[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#550191: marked as done (wireshark 1.0.2-3+lenny6 security fixes)

Your message dated Sun, 25 Oct 2009 21:14:27 +0100
with message-id <ee1a84a50910251314mfdf1eb3g7f5adc324625a46a@mail.gmail.com>
and subject line wireshark 1.0.2-3+lenny6 security fixes uploaded
has caused the Debian Bug report #550191,
regarding wireshark 1.0.2-3+lenny6 security fixes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
550191: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550191
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
User: release.debian.org@packages.debian.org
Severity: normal

Hi,

Could you please allow uploading wireshark 1.0.2-3+lenny6 to stable-security?

It fixes security issues only:

--- debian/changelog    (revision 13620)
+++ debian/changelog    (revision 14468)
@@ -1,3 +1,13 @@
+wireshark (1.0.2-3+lenny6) stable-security; urgency=high
+
+  * security fixes from Wireshark 1.0.8 and 1.0.9:
+    - The PCNFSD dissector could crash (CVE-2009-1829)
+    - The AFS dissector could crash (CVE-2009-2562)
+    - The OpcUa dissector could use excessive CPU and memory (CVE-2009-3242)
+   (Closes: #533347)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Mon, 28 Sep 2009 13:05:13 +0100
+
 wireshark (1.0.2-3+lenny5) stable-security; urgency=high

Thanks,
Balint

Index: debian/changelog
===================================================================
--- debian/changelog	(revision 13620)
+++ debian/changelog	(revision 14468)
@@ -1,3 +1,13 @@
+wireshark (1.0.2-3+lenny6) stable-security; urgency=high
+
+  * security fixes from Wireshark 1.0.8 and 1.0.9:
+    - The PCNFSD dissector could crash (CVE-2009-1829)
+    - The AFS dissector could crash (CVE-2009-2562)
+    - The OpcUa dissector could use excessive CPU and memory (CVE-2009-3242)
+   (Closes: #533347)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Mon, 28 Sep 2009 13:05:13 +0100
+
 wireshark (1.0.2-3+lenny5) stable-security; urgency=high
 
   * Security fixes from Wireshark 1.0.7
Index: debian/patches/34_fix_opcua_lockup.dpatch
===================================================================
--- debian/patches/34_fix_opcua_lockup.dpatch	(revision 0)
+++ debian/patches/34_fix_opcua_lockup.dpatch	(revision 14468)
@@ -0,0 +1,256 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 34_fix_opcua_lockup.dpatch by  <balint@balintreczey.hu>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix excessive CPU and memory use in OpcUa disssector
+
+@DPATCH@
+
+Index: trunk/plugins/opcua/opcua_simpletypes.c
+===================================================================
+--- trunk/plugins/opcua/opcua_simpletypes.c	(revision 29828)
++++ trunk/plugins/opcua/opcua_simpletypes.c	(revision 29829)
+@@ -34,9 +34,6 @@
+ #include <string.h>
+ #include <epan/emem.h>
+ 
+-/* string buffer */
+-#define MAX_BUFFER 256
+-
+ #define DIAGNOSTICINFO_ENCODINGMASK_SYMBOLICID_FLAG           0x01
+ #define DIAGNOSTICINFO_ENCODINGMASK_NAMESPACE_FLAG            0x02
+ #define DIAGNOSTICINFO_ENCODINGMASK_LOCALIZEDTEXT_FLAG        0x04
+@@ -53,6 +50,9 @@
+ #define EXTOBJ_ENCODINGMASK_BINBODY_FLAG                      0x01
+ #define EXTOBJ_ENCODINGMASK_XMLBODY_FLAG                      0x02
+ 
++/* Chosen arbitrarily */
++#define MAX_ARRAY_LEN 10000
++
+ static int hf_opcua_diag_mask_symbolicflag = -1;
+ static int hf_opcua_diag_mask_namespaceflag = -1;
+ static int hf_opcua_diag_mask_localizedtextflag = -1;
+@@ -317,35 +317,28 @@
+ 
+ void parseString(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIndex)
+ {
+-    char *szValue = ep_alloc(MAX_BUFFER);
++    char *szValue;
+     gint iOffset = *pOffset;
+     gint32 iLen = tvb_get_letohl(tvb, *pOffset);
+     iOffset+=4;
+ 
+-    if (szValue)
++    if (iLen == -1)
+     {
+-        if (iLen == -1)
+-        {
+-            g_snprintf(szValue, MAX_BUFFER, "[OpcUa Null String]");
+-        }
+-        else if (iLen >= 0)
+-        {
+-            int iStrLen = iLen;
+-            if (iStrLen > (MAX_BUFFER-1)) iStrLen = MAX_BUFFER - 1;
+-            /* copy non null terminated string of length iStrlen */
+-            strncpy(szValue, (char*)&tvb->real_data[iOffset], iStrLen);
+-            /* set null terminator */
+-            szValue[iStrLen] = 0;
+-            iOffset += iLen; /* eat the whole string */
+-        }
+-        else
+-        {
+-            g_snprintf(szValue, MAX_BUFFER, "[Invalid String] Ups, something is wrong with this message.");
+-        }
+-
++        proto_tree_add_string(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset),
++                              "[OpcUa Null String]");
++    }
++    else if (iLen >= 0)
++    {
++        iOffset += iLen; /* eat the whole string */
++        proto_tree_add_item(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset), TRUE);
++    }
++    else
++    {
++        szValue = ep_strdup_printf("[Invalid String] Invalid length: %d", iLen);
+         proto_tree_add_string(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset), szValue);
+-        *pOffset = iOffset;
+     }
++
++    *pOffset = iOffset;
+ }
+ 
+ void parseStatusCode(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIndex)
+@@ -623,11 +616,17 @@
+     /* read array length */
+     iLen = tvb_get_letohl(tvb, *pOffset);
+     proto_tree_add_item(subtree, hf_opcua_ArraySize, tvb, *pOffset, 4, TRUE);
+-    *pOffset += 4;
+ 
+     if (iLen == -1) return; /* no array */
+     if (iLen == 0)  return; /* array with zero elements*/
+ 
++    if (iLen > MAX_ARRAY_LEN)
++    {
++        PROTO_ITEM_SET_GENERATED(proto_tree_add_text(tree, tvb, *pOffset, 4, "Array length %d too large to process", iLen));
++        return;
++    }
++
++    *pOffset += 4;
+     for (i=0; i<iLen; i++)
+     {
+         (*pParserFunction)(subtree, tvb, pOffset, hfIndex);
+@@ -649,11 +648,17 @@
+     /* read array length */
+     iLen = tvb_get_letohl(tvb, *pOffset);
+     proto_tree_add_item(subtree, hf_opcua_ArraySize, tvb, *pOffset, 4, TRUE);
+-    *pOffset += 4;
+ 
+     if (iLen == -1) return; /* no array */
+     if (iLen == 0)  return; /* array with zero elements*/
+ 
++    if (iLen > MAX_ARRAY_LEN)
++    {
++        PROTO_ITEM_SET_GENERATED(proto_tree_add_text(tree, tvb, *pOffset, 4, "Array length %d too large to process", iLen));
++        return;
++    }
++
++    *pOffset += 4;
+     for (i=0; i<iLen; i++)
+     {
+         (*pParserFunction)(subtree, tvb, pOffset);
+@@ -674,11 +679,17 @@
+     /* read array length */
+     iLen = tvb_get_letohl(tvb, *pOffset);
+     proto_tree_add_item(subtree, hf_opcua_ArraySize, tvb, *pOffset, 4, TRUE);
+-    *pOffset += 4;
+ 
+     if (iLen == -1) return; /* no array */
+     if (iLen == 0)  return; /* array with zero elements*/
+ 
++    if (iLen > MAX_ARRAY_LEN)
++    {
++        PROTO_ITEM_SET_GENERATED(proto_tree_add_text(tree, tvb, *pOffset, 4, "Array length %d too large to process", iLen));
++        return;
++    }
++
++    *pOffset += 4;
+     for (i=0; i<iLen; i++)
+     {
+         char szNum[20];
+Index: plugins/opcua/opcua.c
+===================================================================
+--- trunk/plugins/opcua/opcua.c	(revision 29828)
++++ trunk/plugins/opcua/opcua.c	(revision 29829)
+@@ -184,11 +184,11 @@
+     }
+ 
+     /* parse message type */
+-    if (tvb->real_data[0] == 'U' && tvb->real_data[1] == 'A')
++    if (tvb_get_guint8(tvb, 0) == 'U' && tvb_get_guint8(tvb, 1) == 'A')
+     {
+-        if (tvb->real_data[2] == 'T')
++        if (tvb_get_guint8(tvb, 2) == 'T')
+         {
+-            switch(tvb->real_data[3])
++            switch(tvb_get_guint8(tvb, 3))
+             {
+             case 'H': msgtype = MSG_HELLO;
+                 pfctParse = parseHello;
+@@ -203,9 +203,9 @@
+                 break;
+             }                
+         }
+-        else if (tvb->real_data[2] == 'M')
++        else if (tvb_get_guint8(tvb, 2) == 'M')
+         {
+-            switch(tvb->real_data[3])
++            switch(tvb_get_guint8(tvb, 3))
+             {
+             case 'G': msgtype = MSG_DATA_LAST_CHUNK;
+                 pfctParse = parseData;
+Index: plugins/opcua/opcua_transport_layer.c
+===================================================================
+--- trunk/plugins/opcua/opcua_transport_layer.c	(revision 29828)
++++ trunk/plugins/opcua/opcua_transport_layer.c	(revision 29829)
+@@ -107,34 +107,10 @@
+     proto_register_field_array(proto, hf, array_length(hf));
+ }
+ 
+-/** helper functions for adding strings,
+-  * that are not zero terminated.
+-  */
+-void addString(proto_tree *tree,  
+-               int  hfindex,  
+-               tvbuff_t *tvb,  
+-               gint  start,  
+-               gint  length,  
+-               const char *value)
+-{
+-    char *szValue = ep_alloc(256);
+-
+-    if (szValue)
+-    {
+-        if (length > 255) length = 255;
+-        /* copy non null terminated string data */
+-        strncpy(szValue, value, length);
+-        /* set null terminator */
+-        szValue[length] = 0;
+-
+-        proto_tree_add_string(tree, hfindex, tvb, start, length, szValue);
+-    }
+-}
+-
+ /* Transport Layer: message parsers */
+ void parseHello(proto_tree *tree, tvbuff_t *tvb, gint *pOffset)
+ {
+-    addString(tree, hf_opcua_transport_sig, tvb, *pOffset, 4, tvb->real_data); *pOffset+=4;
++    proto_tree_add_item(tree, hf_opcua_transport_sig, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+     proto_tree_add_item(tree, hf_opcua_transport_len, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+     proto_tree_add_item(tree, hf_opcua_transport_ver, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+     proto_tree_add_item(tree, hf_opcua_transport_cid, tvb, *pOffset, 16, TRUE); *pOffset+=16;
+@@ -146,7 +122,7 @@
+ 
+ void parseAcknowledge(proto_tree *tree, tvbuff_t *tvb, gint *pOffset)
+ {
+-    addString(tree, hf_opcua_transport_sig, tvb, *pOffset, 4, tvb->real_data); *pOffset+=4;
++    proto_tree_add_item(tree, hf_opcua_transport_sig, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+     proto_tree_add_item(tree, hf_opcua_transport_len, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+     proto_tree_add_item(tree, hf_opcua_transport_cid, tvb, *pOffset, 16, TRUE); *pOffset+=16;
+     proto_tree_add_item(tree, hf_opcua_transport_rlifetime, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+@@ -157,7 +133,7 @@
+ 
+ void parseDisconnect(proto_tree *tree, tvbuff_t *tvb, gint *pOffset)
+ {
+-    addString(tree, hf_opcua_transport_sig, tvb, *pOffset, 4, tvb->real_data); *pOffset+=4;
++    proto_tree_add_item(tree, hf_opcua_transport_sig, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+     proto_tree_add_item(tree, hf_opcua_transport_len, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+     proto_tree_add_item(tree, hf_opcua_transport_cid, tvb, *pOffset, 16, TRUE); *pOffset+=16;
+ }
+@@ -169,7 +145,7 @@
+     proto_tree *nodeid_tree;
+     int ServiceId = 0;
+ 
+-    addString(tree, hf_opcua_transport_sig, tvb, *pOffset, 4, tvb->real_data); *pOffset+=4;
++    proto_tree_add_item(tree, hf_opcua_transport_sig, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+     proto_tree_add_item(tree, hf_opcua_transport_len, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+     proto_tree_add_item(tree, hf_opcua_transport_cid, tvb, *pOffset, 16, TRUE); *pOffset+=16;
+     proto_tree_add_item(tree, hf_opcua_transport_rqid, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+@@ -195,7 +171,7 @@
+ 
+ void parseAbort(proto_tree *tree, tvbuff_t *tvb, gint *pOffset)
+ {
+-    addString(tree, hf_opcua_transport_sig, tvb, *pOffset, 4, tvb->real_data); *pOffset+=4;
++    proto_tree_add_item(tree, hf_opcua_transport_sig, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+     proto_tree_add_item(tree, hf_opcua_transport_len, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+     proto_tree_add_item(tree, hf_opcua_transport_cid, tvb, *pOffset, 16, TRUE); *pOffset+=16;
+     proto_tree_add_item(tree, hf_opcua_transport_rqid, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+@@ -203,7 +179,7 @@
+ 
+ void parseError(proto_tree *tree, tvbuff_t *tvb, gint *pOffset)
+ {
+-    addString(tree, hf_opcua_transport_sig, tvb, *pOffset, 4, tvb->real_data); *pOffset+=4;
++    proto_tree_add_item(tree, hf_opcua_transport_sig, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+     proto_tree_add_item(tree, hf_opcua_transport_len, tvb, *pOffset, 4, TRUE); *pOffset+=4;
+     proto_tree_add_item(tree, hf_opcua_transport_cid, tvb, *pOffset, 16, TRUE); *pOffset+=16;
+     proto_tree_add_item(tree, hf_opcua_transport_rqid, tvb, *pOffset, 4, TRUE); *pOffset+=4;
Index: debian/patches/33_fix_afs_crash.dpatch
===================================================================
--- debian/patches/33_fix_afs_crash.dpatch	(revision 0)
+++ debian/patches/33_fix_afs_crash.dpatch	(revision 14468)
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 33_fix_afs_crash.dpatch by  <balint@balintreczey.hu>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix crash in AFS dissector
+
+@DPATCH@
+
+--- wireshark-1.0.2/epan/dissectors/packet-afs.c.orig	2009-09-28 13:19:22.000000000 +0200
++++ wireshark-1.0.2/epan/dissectors/packet-afs.c	2009-09-28 13:23:37.000000000 +0200
+@@ -414,19 +414,12 @@
+ /* Output a rx style string, up to a maximum length first
+    4 bytes - length, then char data */
+ #define OUT_RXString(field) \
+-	{	guint32 i,len; \
+-		char *tmp; \
+-		const guint8 *p; \
+-		i = tvb_get_ntohl(tvb, offset); \
+-		offset += 4; \
+-		p = tvb_get_ptr(tvb,offset,i); \
+-		len = ((i+4-1)/4)*4; \
+-		tmp = ep_alloc(i+1); \
+-		memcpy(tmp, p, i); \
+-		tmp[i] = '\0'; \
+-		proto_tree_add_string(tree, field, tvb, offset-4, len+4, \
+-		(void *)tmp); \
+-		offset += len; \
++	{	guint32 i_orxs,len_orxs; \
++		i_orxs = tvb_get_ntohl(tvb, offset); \
++		len_orxs = ((i_orxs+4-1)/4)*4 + 4; \
++		proto_tree_add_item(tree, field, tvb, offset-4, len_orxs, \
++		FALSE); \
++		offset += len_orxs; \
+ 	}
+ 
+ /* Output a fixed length vectorized string (each char is a 32 bit int) */
Index: debian/patches/30_pcnfsd_crash_fix.dpatch
===================================================================
--- debian/patches/30_pcnfsd_crash_fix.dpatch	(revision 0)
+++ debian/patches/30_pcnfsd_crash_fix.dpatch	(revision 14468)
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 24__pcnfsd_crash_fix.dpatch by  <balint@balintreczey.hu>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix buffer allocation to prevent crash
+
+@DPATCH@
+
+Index: trunk/epan/dissectors/packet-pcnfsd.c
+===================================================================
+--- trunk/epan/dissectors/packet-pcnfsd.c	(revision 28127)
++++ trunk/epan/dissectors/packet-pcnfsd.c	(revision 28128)
+@@ -211,7 +211,10 @@
+ 	}
+ 
+ 	if (ident) {
+-		pcnfsd_decode_obscure(ident, strlen(ident));
++		/* Only attempt to decode the ident if it has been specified */
++		if (strcmp(ident, RPC_STRING_EMPTY))	
++			pcnfsd_decode_obscure(ident, (int)strlen(ident));
++
+ 		if (ident_tree)
+ 			proto_tree_add_string(ident_tree,
+ 				hf_pcnfsd_auth_ident_clear,
+@@ -238,7 +241,10 @@
+ 	}
+ 
+ 	if (password) {
+-		pcnfsd_decode_obscure(password, strlen(password));
++		/* Only attempt to decode the password if it has been specified */
++		if (strcmp(password, RPC_STRING_EMPTY))	
++			pcnfsd_decode_obscure(password, (int)strlen(password));
++
+ 		if (password_tree)
+ 			proto_tree_add_string(password_tree,
+ 				hf_pcnfsd_auth_password_clear,
+Index: trunk/epan/dissectors/packet-rpc.c
+===================================================================
+--- trunk/epan/dissectors/packet-rpc.c	(revision 28127)
++++ trunk/epan/dissectors/packet-rpc.c	(revision 28128)
+@@ -626,24 +626,21 @@
+ 				char *formatted;
+ 
+ 				formatted = format_text(string_buffer, strlen(string_buffer));
+-				/* alloc maximum data area */
+-#define STRING_BUFFER_PRINT_MAX_LEN (strlen(formatted)+12+1)
+-				string_buffer_print = (char*)ep_alloc(STRING_BUFFER_PRINT_MAX_LEN);
+ 				/* copy over the data and append <TRUNCATED> */
+-				g_snprintf(string_buffer_print, STRING_BUFFER_PRINT_MAX_LEN, "%s<TRUNCATED>", formatted);
++				string_buffer_print=ep_strdup_printf("%s%s", formatted, RPC_STRING_TRUNCATED);
+ 			} else {
+-				string_buffer_print="<DATA><TRUNCATED>";
++				string_buffer_print=RPC_STRING_DATA RPC_STRING_TRUNCATED;
+ 			}
+ 		} else {
+ 			if (string_data) {
+ 				string_buffer_print =
+ 				    ep_strdup(format_text(string_buffer, strlen(string_buffer)));
+ 			} else {
+-				string_buffer_print="<DATA>";
++				string_buffer_print=RPC_STRING_DATA;
+ 			}
+ 		}
+ 	} else {
+-		string_buffer_print="<EMPTY>";
++		string_buffer_print=RPC_STRING_EMPTY;
+ 	}
+ 
+ 	if (tree) {
+Index: trunk/epan/dissectors/packet-rpc.h
+===================================================================
+--- trunk/epan/dissectors/packet-rpc.h	(revision 28127)
++++ trunk/epan/dissectors/packet-rpc.h	(revision 28128)
+@@ -93,6 +93,10 @@
+ #define AUTHDES_NAMEKIND_FULLNAME 0
+ #define AUTHDES_NAMEKIND_NICKNAME 1
+ 
++#define RPC_STRING_EMPTY "<EMPTY>"
++#define RPC_STRING_DATA "<DATA>"
++#define RPC_STRING_TRUNCATED "<TRUNCATED>"
++
+ extern value_string rpc_authgss_svc[];
+ typedef enum {
+ 	FLAVOR_UNKNOWN,		/* authentication flavor unknown */
Index: debian/patches/00list
===================================================================
--- debian/patches/00list	(revision 13620)
+++ debian/patches/00list	(revision 14468)
@@ -17,3 +17,6 @@
 25_security_fixes_from_1.0.5
 26_security_fixes_from_1.0.6
 27_security_fixes_from_1.0.7
+30_pcnfsd_crash_fix.dpatch
+33_fix_afs_crash.dpatch
+34_fix_opcua_lockup.dpatch

--- End Message ---
--- Begin Message --- 
http://packages.qa.debian.org/w/wireshark/news/20091025T195740Z.html

Thanks,
Balint

--- End Message ---
Reply to: