
proposed wireshark_1.2.11-6+squeeze15 fixing multiple vulnerabilities



Hi LTS Team,

I have prepared a security update for the wireshark source package.
The issues are not known to allow remote code execution.
Please see the diffs attached.

Changes:
 wireshark (1.2.11-6+squeeze15) squeeze-lts; urgency=low
 .
   * Make GIOP crash fix endianness-aware
   * security fixes from Wireshark 1.10.9:
     - The Catapult DCT2000 and IrDA dissectors could underrun a buffer
       (CVE-2014-5161, CVE-2014-5162)
     - The GSM Management dissector could crash (CVE-2014-5163)

Cheers,
Balint

diff -Nru wireshark-1.2.11/debian/changelog wireshark-1.2.11/debian/changelog
--- wireshark-1.2.11/debian/changelog	2014-03-09 16:14:43.000000000 +0100
+++ wireshark-1.2.11/debian/changelog	2014-08-08 15:53:21.000000000 +0200
@@ -1,3 +1,13 @@
+wireshark (1.2.11-6+squeeze15) squeeze-lts; urgency=low
+
+  * Make GIOP crash fix endianness-aware
+  * security fixes from Wireshark 1.10.9:
+    - The Catapult DCT2000 and IrDA dissectors could underrun a buffer
+      (CVE-2014-5161, CVE-2014-5162)
+    - The GSM Management dissector could crash (CVE-2014-5163)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Fri, 08 Aug 2014 11:03:25 +0200
+
 wireshark (1.2.11-6+squeeze14) oldstable-security; urgency=high
 
   * security fixes from Wireshark 1.8.11:
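
Review bot: The first item of the new changelog entry, "Make GIOP crash fix endianness-aware", names no bug, CVE or earlier patch, unlike the two items under the 1.10.9 heading. Naming the earlier GIOP fix it amends, or stating that it is a correction without its own CVE, would let someone tracking squeeze-lts tell whether this item closes an open issue.
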
diff -Nru wireshark-1.2.11/debian/patches/64_fix_GIOP_crash_endianness_1.patch wireshark-1.2.11/debian/patches/64_fix_GIOP_crash_endianness_1.patch
--- wireshark-1.2.11/debian/patches/64_fix_GIOP_crash_endianness_1.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.2.11/debian/patches/64_fix_GIOP_crash_endianness_1.patch	2014-05-24 20:07:02.000000000 +0200
@@ -0,0 +1,54 @@
+From b1dd25faabd0a1609b010540be3753e650479dde Mon Sep 17 00:00:00 2001
+From: Balint Reczey <balint.reczey@ericsson.com>
+Date: Sat, 22 Aug 2009 22:46:41 +0000
+Subject: [PATCH 1/2] From Frederic Peters (made endian-aware by me): fixed
+ segfault with some GIOP packets
+
+svn path=/trunk/; revision=29509
+
+Conflicts:
+	epan/dissectors/packet-giop.c
+
+Change-Id: I464930dc6089a20faabc6e8099a716fc0e6751c4
+---
+ epan/dissectors/packet-giop.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/epan/dissectors/packet-giop.c b/epan/dissectors/packet-giop.c
+index be9e005..7598392 100644
+--- a/epan/dissectors/packet-giop.c
++++ b/epan/dissectors/packet-giop.c
+@@ -1715,7 +1715,7 @@ static void giop_dump_collection(collection_data_t collection_type) {
+  * But skip a subdissector if it has been disabled in GUI "edit protocols".
+  */
+ 
+-static gboolean try_heuristic_giop_dissector(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int *offset,
++static gboolean try_heuristic_giop_dissector(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 *offset,
+ 		MessageHeader *header, gchar *operation  ) {
+ 
+   int i,len;
+@@ -1727,8 +1727,19 @@ static gboolean try_heuristic_giop_dissector(tvbuff_t *tvb, packet_info *pinfo,
+ 
+   if (len == 0)
+     return FALSE;
+-  if (*offset > header->message_size)
+-    return FALSE;
++  
++  {
++    guint32 message_size;
++    gboolean stream_is_big_endian = is_big_endian (header);
++
++    if (stream_is_big_endian)
++      message_size = pntohl (header->message_size);
++    else
++      message_size = pletohl (header->message_size);
++
++    if (*offset > header->message_size)
++      return FALSE;
++  }
+ 
+   saved_proto = pinfo->current_proto;
+   for (i=0; i<len; i++) {
+-- 
+1.9.1
+
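
Review bot: In the second packet-giop.c hunk the new block computes `message_size`, but the bounds check still reads `if (*offset > header->message_size)`, so the converted value is never used and the check still compares against the unconverted field. Patch 65 corrects the comparison, so the two patches only work as a pair; consider folding them into one patch file so a partially applied series cannot ship the ineffective check. Also confirm against the full source that `header->message_size` is passed to `pntohl`/`pletohl` in the form those macros expect, since they read bytes through a pointer, and that every caller of `try_heuristic_giop_dissector` passes a `guint32 *` after the signature change in the first hunk.
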
diff -Nru wireshark-1.2.11/debian/patches/65_fix_GIOP_crash_endianness_2.patch wireshark-1.2.11/debian/patches/65_fix_GIOP_crash_endianness_2.patch
--- wireshark-1.2.11/debian/patches/65_fix_GIOP_crash_endianness_2.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.2.11/debian/patches/65_fix_GIOP_crash_endianness_2.patch	2014-05-24 20:07:02.000000000 +0200
@@ -0,0 +1,28 @@
+From eb184f0b35d3c5d0b18e797cf78e64848e4264eb Mon Sep 17 00:00:00 2001
+From: Chris Maynard <Christopher.Maynard@GTECH.COM>
+Date: Mon, 11 Jul 2011 00:17:08 +0000
+Subject: [PATCH 2/2] As noted by Jaap Keuter on -dev, be sure to use
+ message_size instead of header->message_size for a correct host endianness
+ comparison.
+
+svn path=/trunk/; revision=37957
+---
+ epan/dissectors/packet-giop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-giop.c b/epan/dissectors/packet-giop.c
+index 7598392..ee57a41 100644
+--- a/epan/dissectors/packet-giop.c
++++ b/epan/dissectors/packet-giop.c
+@@ -1737,7 +1737,7 @@ static gboolean try_heuristic_giop_dissector(tvbuff_t *tvb, packet_info *pinfo,
+     else
+       message_size = pletohl (header->message_size);
+ 
+-    if (*offset > header->message_size)
++    if (*offset > message_size)
+       return FALSE;
+   }
+ 
+-- 
+1.9.1
+
diff -Nru wireshark-1.2.11/debian/patches/66_fix_from_1.10.9_fix_Catapult_IrDA_crash.patch wireshark-1.2.11/debian/patches/66_fix_from_1.10.9_fix_Catapult_IrDA_crash.patch
--- wireshark-1.2.11/debian/patches/66_fix_from_1.10.9_fix_Catapult_IrDA_crash.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.2.11/debian/patches/66_fix_from_1.10.9_fix_Catapult_IrDA_crash.patch	2014-08-08 15:53:21.000000000 +0200
@@ -0,0 +1,57 @@
+From 92c0fa7dc1d3f94a658951a21b8a0bf55c0fb5bd Mon Sep 17 00:00:00 2001
+From: Peter Wu <peter@lekensteyn.nl>
+Date: Thu, 3 Jul 2014 11:25:21 +0200
+Subject: [PATCH 1/2] catapult,irda: Fix ASAN crashes due to buffer underrun
+
+The catapult dissector tripped on this random file I had. A quick look
+at other dissectors which use a construct like "-1] *= '*\\[rn]" showed
+packet-irda too, so fix that as well.
+
+Conflicts:
+	wiretap/catapult_dct2000.c
+
+Change-Id: I4b5fadcacd0b09d0fb29bdefc3dd1f28aef9b593
+Reviewed-on: https://code.wireshark.org/review/2802
+Reviewed-by: Evan Huus <eapache@gmail.com>
+Reviewed-by: Michael Mann <mmann78@netscape.net>
+(cherry picked from commit 16f8ba1bed579344df373bf38fff552ab8baf380)
+Reviewed-on: https://code.wireshark.org/review/2810
+Reviewed-on: https://code.wireshark.org/review/3501
+Reviewed-by: Balint Reczey <balint@balintreczey.hu>
+---
+ plugins/irda/packet-irda.c | 4 ++--
+ wiretap/catapult_dct2000.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/plugins/irda/packet-irda.c b/plugins/irda/packet-irda.c
+index 3f47607..e0d86df 100644
+--- a/plugins/irda/packet-irda.c
++++ b/plugins/irda/packet-irda.c
+@@ -1691,9 +1691,9 @@ static void dissect_log(tvbuff_t* tvb, packet_info* pinfo, proto_tree* root)
+             length = sizeof(buf)-1;
+         tvb_memcpy(tvb, buf, 0, length);
+         buf[length] = 0;
+-        if (buf[length-1] == '\n')
++        if (length > 0 && buf[length-1] == '\n')
+             buf[length-1] = 0;
+-        else if (buf[length-2] == '\n')
++        else if (length > 1 && buf[length-2] == '\n')
+             buf[length-2] = 0;
+ 
+         col_add_str(pinfo->cinfo, COL_INFO, buf);
+diff --git a/wiretap/catapult_dct2000.c b/wiretap/catapult_dct2000.c
+index 3fcd546..c182edc 100644
+--- a/wiretap/catapult_dct2000.c
++++ b/wiretap/catapult_dct2000.c
+@@ -806,7 +806,7 @@ gboolean read_new_line(FILE_T fh, gint64 *offset, gint *length)
+     *offset = *offset + *length;
+ 
+     /* ...but don't want to include newline in line length */
+-    if (linebuff[*length-1] == '\n')
++    if (*length > 0 && linebuff[*length-1] == '\n')
+     {
+         linebuff[*length-1] = '\0';
+         *length = *length - 1;
+-- 
+2.0.1
+
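
Review bot: The added guards (`length > 0`, `length > 1`, `*length > 0`) cover the indexes visible in these two files, but the commit message says the IrDA site was found by a quick search of the upstream tree, and the Conflicts line shows wiretap/catapult_dct2000.c differs in 1.2.11. Repeat that search for `[length-1]` and `[length-2]` style newline trimming in the 1.2.11 sources, so that an instance present only in the older code is not missed. The patch header also does not name CVE-2014-5161 and CVE-2014-5162, which the changelog assigns to this fix; adding them to the header would make the patch traceable on its own.
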
diff -Nru wireshark-1.2.11/debian/patches/67_fix_from_1.10.9_fix_GSM_crash.patch wireshark-1.2.11/debian/patches/67_fix_from_1.10.9_fix_GSM_crash.patch
--- wireshark-1.2.11/debian/patches/67_fix_from_1.10.9_fix_GSM_crash.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.2.11/debian/patches/67_fix_from_1.10.9_fix_GSM_crash.patch	2014-08-08 15:53:21.000000000 +0200
@@ -0,0 +1,37 @@
+From a82d4408f9c0704ef610077ed54c94b8334cc4bc Mon Sep 17 00:00:00 2001
+From: Pascal Quantin <pascal.quantin@gmail.com>
+Date: Mon, 23 Jun 2014 22:06:05 +0200
+Subject: [PATCH 2/2] Initialize whole buffer in GPRS Mobility and Session
+ Management dissector
+
+Conflicts:
+	epan/dissectors/packet-gsm_a_gm.c
+
+Bug: 10216
+Change-Id: I572a7a6ce0f816063f02397b667dd46c990cf73e
+Reviewed-on: https://code.wireshark.org/review/2583
+Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
+(cherry picked from commit dd7134d907350ccc574cdec596f4162860912bb9)
+Reviewed-on: https://code.wireshark.org/review/2585
+Reviewed-on: https://code.wireshark.org/review/3502
+Reviewed-by: Balint Reczey <balint@balintreczey.hu>
+---
+ epan/dissectors/packet-gsm_a_gm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-gsm_a_gm.c b/epan/dissectors/packet-gsm_a_gm.c
+index 51b7c60..326a08a 100644
+--- a/epan/dissectors/packet-gsm_a_gm.c
++++ b/epan/dissectors/packet-gsm_a_gm.c
+@@ -3202,7 +3202,7 @@ de_sm_apn(tvbuff_t *tvb, proto_tree *tree, guint32 offset, guint len, gchar *add
+ 	curr_offset = offset;
+ 
+ 	/* init buffer and copy it */
+-	memset ( str , 0 , MAX_APN_LENGTH );
++	memset ( str , 0 , MAX_APN_LENGTH+1 );
+ 	memcpy ( str , cptr , len<MAX_APN_LENGTH?len:MAX_APN_LENGTH );
+ 
+ 	curr_len = 0;
+-- 
+2.0.1
+
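
Review bot: The memset in de_sm_apn now clears `MAX_APN_LENGTH+1` bytes, which is only safe if `str` is at least that large; its declaration is outside the hunk, and the Conflicts line says packet-gsm_a_gm.c had to be adapted for 1.2.11. Verify the declaration in the 1.2.11 tree before upload, because if `str` is only `MAX_APN_LENGTH` bytes there, this change itself writes one byte past the buffer. If `str` is a local array, using `sizeof(str)` as the memset length would tie the cleared size to the declaration.
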
diff -Nru wireshark-1.2.11/debian/patches/series wireshark-1.2.11/debian/patches/series
--- wireshark-1.2.11/debian/patches/series	2014-03-09 16:13:30.000000000 +0100
+++ wireshark-1.2.11/debian/patches/series	2014-08-08 15:53:21.000000000 +0200
@@ -55,3 +55,7 @@
 61_fix_from_1.8.10_fix_Netmon_crash.patch
 62_fix_from_1.8.11_fix_TCP_crash.patch
 63_fix_from_1.8.13_fix_MPEG_crash.patch
+64_fix_GIOP_crash_endianness_1.patch
+65_fix_GIOP_crash_endianness_2.patch
+66_fix_from_1.10.9_fix_Catapult_IrDA_crash.patch
+67_fix_from_1.10.9_fix_GSM_crash.patch
