) {
++                    if (!wscbor_skip_next_item_internal(alloc, tvb, offset, NULL, depth + 1)) {
+                         return false;
+                     }
+                 }
+@@ -407,7 +413,7 @@ static bool wscbor_skip_next_item_internal(wmem_allocator_t *alloc, tvbuff_t *tv
+                 // wait for indefinite break
+                 bool was_break = false;
+                 do {
+-                    if (!wscbor_skip_next_item_internal(alloc, tvb, offset, &was_break)) {
++                    if (!wscbor_skip_next_item_internal(alloc, tvb, offset, &was_break, depth + 1)) {
+                         return false;
+                     }
+                 }
+@@ -416,10 +422,10 @@ static bool wscbor_skip_next_item_internal(wmem_allocator_t *alloc, tvbuff_t *tv
+             else {
+                 const uint64_t count = chunk->head_value;
+                 for (uint64_t ix = 0; ix < count; ++ix) {
+-                    if (!wscbor_skip_next_item_internal(alloc, tvb, offset, NULL)) {
++                    if (!wscbor_skip_next_item_internal(alloc, tvb, offset, NULL, depth + 1)) {
+                         return false;
+                     }
+-                    if (!wscbor_skip_next_item_internal(alloc, tvb, offset, NULL)) {
++                    if (!wscbor_skip_next_item_internal(alloc, tvb, offset, NULL, depth + 1)) {
+                         return false;
+                     }
+                 }
+@@ -438,7 +444,7 @@ static bool wscbor_skip_next_item_internal(wmem_allocator_t *alloc, tvbuff_t *tv
+ }
+ 
+ bool wscbor_skip_next_item(wmem_allocator_t *alloc, tvbuff_t *tvb, int *offset) {
+-    return wscbor_skip_next_item_internal(alloc, tvb, offset, NULL);
++    return wscbor_skip_next_item_internal(alloc, tvb, offset, NULL, 0);
+ }
+ 
+ bool wscbor_skip_if_errors(wmem_allocator_t *alloc, tvbuff_t *tvb, int *offset, const wscbor_chunk_t *chunk) {
+-- 
+GitLab
+

wireshark.spec

@@ -6,7 +6,7 @@
 Summary:	Network traffic analyzer
 Name:		wireshark
 Version:	4.4.2
-Release:	1%{?dist}
+Release:	2%{?dist}
 Epoch:		1
 License:	BSD-1-Clause AND BSD-2-Clause AND BSD-3-Clause AND MIT AND GPL-2.0-or-later AND LGPL-2.0-or-later AND Zlib AND ISC AND (BSD-3-Clause OR GPL-2.0-only) AND (GPL-2.0-or-later AND Zlib)
 Url:		http://www.wireshark.org/
@@ -28,6 +28,7 @@ Patch5:   wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch
 Patch6:   wireshark-0006-Move-tmp-to-var-tmp.patch
 Patch7:   wireshark-0007-cmakelists.patch
 Patch8:   wireshark-0008-pkgconfig.patch
+Patch9:   wireshark-0009-cve-2025-1492.patch
 
 #install tshark together with wireshark GUI
 Requires:	%{name}-cli = %{epoch}:%{version}-%{release}
@@ -191,7 +192,7 @@ find %{buildroot} -type f -name "*.la" -delete
 # skip triggering if udevd isn't even accessible, e.g. containers or
 # rpm-ostree-based systems
 if [ -S /run/udev/control ]; then
-    /usr/bin/udevadm trigger --subsystem-match=usbmon
+    /usr/bin/udevadm trigger --subsystem-match=usbmon || :
 fi
 
 %ldconfig_postun cli
@@ -280,6 +281,10 @@ fi
 %{_libdir}/pkgconfig/%{name}.pc
 
 %changelog
+* Tue Jun 03 2025 Michal Ruprich <mruprich@redhat.com> - 1:4.4.2-2
+- Resolves: RHEL-80274 - Uncontrolled Recursion in Wireshark
+- Resolves: RHEL-93153 - wireshark-cli's %post uses /usr/bin/udevadm but missing systemd-udev
+
 * Thu Nov 28 2024 Michal Ruprich <mruprich@redhat.com> - 1:4.4.2-1
 - Resolves: RHEL-69442 - Rebase wireshark to 4.4.2
 - Resolves: RHEL-68453 - Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark