Hello community, here is the log from the commit of package wireshark for openSUSE:11.3 checked in at Thu Oct 13 17:34:42 CEST 2011.
--------
--- old-versions/11.3/UPDATES/all/wireshark/wireshark.changes 2011-05-03 11:44:22.000000000 +0200
+++ 11.3/wireshark/wireshark.changes 2011-10-10 11:12:42.000000000 +0200
@@ -1,0 +2,26 @@
+Mon Sep 26 14:07:31 CST 2011 - [email protected]
+
+- security fixes (#bnc 718032)
+ * CVE-2011-3266: Wireshark IKE dissector vulnerability
+ * CVE-2011-3360: Wireshark Lua script execution vulnerability
+ * CVE-2011-3483: Wireshark buffer exception handling vulnerability
+
+-------------------------------------------------------------------
+Wed Aug 10 06:25:28 UTC 2011 - [email protected]
+
+- security fixes (#bnc 706728)
+ * CVE-2011-2597: Lucent/Ascend file parser susceptible to infinite loop
+ * CVE-2011-2698: ANSI MAP dissector susceptible to infinite loop
+
+-------------------------------------------------------------------
+Mon Jul 18 07:43:08 UTC 2011 - [email protected]
+
+- security fixes [#bnc 697516]
+ * CVE-2011-1957: Large/infinite loop in the DICOM dissector
+ * CVE-2011-1959: A corrupted snoop file could crash Wireshark
+ * CVE-2011-2174: Malformed compressed capture data could crash Wireshark
+ * CVE-2011-2175: A corrupted Visual Networks file could crash Wireshark
+ * CVE-2011-1958: dereferene a NULL pointer if we had a corrupted Diameter
+ dictionary
+
+-------------------------------------------------------------------
calling whatdependson for 11.3-i586 New: ---- wireshark-1.2.17-CVE-2011-1957.patch wireshark-1.2.17-CVE-2011-1958.patch wireshark-1.2.17-CVE-2011-1959.patch wireshark-1.2.17-CVE-2011-2174.patch wireshark-1.2.17-CVE-2011-2175.patch wireshark-1.4.8-CVE-2011-2597.patch wireshark-1.4.8-CVE-2011-2698.patch wireshark-1.6.2-CVE-2011-3266.patch wireshark-1.6.2-CVE-2011-3360.patch wireshark-1.6.2-CVE-2011-3483.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ wireshark.spec ++++++
--- /var/tmp/diff_new_pack.3OC1aZ/_old 2011-10-13 17:34:12.000000000 +0200
+++ /var/tmp/diff_new_pack.3OC1aZ/_new 2011-10-13 17:34:12.000000000 +0200
@@ -21,7 +21,7 @@
 Name: wireshark
 Version: 1.4.4
-Release: 0.<RELEASE4>
+Release: 0.<RELEASE6>
 License: GPLv2+
 Summary: A Network Traffic Analyser
 Url: http://www.wireshark.org/
@@ -39,6 +39,17 @@
 Patch6: %{name}-%{version}-CVE-2011-1592.patch
 Patch7: %{name}-%{version}-CVE-2011-1590.patch
 Patch8: %{name}-%{version}-CVE-2011-1591.patch
+Patch9: %{name}-1.2.17-CVE-2011-1957.patch
+Patch10: %{name}-1.2.17-CVE-2011-1959.patch
+Patch11: %{name}-1.2.17-CVE-2011-2174.patch
+Patch12: %{name}-1.2.17-CVE-2011-2175.patch
+Patch13: %{name}-1.2.17-CVE-2011-1958.patch
+Patch14: %{name}-1.4.8-CVE-2011-2597.patch
+Patch15: %{name}-1.4.8-CVE-2011-2698.patch
+Patch16: %{name}-1.6.2-CVE-2011-3266.patch
+Patch17: %{name}-1.6.2-CVE-2011-3360.patch
+Patch18: %{name}-1.6.2-CVE-2011-3483.patch
+
 BuildRequires: bison
 BuildRequires: cairo-devel
 BuildRequires: flex
@@ -104,6 +115,16 @@
 %patch6 -p1
 %patch7
 %patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
 sed -i 's/^Icon=wireshark.png$/Icon=wireshark/' wireshark.desktop
 # run as root on 11.3 and older - bnc#349782
++++++ wireshark-1.2.17-CVE-2011-1957.patch ++++++
--- trunk/epan/dissectors/packet-dcm.c 2011/04/30 08:36:00 36957
+++ trunk/epan/dissectors/packet-dcm.c 2011/04/30 17:43:05 36958
@@ -6519,6 +6519,7 @@
 /* Process all PDUs in the buffer */
 while (pdu_start < tlen) {
+ guint32 old_pdu_start;
 if ((pdu_len+6) > (tlen-offset)) {
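Review bot: The new Patch9 to Patch18 lines in the @@ -39 hunk carry no provenance comment, although their names show they come from different upstream trees (1.2.17, 1.4.8, 1.6.2) than the packaged 1.4.4. openSUSE spec convention is a `# PATCH-FIX-UPSTREAM` tag above each Patch line naming the bug and the CVE, e.g. `# PATCH-FIX-UPSTREAM wireshark-1.6.2-CVE-2011-3266.patch bnc#718032 -- backport of upstream r38247`. That tells the next maintainer which patches are backports that can be dropped on the next version update, and which upstream revision to compare against when a backport is suspected of being incomplete.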
@@ -6539,7 +6540,13 @@
 offset=dissect_dcm_pdu(tvb, pinfo, tree, pdu_start);
 /* Next PDU */
+ old_pdu_start = pdu_start;
 pdu_start = pdu_start + pdu_len + 6;
+ if (pdu_start <= old_pdu_start) {
+ expert_add_info_format(pinfo, NULL, PI_MALFORMED, PI_ERROR,
+ "Invalid PDU length (%u)", pdu_len);
+ THROW(ReportedBoundsError);
+ }
 if (pdu_start < tlen - 6) {
 /* we got at least 6 bytes of the next PDU still in the buffer */
++++++ wireshark-1.2.17-CVE-2011-1958.patch ++++++
--- trunk/epan/diam_dict.l 2011/05/06 15:05:51 37010
+++ trunk/epan/diam_dict.l 2011/05/06 19:39:47 37011
@@ -269,9 +269,6 @@
 yyterminate();
 }
- include_stack[include_stack_ptr++] = YY_CURRENT_BUFFER;
-
-
 for (e = ents.next; e; e = e->next) {
 if (strcmp(e->name,yytext) == 0) {
 yyin = ddict_open(sys_dir,e->file);
@@ -282,6 +279,7 @@
 yyterminate();
 }
 } else {
+ include_stack[include_stack_ptr++] = YY_CURRENT_BUFFER;
 yy_switch_to_buffer(yy_create_buffer( yyin, YY_BUF_SIZE ) );
 BEGIN LOADING;
 }
@@ -290,7 +288,7 @@
 }
 if (!e) {
- fprintf(stderr, "Could not find entity: '%s'", e->name );
+ fprintf(stderr, "Could not find entity: '%s'\n", yytext );
 yyterminate();
 }
++++++ wireshark-1.2.17-CVE-2011-1959.patch ++++++
--- trunk/wiretap/snoop.c 2011/05/11 20:40:14 37067
+++ trunk/wiretap/snoop.c 2011/05/11 22:36:59 37068
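Review bot: The wrap check `if (pdu_start <= old_pdu_start)` only catches an advance of zero or a wrap to below the previous start; pdu_len is printed with %u so it is presumably unsigned, and a value within 5 of its maximum makes `pdu_len + 6` wrap to a small positive number, so pdu_start advances by 1 to 5 bytes and the check passes. Rejecting the length before the addition closes that gap, e.g. `if (pdu_len > G_MAXUINT32 - 6 || pdu_start + pdu_len + 6 <= old_pdu_start)` (adjust the limit to pdu_len's real type, which is declared outside the hunk). The same unguarded `pdu_len+6` appears in the context line `if ((pdu_len+6) > (tlen-offset))` of the preceding packet-dcm.c hunk, so that bound is bypassed by the same input. The enclosing while loop starts in the preceding hunk and the function continues past this one.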
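Review bot: Moving `include_stack[include_stack_ptr++] = YY_CURRENT_BUFFER;` into the else branch of the second diam_dict.l hunk fixes the push on the failure path, but no depth check is visible before the post-increment; include_stack's size is declared outside these hunks, so a dictionary that nests includes deeper than that array writes past its end. A guard before the push such as `if (include_stack_ptr >= <include_stack capacity>) { fprintf(stderr, "Includes nested too deeply\n"); yyterminate(); }` keeps a malformed dictionary from corrupting scanner state. The enclosing rule action begins before the first hunk and continues past the third.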
@@ -473,6 +473,16 @@
 rec_size = g_ntohl(hdr.rec_len);
 orig_size = g_ntohl(hdr.orig_len);
 packet_size = g_ntohl(hdr.incl_len);
+ if (orig_size > WTAP_MAX_PACKET_SIZE) {
+ /*
+ * Probably a corrupt capture file; don't blow up trying
+ * to allocate space for an immensely-large packet.
+ */
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup_printf("snoop: File has %u-byte original length, bigger than maximum of %u",
+ orig_size, WTAP_MAX_PACKET_SIZE);
+ return FALSE;
+ }
 if (packet_size > WTAP_MAX_PACKET_SIZE) {
 /*
 * Probably a corrupt capture file; don't blow up trying
++++++ wireshark-1.2.17-CVE-2011-2174.patch ++++++
--- trunk/epan/tvbuff.c 2011/05/12 15:48:51 37080
+++ trunk/epan/tvbuff.c 2011/05/12 16:31:42 37081
@@ -3425,9 +3425,9 @@
 inflateEnd(strm);
 g_free(strm);
 g_free(strmbuf);
- g_free(compr);
 if (uncompr == NULL) {
+ g_free(compr);
 return NULL;
 }
++++++ wireshark-1.2.17-CVE-2011-2175.patch ++++++
--- trunk/wiretap/visual.c 2011/05/13 17:05:05 37127
+++ trunk/wiretap/visual.c 2011/05/13 17:12:44 37128
@@ -420,6 +420,15 @@
 break;
 }
+ if (wth->phdr.len > WTAP_MAX_PACKET_SIZE) {
+ /* Check if wth->phdr.len is sane, small values of wth.phdr.len before
+ the case loop above can cause integer underflows */
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup_printf("visual: File has %u-byte original packet, bigger than maximum of %u",
+ wth->phdr.len, WTAP_MAX_PACKET_SIZE);
+ return FALSE;
+ }
+
 /* Sanity check */
 if (wth->phdr.len < wth->phdr.caplen) {
++++++ wireshark-1.4.8-CVE-2011-2597.patch ++++++
--- trunk/wiretap/ascend_scanner.l 2011/06/08 18:26:50 37624
+++ trunk/wiretap/ascend_scanner.l 2011/06/08 20:58:44 37625
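Review bot: The new orig_size block in the snoop.c hunk is a verbatim copy of the packet_size block that follows it, four-line comment included; folding both into one test, `if (orig_size > WTAP_MAX_PACKET_SIZE || packet_size > WTAP_MAX_PACKET_SIZE)`, with a message naming whichever field is out of range, keeps the two sanity checks from drifting apart. The hunk does not show whether rec_size is ever compared against packet_size; if it is not (the rest of the enclosing read function is outside the hunk), a record length smaller than the included length is the next inconsistency worth rejecting here.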
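Review bot: After the tvbuff.c hunk, `compr` is released only when `uncompr == NULL`, and nothing in the hunk shows who owns it once decompression succeeds, so a reader cannot tell a fixed double free from a newly introduced leak. Add a comment at the moved `g_free(compr);` stating the ownership on the success path, e.g. `/* on success compr stays alive: <who frees it> */` with the placeholder filled in from the surrounding code. The enclosing function starts and ends outside the hunk.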
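Review bot: The comment added with the new check in the visual.c hunk mixes `wth->phdr.len` and `wth.phdr.len` and calls the construct above a "case loop" when it is apparently a switch; since it is the only explanation of how a value above WTAP_MAX_PACKET_SIZE arrives here, it should read along the lines of `/* The switch above adjusts wth->phdr.len; a small length in the file can underflow it to a huge value, so reject anything above the maximum packet size before it is used further. */`. The enclosing function starts and ends outside the hunk.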
@@ -16,17 +16,17 @@
 *
 * Wiretap Library
 * Copyright (c) 1998 by Gilbert Ramirez <[email protected]>
- *
+ *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
- *
+ *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
- *
+ *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
@@ -55,7 +55,7 @@
 extern char *ascend_ra_ptr;
 extern char *ascend_ra_last;
 #define YY_INPUT(buf,result,max_size) { int c = file_getc(yy_fh); \
-result = (c==EOF) ? YY_NULL : (buf[0] = c, 1); }
+result = (c==EOF) ? YY_NULL : (buf[0] = c, 1); }
 int at_eof;
 int mul, scratch;
@@ -159,17 +159,17 @@
 return WDS_PREFIX;
 }
-<sc_ether_direction>[^\(]+ {
+<sc_ether_direction>[^\(]{2,20} {
 BEGIN(sc_gen_task);
- return STRING;
+ return STRING;
 }
-<sc_isdn_call>[^\/\(:]+ {
+<sc_isdn_call>[^\/\(:]{2,20} {
 BEGIN(sc_gen_task);
 return DECNUM;
 }
-<sc_wds_user>[^:]+ {
+<sc_wds_user>[^:]{2,20} {
 char *atcopy = g_strdup(ascendtext);
 char colon = input();
 char after = input();
@@ -200,7 +200,7 @@
 return DECNUM;
 }
-<sc_gen_task>(0x|0X)?{H}+ {
+<sc_gen_task>(0x|0X)?{H}{2,8} {
 BEGIN(sc_gen_time_s);
 ascendlval.d = strtoul(ascendtext, NULL, 16);
 return HEXNUM;
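Review bot: The repetition bounds introduced in the @@ -159 and @@ -200 hunks (`{2,20}`, `{2,8}`) and in the following hunks (`{1,10}`, `{1,6}`, `{1,8}`) are bare numbers with no comment on their origin, so a later edit cannot tell which are field widths of the Ascend text format and which are merely "long enough". One comment above the first bounded rule, such as `/* Every variable-length token is bounded so a run of unexpected characters cannot keep the scanner in one state indefinitely (CVE-2011-2597) */`, plus the width rationale next to each rule, would preserve that. Separately, the @@ -16 and @@ -55 hunks change trailing whitespace only and inflate a security backport; leaving them out makes the patch easier to audit.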
@@ -210,13 +210,13 @@
 return STRING;
 }
-<sc_gen_time_s>{D}+ {
+<sc_gen_time_s>{D}{1,10} {
 BEGIN(sc_gen_time_u);
 ascendlval.d = strtol(ascendtext, NULL, 10);
 return DECNUM;
 }
-<sc_gen_time_u>{D}+ {
+<sc_gen_time_u>{D}{1,6} {
 char *atcopy = g_strdup(ascendtext);
 BEGIN(sc_gen_octets);
 /* only want the most significant 2 digits. convert to usecs */
@@ -227,7 +227,7 @@
 return DECNUM;
 }
-<sc_gen_octets>{D}+ {
+<sc_gen_octets>{D}{1,10} {
 BEGIN(sc_gen_counter);
 ascendlval.d = strtol(ascendtext, NULL, 10);
 return DECNUM;
@@ -243,11 +243,11 @@
 return HEXBYTE;
 }
-<sc_gen_byte>" "{4} {
+<sc_gen_byte>" "{4} {
 BEGIN(sc_chardisp);
 }
-<sc_chardisp>.* {
+<sc_chardisp>.* {
 BEGIN(sc_gen_byte);
 }
@@ -315,7 +315,7 @@
 return WDD_CHUNK;
 }
-<sc_wdd_chunknum>{H}+ {
+<sc_wdd_chunknum>{H}{1,8} {
 BEGIN(sc_wdd_type);
 ascendlval.d = strtoul(ascendtext, NULL, 16);
 return HEXNUM;
@@ -349,7 +349,7 @@
 /*
 * We want to stop processing when we get to the end of the input.
- * (%option noyywrap is not used because if used then
+ * (%option noyywrap is not used because if used then
 * some flex versions (eg: 2.5.35) generate code which causes
 * warnings by the Windows VC compiler).
 */
++++++ wireshark-1.4.8-CVE-2011-2698.patch ++++++
--- trunk/epan/dissectors/packet-ansi_a.c 2011/07/07 13:57:08 37929
+++ trunk/epan/dissectors/packet-ansi_a.c 2011/07/07 16:37:33 37930
@@ -2682,10 +2682,10 @@
 break;
 default:
- proto_tree_add_text(tree, tvb, curr_offset, len - 1,
+ proto_tree_add_text(tree, tvb, curr_offset, len,
 "Cell ID - Non IOS format");
- curr_offset += (len - 1);
+ curr_offset += len;
 break;
 }
++++++ wireshark-1.6.2-CVE-2011-3266.patch ++++++
--- trunk/epan/dissectors/packet-isakmp.c 2011/07/28 18:17:16 38246
+++ trunk/epan/dissectors/packet-isakmp.c 2011/07/28 22:19:46 38247
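Review bot: The default branch of the packet-ansi_a.c hunk now consumes `len` instead of `len - 1` without a comment, so the reason is only recoverable from the patch name; if len is unsigned (its declaration is outside the hunk) the old `len - 1` wrapped for a zero-length element, which is presumably the loop the changelog entry for CVE-2011-2698 refers to. A comment on the changed line, e.g. `/* consume the whole element; len - 1 underflowed for len == 0 (CVE-2011-2698) */`, records that so the arithmetic is not "restored" later. The enclosing switch and function extend beyond the hunk.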
@@ -3880,12 +3880,13 @@
 offset += 2;
 length -= 2;
-
- while (length > 0) {
+ if (spi_size > 0) {
+ while (length > 0) {
 proto_tree_add_item(tree, hf_isakmp_delete_spi, tvb, offset, spi_size, FALSE);
 offset+=spi_size;
 length-=spi_size;
- }
+ }
+ }
 }
++++++ wireshark-1.6.2-CVE-2011-3360.patch ++++++
--- trunk/epan/wslua/template-init.lua 2011/08/08 17:59:32 38413
+++ trunk/epan/wslua/template-init.lua 2011/08/08 19:10:19 38414
@@ -73,5 +73,5 @@
 DATA_DIR = datafile_path()
 USER_DIR = persconffile_path()
-dofile("console.lua")
---dofile("dtd_gen.lua")
+dofile(DATA_DIR.."console.lua")
+--dofile(DATA_DIR.."dtd_gen.lua")
++++++ wireshark-1.6.2-CVE-2011-3483.patch ++++++
Index: wireshark-1.4.4/epan/packet.c
===================================================================
--- wireshark-1.4.4.orig/epan/packet.c
+++ wireshark-1.4.4/epan/packet.c
@@ -321,6 +321,7 @@ dissect_packet(epan_dissect_t *edt, unio
 edt->pi.annex_a_used = MTP2_ANNEX_A_USED_UNKNOWN;
 edt->pi.dcerpc_procedure_name="";
 edt->pi.link_dir = LINK_DIR_UNKNOWN;
+ edt->tvb = NULL;
 /* to enable decode as for ethertype=0x0000 (fix for bug 4721) */
 edt->pi.ethertype = G_MAXINT;
continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
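Review bot: The new `if (spi_size > 0)` in the packet-isakmp.c hunk stops the zero-stride loop, but `length -= spi_size` still runs when spi_size does not evenly divide length; if length is unsigned (its declaration is outside the hunk) it wraps and `while (length > 0)` keeps going, and if it is signed the last item is added with spi_size bytes that extend past the declared payload length. `while (length >= spi_size)` handles both cases and makes the outer guard unnecessary. The body wrapped by the new if was also not re-indented to its new nesting level. The enclosing function starts before the hunk.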
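Review bot: `dofile(DATA_DIR.."console.lua")` in the template-init.lua hunk concatenates without a separator, so it depends on datafile_path() returning a directory string that already ends in one; that contract is not visible here, and if it does not hold the lookup silently becomes `<dir>console.lua` in the parent directory. Either document the assumption on the DATA_DIR line, `-- datafile_path() returns a directory ending in a path separator`, or build the path through a small helper that inserts the separator when it is missing.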
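Review bot: `edt->tvb = NULL;` in the packet.c hunk sits among the pi field resets of dissect_packet without a comment, so its purpose, presumably not carrying a tvb from a previous dissection into this one, is only recoverable from the patch file name. A short comment on the line, e.g. `/* never reuse a tvb left over from a previous dissection (CVE-2011-3483) */`, keeps a later cleanup from removing it as redundant. dissect_packet continues past the hunk.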
