diff --git a/SOURCES/wireshark-0012-cve-2023-0668.patch b/SOURCES/wireshark-0012-cve-2023-0668.patch new file mode 100644 index 0000000..86dd8e5 --- /dev/null +++ b/SOURCES/wireshark-0012-cve-2023-0668.patch @@ -0,0 +1,29 @@ +From c4f37d77b29ec6a9754795d0efb6f68d633728d9 Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Sat, 20 May 2023 23:08:08 -0400 +Subject: [PATCH] synphasor: Use val_to_str_const + +Don't use a value from packet data to directly index a value_string, +particularly when the value string doesn't cover all possible values. + +Fix #19087 +--- + epan/dissectors/packet-synphasor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-synphasor.c b/epan/dissectors/packet-synphasor.c +index 536847f7502..fdc9e282b3a 100644 +--- a/epan/dissectors/packet-synphasor.c ++++ b/epan/dissectors/packet-synphasor.c +@@ -1211,7 +1211,7 @@ static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint c + + data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4, + ett_conf_phflags, NULL, "Phasor Data flags: %s", +- conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr); ++ val_to_str_const(tvb_get_guint8(tvb, offset + 2), conf_phasor_type, "Unknown")); + + /* first and second bytes - phasor modification flags*/ + phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags, +-- +GitLab + diff --git a/SOURCES/wireshark-0013-cve-2023-0666.patch b/SOURCES/wireshark-0013-cve-2023-0666.patch new file mode 100644 index 0000000..b5894a5 --- /dev/null +++ b/SOURCES/wireshark-0013-cve-2023-0666.patch @@ -0,0 +1,116 @@ +From 28fdce547c417b868c521f87fb58f71ca6b1e3f7 Mon Sep 17 00:00:00 2001 +From: Gerald Combs +Date: Thu, 18 May 2023 13:52:48 -0700 +Subject: [PATCH] RTPS: Fixup our g_strlcpy dest_sizes + +Use the proper dest_size in various g_strlcpy calls. + +Fixes #19085 +--- + epan/dissectors/packet-rtps.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c +index 2884e86faa1..a39202952f6 100644 +--- a/epan/dissectors/packet-rtps.c ++++ b/epan/dissectors/packet-rtps.c +@@ -4944,7 +4944,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + ++tk_id; + } + +- g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), 40); ++ g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), sizeof(type_name)); + + /* Structure of the typecode data: + * +@@ -5115,7 +5115,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + member_name, -1, NULL, ndds_40_hack); + } + /* Finally prints the name of the struct (if provided) */ +- g_strlcpy(type_name, "}", 40); ++ g_strlcpy(type_name, "}", sizeof(type_name)); + break; + + } /* end of case UNION */ +@@ -5286,7 +5286,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + } + } + /* Finally prints the name of the struct (if provided) */ +- g_strlcpy(type_name, "}", 40); ++ g_strlcpy(type_name, "}", sizeof(type_name)); + break; + } + +@@ -5378,7 +5378,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + offset += 4; + alias_name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, alias_name_length, ENC_ASCII); + offset += alias_name_length; +- g_strlcpy(type_name, alias_name, 40); ++ g_strlcpy(type_name, alias_name, sizeof(type_name)); + break; + } + +@@ -5413,7 +5413,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + if (tk_id == RTI_CDR_TK_VALUE_PARAM) { + type_id_name = "valueparam"; + } +- g_snprintf(type_name, 40, "%s '%s'", type_id_name, value_name); ++ g_snprintf(type_name, sizeof(type_name), "%s '%s'", type_id_name, value_name); + break; + } + } /* switch(tk_id) */ +@@ -5577,7 +5577,7 @@ static gint rtps_util_add_type_library_type(proto_tree *tree, + long_number = tvb_get_guint32(tvb, offset_tmp, encoding); + name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset_tmp+4, long_number, ENC_ASCII); + if (info) +- g_strlcpy(info->member_name, name, long_number); ++ g_strlcpy(info->member_name, name, sizeof(info->member_name)); + + proto_item_append_text(tree, " %s", name); + offset += member_length; +@@ -5753,13 +5753,13 @@ static gint rtps_util_add_type_member(proto_tree *tree, + proto_item_append_text(tree, " %s (ID: %d)", name, member_id); + if (member_object) { + member_object->member_id = member_id; +- g_strlcpy(member_object->member_name, name, long_number < 256 ? long_number : 256); ++ g_strlcpy(member_object->member_name, name, sizeof(member_object->member_name)); + member_object->type_id = member_type_id; + } + if (info && info->extensibility == EXTENSIBILITY_MUTABLE) { + mutable_member_mapping * mutable_mapping = NULL; + mutable_mapping = wmem_new(wmem_file_scope(), mutable_member_mapping); +- g_strlcpy(mutable_mapping->member_name, name, long_number < 256 ? long_number : 256); ++ g_strlcpy(mutable_mapping->member_name, name, sizeof(mutable_mapping->member_name)); + mutable_mapping->struct_type_id = info->type_id; + mutable_mapping->member_type_id = member_type_id; + mutable_mapping->member_id = member_id; +@@ -5814,7 +5814,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, + union_member_mapping * mapping = NULL; + + mapping = wmem_new(wmem_file_scope(), union_member_mapping); +- g_strlcpy(mapping->member_name, object.member_name, 256); ++ g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); + mapping->member_type_id = object.type_id; + mapping->discriminator = HASHMAP_DISCRIMINATOR_CONSTANT; + mapping->union_type_id = union_type_id + mapping->discriminator; +@@ -5827,7 +5827,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, + union_member_mapping * mapping = NULL; + + mapping = wmem_new(wmem_file_scope(), union_member_mapping); +- g_strlcpy(mapping->member_name, object.member_name, 256); ++ g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); + mapping->member_type_id = object.type_id; + mapping->discriminator = -1; + mapping->union_type_id = union_type_id + mapping->discriminator; +@@ -5847,7 +5847,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, + ti = proto_tree_add_item(labels, hf_rtps_type_object_union_label, tvb, offset_tmp, 4, encoding); + offset_tmp += 4; + +- g_strlcpy(mapping->member_name, object.member_name, 256); ++ g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); + mapping->member_type_id = object.type_id; + mapping->discriminator = discriminator_case; + mapping->union_type_id = union_type_id + discriminator_case; +-- +GitLab + diff --git a/SOURCES/wireshark-0014-cve-2023-2858.patch b/SOURCES/wireshark-0014-cve-2023-2858.patch new file mode 100644 index 0000000..1d10d4b --- /dev/null +++ b/SOURCES/wireshark-0014-cve-2023-2858.patch @@ -0,0 +1,93 @@ +From 74017383c8c73f25d12ef847c96854641f88fae4 Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Fri, 19 May 2023 16:29:45 -0700 +Subject: [PATCH] netscaler: add more checks to make sure the record is within + the page. + +Whie we're at it, restructure some other checks to test-before-casting - +it's OK to test afterwards, but testing before makes it follow the +pattern used elsewhere. + +Fixes #19081. + + +(cherry picked from commit cb190d6839ddcd4596b0205844f45553f1e77105) +--- + wiretap/netscaler.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c +index 8dcbd42a089..b94caca0869 100644 +--- a/wiretap/netscaler.c ++++ b/wiretap/netscaler.c +@@ -1114,13 +1114,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int file_version, int *err, + + #define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \ + do {\ +- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\ ++ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + return FALSE;\ + }\ ++ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Check sanity of record size */\ + if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\ + *err = WTAP_ERR_BAD_FILE;\ +@@ -1186,6 +1186,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_ABSTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1199,6 +1201,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_RELTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1216,6 +1220,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + default: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1500,14 +1506,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf, + + #define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\ + do {\ +- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\ ++ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + g_free(nstrace_tmpbuff);\ + return FALSE;\ + }\ ++ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + (rec)->rec_type = REC_TYPE_PACKET;\ + TIMEDEFV##ver((rec),fp,type);\ + FULLPART##SIZEDEFV##ver((rec),fp,ver);\ +@@ -1615,7 +1621,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, Buffer *buf, + g_free(nstrace_tmpbuff); + return FALSE; + } +- + hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset]; + if (nspr_getv20recordsize(hdp) == 0) { + *err = WTAP_ERR_BAD_FILE; +-- +GitLab + diff --git a/SOURCES/wireshark-0015-cve-2023-2856.patch b/SOURCES/wireshark-0015-cve-2023-2856.patch new file mode 100644 index 0000000..a9c2336 --- /dev/null +++ b/SOURCES/wireshark-0015-cve-2023-2856.patch @@ -0,0 +1,67 @@ +From da017472e69453011ea28571f192cbc79cba7f5c Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Thu, 18 May 2023 15:03:23 -0700 +Subject: [PATCH] vms: fix the search for the packet length field. + +The packet length field is of the form + + Total Length = DDD = ^xXXX + +where "DDD" is the length in decimal and "XXX" is the length in +hexadecimal. + +Search for "length ". not just "Length", as we skip past "Length ", not +just "Length", so if we assume we found "Length " but only found +"Length", we'd skip past the end of the string. + +While we're at it, fail if we don't find a length field, rather than +just blithely acting as if the packet length were zero. + +Fixes #19083. + + +(cherry picked from commit db5135826de3a5fdb3618225c2ff02f4207012ca) +--- + wiretap/vms.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/wiretap/vms.c b/wiretap/vms.c +index 00da6ff359e..c21b26e6be0 100644 +--- a/wiretap/vms.c ++++ b/wiretap/vms.c +@@ -322,6 +322,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + { + char line[VMS_LINE_LENGTH + 1]; + int num_items_scanned; ++ gboolean have_pkt_len = FALSE; + guint32 pkt_len = 0; + int pktnum; + int csec = 101; +@@ -378,7 +379,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + return FALSE; + } + } +- if ( (! pkt_len) && (p = strstr(line, "Length"))) { ++ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) { + p += sizeof("Length "); + while (*p && ! g_ascii_isdigit(*p)) + p++; +@@ -394,9 +395,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + *err_info = g_strdup_printf("vms: Length field '%s' not valid", p); + return FALSE; + } ++ have_pkt_len = TRUE; + break; + } + } while (! isdumpline(line)); ++ if (! have_pkt_len) { ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup_printf("vms: Length field not found"); ++ return FALSE; ++ } + if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) { + /* + * Probably a corrupt capture file; return an error, +-- +GitLab + diff --git a/SOURCES/wireshark-0016-cve-2023-2855.patch b/SOURCES/wireshark-0016-cve-2023-2855.patch new file mode 100644 index 0000000..f2018fb --- /dev/null +++ b/SOURCES/wireshark-0016-cve-2023-2855.patch @@ -0,0 +1,103 @@ +From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Tue, 16 May 2023 12:05:07 -0700 +Subject: [PATCH] candump: check for a too-long frame length. + +If the frame length is longer than the maximum, report an error in the +file. + +Fixes #19062, preventing the overflow on a buffer on the stack (assuming +your compiler doesn't call a bounds-checknig version of memcpy() if the +size of the target space is known). +--- + wiretap/candump.c | 39 +++++++++++++++++++++++++++++++-------- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/wiretap/candump.c b/wiretap/candump.c +index 62f89e7b564..43863b45cf7 100644 +--- a/wiretap/candump.c ++++ b/wiretap/candump.c +@@ -34,8 +34,9 @@ void register_candump(void); + wtap_rec *rec, Buffer *buf, + int *err, gchar **err_info); + +-static void +-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) ++static gboolean ++candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err, ++ gchar **err_info) + { + static const char *can_proto_name = "can-hostendian"; + static const char *canfd_proto_name = "canfd"; +@@ -56,6 +57,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + { + canfd_frame_t canfd_frame = {0}; + ++ /* ++ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame. ++ */ ++ if (msg->data.length > CANFD_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u", ++ msg->data.length, CANFD_MAX_DLEN); ++ } ++ return FALSE; ++ } ++ + canfd_frame.can_id = msg->id; + canfd_frame.flags = msg->flags; + canfd_frame.len = msg->data.length; +@@ -67,6 +80,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + { + can_frame_t can_frame = {0}; + ++ /* ++ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame. ++ */ ++ if (msg->data.length > CAN_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u", ++ msg->data.length, CAN_MAX_DLEN); ++ } ++ return FALSE; ++ } ++ + can_frame.can_id = msg->id; + can_frame.can_dlc = msg->data.length; + memcpy(can_frame.data, msg->data.data, msg->data.length); +@@ -82,6 +107,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + + rec->rec_header.packet_header.caplen = packet_length; + rec->rec_header.packet_header.len = packet_length; ++ ++ return TRUE; + } + + static gboolean +@@ -188,9 +215,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info, + ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh)); + #endif + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + static gboolean +@@ -214,9 +239,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec, + if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info)) + return FALSE; + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + /* +-- +GitLab + diff --git a/SOURCES/wireshark-0017-cve-2023-2952.patch b/SOURCES/wireshark-0017-cve-2023-2952.patch new file mode 100644 index 0000000..e84660b --- /dev/null +++ b/SOURCES/wireshark-0017-cve-2023-2952.patch @@ -0,0 +1,98 @@ +From e18d0e369729b0fff5f76f41cbae67e97c2e52e5 Mon Sep 17 00:00:00 2001 +From: Gerald Combs +Date: Tue, 23 May 2023 13:52:03 -0700 +Subject: [PATCH] XRA: Fix an infinite loop + +C compilers don't care what size a value was on the wire. Use +naturally-sized ints, including in dissect_message_channel_mb where we +would otherwise overflow and loop infinitely. + +Fixes #19100 + +(cherry picked from commit ce87eac0325581b600b3093fcd75080df14ccfda) + +Conflicts: + epan/dissectors/packet-xra.c +--- + epan/dissectors/packet-xra.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c +index ef8437e9382..4c3713db94b 100644 +--- a/epan/dissectors/packet-xra.c ++++ b/epan/dissectors/packet-xra.c +@@ -445,7 +445,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -500,7 +500,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -534,7 +534,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu + it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -574,7 +574,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da + it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA); + xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb; + + while (tlv_index < tlv_length) { +@@ -718,7 +718,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + if(packet_start_pointer_field_present) { + proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer); + +- guint16 docsis_start = 3 + packet_start_pointer; ++ unsigned docsis_start = 3 + packet_start_pointer; + while (docsis_start + 6 < remaining_length) { + /*DOCSIS header in packet*/ + guint8 fc = tvb_get_guint8(tvb,docsis_start + 0); +@@ -727,7 +727,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + docsis_start += 1; + continue; + } +- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); ++ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); + if (docsis_start + 6 + docsis_length <= remaining_length) { + /*DOCSIS packet included in packet*/ + tvbuff_t *docsis_tvb; +@@ -797,7 +797,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) { + static int + dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) { + +- guint16 offset = 0; ++ int offset = 0; + proto_tree *plc_tree; + proto_item *plc_item; + tvbuff_t *mb_tvb; +@@ -857,7 +857,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _ + + static int + dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) { +- guint16 offset = 0; ++ int offset = 0; + proto_tree *ncp_tree; + proto_item *ncp_item; + tvbuff_t *ncp_mb_tvb; +-- +GitLab + diff --git a/SPECS/wireshark.spec b/SPECS/wireshark.spec index 2324913..8b80d7b 100644 --- a/SPECS/wireshark.spec +++ b/SPECS/wireshark.spec @@ -6,7 +6,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 3.4.10 -Release: 4%{?dist} +Release: 6%{?dist} Epoch: 1 License: GPL+ Url: http://www.wireshark.org/ @@ -30,6 +30,12 @@ Patch0007: wireshark-0007-cmakelists.patch Patch0009: wireshark-0009-smc-support.patch Patch0010: wireshark-0010-fips-ripemd160.patch Patch0011: wireshark-0011-cve-2022-3190.patch +Patch0012: wireshark-0012-cve-2023-0668.patch +Patch0013: wireshark-0013-cve-2023-0666.patch +Patch0014: wireshark-0014-cve-2023-2858.patch +Patch0015: wireshark-0015-cve-2023-2856.patch +Patch0016: wireshark-0016-cve-2023-2855.patch +Patch0017: wireshark-0017-cve-2023-2952.patch #install tshark together with wireshark GUI Requires: %{name}-cli = %{epoch}:%{version}-%{release} @@ -277,6 +283,16 @@ fi %{_libdir}/pkgconfig/%{name}.pc %changelog +* Mon Jun 19 2023 Michal Ruprich - 1:3.4.10-6 +- Resolves: #2211413 - XRA dissector infinite loop + +* Wed Jun 07 2023 Michal Ruprich - 1:3.4.10-5 +- Resolves: #2210864 - Candump log file parser crash + Resolves: #2210865 - VMS TCPIPtrace file parser crash + Resolves: #2210868 - NetScaler file parser crash + Resolves: #2210870 - RTPS dissector crash + Resolves: #2210871 - IEEE C37.118 Synchrophasor dissector crash + * Fri Jan 20 2023 Michal Ruprich - 1:3.4.10-4 - Resolves: #2152064 - CVE-2022-3190 wireshark: f5ethtrailer Infinite loop in legacy style dissector