wireshark: Backport fix for CVE-2024-2955

Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/6fd3af5e999c71df67c2cdcefb96d0dc4afa5341] Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Ashish Sharma <asharma@mvista.com> 2024-03-28 16:05:02 +0530
committer: Armin Kuster <akuster808@gmail.com> 2024-04-25 08:27:27 -0400
commit: 6e702707c320a12a91c85a4627f99db607d42f55 (patch)
tree: bcddab422df9a86c00b2066ceab59d5212268a88
parent: 850da18f9cf3aeb8416e4bb22917053b8709d69f (diff)
download: meta-openembedded-6e702707c320a12a91c85a4627f99db607d42f55.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch b/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch
new file mode 100644
index 000000000..347943d42
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch
@@ -0,0 +1,52 @@
+From 6fd3af5e999c71df67c2cdcefb96d0dc4afa5341 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Wed, 6 Mar 2024 20:40:42 -0500
+Subject: [PATCH] t38: Allocate forced defragmented memory in correct scope
+Fragment data can't be allocated in pinfo->pool scope, as it
+outlives the frame. Set it to be freed when the associated tvb
+is freed, as done in the main reassemble.c code.
+Fix #19695
+CVE: CVE-2024-2955
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/6fd3af5e999c71df67c2cdcefb96d0dc4afa5341]
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ epan/dissectors/asn1/t38/packet-t38-template.c | 3 ++-
+ epan/dissectors/packet-t38.c                   | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+diff --git a/epan/dissectors/asn1/t38/packet-t38-template.c b/epan/dissectors/asn1/t38/packet-t38-template.c
+index 7b856626865..526b313d054 100644
+--- a/epan/dissectors/asn1/t38/packet-t38-template.c
+++ b/epan/dissectors/asn1/t38/packet-t38-template.c
+@@ -325,8 +325,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id)
+          last_fd=fd_i;
+        }
+ 
+-       data = (guint8 *) wmem_alloc(pinfo->pool, size);
+       data = (guint8 *) g_malloc(size);
+        fd_head->tvb_data = tvb_new_real_data(data, size, size);
+        tvb_set_free_cb(fd_head->tvb_data, g_free);
+        fd_head->len = size;            /* record size for caller       */
+ 
+        /* add all data fragments */
+diff --git a/epan/dissectors/packet-t38.c b/epan/dissectors/packet-t38.c
+index ca95ae8b64e..5083c936c5a 100644
+--- a/epan/dissectors/packet-t38.c
+++ b/epan/dissectors/packet-t38.c
+@@ -355,8 +355,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id)
+          last_fd=fd_i;
+        }
+ 
+-       data = (guint8 *) wmem_alloc(pinfo->pool, size);
+       data = (guint8 *) g_malloc(size);
+        fd_head->tvb_data = tvb_new_real_data(data, size, size);
+        tvb_set_free_cb(fd_head->tvb_data, g_free);
+        fd_head->len = size;            /* record size for caller       */
+ 
+        /* add all data fragments */
+-- 
+GitLab
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
index 8af0e6aa5..534b1a2f3 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
           file://CVE-2024-0208.patch \
           file://CVE-2023-1992.patch \
           file://CVE-2023-4511.patch \
+           file://CVE-2024-2955.patch \
           "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
author	Ashish Sharma <asharma@mvista.com>	2024-03-28 16:05:02 +0530
committer	Armin Kuster <akuster808@gmail.com>	2024-04-25 08:27:27 -0400
commit	6e702707c320a12a91c85a4627f99db607d42f55 (patch)
tree	bcddab422df9a86c00b2066ceab59d5212268a88
parent	850da18f9cf3aeb8416e4bb22917053b8709d69f (diff)
download	meta-openembedded-6e702707c320a12a91c85a4627f99db607d42f55.tar.gz

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch b/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch new file mode 100644 index 000000000..347943d42 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch
@@ -0,0 +1,52 @@
		1	From 6fd3af5e999c71df67c2cdcefb96d0dc4afa5341 Mon Sep 17 00:00:00 2001
		2	From: John Thacker <johnthacker@gmail.com>
		3	Date: Wed, 6 Mar 2024 20:40:42 -0500
		4	Subject: [PATCH] t38: Allocate forced defragmented memory in correct scope
		5
		6	Fragment data can't be allocated in pinfo->pool scope, as it
		7	outlives the frame. Set it to be freed when the associated tvb
		8	is freed, as done in the main reassemble.c code.
		9
		10	Fix #19695
		11
		12	CVE: CVE-2024-2955
		13	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/6fd3af5e999c71df67c2cdcefb96d0dc4afa5341]
		14	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		15
		16	epan/dissectors/asn1/t38/packet-t38-template.c \| 3 ++-
		17	epan/dissectors/packet-t38.c \| 3 ++-
		18	2 files changed, 4 insertions(+), 2 deletions(-)
		19
		20	diff --git a/epan/dissectors/asn1/t38/packet-t38-template.c b/epan/dissectors/asn1/t38/packet-t38-template.c
		21	index 7b856626865..526b313d054 100644
		22	--- a/epan/dissectors/asn1/t38/packet-t38-template.c
		23	+++ b/epan/dissectors/asn1/t38/packet-t38-template.c
		24	@@ -325,8 +325,9 @@ force_reassemble_seq(reassembly_table table, packet_info pinfo, guint32 id)
		25	last_fd=fd_i;
		26	}
		27
		28	- data = (guint8 *) wmem_alloc(pinfo->pool, size);
		29	+ data = (guint8 *) g_malloc(size);
		30	fd_head->tvb_data = tvb_new_real_data(data, size, size);
		31	+ tvb_set_free_cb(fd_head->tvb_data, g_free);
		32	fd_head->len = size; /* record size for caller */
		33
		34	/* add all data fragments */
		35	diff --git a/epan/dissectors/packet-t38.c b/epan/dissectors/packet-t38.c
		36	index ca95ae8b64e..5083c936c5a 100644
		37	--- a/epan/dissectors/packet-t38.c
		38	+++ b/epan/dissectors/packet-t38.c
		39	@@ -355,8 +355,9 @@ force_reassemble_seq(reassembly_table table, packet_info pinfo, guint32 id)
		40	last_fd=fd_i;
		41	}
		42
		43	- data = (guint8 *) wmem_alloc(pinfo->pool, size);
		44	+ data = (guint8 *) g_malloc(size);
		45	fd_head->tvb_data = tvb_new_real_data(data, size, size);
		46	+ tvb_set_free_cb(fd_head->tvb_data, g_free);
		47	fd_head->len = size; /* record size for caller */
		48
		49	/* add all data fragments */
		50	--
		51	GitLab
		52


diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb index 8af0e6aa5..534b1a2f3 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
24	file://CVE-2024-0208.patch \	24	file://CVE-2024-0208.patch \
25	file://CVE-2023-1992.patch \	25	file://CVE-2023-1992.patch \
26	file://CVE-2023-4511.patch \	26	file://CVE-2023-4511.patch \
		27	file://CVE-2024-2955.patch \
27	"	28	"
28	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"	29	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
29		30