wireshark: Fix CVE-2022-0585-CVE-2023-2879

Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f && https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-11-14 11:14:16 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-12-17 15:36:41 -0500
commit: d9ba954b6a0aa4ece40c2e3e52ea1bd9c0f4a5b6 (patch)
tree: 29d13b363404e8215cc380e3ddb9f27957060513
parent: 9135c7ea7350d5d241f4afc3b28087122ebe2d19 (diff)
download: meta-openembedded-d9ba954b6a0aa4ece40c2e3e52ea1bd9c0f4a5b6.tar.gz
2 files changed, 94 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch
new file mode 100644
index 000000000..1fc4a5fe3
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch
@@ -0,0 +1,93 @@
+From 5a7a80e139396c07d45e70d63c6d3974c50ae5e8 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sat, 13 May 2023 21:45:16 -0400
+Subject: GDSDB: Make sure our offset advances.
+add_uint_string() returns the next offset to use, not the number
+of bytes consumed. So to consume all the bytes and make sure the
+offset advances, return the entire reported tvb length, not the
+number of bytes remaining.
+Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f
+Fixes #19068
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f && https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677]
+CVE: CVE-2022-0585 & CVE-2023-2879
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-gdsdb.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c
+index 95fed7e..950d68f 100644
+--- a/epan/dissectors/packet-gdsdb.c
+++ b/epan/dissectors/packet-gdsdb.c
+@@ -15,6 +15,7 @@
+ #include "config.h"
+ 
+ #include <epan/packet.h>
+#include <epan/expert.h>
+ 
+ void proto_register_gdsdb(void);
+ void proto_reg_handoff_gdsdb(void);
+@@ -182,6 +183,8 @@ static int hf_gdsdb_cursor_type = -1;
+ static int hf_gdsdb_sqlresponse_messages = -1;
+ #endif
+ 
+static expert_field ei_gdsdb_invalid_length = EI_INIT;
+
+ enum
+ {
+        op_void                   = 0,
+@@ -474,7 +477,12 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o
+                                                offset, 4, ENC_ASCII|ENC_BIG_ENDIAN);
+        length = dword_align(tvb_get_ntohl(tvb, offset))+4;
+        proto_item_set_len(ti, length);
+-       return offset + length;
+       int ret_offset = offset + length;
+       if (length < 4 || ret_offset < offset) {
+               expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length);
+               return tvb_reported_length(tvb);
+       }
+       return ret_offset;
+ }
+ 
+ static int add_byte_array(proto_tree *tree, int hf_len, int hf_byte, tvbuff_t *tvb, int offset)
+@@ -1407,7 +1415,12 @@ dissect_gdsdb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U
+                                                                offset, 4, ENC_BIG_ENDIAN);
+ 
+                /* opcode < op_max */
+               int old_offset = offset;
+                offset = gdsdb_handle_opcode[opcode](tvb, pinfo, gdsdb_tree, offset+4);
+               if (offset <= old_offset) {
+                       expert_add_info(NULL, ti, &ei_gdsdb_invalid_length);
+                       return tvb_reported_length_remaining(tvb, old_offset);
+               }
+                if (offset < 0)
+                {
+                        /* But at this moment we don't know how much we will need */
+@@ -2022,12 +2035,20 @@ proto_register_gdsdb(void)
+                &ett_gdsdb_connect_pref
+        };
+ 
+/* Expert info */
+       static ei_register_info ei[] = {
+               { &ei_gdsdb_invalid_length, { "gdsdb.invalid_length", PI_MALFORMED, PI_ERROR,
+                       "Invalid length", EXPFILL }},
+       };
+
+        proto_gdsdb = proto_register_protocol(
+                "Firebird SQL Database Remote Protocol",
+                "FB/IB GDS DB", "gdsdb");
+ 
+        proto_register_field_array(proto_gdsdb, hf, array_length(hf));
+        proto_register_subtree_array(ett, array_length(ett));
+       expert_module_t *expert_gdsdb = expert_register_protocol(proto_gdsdb);
+       expert_register_field_array(expert_gdsdb, ei, array_length(ei));
+ }
+ 
+ void
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
index b4425cb66..b35c24328 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
           file://CVE-2023-0668.patch \
           file://CVE-2023-2906.patch \
           file://CVE-2023-3649.patch \
+           file://CVE-2022-0585-CVE-2023-2879.patch \
           "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-11-14 11:14:16 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-12-17 15:36:41 -0500
commit	d9ba954b6a0aa4ece40c2e3e52ea1bd9c0f4a5b6 (patch)
tree	29d13b363404e8215cc380e3ddb9f27957060513
parent	9135c7ea7350d5d241f4afc3b28087122ebe2d19 (diff)
download	meta-openembedded-d9ba954b6a0aa4ece40c2e3e52ea1bd9c0f4a5b6.tar.gz

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch new file mode 100644 index 000000000..1fc4a5fe3 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch
@@ -0,0 +1,93 @@
		1	From 5a7a80e139396c07d45e70d63c6d3974c50ae5e8 Mon Sep 17 00:00:00 2001
		2	From: John Thacker <johnthacker@gmail.com>
		3	Date: Sat, 13 May 2023 21:45:16 -0400
		4	Subject: GDSDB: Make sure our offset advances.
		5
		6	add_uint_string() returns the next offset to use, not the number
		7	of bytes consumed. So to consume all the bytes and make sure the
		8	offset advances, return the entire reported tvb length, not the
		9	number of bytes remaining.
		10
		11	Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f
		12
		13	Fixes #19068
		14
		15	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f && https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677]
		16	CVE: CVE-2022-0585 & CVE-2023-2879
		17	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		18	---
		19	epan/dissectors/packet-gdsdb.c \| 23 ++++++++++++++++++++++-
		20	1 file changed, 22 insertions(+), 1 deletion(-)
		21
		22	diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c
		23	index 95fed7e..950d68f 100644
		24	--- a/epan/dissectors/packet-gdsdb.c
		25	+++ b/epan/dissectors/packet-gdsdb.c
		26	@@ -15,6 +15,7 @@
		27	#include "config.h"
		28
		29	#include <epan/packet.h>
		30	+#include <epan/expert.h>
		31
		32	void proto_register_gdsdb(void);
		33	void proto_reg_handoff_gdsdb(void);
		34	@@ -182,6 +183,8 @@ static int hf_gdsdb_cursor_type = -1;
		35	static int hf_gdsdb_sqlresponse_messages = -1;
		36	#endif
		37
		38	+static expert_field ei_gdsdb_invalid_length = EI_INIT;
		39	+
		40	enum
		41	{
		42	op_void = 0,
		43	@@ -474,7 +477,12 @@ static int add_uint_string(proto_tree tree, int hf_string, tvbuff_t tvb, int o
		44	offset, 4, ENC_ASCII\|ENC_BIG_ENDIAN);
		45	length = dword_align(tvb_get_ntohl(tvb, offset))+4;
		46	proto_item_set_len(ti, length);
		47	- return offset + length;
		48	+ int ret_offset = offset + length;
		49	+ if (length < 4 \|\| ret_offset < offset) {
		50	+ expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length);
		51	+ return tvb_reported_length(tvb);
		52	+ }
		53	+ return ret_offset;
		54	}
		55
		56	static int add_byte_array(proto_tree tree, int hf_len, int hf_byte, tvbuff_t tvb, int offset)
		57	@@ -1407,7 +1415,12 @@ dissect_gdsdb(tvbuff_t tvb, packet_info pinfo, proto_tree tree, void data _U
		58	offset, 4, ENC_BIG_ENDIAN);
		59
		60	/* opcode < op_max */
		61	+ int old_offset = offset;
		62	offset = gdsdb_handle_opcode[opcode](tvb, pinfo, gdsdb_tree, offset+4);
		63	+ if (offset <= old_offset) {
		64	+ expert_add_info(NULL, ti, &ei_gdsdb_invalid_length);
		65	+ return tvb_reported_length_remaining(tvb, old_offset);
		66	+ }
		67	if (offset < 0)
		68	{
		69	/* But at this moment we don't know how much we will need */
		70	@@ -2022,12 +2035,20 @@ proto_register_gdsdb(void)
		71	&ett_gdsdb_connect_pref
		72	};
		73
		74	+/* Expert info */
		75	+ static ei_register_info ei[] = {
		76	+ { &ei_gdsdb_invalid_length, { "gdsdb.invalid_length", PI_MALFORMED, PI_ERROR,
		77	+ "Invalid length", EXPFILL }},
		78	+ };
		79	+
		80	proto_gdsdb = proto_register_protocol(
		81	"Firebird SQL Database Remote Protocol",
		82	"FB/IB GDS DB", "gdsdb");
		83
		84	proto_register_field_array(proto_gdsdb, hf, array_length(hf));
		85	proto_register_subtree_array(ett, array_length(ett));
		86	+ expert_module_t *expert_gdsdb = expert_register_protocol(proto_gdsdb);
		87	+ expert_register_field_array(expert_gdsdb, ei, array_length(ei));
		88	}
		89
		90	void
		91	--
		92	2.25.1
		93


diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb index b4425cb66..b35c24328 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
19	file://CVE-2023-0668.patch \	19	file://CVE-2023-0668.patch \
20	file://CVE-2023-2906.patch \	20	file://CVE-2023-2906.patch \
21	file://CVE-2023-3649.patch \	21	file://CVE-2023-3649.patch \
		22	file://CVE-2022-0585-CVE-2023-2879.patch \
22	"	23	"
23	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"	24	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
24		25