3 files changed, 134 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch
new file mode 100644
index 0000000000..7174e9155c
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch
@@ -0,0 +1,95 @@
+From cb190d6839ddcd4596b0205844f45553f1e77105 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Fri, 19 May 2023 16:29:45 -0700
+Subject: [PATCH] netscaler: add more checks to make sure the record is within
+ the page.
+Whie we're at it, restructure some other checks to test-before-casting -
+it's OK to test afterwards, but testing before makes it follow the
+pattern used elsewhere.
+Fixes #19081.
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105]
+CVE: CVE-2023-2858
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ wiretap/netscaler.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
+index 01a7f6d..4fa020b 100644
+--- a/wiretap/netscaler.c
+++ b/wiretap/netscaler.c
+@@ -1091,13 +1091,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int *err, gchar **err_info)
+ 
+ #define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \
+     do {\
+-        nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
+         /* Make sure the record header is entirely contained in the page */\
+-        if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\
+        if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\
+             *err = WTAP_ERR_BAD_FILE;\
+             *err_info = g_strdup("nstrace: record header crosses page boundary");\
+             return FALSE;\
+         }\
+        nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
+         /* Check sanity of record size */\
+         if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\
+             *err = WTAP_ERR_BAD_FILE;\
+@@ -1162,6 +1162,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
+ 
+                 case NSPR_ABSTIME_V10:
+                 {
+                    if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+                        return FALSE;
+                     nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
+                     if (pletoh16(&fp->nsprRecordSize) == 0) {
+                         *err = WTAP_ERR_BAD_FILE;
+@@ -1175,6 +1177,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
+ 
+                 case NSPR_RELTIME_V10:
+                 {
+                    if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+                        return FALSE;
+                     nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
+                     if (pletoh16(&fp->nsprRecordSize) == 0) {
+                         *err = WTAP_ERR_BAD_FILE;
+@@ -1192,6 +1196,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
+ 
+                 default:
+                 {
+                    if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+                        return FALSE;
+                     nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
+                     if (pletoh16(&fp->nsprRecordSize) == 0) {
+                         *err = WTAP_ERR_BAD_FILE;
+@@ -1475,14 +1481,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf,
+ 
+ #define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\
+     do {\
+-        nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
+         /* Make sure the record header is entirely contained in the page */\
+-        if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\
+        if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\
+             *err = WTAP_ERR_BAD_FILE;\
+             *err_info = g_strdup("nstrace: record header crosses page boundary");\
+             g_free(nstrace_tmpbuff);\
+             return FALSE;\
+         }\
+        nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
+         (rec)->rec_type = REC_TYPE_PACKET;\
+         TIMEDEFV##ver((rec),fp,type);\
+         FULLPART##SIZEDEFV##ver((rec),fp,ver);\
+@@ -1589,7 +1595,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, Buffer *buf,
+                 g_free(nstrace_tmpbuff);
+                 return FALSE;
+             }
+-
+             hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset];
+             if (nspr_getv20recordsize(hdp) == 0) {
+                 *err = WTAP_ERR_BAD_FILE;
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2879.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2879.patch
new file mode 100644
index 0000000000..0a8247923e
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2879.patch
@@ -0,0 +1,37 @@
+From 118815ca7c9f82c1f83f8f64d9e0e54673f31677 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sat, 13 May 2023 21:45:16 -0400
+Subject: [PATCH] GDSDB: Make sure our offset advances.
+add_uint_string() returns the next offset to use, not the number
+of bytes consumed. So to consume all the bytes and make sure the
+offset advances, return the entire reported tvb length, not the
+number of bytes remaining.
+Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f
+Fixes #19068
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677]
+CVE: CVE-2023-2879
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-gdsdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c
+index 75bcfb9..950d68f 100644
+--- a/epan/dissectors/packet-gdsdb.c
+++ b/epan/dissectors/packet-gdsdb.c
+@@ -480,7 +480,7 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o
+        int ret_offset = offset + length;
+        if (length < 4 || ret_offset < offset) {
+                expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length);
+-               return tvb_reported_length_remaining(tvb, offset);
+               return tvb_reported_length(tvb);
+        }
+        return ret_offset;
+ }
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
index f99669a624..9550546e70 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -18,6 +18,8 @@ SRC_URI += " \
    file://CVE-2022-3190.patch \
    file://CVE-2023-2855.patch \
    file://CVE-2023-2856.patch \
+    file://CVE-2023-2858.patch \
+    file://CVE-2023-2879.patch \
 "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch new file mode 100644 index 0000000000..7174e9155c --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch
@@ -0,0 +1,95 @@
		1	From cb190d6839ddcd4596b0205844f45553f1e77105 Mon Sep 17 00:00:00 2001
		2	From: Guy Harris <gharris@sonic.net>
		3	Date: Fri, 19 May 2023 16:29:45 -0700
		4	Subject: [PATCH] netscaler: add more checks to make sure the record is within
		5	the page.
		6
		7	Whie we're at it, restructure some other checks to test-before-casting -
		8	it's OK to test afterwards, but testing before makes it follow the
		9	pattern used elsewhere.
		10
		11	Fixes #19081.
		12
		13	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105]
		14	CVE: CVE-2023-2858
		15
		16	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		17	---
		18	wiretap/netscaler.c \| 15 ++++++++++-----
		19	1 file changed, 10 insertions(+), 5 deletions(-)
		20
		21	diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
		22	index 01a7f6d..4fa020b 100644
		23	--- a/wiretap/netscaler.c
		24	+++ b/wiretap/netscaler.c
		25	@@ -1091,13 +1091,13 @@ static gboolean nstrace_set_start_time(wtap wth, int err, gchar **err_info)
		26
		27	#define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \
		28	do {\
		29	- nspr_pktrace##fullpart##_v##ver##_t type = (nspr_pktrace##fullpart##_v##ver##_t ) &nstrace_buf[nstrace_buf_offset];\
		30	/* Make sure the record header is entirely contained in the page */\
		31	- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\
		32	+ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\
		33	*err = WTAP_ERR_BAD_FILE;\
		34	*err_info = g_strdup("nstrace: record header crosses page boundary");\
		35	return FALSE;\
		36	}\
		37	+ nspr_pktrace##fullpart##_v##ver##_t type = (nspr_pktrace##fullpart##_v##ver##_t ) &nstrace_buf[nstrace_buf_offset];\
		38	/* Check sanity of record size */\
		39	if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\
		40	*err = WTAP_ERR_BAD_FILE;\
		41	@@ -1162,6 +1162,8 @@ static gboolean nstrace_read_v10(wtap wth, wtap_rec rec, Buffer *buf,
		42
		43	case NSPR_ABSTIME_V10:
		44	{
		45	+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
		46	+ return FALSE;
		47	nspr_pktracefull_v10_t fp = (nspr_pktracefull_v10_t ) &nstrace_buf[nstrace_buf_offset];
		48	if (pletoh16(&fp->nsprRecordSize) == 0) {
		49	*err = WTAP_ERR_BAD_FILE;
		50	@@ -1175,6 +1177,8 @@ static gboolean nstrace_read_v10(wtap wth, wtap_rec rec, Buffer *buf,
		51
		52	case NSPR_RELTIME_V10:
		53	{
		54	+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
		55	+ return FALSE;
		56	nspr_pktracefull_v10_t fp = (nspr_pktracefull_v10_t ) &nstrace_buf[nstrace_buf_offset];
		57	if (pletoh16(&fp->nsprRecordSize) == 0) {
		58	*err = WTAP_ERR_BAD_FILE;
		59	@@ -1192,6 +1196,8 @@ static gboolean nstrace_read_v10(wtap wth, wtap_rec rec, Buffer *buf,
		60
		61	default:
		62	{
		63	+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
		64	+ return FALSE;
		65	nspr_pktracefull_v10_t fp = (nspr_pktracefull_v10_t ) &nstrace_buf[nstrace_buf_offset];
		66	if (pletoh16(&fp->nsprRecordSize) == 0) {
		67	*err = WTAP_ERR_BAD_FILE;
		68	@@ -1475,14 +1481,14 @@ static gboolean nstrace_read_v20(wtap wth, wtap_rec rec, Buffer *buf,
		69
		70	#define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\
		71	do {\
		72	- nspr_##structname##_t fp = (nspr_##structname##_t ) &nstrace_buf[nstrace_buf_offset];\
		73	/* Make sure the record header is entirely contained in the page */\
		74	- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\
		75	+ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\
		76	*err = WTAP_ERR_BAD_FILE;\
		77	*err_info = g_strdup("nstrace: record header crosses page boundary");\
		78	g_free(nstrace_tmpbuff);\
		79	return FALSE;\
		80	}\
		81	+ nspr_##structname##_t fp = (nspr_##structname##_t ) &nstrace_buf[nstrace_buf_offset];\
		82	(rec)->rec_type = REC_TYPE_PACKET;\
		83	TIMEDEFV##ver((rec),fp,type);\
		84	FULLPART##SIZEDEFV##ver((rec),fp,ver);\
		85	@@ -1589,7 +1595,6 @@ static gboolean nstrace_read_v30(wtap wth, wtap_rec rec, Buffer *buf,
		86	g_free(nstrace_tmpbuff);
		87	return FALSE;
		88	}
		89	-
		90	hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset];
		91	if (nspr_getv20recordsize(hdp) == 0) {
		92	*err = WTAP_ERR_BAD_FILE;
		93	--
		94	2.25.1
		95


diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2879.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2879.patch new file mode 100644 index 0000000000..0a8247923e --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2879.patch
@@ -0,0 +1,37 @@
		1	From 118815ca7c9f82c1f83f8f64d9e0e54673f31677 Mon Sep 17 00:00:00 2001
		2	From: John Thacker <johnthacker@gmail.com>
		3	Date: Sat, 13 May 2023 21:45:16 -0400
		4	Subject: [PATCH] GDSDB: Make sure our offset advances.
		5
		6	add_uint_string() returns the next offset to use, not the number
		7	of bytes consumed. So to consume all the bytes and make sure the
		8	offset advances, return the entire reported tvb length, not the
		9	number of bytes remaining.
		10
		11	Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f
		12	Fixes #19068
		13
		14	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677]
		15	CVE: CVE-2023-2879
		16
		17	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		18	---
		19	epan/dissectors/packet-gdsdb.c \| 2 +-
		20	1 file changed, 1 insertion(+), 1 deletion(-)
		21
		22	diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c
		23	index 75bcfb9..950d68f 100644
		24	--- a/epan/dissectors/packet-gdsdb.c
		25	+++ b/epan/dissectors/packet-gdsdb.c
		26	@@ -480,7 +480,7 @@ static int add_uint_string(proto_tree tree, int hf_string, tvbuff_t tvb, int o
		27	int ret_offset = offset + length;
		28	if (length < 4 \|\| ret_offset < offset) {
		29	expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length);
		30	- return tvb_reported_length_remaining(tvb, offset);
		31	+ return tvb_reported_length(tvb);
		32	}
		33	return ret_offset;
		34	}
		35	--
		36	2.25.1
		37


diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb index f99669a624..9550546e70 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -18,6 +18,8 @@ SRC_URI += " \
18	file://CVE-2022-3190.patch \	18	file://CVE-2022-3190.patch \
19	file://CVE-2023-2855.patch \	19	file://CVE-2023-2855.patch \
20	file://CVE-2023-2856.patch \	20	file://CVE-2023-2856.patch \
		21	file://CVE-2023-2858.patch \
		22	file://CVE-2023-2879.patch \
21	"	23	"
22		24
23	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"	25	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"