diff --git a/wireshark-0032-cve-2023-2952.patch b/wireshark-0032-cve-2023-2952.patch new file mode 100644 index 0000000..9ada247 --- /dev/null +++ b/wireshark-0032-cve-2023-2952.patch @@ -0,0 +1,97 @@ +From e18d0e369729b0fff5f76f41cbae67e97c2e52e5 Mon Sep 17 00:00:00 2001 +From: Gerald Combs +Date: Tue, 23 May 2023 13:52:03 -0700 +Subject: [PATCH] XRA: Fix an infinite loop + +C compilers don't care what size a value was on the wire. Use +naturally-sized ints, including in dissect_message_channel_mb where we +would otherwise overflow and loop infinitely. + +Fixes #19100 + +(cherry picked from commit ce87eac0325581b600b3093fcd75080df14ccfda) + +Conflicts: + epan/dissectors/packet-xra.c +--- + epan/dissectors/packet-xra.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c +index ef8437e9382..4c3713db94b 100644 +--- a/epan/dissectors/packet-xra.c ++++ b/epan/dissectors/packet-xra.c +@@ -445,7 +445,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -500,7 +500,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -534,7 +534,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu + it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -574,7 +574,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da + it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA); + xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb; + + while (tlv_index < tlv_length) { +@@ -620,14 +620,14 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + + /*If not present, this contains stuff from other packet. We can't do much in this case*/ + if(packet_start_pointer_field_present) { +- guint16 docsis_start = 3 + packet_start_pointer; ++ unsigned docsis_start = 3 + packet_start_pointer; + if(docsis_start +6 < remaining_length) { + /*DOCSIS header in packet*/ + guint8 fc = tvb_get_guint8(tvb,docsis_start + 0); + if (fc == 0xFF) { + return; + } +- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); ++ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); + if (docsis_start + 6 + docsis_length <= remaining_length) { + /*DOCSIS packet included in packet*/ + tvbuff_t *docsis_tvb; +@@ -797,7 +797,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) { + static int + dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) { + +- guint16 offset = 0; ++ int offset = 0; + proto_tree *plc_tree; + proto_item *plc_item; + tvbuff_t *mb_tvb; +@@ -857,7 +857,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _ + + static int + dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) { +- guint16 offset = 0; ++ int offset = 0; + proto_tree *ncp_tree; + proto_item *ncp_item; + tvbuff_t *ncp_mb_tvb; +-- +GitLab + diff --git a/wireshark.spec b/wireshark.spec index 76d64ad..f5c8acc 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -6,7 +6,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 2.6.2 -Release: 16%{?dist} +Release: 17%{?dist} Epoch: 1 License: GPL+ Url: http://www.wireshark.org/ @@ -66,6 +66,7 @@ Patch28: wireshark-0028-find-libssh.patch Patch29: wireshark-0029-cve-2023-2858.patch Patch30: wireshark-0030-cve-2023-2856.patch Patch31: wireshark-0031-cve-2023-0666.patch +Patch32: wireshark-0032-cve-2023-2952.patch #install tshark together with wireshark GUI Requires: %{name}-cli = %{epoch}:%{version}-%{release} @@ -314,6 +315,9 @@ getent group usbmon >/dev/null || groupadd -r usbmon %{_libdir}/pkgconfig/%{name}.pc %changelog +* Fri Jun 30 2023 Michal Ruprich - 1:2.6.2-17 +- Resolves: #2211412 - XRA dissector infinite loop + * Wed Jun 14 2023 Michal Ruprich - 1:2.6.2-16 - Resolves: #2210866 - VMS TCPIPtrace file parser crash - Resolves: #2210867 - NetScaler file parser crash