From cd1aa14313b5ade98613b7d349f320fd44e78bc9 Mon Sep 17 00:00:00 2001 From: Vijay Anusuri Date: Mon, 17 Mar 2025 14:46:38 +0530 Subject: wireshark: upgrade 4.2.7 -> 4.2.9 Fixes CVE-2024-11595 CVE-2024-11596 Removed CVE-2024-9781.patch which is already fixed in 4.2.8 version Release notes: https://www.wireshark.org/docs/relnotes/wireshark-4.2.8.html https://www.wireshark.org/docs/relnotes/wireshark-4.2.9.html Reference: https://www.wireshark.org/security/wnpa-sec-2024-15.html https://www.wireshark.org/security/wnpa-sec-2024-14.html https://www.wireshark.org/security/wnpa-sec-2024-13.html Signed-off-by: Vijay Anusuri Signed-off-by: Armin Kuster --- .../wireshark/files/CVE-2024-9781.patch | 133 --------------------- .../recipes-support/wireshark/wireshark_4.2.7.bb | 100 ---------------- .../recipes-support/wireshark/wireshark_4.2.9.bb | 99 +++++++++++++++ 3 files changed, 99 insertions(+), 233 deletions(-) delete mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2024-9781.patch delete mode 100644 meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb create mode 100644 meta-networking/recipes-support/wireshark/wireshark_4.2.9.bb diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2024-9781.patch b/meta-networking/recipes-support/wireshark/files/CVE-2024-9781.patch deleted file mode 100644 index eb8c733da7..0000000000 --- a/meta-networking/recipes-support/wireshark/files/CVE-2024-9781.patch +++ /dev/null @@ -1,133 +0,0 @@ -From f32965be7c80ca6eb330d0e9b34f0c563db7d869 Mon Sep 17 00:00:00 2001 -From: Gerald Combs -Date: Tue, 8 Oct 2024 11:56:28 -0700 -Subject: [PATCH] AppleTalk: Make sure we have valid addresses - -Make sure ATP, ZIP, and ASP have valid addresses. Use sizeof instead of -a hard-coded value in a few places. - -Fixes #20114 - -(cherry picked from commit 3de741321f85c205c0a8266c40f33cb0013bd1d2) - -Conflicts: - epan/dissectors/packet-atalk.c - -CVE: CVE-2024-9781 -Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cad248ce3bf5] - -(cherry picked from commit cad248ce3bf53026cc837fedeaca65d0f20ea3b5) -Signed-off-by: Shubham Pushpkar ---- - epan/dissectors/packet-atalk.c | 44 ++++++++++++++++++++++++---------- - 1 file changed, 32 insertions(+), 12 deletions(-) - -diff --git a/epan/dissectors/packet-atalk.c b/epan/dissectors/packet-atalk.c -index 396e7af519..065d6aedb6 100644 ---- a/epan/dissectors/packet-atalk.c -+++ b/epan/dissectors/packet-atalk.c -@@ -232,9 +232,18 @@ static int hf_asp_attn_code = -1; - static int hf_asp_seq = -1; - static int hf_asp_size = -1; - -+/* -+ * Structure used to represent a DDP address; gives the layout of the -+ * data pointed to by an Appletalk "address" structure. -+ */ -+struct atalk_ddp_addr { -+ guint16 net; -+ guint8 node; -+}; -+ - typedef struct { - guint32 conversation; -- guint8 src[4]; -+ guint8 src[sizeof(struct atalk_ddp_addr)]; - guint16 tid; - } asp_request_key; - -@@ -502,6 +511,10 @@ static const value_string asp_error_vals[] = { - {0, NULL } }; - value_string_ext asp_error_vals_ext = VALUE_STRING_EXT_INIT(asp_error_vals); - -+static bool is_ddp_address(address *addr) { -+ return addr->type == atalk_address_type && addr->len == sizeof(struct atalk_ddp_addr); -+} -+ - /* - * hf_index must be a FT_UINT_STRING type - * Are these always in a Mac extended character set? Should we have a -@@ -744,6 +757,12 @@ dissect_atp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) - conversation_t *conversation; - asp_request_val *request_val = NULL; - -+ // ATP is carried over DDP -+ if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) { -+ return 0; -+ } -+ -+ - col_set_str(pinfo->cinfo, COL_PROTOCOL, "ATP"); - - ctrlinfo = tvb_get_guint8(tvb, offset); -@@ -770,7 +789,7 @@ dissect_atp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) - asp_request_key request_key; - - request_key.conversation = conversation->conv_index; -- memcpy(request_key.src, (!atp_asp_dsi_info.reply)?pinfo->src.data:pinfo->dst.data, 4); -+ memcpy(request_key.src, (!atp_asp_dsi_info.reply)?pinfo->src.data:pinfo->dst.data, sizeof(struct atalk_ddp_addr)); - request_key.tid = atp_asp_dsi_info.tid; - - request_val = (asp_request_val *) wmem_map_lookup(atp_request_hash, &request_key); -@@ -1018,7 +1037,7 @@ get_transaction(tvbuff_t *tvb, packet_info *pinfo, struct atp_asp_dsi_info *atp_ - conversation = find_or_create_conversation(pinfo); - - request_key.conversation = conversation->conv_index; -- memcpy(request_key.src, (!atp_asp_dsi_info->reply)?pinfo->src.data:pinfo->dst.data, 4); -+ memcpy(request_key.src, (!atp_asp_dsi_info->reply)?pinfo->src.data:pinfo->dst.data, sizeof(struct atalk_ddp_addr)); - request_key.tid = atp_asp_dsi_info->tid; - - request_val = (asp_request_val *) wmem_map_lookup(asp_request_hash, &request_key); -@@ -1051,6 +1070,11 @@ dissect_asp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) - if (data == NULL) - return 0; - -+ // ASP is carried over ATP/DDP -+ if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) { -+ return 0; -+ } -+ - col_set_str(pinfo->cinfo, COL_PROTOCOL, "ASP"); - col_clear(pinfo->cinfo, COL_INFO); - -@@ -1183,15 +1207,6 @@ dissect_asp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) - /* ----------------------------- - ZIP protocol cf. inside appletalk chap. 8 - */ --/* -- * Structure used to represent a DDP address; gives the layout of the -- * data pointed to by an Appletalk "address" structure. -- */ --struct atalk_ddp_addr { -- guint16 net; -- guint8 node; --}; -- - - static int atalk_str_len(const address* addr _U_) - { -@@ -1241,6 +1256,11 @@ dissect_atp_zip(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data) - if (data == NULL) - return 0; - -+ // ATP ZIP is carried over DDP -+ if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) { -+ return 0; -+ } -+ - col_set_str(pinfo->cinfo, COL_PROTOCOL, "ZIP"); - col_clear(pinfo->cinfo, COL_INFO); - --- -2.44.1 - diff --git a/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb b/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb deleted file mode 100644 index d68b082bb3..0000000000 --- a/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb +++ /dev/null @@ -1,100 +0,0 @@ -DESCRIPTION = "wireshark - a popular network protocol analyzer" -HOMEPAGE = "http://www.wireshark.org" -SECTION = "net" -LICENSE = "GPL-2.0-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" - -DEPENDS = "pcre2 expat glib-2.0 glib-2.0-native libgcrypt libgpg-error libxml2 bison-native c-ares speexdsp" - -DEPENDS:append:class-target = " wireshark-native chrpath-replacement-native " - -SRC_URI = "https://1.eu.dl.wireshark.org/src/wireshark-${PV}.tar.xz \ - file://0001-wireshark-src-improve-reproducibility.patch \ - file://0002-flex-Remove-line-directives.patch \ - file://0004-lemon-Remove-line-directives.patch \ - file://0001-UseLemon.cmake-do-not-use-lemon-data-from-the-host.patch \ - file://CVE-2024-9781.patch \ - " - -UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" - -SRC_URI[sha256sum] = "2c5de08e19081bd666a2ce3f052c023274d06acaabc5d667a3c3051a9c618f86" - -PE = "1" - -inherit cmake pkgconfig python3native python3targetconfig perlnative upstream-version-is-even mime mime-xdg - -PACKAGECONFIG ?= "libpcap gnutls libnl libcap sbc" - -PACKAGECONFIG:class-native = "libpcap gnutls ssl libssh" - -PACKAGECONFIG[libcap] = "-DENABLE_CAP=ON,-DENABLE_CAP=OFF -DENABLE_PCAP_NG_DEFAULT=ON, libcap" -PACKAGECONFIG[libpcap] = "-DENABLE_PCAP=ON,-DENABLE_PCAP=OFF -DENABLE_PCAP_NG_DEFAULT=ON , libpcap" -PACKAGECONFIG[libsmi] = "-DENABLE_SMI=ON,-DENABLE_SMI=OFF,libsmi" -PACKAGECONFIG[libnl] = ",,libnl" -PACKAGECONFIG[portaudio] = "-DENABLE_PORTAUDIO=ON,-DENABLE_PORTAUDIO=OFF, portaudio-v19" -PACKAGECONFIG[gnutls] = "-DENABLE_GNUTLS=ON,-DENABLE_GNUTLS=OFF, gnutls" -PACKAGECONFIG[ssl] = ",,openssl" -PACKAGECONFIG[krb5] = "-DENABLE_KRB5=ON,-DENABLE_KRB5=OFF, krb5" -PACKAGECONFIG[lua] = "-DENABLE_LUA=ON,-DENABLE_LUA=OFF, lua" -PACKAGECONFIG[zlib] = "-DENABLE_ZLIB=ON,-DENABLE_ZLIB=OFF, zlib" -PACKAGECONFIG[geoip] = ",, geoip" -PACKAGECONFIG[plugins] = "-DENABLE_PLUGINS=ON,-DENABLE_PLUGINS=OFF" -PACKAGECONFIG[sbc] = "-DENABLE_SBC=ON,-DENABLE_SBC=OFF, sbc" -PACKAGECONFIG[libssh] = "-DENABLE_LIBSSH=ON,-DENABLE_LIBSSH=OFF, libssh2" -PACKAGECONFIG[lz4] = "-DENABLE_LZ4=ON,-DENABLE_LZ4=OFF, lz4" -PACKAGECONFIG[zstd] = "-DENABLE_STTD=ON,-DENABLE_ZSTD=OFF, zstd" -PACKAGECONFIG[nghttp2] = "-DENABLE_NGHTTP2=ON,-DENABLE_NGHTTP2=OFF, nghttp2" - -# these next two options require addional layers -PACKAGECONFIG[qt5] = "-DENABLE_QT5=ON -DBUILD_wireshark=ON, -DENABLE_QT5=OFF -DBUILD_wireshark=OFF, qttools-native qtmultimedia qtsvg" - -inherit ${@bb.utils.contains('PACKAGECONFIG', 'qt5', 'cmake_qt5', '', d)} - -EXTRA_OECMAKE += "-DENABLE_NETLINK=ON \ - -DBUILD_mmdbresolve=OFF \ - -DBUILD_randpktdump=OFF \ - -DBUILD_androiddump=OFF \ - -DBUILD_dcerpcidl2wrs=OFF \ - -DM_INCLUDE_DIR=${includedir} \ - -DM_LIBRARY=${libdir} \ - " -CFLAGS:append = " -lm" - -do_compile:append:class-target() { - # Fix TMPDIR, these are in the comments section - sed -i -e "s:** source file.*::g" ${B}/wiretap/ascend_parser.c - sed -i -e "s:** source file.*::g" ${B}/wiretap/candump_parser.c - sed -i -e "s:** source file.*::g" ${B}/wiretap/busmaster_parser.c - sed -i -e "s:** source file.*::g" ${B}/epan/protobuf_lang_parser.c - sed -i -e "s:** source file.*::g" ${B}/epan/dtd_grammar.c - sed -i -e "s:** source file.*::g" ${B}/epan/dfilter/grammar.c -} - -do_install:append:class-native() { - install -d ${D}${bindir} - for f in lemon - do - install -m 0755 ${B}/run/$f ${D}${bindir} - done -} - -do_install:append:class-target() { - for f in `find ${D}${libdir} ${D}${bindir} -type f -executable` - do - chrpath --delete $f - done - - # We don't need the cmake files installed - rm -fr ${D}${usrlib}/${BPN}/cmake -} - -PACKAGE_BEFORE_PN += "tshark" - -FILES:tshark = "${bindir}/tshark ${mandir}/man1/tshark.*" - -FILES:${PN} += "${datadir}*" - -RDEPENDS:tshark = "wireshark" - -BBCLASSEXTEND = "native" diff --git a/meta-networking/recipes-support/wireshark/wireshark_4.2.9.bb b/meta-networking/recipes-support/wireshark/wireshark_4.2.9.bb new file mode 100644 index 0000000000..c561179c68 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/wireshark_4.2.9.bb @@ -0,0 +1,99 @@ +DESCRIPTION = "wireshark - a popular network protocol analyzer" +HOMEPAGE = "http://www.wireshark.org" +SECTION = "net" +LICENSE = "GPL-2.0-only" +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" + +DEPENDS = "pcre2 expat glib-2.0 glib-2.0-native libgcrypt libgpg-error libxml2 bison-native c-ares speexdsp" + +DEPENDS:append:class-target = " wireshark-native chrpath-replacement-native " + +SRC_URI = "https://1.eu.dl.wireshark.org/src/wireshark-${PV}.tar.xz \ + file://0001-wireshark-src-improve-reproducibility.patch \ + file://0002-flex-Remove-line-directives.patch \ + file://0004-lemon-Remove-line-directives.patch \ + file://0001-UseLemon.cmake-do-not-use-lemon-data-from-the-host.patch \ + " + +UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" + +SRC_URI[sha256sum] = "62c2b6652d7f9a50668867bd57b21609c9a9b6950f26e7f30a24b2de0e72ded3" + +PE = "1" + +inherit cmake pkgconfig python3native python3targetconfig perlnative upstream-version-is-even mime mime-xdg + +PACKAGECONFIG ?= "libpcap gnutls libnl libcap sbc" + +PACKAGECONFIG:class-native = "libpcap gnutls ssl libssh" + +PACKAGECONFIG[libcap] = "-DENABLE_CAP=ON,-DENABLE_CAP=OFF -DENABLE_PCAP_NG_DEFAULT=ON, libcap" +PACKAGECONFIG[libpcap] = "-DENABLE_PCAP=ON,-DENABLE_PCAP=OFF -DENABLE_PCAP_NG_DEFAULT=ON , libpcap" +PACKAGECONFIG[libsmi] = "-DENABLE_SMI=ON,-DENABLE_SMI=OFF,libsmi" +PACKAGECONFIG[libnl] = ",,libnl" +PACKAGECONFIG[portaudio] = "-DENABLE_PORTAUDIO=ON,-DENABLE_PORTAUDIO=OFF, portaudio-v19" +PACKAGECONFIG[gnutls] = "-DENABLE_GNUTLS=ON,-DENABLE_GNUTLS=OFF, gnutls" +PACKAGECONFIG[ssl] = ",,openssl" +PACKAGECONFIG[krb5] = "-DENABLE_KRB5=ON,-DENABLE_KRB5=OFF, krb5" +PACKAGECONFIG[lua] = "-DENABLE_LUA=ON,-DENABLE_LUA=OFF, lua" +PACKAGECONFIG[zlib] = "-DENABLE_ZLIB=ON,-DENABLE_ZLIB=OFF, zlib" +PACKAGECONFIG[geoip] = ",, geoip" +PACKAGECONFIG[plugins] = "-DENABLE_PLUGINS=ON,-DENABLE_PLUGINS=OFF" +PACKAGECONFIG[sbc] = "-DENABLE_SBC=ON,-DENABLE_SBC=OFF, sbc" +PACKAGECONFIG[libssh] = "-DENABLE_LIBSSH=ON,-DENABLE_LIBSSH=OFF, libssh2" +PACKAGECONFIG[lz4] = "-DENABLE_LZ4=ON,-DENABLE_LZ4=OFF, lz4" +PACKAGECONFIG[zstd] = "-DENABLE_STTD=ON,-DENABLE_ZSTD=OFF, zstd" +PACKAGECONFIG[nghttp2] = "-DENABLE_NGHTTP2=ON,-DENABLE_NGHTTP2=OFF, nghttp2" + +# these next two options require addional layers +PACKAGECONFIG[qt5] = "-DENABLE_QT5=ON -DBUILD_wireshark=ON, -DENABLE_QT5=OFF -DBUILD_wireshark=OFF, qttools-native qtmultimedia qtsvg" + +inherit ${@bb.utils.contains('PACKAGECONFIG', 'qt5', 'cmake_qt5', '', d)} + +EXTRA_OECMAKE += "-DENABLE_NETLINK=ON \ + -DBUILD_mmdbresolve=OFF \ + -DBUILD_randpktdump=OFF \ + -DBUILD_androiddump=OFF \ + -DBUILD_dcerpcidl2wrs=OFF \ + -DM_INCLUDE_DIR=${includedir} \ + -DM_LIBRARY=${libdir} \ + " +CFLAGS:append = " -lm" + +do_compile:append:class-target() { + # Fix TMPDIR, these are in the comments section + sed -i -e "s:** source file.*::g" ${B}/wiretap/ascend_parser.c + sed -i -e "s:** source file.*::g" ${B}/wiretap/candump_parser.c + sed -i -e "s:** source file.*::g" ${B}/wiretap/busmaster_parser.c + sed -i -e "s:** source file.*::g" ${B}/epan/protobuf_lang_parser.c + sed -i -e "s:** source file.*::g" ${B}/epan/dtd_grammar.c + sed -i -e "s:** source file.*::g" ${B}/epan/dfilter/grammar.c +} + +do_install:append:class-native() { + install -d ${D}${bindir} + for f in lemon + do + install -m 0755 ${B}/run/$f ${D}${bindir} + done +} + +do_install:append:class-target() { + for f in `find ${D}${libdir} ${D}${bindir} -type f -executable` + do + chrpath --delete $f + done + + # We don't need the cmake files installed + rm -fr ${D}${usrlib}/${BPN}/cmake +} + +PACKAGE_BEFORE_PN += "tshark" + +FILES:tshark = "${bindir}/tshark ${mandir}/man1/tshark.*" + +FILES:${PN} += "${datadir}*" + +RDEPENDS:tshark = "wireshark" + +BBCLASSEXTEND = "native" -- cgit v1.2.3-54-g00ecf