wireshark: Fix CVE-2023-2855 & CVE-2023-2856

Backport fixes for: * CVE-2023-2855 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb * CVE-2023-2856 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-06-07 14:06:53 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-06-07 07:46:50 -0400
commit: 147b663d8340d87084468309c9fd08f30177fd92 (patch)
tree: bc0a86044920ccd7a378ddb62d8a18eb81931682
parent: df5a73dfe324b1cf177bfbaa56f5326f69715960 (diff)
download: meta-openembedded-147b663d8340d87084468309c9fd08f30177fd92.tar.gz
3 files changed, 179 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch
new file mode 100644
index 0000000000..b4718f4607
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch
@@ -0,0 +1,108 @@
+From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Tue, 16 May 2023 12:05:07 -0700
+Subject: [PATCH] candump: check for a too-long frame length.
+If the frame length is longer than the maximum, report an error in the
+file.
+Fixes #19062, preventing the overflow on a buffer on the stack (assuming
+your compiler doesn't call a bounds-checknig version of memcpy() if the
+size of the target space is known).
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb]
+CVE: CVE-2023-2855
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ wiretap/candump.c | 39 +++++++++++++++++++++++++++++++--------
+ 1 file changed, 31 insertions(+), 8 deletions(-)
+diff --git a/wiretap/candump.c b/wiretap/candump.c
+index 0def7bc..3f7c2b2 100644
+--- a/wiretap/candump.c
+++ b/wiretap/candump.c
+@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off,
+                                   wtap_rec *rec, Buffer *buf,
+                                   int *err, gchar **err_info);
+ 
+-static void
+-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+static gboolean
+candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err,
+                     gchar **err_info)
+ {
+     static const char *can_proto_name    = "can-hostendian";
+     static const char *canfd_proto_name  = "canfd";
+@@ -59,6 +60,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+     {
+         canfd_frame_t canfd_frame = {0};
+ 
+        /*
+         * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame.
+         */
+        if (msg->data.length > CANFD_MAX_DLEN) {
+            *err = WTAP_ERR_BAD_FILE;
+            if (err_info != NULL) {
+               *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u",
+                                             msg->data.length, CANFD_MAX_DLEN);
+            }
+            return FALSE;
+        }
+
+         canfd_frame.can_id = msg->id;
+         canfd_frame.flags  = msg->flags;
+         canfd_frame.len    = msg->data.length;
+@@ -70,6 +83,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+     {
+         can_frame_t can_frame = {0};
+ 
+        /*
+         * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame.
+         */
+        if (msg->data.length > CAN_MAX_DLEN) {
+            *err = WTAP_ERR_BAD_FILE;
+            if (err_info != NULL) {
+               *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u",
+                                             msg->data.length, CAN_MAX_DLEN);
+            }
+            return FALSE;
+        }
+
+         can_frame.can_id  = msg->id;
+         can_frame.can_dlc = msg->data.length;
+         memcpy(can_frame.data, msg->data.data, msg->data.length);
+@@ -84,6 +109,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+ 
+     rec->rec_header.packet_header.caplen = packet_length;
+     rec->rec_header.packet_header.len    = packet_length;
+
+    return TRUE;
+ }
+ 
+ static gboolean
+@@ -190,9 +217,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info,
+     ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh));
+ #endif
+ 
+-    candump_write_packet(rec, buf, &msg);
+-
+-    return TRUE;
+    return candump_write_packet(rec, buf, &msg, err, err_info);
+ }
+ 
+ static gboolean
+@@ -216,9 +241,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec,
+     if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info))
+         return FALSE;
+ 
+-    candump_write_packet(rec, buf, &msg);
+-
+-    return TRUE;
+    return candump_write_packet(rec, buf, &msg, err, err_info);
+ }
+ 
+ /*
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch
new file mode 100644
index 0000000000..863421f986
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch
@@ -0,0 +1,69 @@
+From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Thu, 18 May 2023 15:03:23 -0700
+Subject: [PATCH] vms: fix the search for the packet length field.
+The packet length field is of the form
+    Total Length = DDD = ^xXXX
+where "DDD" is the length in decimal and "XXX" is the length in
+hexadecimal.
+Search for "length ". not just "Length", as we skip past "Length ", not
+just "Length", so if we assume we found "Length " but only found
+"Length", we'd skip past the end of the string.
+While we're at it, fail if we don't find a length field, rather than
+just blithely acting as if the packet length were zero.
+Fixes #19083.
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca]
+CVE: CVE-2023-2856
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ wiretap/vms.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/wiretap/vms.c b/wiretap/vms.c
+index 0aa83ea..5f5fdbb 100644
+--- a/wiretap/vms.c
+++ b/wiretap/vms.c
+@@ -318,6 +318,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+ {
+     char    line[VMS_LINE_LENGTH + 1];
+     int     num_items_scanned;
+    gboolean have_pkt_len = FALSE;
+     guint32 pkt_len = 0;
+     int     pktnum;
+     int     csec = 101;
+@@ -374,7 +375,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+                 return FALSE;
+             }
+         }
+-        if ( (! pkt_len) && (p = strstr(line, "Length"))) {
+        if ( (! have_pkt_len) && (p = strstr(line, "Length "))) {
+             p += sizeof("Length ");
+             while (*p && ! g_ascii_isdigit(*p))
+                 p++;
+@@ -390,9 +391,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+                 *err_info = g_strdup_printf("vms: Length field '%s' not valid", p);
+                 return FALSE;
+             }
+            have_pkt_len = TRUE;
+             break;
+         }
+     } while (! isdumpline(line));
+    if (! have_pkt_len) {
+        *err = WTAP_ERR_BAD_FILE;
+        *err_info = g_strdup_printf("vms: Length field not found");
+        return FALSE;
+    }
+     if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
+         /*
+          * Probably a corrupt capture file; return an error,
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
index 693a167938..ff99a7508f 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -16,6 +16,8 @@ SRC_URI += " \
    file://0003-bison-Remove-line-directives.patch \
    file://0004-lemon-Remove-line-directives.patch \
    file://CVE-2022-3190.patch \
+    file://CVE-2023-2855.patch \
+    file://CVE-2023-2856.patch \
 "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-06-07 14:06:53 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-06-07 07:46:50 -0400
commit	147b663d8340d87084468309c9fd08f30177fd92 (patch)
tree	bc0a86044920ccd7a378ddb62d8a18eb81931682
parent	df5a73dfe324b1cf177bfbaa56f5326f69715960 (diff)
download	meta-openembedded-147b663d8340d87084468309c9fd08f30177fd92.tar.gz

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch new file mode 100644 index 0000000000..b4718f4607 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch
@@ -0,0 +1,108 @@
		1	From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001
		2	From: Guy Harris <gharris@sonic.net>
		3	Date: Tue, 16 May 2023 12:05:07 -0700
		4	Subject: [PATCH] candump: check for a too-long frame length.
		5
		6	If the frame length is longer than the maximum, report an error in the
		7	file.
		8
		9	Fixes #19062, preventing the overflow on a buffer on the stack (assuming
		10	your compiler doesn't call a bounds-checknig version of memcpy() if the
		11	size of the target space is known).
		12
		13	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb]
		14	CVE: CVE-2023-2855
		15
		16	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		17	---
		18	wiretap/candump.c \| 39 +++++++++++++++++++++++++++++++--------
		19	1 file changed, 31 insertions(+), 8 deletions(-)
		20
		21	diff --git a/wiretap/candump.c b/wiretap/candump.c
		22	index 0def7bc..3f7c2b2 100644
		23	--- a/wiretap/candump.c
		24	+++ b/wiretap/candump.c
		25	@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off,
		26	wtap_rec rec, Buffer buf,
		27	int err, gchar *err_info);
		28
		29	-static void
		30	-candump_write_packet(wtap_rec rec, Buffer buf, const msg_t *msg)
		31	+static gboolean
		32	+candump_write_packet(wtap_rec rec, Buffer buf, const msg_t msg, int err,
		33	+ gchar **err_info)
		34	{
		35	static const char *can_proto_name = "can-hostendian";
		36	static const char *canfd_proto_name = "canfd";
		37	@@ -59,6 +60,18 @@ candump_write_packet(wtap_rec rec, Buffer buf, const msg_t *msg)
		38	{
		39	canfd_frame_t canfd_frame = {0};
		40
		41	+ /*
		42	+ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame.
		43	+ */
		44	+ if (msg->data.length > CANFD_MAX_DLEN) {
		45	+ *err = WTAP_ERR_BAD_FILE;
		46	+ if (err_info != NULL) {
		47	+ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u",
		48	+ msg->data.length, CANFD_MAX_DLEN);
		49	+ }
		50	+ return FALSE;
		51	+ }
		52	+
		53	canfd_frame.can_id = msg->id;
		54	canfd_frame.flags = msg->flags;
		55	canfd_frame.len = msg->data.length;
		56	@@ -70,6 +83,18 @@ candump_write_packet(wtap_rec rec, Buffer buf, const msg_t *msg)
		57	{
		58	can_frame_t can_frame = {0};
		59
		60	+ /*
		61	+ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame.
		62	+ */
		63	+ if (msg->data.length > CAN_MAX_DLEN) {
		64	+ *err = WTAP_ERR_BAD_FILE;
		65	+ if (err_info != NULL) {
		66	+ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u",
		67	+ msg->data.length, CAN_MAX_DLEN);
		68	+ }
		69	+ return FALSE;
		70	+ }
		71	+
		72	can_frame.can_id = msg->id;
		73	can_frame.can_dlc = msg->data.length;
		74	memcpy(can_frame.data, msg->data.data, msg->data.length);
		75	@@ -84,6 +109,8 @@ candump_write_packet(wtap_rec rec, Buffer buf, const msg_t *msg)
		76
		77	rec->rec_header.packet_header.caplen = packet_length;
		78	rec->rec_header.packet_header.len = packet_length;
		79	+
		80	+ return TRUE;
		81	}
		82
		83	static gboolean
		84	@@ -190,9 +217,7 @@ candump_read(wtap wth, wtap_rec rec, Buffer buf, int err, gchar **err_info,
		85	ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh));
		86	#endif
		87
		88	- candump_write_packet(rec, buf, &msg);
		89	-
		90	- return TRUE;
		91	+ return candump_write_packet(rec, buf, &msg, err, err_info);
		92	}
		93
		94	static gboolean
		95	@@ -216,9 +241,7 @@ candump_seek_read(wtap wth , gint64 seek_off, wtap_rec rec,
		96	if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info))
		97	return FALSE;
		98
		99	- candump_write_packet(rec, buf, &msg);
		100	-
		101	- return TRUE;
		102	+ return candump_write_packet(rec, buf, &msg, err, err_info);
		103	}
		104
		105	/*
		106	--
		107	2.25.1
		108


diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch new file mode 100644 index 0000000000..863421f986 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch
@@ -0,0 +1,69 @@
		1	From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001
		2	From: Guy Harris <gharris@sonic.net>
		3	Date: Thu, 18 May 2023 15:03:23 -0700
		4	Subject: [PATCH] vms: fix the search for the packet length field.
		5
		6	The packet length field is of the form
		7
		8	Total Length = DDD = ^xXXX
		9
		10	where "DDD" is the length in decimal and "XXX" is the length in
		11	hexadecimal.
		12
		13	Search for "length ". not just "Length", as we skip past "Length ", not
		14	just "Length", so if we assume we found "Length " but only found
		15	"Length", we'd skip past the end of the string.
		16
		17	While we're at it, fail if we don't find a length field, rather than
		18	just blithely acting as if the packet length were zero.
		19
		20	Fixes #19083.
		21
		22	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca]
		23	CVE: CVE-2023-2856
		24
		25	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		26	---
		27	wiretap/vms.c \| 9 ++++++++-
		28	1 file changed, 8 insertions(+), 1 deletion(-)
		29
		30	diff --git a/wiretap/vms.c b/wiretap/vms.c
		31	index 0aa83ea..5f5fdbb 100644
		32	--- a/wiretap/vms.c
		33	+++ b/wiretap/vms.c
		34	@@ -318,6 +318,7 @@ parse_vms_packet(FILE_T fh, wtap_rec rec, Buffer buf, int err, gchar *err_in
		35	{
		36	char line[VMS_LINE_LENGTH + 1];
		37	int num_items_scanned;
		38	+ gboolean have_pkt_len = FALSE;
		39	guint32 pkt_len = 0;
		40	int pktnum;
		41	int csec = 101;
		42	@@ -374,7 +375,7 @@ parse_vms_packet(FILE_T fh, wtap_rec rec, Buffer buf, int err, gchar *err_in
		43	return FALSE;
		44	}
		45	}
		46	- if ( (! pkt_len) && (p = strstr(line, "Length"))) {
		47	+ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) {
		48	p += sizeof("Length ");
		49	while (p && ! g_ascii_isdigit(p))
		50	p++;
		51	@@ -390,9 +391,15 @@ parse_vms_packet(FILE_T fh, wtap_rec rec, Buffer buf, int err, gchar *err_in
		52	*err_info = g_strdup_printf("vms: Length field '%s' not valid", p);
		53	return FALSE;
		54	}
		55	+ have_pkt_len = TRUE;
		56	break;
		57	}
		58	} while (! isdumpline(line));
		59	+ if (! have_pkt_len) {
		60	+ *err = WTAP_ERR_BAD_FILE;
		61	+ *err_info = g_strdup_printf("vms: Length field not found");
		62	+ return FALSE;
		63	+ }
		64	if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
		65	/*
		66	* Probably a corrupt capture file; return an error,
		67	--
		68	2.25.1
		69


diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb index 693a167938..ff99a7508f 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -16,6 +16,8 @@ SRC_URI += " \
16	file://0003-bison-Remove-line-directives.patch \	16	file://0003-bison-Remove-line-directives.patch \
17	file://0004-lemon-Remove-line-directives.patch \	17	file://0004-lemon-Remove-line-directives.patch \
18	file://CVE-2022-3190.patch \	18	file://CVE-2022-3190.patch \
		19	file://CVE-2023-2855.patch \
		20	file://CVE-2023-2856.patch \
19	"	21	"
20		22
21	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"	23	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"