diff --git a/wireshark-0001-enable-Lua-support.patch b/wireshark-0001-enable-Lua-support.patch new file mode 100644 index 0000000..6963c77 --- /dev/null +++ b/wireshark-0001-enable-Lua-support.patch @@ -0,0 +1,18 @@ +From: =?UTF-8?q?Radek=20Vok=C3=A1l?= +Date: Tue, 15 Dec 2009 08:36:27 +0000 +Subject: [PATCH] enable Lua support + + +diff --git a/epan/wslua/template-init.lua b/epan/wslua/template-init.lua +index 3fe2aca..2b48f9b 100644 +--- a/epan/wslua/template-init.lua ++++ b/epan/wslua/template-init.lua +@@ -41,7 +41,7 @@ if running_superuser then + local disabled_lib = {} + setmetatable(disabled_lib,{ __index = function() error("this package ".. hint) end } ); + +- dofile = function() error("dofile " .. hint) end ++-- dofile = function() error("dofile " .. hint) end + loadfile = function() error("loadfile " .. hint) end + loadlib = function() error("loadlib " .. hint) end + require = function() error("require " .. hint) end diff --git a/wireshark-0029-cve-2023-2858.patch b/wireshark-0029-cve-2023-2858.patch new file mode 100644 index 0000000..e34d1cb --- /dev/null +++ b/wireshark-0029-cve-2023-2858.patch @@ -0,0 +1,105 @@ +From 74017383c8c73f25d12ef847c96854641f88fae4 Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Fri, 19 May 2023 16:29:45 -0700 +Subject: [PATCH] netscaler: add more checks to make sure the record is within + the page. + +Whie we're at it, restructure some other checks to test-before-casting - +it's OK to test afterwards, but testing before makes it follow the +pattern used elsewhere. + +Fixes #19081. + + +(cherry picked from commit cb190d6839ddcd4596b0205844f45553f1e77105) +--- + wiretap/netscaler.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c +index 8dcbd42a089..b94caca0869 100644 +--- a/wiretap/netscaler.c ++++ b/wiretap/netscaler.c +@@ -641,6 +641,20 @@ static gboolean nstrace_dump(wtap_dumper *wdh, const wtap_rec *rec, + #define GET_READ_PAGE_SIZE(remaining_file_size) ((gint32)((remaining_file_size>NSPR_PAGESIZE)?NSPR_PAGESIZE:remaining_file_size)) + #define GET_READ_PAGE_SIZEV3(remaining_file_size) ((gint32)((remaining_file_size>NSPR_PAGESIZE_TRACE)?NSPR_PAGESIZE_TRACE:remaining_file_size)) + ++/* ++ * Check whether we have enough room to retrieve the data in the caller. ++ * If not, we have a malformed file. ++ */ ++static gboolean nstrace_ensure_buflen(nstrace_t* nstrace, guint offset, guint len, int *err, gchar** err_info) ++{ ++ if (offset > nstrace->nstrace_buflen || nstrace->nstrace_buflen - offset < len) { ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup("nstrace: malformed file"); ++ return FALSE; ++ } ++ return TRUE; ++} ++ + static guint64 ns_hrtime2nsec(guint32 tm) + { + guint32 val = tm & NSPR_HRTIME_MASKTM; +@@ -1114,13 +1114,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int file_version, int *err, + + #define PACKET_DESCRIBE(rec,FULLPART,fullpart,ver,type,HEADERVER) \ + do {\ +- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\ ++ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + return FALSE;\ + }\ ++ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Check sanity of record size */\ + if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\ + *err = WTAP_ERR_BAD_FILE;\ +@@ -1186,6 +1186,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_ABSTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1199,6 +1201,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_RELTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1216,6 +1220,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + default: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1500,14 +1506,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf, + + #define PACKET_DESCRIBE(rec,FULLPART,ver,enumprefix,type,structname,HEADERVER)\ + do {\ +- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\ ++ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + g_free(nstrace_tmpbuff);\ + return FALSE;\ + }\ ++ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + (rec)->rec_type = REC_TYPE_PACKET;\ + TIMEDEFV##ver((rec),fp,type);\ + FULLPART##SIZEDEFV##ver((rec),fp,ver);\ +-- +GitLab diff --git a/wireshark-0030-cve-2023-2856.patch b/wireshark-0030-cve-2023-2856.patch new file mode 100644 index 0000000..a9c2336 --- /dev/null +++ b/wireshark-0030-cve-2023-2856.patch @@ -0,0 +1,67 @@ +From da017472e69453011ea28571f192cbc79cba7f5c Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Thu, 18 May 2023 15:03:23 -0700 +Subject: [PATCH] vms: fix the search for the packet length field. + +The packet length field is of the form + + Total Length = DDD = ^xXXX + +where "DDD" is the length in decimal and "XXX" is the length in +hexadecimal. + +Search for "length ". not just "Length", as we skip past "Length ", not +just "Length", so if we assume we found "Length " but only found +"Length", we'd skip past the end of the string. + +While we're at it, fail if we don't find a length field, rather than +just blithely acting as if the packet length were zero. + +Fixes #19083. + + +(cherry picked from commit db5135826de3a5fdb3618225c2ff02f4207012ca) +--- + wiretap/vms.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/wiretap/vms.c b/wiretap/vms.c +index 00da6ff359e..c21b26e6be0 100644 +--- a/wiretap/vms.c ++++ b/wiretap/vms.c +@@ -322,6 +322,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + { + char line[VMS_LINE_LENGTH + 1]; + int num_items_scanned; ++ gboolean have_pkt_len = FALSE; + guint32 pkt_len = 0; + int pktnum; + int csec = 101; +@@ -378,7 +379,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + return FALSE; + } + } +- if ( (! pkt_len) && (p = strstr(line, "Length"))) { ++ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) { + p += sizeof("Length "); + while (*p && ! g_ascii_isdigit(*p)) + p++; +@@ -394,9 +395,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + *err_info = g_strdup_printf("vms: Length field '%s' not valid", p); + return FALSE; + } ++ have_pkt_len = TRUE; + break; + } + } while (! isdumpline(line)); ++ if (! have_pkt_len) { ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup_printf("vms: Length field not found"); ++ return FALSE; ++ } + if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) { + /* + * Probably a corrupt capture file; return an error, +-- +GitLab + diff --git a/wireshark-0031-cve-2023-0666.patch b/wireshark-0031-cve-2023-0666.patch new file mode 100644 index 0000000..6acd25f --- /dev/null +++ b/wireshark-0031-cve-2023-0666.patch @@ -0,0 +1,64 @@ +From 28fdce547c417b868c521f87fb58f71ca6b1e3f7 Mon Sep 17 00:00:00 2001 +From: Gerald Combs +Date: Thu, 18 May 2023 13:52:48 -0700 +Subject: [PATCH] RTPS: Fixup our g_strlcpy dest_sizes + +Use the proper dest_size in various g_strlcpy calls. + +Fixes #19085 +--- + epan/dissectors/packet-rtps.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c +index 2884e86faa1..a39202952f6 100644 +--- a/epan/dissectors/packet-rtps.c ++++ b/epan/dissectors/packet-rtps.c +@@ -4944,7 +4944,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + ++tk_id; + } + +- g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), 40); ++ g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), sizeof(type_name)); + + /* Structure of the typecode data: + * +@@ -5115,7 +5115,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + member_name, -1, NULL, ndds_40_hack); + } + /* Finally prints the name of the struct (if provided) */ +- g_strlcpy(type_name, "}", 40); ++ g_strlcpy(type_name, "}", sizeof(type_name)); + break; + + } /* end of case UNION */ +@@ -5286,7 +5286,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + } + } + /* Finally prints the name of the struct (if provided) */ +- g_strlcpy(type_name, "}", 40); ++ g_strlcpy(type_name, "}", sizeof(type_name)); + break; + } + +@@ -5378,7 +5378,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + offset += 4; + alias_name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, alias_name_length, ENC_ASCII); + offset += alias_name_length; +- g_strlcpy(type_name, alias_name, 40); ++ g_strlcpy(type_name, alias_name, sizeof(type_name)); + break; + } + +@@ -5413,7 +5413,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + if (tk_id == RTI_CDR_TK_VALUE_PARAM) { + type_id_name = "valueparam"; + } +- g_snprintf(type_name, 40, "%s '%s'", type_id_name, value_name); ++ g_snprintf(type_name, sizeof(type_name), "%s '%s'", type_id_name, value_name); + break; + } + } /* switch(tk_id) */ +-- +GitLab + diff --git a/wireshark.spec b/wireshark.spec index 2c7e29b..76d64ad 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -6,7 +6,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 2.6.2 -Release: 15%{?dist} +Release: 16%{?dist} Epoch: 1 License: GPL+ Url: http://www.wireshark.org/ @@ -63,6 +63,9 @@ Patch27: wireshark-0027-ibm-smc.patch #Change in libssh header files forces a different technique on finding definitons Patch28: wireshark-0028-find-libssh.patch +Patch29: wireshark-0029-cve-2023-2858.patch +Patch30: wireshark-0030-cve-2023-2856.patch +Patch31: wireshark-0031-cve-2023-0666.patch #install tshark together with wireshark GUI Requires: %{name}-cli = %{epoch}:%{version}-%{release} @@ -311,6 +314,11 @@ getent group usbmon >/dev/null || groupadd -r usbmon %{_libdir}/pkgconfig/%{name}.pc %changelog +* Wed Jun 14 2023 Michal Ruprich - 1:2.6.2-16 +- Resolves: #2210866 - VMS TCPIPtrace file parser crash +- Resolves: #2210867 - NetScaler file parser crash +- Resolves: #2210869 - RTPS dissector crash + * Wed Aug 24 2022 Michal Ruprich - 1:2.6.2-15 - Resolves: #2119126 - Wireshark source rpm fails to build due to looking for incorrect libssh header files