rpms/wireshark
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import wireshark-3.4.10-4.el9

Browse Source
This commit is contained in:
CentOS Sources 2023-05-09 05:23:27 +00:00 committed by Stepan Oksanichenko
parent c3e21f9fab
commit 301091cece
3 changed files with 223 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
SOURCES/wireshark-0010-fips-ripemd160.patch Normal file
View File

@ -0,0 +1,56 @@
diff --git a/capinfos.c b/capinfos.c
index 5536766..12b141e 100644
--- a/capinfos.c
+++ b/capinfos.c
@@ -739,7 +739,8 @@ print_stats(const gchar *filename, capture_info *cf_info)
}
if (cap_file_hashes) {
printf ("SHA256: %s\n", file_sha256);
- printf ("RIPEMD160: %s\n", file_rmd160);
+ if(!gcry_fips_mode_active())
+ printf ("RIPEMD160: %s\n", file_rmd160);
printf ("SHA1: %s\n", file_sha1);
}
if (cap_order) printf ("Strict time order: %s\n", order_string(cf_info->order));
@@ -851,7 +852,8 @@ print_stats_table_header(void)
if (cap_packet_rate) print_stats_table_header_label("Average packet rate (packets/sec)");
if (cap_file_hashes) {
print_stats_table_header_label("SHA256");
- print_stats_table_header_label("RIPEMD160");
+ if(!gcry_fips_mode_active())
+ print_stats_table_header_label("RIPEMD160");
print_stats_table_header_label("SHA1");
}
if (cap_order) print_stats_table_header_label("Strict time order");
@@ -1447,7 +1449,10 @@ print_usage(FILE *output)
fprintf(output, " -E display the capture file encapsulation\n");
fprintf(output, " -I display the capture file interface information\n");
fprintf(output, " -F display additional capture file information\n");
- fprintf(output, " -H display the SHA256, RMD160, and SHA1 hashes of the file\n");
+ if(!gcry_fips_mode_active())
+ fprintf(output, " -H display the SHA256 and SHA1 hashes of the file\n");
+ else
+ fprintf(output, " -H display the SHA256, RMD160, and SHA1 hashes of the file\n");
fprintf(output, " -k display the capture comment\n");
fprintf(output, "\n");
fprintf(output, "Size infos:\n");
@@ -1795,7 +1800,8 @@ main(int argc, char *argv[])
gcry_check_version(NULL);
gcry_md_open(&hd, GCRY_MD_SHA256, 0);
if (hd) {
- gcry_md_enable(hd, GCRY_MD_RMD160);
+ if(!gcry_fips_mode_active())
+ gcry_md_enable(hd, GCRY_MD_RMD160);
gcry_md_enable(hd, GCRY_MD_SHA1);
}
hash_buf = (char *)g_malloc(HASH_BUF_SIZE);
@@ -1817,7 +1823,8 @@ main(int argc, char *argv[])
}
gcry_md_final(hd);
hash_to_str(gcry_md_read(hd, GCRY_MD_SHA256), HASH_SIZE_SHA256, file_sha256);
- hash_to_str(gcry_md_read(hd, GCRY_MD_RMD160), HASH_SIZE_RMD160, file_rmd160);
+ if(!gcry_fips_mode_active())
+ hash_to_str(gcry_md_read(hd, GCRY_MD_RMD160), HASH_SIZE_RMD160, file_rmd160);
hash_to_str(gcry_md_read(hd, GCRY_MD_SHA1), HASH_SIZE_SHA1, file_sha1);
}
if (fh) fclose(fh);

142
SOURCES/wireshark-0011-cve-2022-3190.patch Normal file
View File

@ -0,0 +1,142 @@
From 0f27a83c5692b2afebe6e6934c1051f76aa2ecf9 Mon Sep 17 00:00:00 2001
From: Jason Cohen <kryojenik2@gmail.com>
Date: Wed, 31 Aug 2022 11:10:17 -0500
Subject: [PATCH] f5ethtrailer: Improve "old-style" heuristic
Remove a chance for an infinate loop in the disection heuristic.
---
epan/dissectors/packet-f5ethtrailer.c | 108 +++++++++++++-------------
1 file changed, 56 insertions(+), 52 deletions(-)
diff --git a/epan/dissectors/packet-f5ethtrailer.c b/epan/dissectors/packet-f5ethtrailer.c
index b2ba8f899d..915348ea83 100644
--- a/epan/dissectors/packet-f5ethtrailer.c
+++ b/epan/dissectors/packet-f5ethtrailer.c
@@ -2751,69 +2751,73 @@ dissect_dpt_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
static gint
dissect_old_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
- proto_tree *type_tree = NULL;
- proto_item *ti = NULL;
guint offset = 0;
- guint processed = 0;
- f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
- guint8 type;
- guint8 len;
- guint8 ver;
/* While we still have data in the trailer. For old format trailers, this needs
* type, length, version (3 bytes) and for new format trailers, the magic header (4 bytes).
* All old format trailers are at least 4 bytes long, so just check for length of magic.
*/
- while (tvb_reported_length_remaining(tvb, offset)) {
- type = tvb_get_guint8(tvb, offset);
- len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
- ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
-
- if (len <= tvb_reported_length_remaining(tvb, offset) && type >= F5TYPE_LOW
- && type <= F5TYPE_HIGH && len >= F5_MIN_SANE && len <= F5_MAX_SANE
- && ver <= F5TRAILER_VER_MAX) {
- /* Parse out the specified trailer. */
- switch (type) {
- case F5TYPE_LOW:
- ti = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
-
- processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
- if (processed > 0) {
- tdata->trailer_len += processed;
- tdata->noise_low = 1;
- }
- break;
- case F5TYPE_MED:
- ti = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
-
- processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
- if (processed > 0) {
- tdata->trailer_len += processed;
- tdata->noise_med = 1;
- }
- break;
- case F5TYPE_HIGH:
- ti = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
-
- processed =
- dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
- if (processed > 0) {
- tdata->trailer_len += processed;
- tdata->noise_high = 1;
- }
- break;
+ while (tvb_reported_length_remaining(tvb, offset) >= F5_MIN_SANE) {
+ /* length field does not include the type and length bytes. Add them back in */
+ guint8 len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
+ if (len > tvb_reported_length_remaining(tvb, offset)
+ || len < F5_MIN_SANE || len > F5_MAX_SANE) {
+ /* Invalid length - either a malformed trailer, corrupt packet, or not f5ethtrailer */
+ return offset;
+ }
+ guint8 type = tvb_get_guint8(tvb, offset);
+ guint8 ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
+
+ /* Parse out the specified trailer. */
+ proto_tree *type_tree = NULL;
+ proto_item *ti = NULL;
+ f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
+ guint processed = 0;
+
+ switch (type) {
+ case F5TYPE_LOW:
+ ti = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
+ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
+
+ processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+ if (processed > 0) {
+ tdata->trailer_len += processed;
+ tdata->noise_low = 1;
}
- if (processed == 0) {
- proto_item_set_len(ti, 1);
- return offset;
+ break;
+ case F5TYPE_MED:
+ ti = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
+ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
+
+ processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+ if (processed > 0) {
+ tdata->trailer_len += processed;
+ tdata->noise_med = 1;
+ }
+ break;
+ case F5TYPE_HIGH:
+ ti = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
+ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
+
+ processed =
+ dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+ if (processed > 0) {
+ tdata->trailer_len += processed;
+ tdata->noise_high = 1;
}
+ break;
+ default:
+ /* Unknown type - malformed trailer, corrupt packet, or not f5ethtrailer - bali out*/
+ return offset;
+ }
+ if (processed == 0) {
+ /* couldn't process trailer - bali out */
+ proto_item_set_len(ti, 1);
+ return offset;
}
offset += processed;
}
-return offset;
+ return offset;
} /* dissect_old_trailer() */
/*---------------------------------------------------------------------------*/
--
GitLab

35
SPECS/wireshark.spec
View File

@ -6,7 +6,7 @@
Summary: Network traffic analyzer Summary: Network traffic analyzer
Name: wireshark Name: wireshark
Version: 3.4.10 Version: 3.4.10
Release: 1%{?dist} Release: 4%{?dist}
Epoch: 1 Epoch: 1
License: GPL+ License: GPL+
Url: http://www.wireshark.org/ Url: http://www.wireshark.org/
@ -16,18 +16,20 @@ Source1: https://www.wireshark.org/download/src/all-versions/SIGNATURES-%
Source2: 90-wireshark-usbmon.rules Source2: 90-wireshark-usbmon.rules
# Fedora-specific # Fedora-specific
Patch2: wireshark-0002-Customize-permission-denied-error.patch Patch0002: wireshark-0002-Customize-permission-denied-error.patch
# Will be proposed upstream # Will be proposed upstream
Patch3: wireshark-0003-fix-string-overrun-in-plugins-profinet.patch Patch0003: wireshark-0003-fix-string-overrun-in-plugins-profinet.patch
# Fedora-specific # Fedora-specific
Patch4: wireshark-0004-Restore-Fedora-specific-groups.patch Patch0004: wireshark-0004-Restore-Fedora-specific-groups.patch
# Fedora-specific # Fedora-specific
Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch Patch0005: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch
# Fedora-specific # Fedora-specific
Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch Patch0006: wireshark-0006-Move-tmp-to-var-tmp.patch
Patch7: wireshark-0007-cmakelists.patch Patch0007: wireshark-0007-cmakelists.patch
#Patch8: wireshark-0008-move-glib.patch #Patch0008: wireshark-0008-move-glib.patch
Patch9: wireshark-0009-smc-support.patch Patch0009: wireshark-0009-smc-support.patch
Patch0010: wireshark-0010-fips-ripemd160.patch
Patch0011: wireshark-0011-cve-2022-3190.patch
#install tshark together with wireshark GUI #install tshark together with wireshark GUI
Requires: %{name}-cli = %{epoch}:%{version}-%{release} Requires: %{name}-cli = %{epoch}:%{version}-%{release}
@ -104,7 +106,11 @@ Wireshark.
%package devel %package devel
Summary: Development headers and libraries for wireshark Summary: Development headers and libraries for wireshark
Requires: %{name} = %{epoch}:%{version}-%{release} glibc-devel glib2-devel Requires: %{name} = %{epoch}:%{version}-%{release}
Requires: %{name}-cli = %{epoch}:%{version}-%{release}
Requires: glibc-devel
Requires: glib2-devel
%description devel %description devel
The wireshark-devel package contains the header files, developer The wireshark-devel package contains the header files, developer
@ -271,6 +277,15 @@ fi
%{_libdir}/pkgconfig/%{name}.pc %{_libdir}/pkgconfig/%{name}.pc
%changelog %changelog
* Fri Jan 20 2023 Michal Ruprich <mruprich@redhat.com> - 1:3.4.10-4
- Resolves: #2152064 - CVE-2022-3190 wireshark: f5ethtrailer Infinite loop in legacy style dissector
* Thu Jan 19 2023 Michal Ruprich <mruprich@redhat.com> - 1:3.4.10-3
- Resolves: #2083581 - capinfos aborts in FIPS
* Thu Jan 19 2023 Michal Ruprich <mruprich@redhat.com> - 1:3.4.10-2
- Resolves: #2160648 - Enhanced TMT testing for centos-stream
* Thu Dec 16 2021 Michal Ruprich <mruprich@redhat.com> - 1:3.4.10-1 * Thu Dec 16 2021 Michal Ruprich <mruprich@redhat.com> - 1:3.4.10-1
- Resolves: #2032966 - Rebase wireshark to fix multiple CVEs - Resolves: #2032966 - Rebase wireshark to fix multiple CVEs