wireshark: Fix Multiple CVEs

Backport fixes for: * CVE-2023-2855 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb * CVE-2023-2856 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca * CVE-2023-2858 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105 * CVE-2023-2952 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-06-27 11:58:32 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-07-14 07:08:54 -0400
commit: 8b5ce0d5243e695dd33ba7059303beea2a71abac (patch)
tree: 5a367220345e3e9097621d7e768701803bf2db99
parent: 00de17fa466b91de7bdbf8655929fb627aad18a8 (diff)
download: meta-openembedded-8b5ce0d5243e695dd33ba7059303beea2a71abac.tar.gz
5 files changed, 382 insertions, 2 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch
new file mode 100644
index 0000000000..a6370f91cf
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch
@@ -0,0 +1,117 @@
+From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Tue, 16 May 2023 12:05:07 -0700
+Subject: [PATCH] candump: check for a too-long frame length.
+If the frame length is longer than the maximum, report an error in the
+file.
+Fixes #19062, preventing the overflow on a buffer on the stack (assuming
+your compiler doesn't call a bounds-checknig version of memcpy() if the
+size of the target space is known).
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb]
+CVE: CVE-2023-2855
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ wiretap/candump.c | 47 ++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 34 insertions(+), 13 deletions(-)
+diff --git a/wiretap/candump.c b/wiretap/candump.c
+index 3eb17dd..954b509 100644
+--- a/wiretap/candump.c
+++ b/wiretap/candump.c
+@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off,
+                                   wtap_rec *rec, Buffer *buf,
+                                   int *err, gchar **err_info);
+ 
+-static void
+-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+static gboolean
+candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err,
+                     gchar **err_info)
+ {
+     static const char *can_proto_name    = "can-hostendian";
+     static const char *canfd_proto_name  = "canfd";
+@@ -57,9 +58,20 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+ 
+     if (msg->is_fd)
+     {
+-        canfd_frame_t canfd_frame;
+        canfd_frame_t canfd_frame = {0};
+
+        /*
+         * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame.
+         */
+        if (msg->data.length > CANFD_MAX_DLEN) {
+            *err = WTAP_ERR_BAD_FILE;
+            if (err_info != NULL) {
+               *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u",
+                                             msg->data.length, CANFD_MAX_DLEN);
+            }
+            return FALSE;
+        }
+ 
+-        memset(&canfd_frame, 0, sizeof(canfd_frame));
+         canfd_frame.can_id = msg->id;
+         canfd_frame.flags  = msg->flags;
+         canfd_frame.len    = msg->data.length;
+@@ -69,10 +81,21 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+     }
+     else
+     {
+-        can_frame_t can_frame;
+        can_frame_t can_frame = {0};
+
+        /*
+         * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame.
+         */
+        if (msg->data.length > CAN_MAX_DLEN) {
+            *err = WTAP_ERR_BAD_FILE;
+            if (err_info != NULL) {
+               *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u",
+                                             msg->data.length, CAN_MAX_DLEN);
+            }
+            return FALSE;
+        }
+ 
+-        memset(&can_frame, 0, sizeof(can_frame));
+-        can_frame.can_id  = msg->id;
+       can_frame.can_id  = msg->id;
+         can_frame.can_dlc = msg->data.length;
+         memcpy(can_frame.data, msg->data.data, msg->data.length);
+ 
+@@ -86,6 +109,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+ 
+     rec->rec_header.packet_header.caplen = packet_length;
+     rec->rec_header.packet_header.len    = packet_length;
+
+    return TRUE;
+ }
+ 
+ static gboolean
+@@ -193,9 +218,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info,
+     ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh));
+ #endif
+ 
+-    candump_write_packet(rec, buf, &msg);
+-
+-    return TRUE;
+    return candump_write_packet(rec, buf, &msg, err, err_info);
+ }
+ 
+ static gboolean
+@@ -219,9 +242,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec,
+     if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info))
+         return FALSE;
+ 
+-    candump_write_packet(rec, buf, &msg);
+-
+-    return TRUE;
+    return candump_write_packet(rec, buf, &msg, err, err_info);
+ }
+ 
+ /*
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch
new file mode 100644
index 0000000000..1fb75353b4
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch
@@ -0,0 +1,68 @@
+From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Thu, 18 May 2023 15:03:23 -0700
+Subject: [PATCH] vms: fix the search for the packet length field.
+The packet length field is of the form
+    Total Length = DDD = ^xXXX
+where "DDD" is the length in decimal and "XXX" is the length in
+hexadecimal.
+Search for "length ". not just "Length", as we skip past "Length ", not
+just "Length", so if we assume we found "Length " but only found
+"Length", we'd skip past the end of the string.
+While we're at it, fail if we don't find a length field, rather than
+just blithely acting as if the packet length were zero.
+Fixes #19083.
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca]
+CVE: CVE-2023-2856
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ wiretap/vms.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/wiretap/vms.c b/wiretap/vms.c
+index 84e3def..fa77689 100644
+--- a/wiretap/vms.c
+++ b/wiretap/vms.c
+@@ -310,6 +310,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+ {
+     char    line[VMS_LINE_LENGTH + 1];
+     int     num_items_scanned;
+    gboolean have_pkt_len = FALSE;
+     guint32 pkt_len = 0;
+     int     pktnum;
+     int     csec = 101;
+@@ -366,7 +367,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+                 return FALSE;
+             }
+         }
+-        if ( (! pkt_len) && (p = strstr(line, "Length"))) {
+        if ( (! have_pkt_len) && (p = strstr(line, "Length "))) {
+             p += sizeof("Length ");
+             while (*p && ! g_ascii_isdigit(*p))
+                 p++;
+@@ -382,9 +383,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+                 *err_info = g_strdup_printf("vms: Length field '%s' not valid", p);
+                 return FALSE;
+             }
+            have_pkt_len = TRUE;
+             break;
+         }
+     } while (! isdumpline(line));
+    if (! have_pkt_len) {
+        *err = WTAP_ERR_BAD_FILE;
+        *err_info = g_strdup_printf("vms: Length field not found");
+        return FALSE;
+    }
+     if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
+         /*
+          * Probably a corrupt capture file; return an error,
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch
new file mode 100644
index 0000000000..150b4609bb
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch
@@ -0,0 +1,94 @@
+From cb190d6839ddcd4596b0205844f45553f1e77105 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Fri, 19 May 2023 16:29:45 -0700
+Subject: [PATCH] netscaler: add more checks to make sure the record is within
+ the page.
+Whie we're at it, restructure some other checks to test-before-casting -
+it's OK to test afterwards, but testing before makes it follow the
+pattern used elsewhere.
+Fixes #19081.
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105]
+CVE: CVE-2023-2858
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ wiretap/netscaler.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
+index 93da9a2..f835dfa 100644
+--- a/wiretap/netscaler.c
+++ b/wiretap/netscaler.c
+@@ -1082,13 +1082,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int *err, gchar **err_info)
+ 
+ #define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \
+     do {\
+-        nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
+         /* Make sure the record header is entirely contained in the page */\
+-        if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\
+        if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\
+             *err = WTAP_ERR_BAD_FILE;\
+             *err_info = g_strdup("nstrace: record header crosses page boundary");\
+             return FALSE;\
+         }\
+        nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
+         /* Check sanity of record size */\
+         if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\
+             *err = WTAP_ERR_BAD_FILE;\
+@@ -1153,6 +1153,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
+ 
+                 case NSPR_ABSTIME_V10:
+                 {
+                    if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+                        return FALSE;
+                     nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
+                     if (pletoh16(&fp->nsprRecordSize) == 0) {
+                         *err = WTAP_ERR_BAD_FILE;
+@@ -1166,6 +1168,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
+ 
+                 case NSPR_RELTIME_V10:
+                 {
+                    if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+                        return FALSE;
+                     nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
+                     if (pletoh16(&fp->nsprRecordSize) == 0) {
+                         *err = WTAP_ERR_BAD_FILE;
+@@ -1183,6 +1187,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
+ 
+                 default:
+                 {
+                    if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+                        return FALSE;
+                     nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
+                     if (pletoh16(&fp->nsprRecordSize) == 0) {
+                         *err = WTAP_ERR_BAD_FILE;
+@@ -1466,14 +1472,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf,
+ 
+ #define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\
+     do {\
+-        nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
+         /* Make sure the record header is entirely contained in the page */\
+-        if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\
+        if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\
+             *err = WTAP_ERR_BAD_FILE;\
+             *err_info = g_strdup("nstrace: record header crosses page boundary");\
+             g_free(nstrace_tmpbuff);\
+             return FALSE;\
+         }\
+        nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
+         (rec)->rec_type = REC_TYPE_PACKET;\
+         TIMEDEFV##ver((rec),fp,type);\
+         FULLPART##SIZEDEFV##ver((rec),fp,ver);\
+@@ -1580,7 +1586,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, Buffer *buf,
+                 g_free(nstrace_tmpbuff);
+                 return FALSE;
+             }
+-
+             hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset];
+             if (nspr_getv20recordsize(hdp) == 0) {
+                 *err = WTAP_ERR_BAD_FILE;
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
new file mode 100644
index 0000000000..82098271ec
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
@@ -0,0 +1,97 @@
+From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Tue, 23 May 2023 13:52:03 -0700
+Subject: [PATCH] XRA: Fix an infinite loop
+C compilers don't care what size a value was on the wire. Use
+naturally-sized ints, including in dissect_message_channel_mb where we
+would otherwise overflow and loop infinitely.
+Fixes #19100
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5]
+CVE: CVE-2023-2952
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-xra.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
+index f59d899..6c1445f 100644
+--- a/epan/dissectors/packet-xra.c
+++ b/epan/dissectors/packet-xra.c
+@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
+   it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
+ 
+-  guint32 tlv_index =0;
+  unsigned tlv_index = 0;
+   while (tlv_index < tlv_length) {
+     guint8 type = tvb_get_guint8 (tvb, tlv_index);
+     ++tlv_index;
+@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
+   it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
+ 
+-  guint32 tlv_index =0;
+  unsigned tlv_index = 0;
+   while (tlv_index < tlv_length) {
+     guint8 type = tvb_get_guint8 (tvb, tlv_index);
+     ++tlv_index;
+@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
+   it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
+ 
+-  guint32 tlv_index =0;
+  unsigned tlv_index = 0;
+   while (tlv_index < tlv_length) {
+     guint8 type = tvb_get_guint8 (tvb, tlv_index);
+     ++tlv_index;
+@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da
+   it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv);
+ 
+-  guint32 tlv_index =0;
+  unsigned tlv_index = 0;
+   tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb;
+ 
+   while (tlv_index < tlv_length) {
+@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
+   if(packet_start_pointer_field_present) {
+     proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer);
+ 
+-    guint16 docsis_start = 3 + packet_start_pointer;
+    unsigned docsis_start = 3 + packet_start_pointer;
+     while (docsis_start + 6 < remaining_length) {
+       /*DOCSIS header in packet*/
+       guint8 fc = tvb_get_guint8(tvb,docsis_start + 0);
+@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
+         docsis_start += 1;
+         continue;
+       }
+-      guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
+      unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
+       if (docsis_start + 6 + docsis_length <= remaining_length) {
+         /*DOCSIS packet included in packet*/
+         tvbuff_t *docsis_tvb;
+@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) {
+ static int
+ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) {
+ 
+-  guint16 offset = 0;
+  int offset = 0;
+   proto_tree *plc_tree;
+   proto_item *plc_item;
+   tvbuff_t *mb_tvb;
+@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _
+ 
+ static int
+ dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) {
+-  guint16 offset = 0;
+  int offset = 0;
+   proto_tree *ncp_tree;
+   proto_item *ncp_item;
+   tvbuff_t *ncp_mb_tvb;
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
index f9e22141c4..f80f287ab4 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
@@ -9,8 +9,12 @@ DEPENDS = "pcre expat glib-2.0 glib-2.0-native libgcrypt libgpg-error libxml2 bi
 DEPENDS_append_class-target = " wireshark-native chrpath-replacement-native "
 SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz \
-           file://fix_lemon_path.patch "
+           file://fix_lemon_path.patch \
+           file://CVE-2023-2855.patch \
+           file://CVE-2023-2856.patch \
+           file://CVE-2023-2858.patch \
+           file://CVE-2023-2952.patch \
+           "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
 SRC_URI[sha256sum] = "bbe75d909b052fcd67a850f149f0d5b1e2531026fc2413946b48570293306887"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-06-27 11:58:32 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-07-14 07:08:54 -0400
commit	8b5ce0d5243e695dd33ba7059303beea2a71abac (patch)
tree	5a367220345e3e9097621d7e768701803bf2db99
parent	00de17fa466b91de7bdbf8655929fb627aad18a8 (diff)
download	meta-openembedded-8b5ce0d5243e695dd33ba7059303beea2a71abac.tar.gz

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch new file mode 100644 index 0000000000..a6370f91cf --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch
@@ -0,0 +1,117 @@
		1	From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001
		2	From: Guy Harris <gharris@sonic.net>
		3	Date: Tue, 16 May 2023 12:05:07 -0700
		4	Subject: [PATCH] candump: check for a too-long frame length.
		5
		6	If the frame length is longer than the maximum, report an error in the
		7	file.
		8
		9	Fixes #19062, preventing the overflow on a buffer on the stack (assuming
		10	your compiler doesn't call a bounds-checknig version of memcpy() if the
		11	size of the target space is known).
		12
		13	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb]
		14	CVE: CVE-2023-2855
		15	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		16	---
		17	wiretap/candump.c \| 47 ++++++++++++++++++++++++++++++++++-------------
		18	1 file changed, 34 insertions(+), 13 deletions(-)
		19
		20	diff --git a/wiretap/candump.c b/wiretap/candump.c
		21	index 3eb17dd..954b509 100644
		22	--- a/wiretap/candump.c
		23	+++ b/wiretap/candump.c
		24	@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off,
		25	wtap_rec rec, Buffer buf,
		26	int err, gchar *err_info);
		27
		28	-static void
		29	-candump_write_packet(wtap_rec rec, Buffer buf, const msg_t *msg)
		30	+static gboolean
		31	+candump_write_packet(wtap_rec rec, Buffer buf, const msg_t msg, int err,
		32	+ gchar **err_info)
		33	{
		34	static const char *can_proto_name = "can-hostendian";
		35	static const char *canfd_proto_name = "canfd";
		36	@@ -57,9 +58,20 @@ candump_write_packet(wtap_rec rec, Buffer buf, const msg_t *msg)
		37
		38	if (msg->is_fd)
		39	{
		40	- canfd_frame_t canfd_frame;
		41	+ canfd_frame_t canfd_frame = {0};
		42	+
		43	+ /*
		44	+ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame.
		45	+ */
		46	+ if (msg->data.length > CANFD_MAX_DLEN) {
		47	+ *err = WTAP_ERR_BAD_FILE;
		48	+ if (err_info != NULL) {
		49	+ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u",
		50	+ msg->data.length, CANFD_MAX_DLEN);
		51	+ }
		52	+ return FALSE;
		53	+ }
		54
		55	- memset(&canfd_frame, 0, sizeof(canfd_frame));
		56	canfd_frame.can_id = msg->id;
		57	canfd_frame.flags = msg->flags;
		58	canfd_frame.len = msg->data.length;
		59	@@ -69,10 +81,21 @@ candump_write_packet(wtap_rec rec, Buffer buf, const msg_t *msg)
		60	}
		61	else
		62	{
		63	- can_frame_t can_frame;
		64	+ can_frame_t can_frame = {0};
		65	+
		66	+ /*
		67	+ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame.
		68	+ */
		69	+ if (msg->data.length > CAN_MAX_DLEN) {
		70	+ *err = WTAP_ERR_BAD_FILE;
		71	+ if (err_info != NULL) {
		72	+ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u",
		73	+ msg->data.length, CAN_MAX_DLEN);
		74	+ }
		75	+ return FALSE;
		76	+ }
		77
		78	- memset(&can_frame, 0, sizeof(can_frame));
		79	- can_frame.can_id = msg->id;
		80	+ can_frame.can_id = msg->id;
		81	can_frame.can_dlc = msg->data.length;
		82	memcpy(can_frame.data, msg->data.data, msg->data.length);
		83
		84	@@ -86,6 +109,8 @@ candump_write_packet(wtap_rec rec, Buffer buf, const msg_t *msg)
		85
		86	rec->rec_header.packet_header.caplen = packet_length;
		87	rec->rec_header.packet_header.len = packet_length;
		88	+
		89	+ return TRUE;
		90	}
		91
		92	static gboolean
		93	@@ -193,9 +218,7 @@ candump_read(wtap wth, wtap_rec rec, Buffer buf, int err, gchar **err_info,
		94	ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh));
		95	#endif
		96
		97	- candump_write_packet(rec, buf, &msg);
		98	-
		99	- return TRUE;
		100	+ return candump_write_packet(rec, buf, &msg, err, err_info);
		101	}
		102
		103	static gboolean
		104	@@ -219,9 +242,7 @@ candump_seek_read(wtap wth , gint64 seek_off, wtap_rec rec,
		105	if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info))
		106	return FALSE;
		107
		108	- candump_write_packet(rec, buf, &msg);
		109	-
		110	- return TRUE;
		111	+ return candump_write_packet(rec, buf, &msg, err, err_info);
		112	}
		113
		114	/*
		115	--
		116	2.25.1
		117


diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch new file mode 100644 index 0000000000..1fb75353b4 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch
@@ -0,0 +1,68 @@
		1	From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001
		2	From: Guy Harris <gharris@sonic.net>
		3	Date: Thu, 18 May 2023 15:03:23 -0700
		4	Subject: [PATCH] vms: fix the search for the packet length field.
		5
		6	The packet length field is of the form
		7
		8	Total Length = DDD = ^xXXX
		9
		10	where "DDD" is the length in decimal and "XXX" is the length in
		11	hexadecimal.
		12
		13	Search for "length ". not just "Length", as we skip past "Length ", not
		14	just "Length", so if we assume we found "Length " but only found
		15	"Length", we'd skip past the end of the string.
		16
		17	While we're at it, fail if we don't find a length field, rather than
		18	just blithely acting as if the packet length were zero.
		19
		20	Fixes #19083.
		21
		22	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca]
		23	CVE: CVE-2023-2856
		24	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		25	---
		26	wiretap/vms.c \| 9 ++++++++-
		27	1 file changed, 8 insertions(+), 1 deletion(-)
		28
		29	diff --git a/wiretap/vms.c b/wiretap/vms.c
		30	index 84e3def..fa77689 100644
		31	--- a/wiretap/vms.c
		32	+++ b/wiretap/vms.c
		33	@@ -310,6 +310,7 @@ parse_vms_packet(FILE_T fh, wtap_rec rec, Buffer buf, int err, gchar *err_in
		34	{
		35	char line[VMS_LINE_LENGTH + 1];
		36	int num_items_scanned;
		37	+ gboolean have_pkt_len = FALSE;
		38	guint32 pkt_len = 0;
		39	int pktnum;
		40	int csec = 101;
		41	@@ -366,7 +367,7 @@ parse_vms_packet(FILE_T fh, wtap_rec rec, Buffer buf, int err, gchar *err_in
		42	return FALSE;
		43	}
		44	}
		45	- if ( (! pkt_len) && (p = strstr(line, "Length"))) {
		46	+ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) {
		47	p += sizeof("Length ");
		48	while (p && ! g_ascii_isdigit(p))
		49	p++;
		50	@@ -382,9 +383,15 @@ parse_vms_packet(FILE_T fh, wtap_rec rec, Buffer buf, int err, gchar *err_in
		51	*err_info = g_strdup_printf("vms: Length field '%s' not valid", p);
		52	return FALSE;
		53	}
		54	+ have_pkt_len = TRUE;
		55	break;
		56	}
		57	} while (! isdumpline(line));
		58	+ if (! have_pkt_len) {
		59	+ *err = WTAP_ERR_BAD_FILE;
		60	+ *err_info = g_strdup_printf("vms: Length field not found");
		61	+ return FALSE;
		62	+ }
		63	if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
		64	/*
		65	* Probably a corrupt capture file; return an error,
		66	--
		67	2.25.1
		68


diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch new file mode 100644 index 0000000000..150b4609bb --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch
@@ -0,0 +1,94 @@
		1	From cb190d6839ddcd4596b0205844f45553f1e77105 Mon Sep 17 00:00:00 2001
		2	From: Guy Harris <gharris@sonic.net>
		3	Date: Fri, 19 May 2023 16:29:45 -0700
		4	Subject: [PATCH] netscaler: add more checks to make sure the record is within
		5	the page.
		6
		7	Whie we're at it, restructure some other checks to test-before-casting -
		8	it's OK to test afterwards, but testing before makes it follow the
		9	pattern used elsewhere.
		10
		11	Fixes #19081.
		12
		13	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105]
		14	CVE: CVE-2023-2858
		15	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		16	---
		17	wiretap/netscaler.c \| 15 ++++++++++-----
		18	1 file changed, 10 insertions(+), 5 deletions(-)
		19
		20	diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
		21	index 93da9a2..f835dfa 100644
		22	--- a/wiretap/netscaler.c
		23	+++ b/wiretap/netscaler.c
		24	@@ -1082,13 +1082,13 @@ static gboolean nstrace_set_start_time(wtap wth, int err, gchar **err_info)
		25
		26	#define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \
		27	do {\
		28	- nspr_pktrace##fullpart##_v##ver##_t type = (nspr_pktrace##fullpart##_v##ver##_t ) &nstrace_buf[nstrace_buf_offset];\
		29	/* Make sure the record header is entirely contained in the page */\
		30	- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\
		31	+ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\
		32	*err = WTAP_ERR_BAD_FILE;\
		33	*err_info = g_strdup("nstrace: record header crosses page boundary");\
		34	return FALSE;\
		35	}\
		36	+ nspr_pktrace##fullpart##_v##ver##_t type = (nspr_pktrace##fullpart##_v##ver##_t ) &nstrace_buf[nstrace_buf_offset];\
		37	/* Check sanity of record size */\
		38	if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\
		39	*err = WTAP_ERR_BAD_FILE;\
		40	@@ -1153,6 +1153,8 @@ static gboolean nstrace_read_v10(wtap wth, wtap_rec rec, Buffer *buf,
		41
		42	case NSPR_ABSTIME_V10:
		43	{
		44	+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
		45	+ return FALSE;
		46	nspr_pktracefull_v10_t fp = (nspr_pktracefull_v10_t ) &nstrace_buf[nstrace_buf_offset];
		47	if (pletoh16(&fp->nsprRecordSize) == 0) {
		48	*err = WTAP_ERR_BAD_FILE;
		49	@@ -1166,6 +1168,8 @@ static gboolean nstrace_read_v10(wtap wth, wtap_rec rec, Buffer *buf,
		50
		51	case NSPR_RELTIME_V10:
		52	{
		53	+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
		54	+ return FALSE;
		55	nspr_pktracefull_v10_t fp = (nspr_pktracefull_v10_t ) &nstrace_buf[nstrace_buf_offset];
		56	if (pletoh16(&fp->nsprRecordSize) == 0) {
		57	*err = WTAP_ERR_BAD_FILE;
		58	@@ -1183,6 +1187,8 @@ static gboolean nstrace_read_v10(wtap wth, wtap_rec rec, Buffer *buf,
		59
		60	default:
		61	{
		62	+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
		63	+ return FALSE;
		64	nspr_pktracefull_v10_t fp = (nspr_pktracefull_v10_t ) &nstrace_buf[nstrace_buf_offset];
		65	if (pletoh16(&fp->nsprRecordSize) == 0) {
		66	*err = WTAP_ERR_BAD_FILE;
		67	@@ -1466,14 +1472,14 @@ static gboolean nstrace_read_v20(wtap wth, wtap_rec rec, Buffer *buf,
		68
		69	#define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\
		70	do {\
		71	- nspr_##structname##_t fp = (nspr_##structname##_t ) &nstrace_buf[nstrace_buf_offset];\
		72	/* Make sure the record header is entirely contained in the page */\
		73	- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\
		74	+ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\
		75	*err = WTAP_ERR_BAD_FILE;\
		76	*err_info = g_strdup("nstrace: record header crosses page boundary");\
		77	g_free(nstrace_tmpbuff);\
		78	return FALSE;\
		79	}\
		80	+ nspr_##structname##_t fp = (nspr_##structname##_t ) &nstrace_buf[nstrace_buf_offset];\
		81	(rec)->rec_type = REC_TYPE_PACKET;\
		82	TIMEDEFV##ver((rec),fp,type);\
		83	FULLPART##SIZEDEFV##ver((rec),fp,ver);\
		84	@@ -1580,7 +1586,6 @@ static gboolean nstrace_read_v30(wtap wth, wtap_rec rec, Buffer *buf,
		85	g_free(nstrace_tmpbuff);
		86	return FALSE;
		87	}
		88	-
		89	hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset];
		90	if (nspr_getv20recordsize(hdp) == 0) {
		91	*err = WTAP_ERR_BAD_FILE;
		92	--
		93	2.25.1
		94


diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch new file mode 100644 index 0000000000..82098271ec --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
@@ -0,0 +1,97 @@
		1	From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001
		2	From: Gerald Combs <gerald@wireshark.org>
		3	Date: Tue, 23 May 2023 13:52:03 -0700
		4	Subject: [PATCH] XRA: Fix an infinite loop
		5
		6	C compilers don't care what size a value was on the wire. Use
		7	naturally-sized ints, including in dissect_message_channel_mb where we
		8	would otherwise overflow and loop infinitely.
		9
		10	Fixes #19100
		11
		12	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5]
		13	CVE: CVE-2023-2952
		14	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		15	---
		16	epan/dissectors/packet-xra.c \| 16 ++++++++--------
		17	1 file changed, 8 insertions(+), 8 deletions(-)
		18
		19	diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
		20	index f59d899..6c1445f 100644
		21	--- a/epan/dissectors/packet-xra.c
		22	+++ b/epan/dissectors/packet-xra.c
		23	@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
		24	it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
		25	xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
		26
		27	- guint32 tlv_index =0;
		28	+ unsigned tlv_index = 0;
		29	while (tlv_index < tlv_length) {
		30	guint8 type = tvb_get_guint8 (tvb, tlv_index);
		31	++tlv_index;
		32	@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
		33	it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
		34	xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
		35
		36	- guint32 tlv_index =0;
		37	+ unsigned tlv_index = 0;
		38	while (tlv_index < tlv_length) {
		39	guint8 type = tvb_get_guint8 (tvb, tlv_index);
		40	++tlv_index;
		41	@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
		42	it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
		43	xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
		44
		45	- guint32 tlv_index =0;
		46	+ unsigned tlv_index = 0;
		47	while (tlv_index < tlv_length) {
		48	guint8 type = tvb_get_guint8 (tvb, tlv_index);
		49	++tlv_index;
		50	@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da
		51	it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA);
		52	xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv);
		53
		54	- guint32 tlv_index =0;
		55	+ unsigned tlv_index = 0;
		56	tvbuff_t xra_tlv_cw_info_tvb, xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb;
		57
		58	while (tlv_index < tlv_length) {
		59	@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
		60	if(packet_start_pointer_field_present) {
		61	proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer);
		62
		63	- guint16 docsis_start = 3 + packet_start_pointer;
		64	+ unsigned docsis_start = 3 + packet_start_pointer;
		65	while (docsis_start + 6 < remaining_length) {
		66	/DOCSIS header in packet/
		67	guint8 fc = tvb_get_guint8(tvb,docsis_start + 0);
		68	@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
		69	docsis_start += 1;
		70	continue;
		71	}
		72	- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
		73	+ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
		74	if (docsis_start + 6 + docsis_length <= remaining_length) {
		75	/DOCSIS packet included in packet/
		76	tvbuff_t *docsis_tvb;
		77	@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) {
		78	static int
		79	dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) {
		80
		81	- guint16 offset = 0;
		82	+ int offset = 0;
		83	proto_tree *plc_tree;
		84	proto_item *plc_item;
		85	tvbuff_t *mb_tvb;
		86	@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _
		87
		88	static int
		89	dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) {
		90	- guint16 offset = 0;
		91	+ int offset = 0;
		92	proto_tree *ncp_tree;
		93	proto_item *ncp_item;
		94	tvbuff_t *ncp_mb_tvb;
		95	--
		96	2.25.1
		97


diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb index f9e22141c4..f80f287ab4 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
@@ -9,8 +9,12 @@ DEPENDS = "pcre expat glib-2.0 glib-2.0-native libgcrypt libgpg-error libxml2 bi
9	DEPENDS_append_class-target = " wireshark-native chrpath-replacement-native "	9	DEPENDS_append_class-target = " wireshark-native chrpath-replacement-native "
10		10
11	SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz \	11	SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz \
12	file://fix_lemon_path.patch "	12	file://fix_lemon_path.patch \
13		13	file://CVE-2023-2855.patch \
		14	file://CVE-2023-2856.patch \
		15	file://CVE-2023-2858.patch \
		16	file://CVE-2023-2952.patch \
		17	"
14	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"	18	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
15		19
16	SRC_URI[sha256sum] = "bbe75d909b052fcd67a850f149f0d5b1e2531026fc2413946b48570293306887"	20	SRC_URI[sha256sum] = "bbe75d909b052fcd67a850f149f0d5b1e2531026fc2413946b48570293306887"