diff options
author | Hitendra Prajapati <hprajapati@mvista.com> | 2023-06-26 11:34:40 +0530 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-06-27 07:05:40 -0400 |
commit | b3acca0eb15e57ea3284d98cba126dd8e5cd5901 (patch) | |
tree | 943da585f064fd5e921317bf7c05c5df2c574a67 | |
parent | 30b2c1c064dc9f3a9cf3c974e18e6f5c5c0c964e (diff) | |
download | meta-openembedded-b3acca0eb15e57ea3284d98cba126dd8e5cd5901.tar.gz |
wireshark: Fix Multiple CVEs
Backport fixes for:
* CVE-2023-0666 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/265cbf15a418b629c3c8f02c0ba901913b1c8fd2
* CVE-2023-0667 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/85fbca8adb09ea8e1af635db3d92727fbfa1e28a
* CVE-2023-0668 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/c4f37d77b29ec6a9754795d0efb6f68d633728d9
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
4 files changed, 224 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0666.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0666.patch new file mode 100644 index 000000000..773291682 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0666.patch | |||
@@ -0,0 +1,122 @@ | |||
1 | From 265cbf15a418b629c3c8f02c0ba901913b1c8fd2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Gerald Combs <gerald@wireshark.org> | ||
3 | Date: Thu, 18 May 2023 13:52:48 -0700 | ||
4 | Subject: [PATCH] RTPS: Fixup our g_strlcpy dest_sizes | ||
5 | |||
6 | Use the proper dest_size in various g_strlcpy calls. | ||
7 | |||
8 | Fixes #19085 | ||
9 | |||
10 | (cherry picked from commit 28fdce547c417b868c521f87fb58f71ca6b1e3f7) | ||
11 | |||
12 | Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/265cbf15a418b629c3c8f02c0ba901913b1c8fd2] | ||
13 | CVE: CVE-2023-0666 | ||
14 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
15 | --- | ||
16 | epan/dissectors/packet-rtps.c | 22 +++++++++++----------- | ||
17 | 1 file changed, 11 insertions(+), 11 deletions(-) | ||
18 | |||
19 | diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c | ||
20 | index 5c2d1c1..ef592d7 100644 | ||
21 | --- a/epan/dissectors/packet-rtps.c | ||
22 | +++ b/epan/dissectors/packet-rtps.c | ||
23 | @@ -3025,7 +3025,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, | ||
24 | ++tk_id; | ||
25 | } | ||
26 | |||
27 | - g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), 40); | ||
28 | + g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), sizeof(type_name)); | ||
29 | |||
30 | /* Structure of the typecode data: | ||
31 | * | ||
32 | @@ -3196,7 +3196,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, | ||
33 | member_name, -1, NULL, ndds_40_hack); | ||
34 | } | ||
35 | /* Finally prints the name of the struct (if provided) */ | ||
36 | - g_strlcpy(type_name, "}", 40); | ||
37 | + g_strlcpy(type_name, "}", sizeof(type_name)); | ||
38 | break; | ||
39 | |||
40 | } /* end of case UNION */ | ||
41 | @@ -3367,7 +3367,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, | ||
42 | } | ||
43 | } | ||
44 | /* Finally prints the name of the struct (if provided) */ | ||
45 | - g_strlcpy(type_name, "}", 40); | ||
46 | + g_strlcpy(type_name, "}", sizeof(type_name)); | ||
47 | break; | ||
48 | } | ||
49 | |||
50 | @@ -3459,7 +3459,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, | ||
51 | offset += 4; | ||
52 | alias_name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, alias_name_length, ENC_ASCII); | ||
53 | offset += alias_name_length; | ||
54 | - g_strlcpy(type_name, alias_name, 40); | ||
55 | + g_strlcpy(type_name, alias_name, sizeof(type_name)); | ||
56 | break; | ||
57 | } | ||
58 | |||
59 | @@ -3494,7 +3494,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, | ||
60 | if (tk_id == RTI_CDR_TK_VALUE_PARAM) { | ||
61 | type_id_name = "valueparam"; | ||
62 | } | ||
63 | - g_snprintf(type_name, 40, "%s '%s'", type_id_name, value_name); | ||
64 | + g_snprintf(type_name, sizeof(type_name), "%s '%s'", type_id_name, value_name); | ||
65 | break; | ||
66 | } | ||
67 | } /* switch(tk_id) */ | ||
68 | @@ -3673,7 +3673,7 @@ static gint rtps_util_add_type_library_type(proto_tree *tree, | ||
69 | long_number = tvb_get_guint32(tvb, offset_tmp, encoding); | ||
70 | name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset_tmp+4, long_number, ENC_ASCII); | ||
71 | if (info) | ||
72 | - g_strlcpy(info->member_name, name, long_number); | ||
73 | + g_strlcpy(info->member_name, name, sizeof(info->member_name)); | ||
74 | |||
75 | proto_item_append_text(tree, " %s", name); | ||
76 | offset += member_length; | ||
77 | @@ -3848,13 +3848,13 @@ static gint rtps_util_add_type_member(proto_tree *tree, | ||
78 | proto_item_append_text(tree, " %s (ID: %d)", name, member_id); | ||
79 | if (member_object) { | ||
80 | member_object->member_id = member_id; | ||
81 | - g_strlcpy(member_object->member_name, name, long_number < 256 ? long_number : 256); | ||
82 | + g_strlcpy(member_object->member_name, name, sizeof(member_object->member_name)); | ||
83 | member_object->type_id = member_type_id; | ||
84 | } | ||
85 | if (info && info->extensibility == EXTENSIBILITY_MUTABLE) { | ||
86 | mutable_member_mapping * mutable_mapping = NULL; | ||
87 | mutable_mapping = wmem_new(wmem_file_scope(), mutable_member_mapping); | ||
88 | - g_strlcpy(mutable_mapping->member_name, name, long_number < 256 ? long_number : 256); | ||
89 | + g_strlcpy(mutable_mapping->member_name, name, sizeof(mutable_mapping->member_name)); | ||
90 | mutable_mapping->struct_type_id = info->type_id; | ||
91 | mutable_mapping->member_type_id = member_type_id; | ||
92 | mutable_mapping->member_id = member_id; | ||
93 | @@ -3909,7 +3909,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, | ||
94 | union_member_mapping * mapping = NULL; | ||
95 | |||
96 | mapping = wmem_new(wmem_file_scope(), union_member_mapping); | ||
97 | - g_strlcpy(mapping->member_name, object.member_name, 256); | ||
98 | + g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); | ||
99 | mapping->member_type_id = object.type_id; | ||
100 | mapping->discriminator = HASHMAP_DISCRIMINATOR_CONSTANT; | ||
101 | mapping->union_type_id = union_type_id + mapping->discriminator; | ||
102 | @@ -3922,7 +3922,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, | ||
103 | union_member_mapping * mapping = NULL; | ||
104 | |||
105 | mapping = wmem_new(wmem_file_scope(), union_member_mapping); | ||
106 | - g_strlcpy(mapping->member_name, object.member_name, 256); | ||
107 | + g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); | ||
108 | mapping->member_type_id = object.type_id; | ||
109 | mapping->discriminator = -1; | ||
110 | mapping->union_type_id = union_type_id + mapping->discriminator; | ||
111 | @@ -3942,7 +3942,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, | ||
112 | ti = proto_tree_add_item(labels, hf_rtps_type_object_union_label, tvb, offset_tmp, 4, encoding); | ||
113 | offset_tmp += 4; | ||
114 | |||
115 | - g_strlcpy(mapping->member_name, object.member_name, 256); | ||
116 | + g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); | ||
117 | mapping->member_type_id = object.type_id; | ||
118 | mapping->discriminator = discriminator_case; | ||
119 | mapping->union_type_id = union_type_id + discriminator_case; | ||
120 | -- | ||
121 | 2.25.1 | ||
122 | |||
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch new file mode 100644 index 000000000..cd07395aa --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch | |||
@@ -0,0 +1,66 @@ | |||
1 | From 85fbca8adb09ea8e1af635db3d92727fbfa1e28a Mon Sep 17 00:00:00 2001 | ||
2 | From: John Thacker <johnthacker@gmail.com> | ||
3 | Date: Thu, 18 May 2023 18:06:36 -0400 | ||
4 | Subject: [PATCH] MS-MMS: Use format_text_string() | ||
5 | |||
6 | The length of a string transcoded from UTF-16 to UTF-8 can be | ||
7 | shorter (or longer) than the original length in bytes in the packet. | ||
8 | Use the new string length, not the original length. | ||
9 | |||
10 | Use format_text_string, which is a convenience function that | ||
11 | calls strlen. | ||
12 | |||
13 | Fix #19086 | ||
14 | |||
15 | (cherry picked from commit 1c45a899f83fa88e60ab69936bea3c4754e7808b) | ||
16 | |||
17 | Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/85fbca8adb09ea8e1af635db3d92727fbfa1e28a] | ||
18 | CVE: CVE-2023-0667 | ||
19 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
20 | --- | ||
21 | epan/dissectors/packet-ms-mms.c | 8 ++++---- | ||
22 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
23 | |||
24 | diff --git a/epan/dissectors/packet-ms-mms.c b/epan/dissectors/packet-ms-mms.c | ||
25 | index f4dbcd0..092a64b 100644 | ||
26 | --- a/epan/dissectors/packet-ms-mms.c | ||
27 | +++ b/epan/dissectors/packet-ms-mms.c | ||
28 | @@ -740,7 +740,7 @@ static void dissect_client_transport_info(tvbuff_t *tvb, packet_info *pinfo, pro | ||
29 | transport_info, "Transport: (%s)", transport_info); | ||
30 | |||
31 | col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", | ||
32 | - format_text(wmem_packet_scope(), (guchar*)transport_info, length_remaining - 20)); | ||
33 | + format_text_string(pinfo->pool, (const guchar*)transport_info)); | ||
34 | |||
35 | |||
36 | /* Try to extract details from this string */ | ||
37 | @@ -837,7 +837,7 @@ static void dissect_server_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *t | ||
38 | ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_version); | ||
39 | |||
40 | col_append_fstr(pinfo->cinfo, COL_INFO, " (version='%s')", | ||
41 | - format_text(wmem_packet_scope(), (const guchar*)server_version, strlen(server_version))); | ||
42 | + format_text_string(pinfo->pool, (const guchar*)server_version)); | ||
43 | } | ||
44 | offset += (server_version_length*2); | ||
45 | |||
46 | @@ -891,7 +891,7 @@ static void dissect_client_player_info(tvbuff_t *tvb, packet_info *pinfo, proto_ | ||
47 | ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &player_info); | ||
48 | |||
49 | col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", | ||
50 | - format_text(wmem_packet_scope(), (const guchar*)player_info, strlen(player_info))); | ||
51 | + format_text_string(pinfo->pool, (const guchar*)player_info)); | ||
52 | } | ||
53 | |||
54 | /* Dissect info about where client wants to start playing from */ | ||
55 | @@ -966,7 +966,7 @@ static void dissect_request_server_file(tvbuff_t *tvb, packet_info *pinfo, proto | ||
56 | ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_file); | ||
57 | |||
58 | col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", | ||
59 | - format_text(wmem_packet_scope(), (const guchar*)server_file, strlen(server_file))); | ||
60 | + format_text_string(pinfo->pool, (const guchar*)server_file)); | ||
61 | } | ||
62 | |||
63 | /* Dissect media details from server */ | ||
64 | -- | ||
65 | 2.25.1 | ||
66 | |||
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch new file mode 100644 index 000000000..000993933 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From c4f37d77b29ec6a9754795d0efb6f68d633728d9 Mon Sep 17 00:00:00 2001 | ||
2 | From: John Thacker <johnthacker@gmail.com> | ||
3 | Date: Sat, 20 May 2023 23:08:08 -0400 | ||
4 | Subject: [PATCH] synphasor: Use val_to_str_const | ||
5 | |||
6 | Don't use a value from packet data to directly index a value_string, | ||
7 | particularly when the value string doesn't cover all possible values. | ||
8 | |||
9 | Fix #19087 | ||
10 | |||
11 | Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/c4f37d77b29ec6a9754795d0efb6f68d633728d9] | ||
12 | CVE: CVE-2023-0668 | ||
13 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
14 | --- | ||
15 | epan/dissectors/packet-synphasor.c | 2 +- | ||
16 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/epan/dissectors/packet-synphasor.c b/epan/dissectors/packet-synphasor.c | ||
19 | index 12b388b..fbde875 100644 | ||
20 | --- a/epan/dissectors/packet-synphasor.c | ||
21 | +++ b/epan/dissectors/packet-synphasor.c | ||
22 | @@ -1212,7 +1212,7 @@ static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint c | ||
23 | |||
24 | data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4, | ||
25 | ett_conf_phflags, NULL, "Phasor Data flags: %s", | ||
26 | - conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr); | ||
27 | + val_to_str_const(tvb_get_guint8(tvb, offset + 2), conf_phasor_type, "Unknown")); | ||
28 | |||
29 | /* first and second bytes - phasor modification flags*/ | ||
30 | phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags, | ||
31 | -- | ||
32 | 2.25.1 | ||
33 | |||
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb index 96603710f..025559193 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb | |||
@@ -21,6 +21,9 @@ SRC_URI += " \ | |||
21 | file://CVE-2023-2858.patch \ | 21 | file://CVE-2023-2858.patch \ |
22 | file://CVE-2023-2879.patch \ | 22 | file://CVE-2023-2879.patch \ |
23 | file://CVE-2023-2952.patch \ | 23 | file://CVE-2023-2952.patch \ |
24 | file://CVE-2023-0666.patch \ | ||
25 | file://CVE-2023-0667.patch \ | ||
26 | file://CVE-2023-0668.patch \ | ||
24 | " | 27 | " |
25 | 28 | ||
26 | UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" | 29 | UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" |