Hi Balint,

as part of my work on E/LTS for Freexian I have prepared and tested security updates for trixie and bookworm (attached). Do you want to handle them or should I coordinate with the security team?

Cheers Jochen

* Debian Bug Tracking System <[email protected]> [2026-01-16 16:15]:
This is an automatic notification regarding your Bug report which was filed against the src:wireshark package:

#1125690: wireshark: CVE-2026-0959 CVE-2026-0960 CVE-2026-0961 CVE-2026-0962

It has been closed by Debian FTP Masters <[email protected]> (reply to Balint Reczey <[email protected]>).

Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact Debian FTP Masters <[email protected]> (reply to Balint Reczey <[email protected]>) by replying to this email.

--
1125690: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125690
Debian Bug Tracking System
Contact [email protected] with problems
Date: Fri, 16 Jan 2026 16:12:37 +0000
To: [email protected]
Reply-To: Balint Reczey <[email protected]>
From: Debian FTP Masters <[email protected]>
Subject: Bug#1125690: fixed in wireshark 4.6.3-1
Date: Fri, 16 Jan 2026 08:10:38 +0100
To: Debian Bug Tracking System <[email protected]>
X-Mailer: reportbug 13.2.0
From: Salvatore Bonaccorso <[email protected]>
Subject: wireshark: CVE-2026-0959 CVE-2026-0960 CVE-2026-0961 CVE-2026-0962

Source: wireshark
Version: 4.6.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for wireshark.

CVE-2026-0959[0]:
| IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and
| 4.4.0 to 4.4.12 allows denial of service

CVE-2026-0960[1]:
| HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2
| allows denial of service

CVE-2026-0961[2]:
| BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to
| 4.4.12 allows denial of service

CVE-2026-0962[3]:
| SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and
| 4.4.0 to 4.4.12 allows denial of service

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-0959
    https://www.cve.org/CVERecord?id=CVE-2026-0959
[1] https://security-tracker.debian.org/tracker/CVE-2026-0960
    https://www.cve.org/CVERecord?id=CVE-2026-0960
[2] https://security-tracker.debian.org/tracker/CVE-2026-0961
    https://www.cve.org/CVERecord?id=CVE-2026-0961
[3] https://security-tracker.debian.org/tracker/CVE-2026-0962
    https://www.cve.org/CVERecord?id=CVE-2026-0962

Regards,
Salvatore
From 2b9a8dd6bace267518c568cf3f39a83270255ec3 Mon Sep 17 00:00:00 2001 From: Jochen Sprickerhof <[email protected]> Date: Wed, 28 Jan 2026 13:22:56 +0100 Subject: [PATCH] DSA 4.0.17-0+deb12u2 --- debian/changelog | 12 +++ debian/patches/CVE-2024-11596.patch | 162 ++++++++++++++++++++++++++++ debian/patches/CVE-2025-5601.patch | 58 ++++++++++ debian/patches/CVE-2026-0962.patch | 144 +++++++++++++++++++++++++ debian/patches/series | 3 + 5 files changed, 379 insertions(+) create mode 100644 debian/patches/CVE-2024-11596.patch create mode 100644 debian/patches/CVE-2025-5601.patch create mode 100644 debian/patches/CVE-2026-0962.patch diff --git a/debian/changelog b/debian/changelog index 25987ad4c3..e464ecf18c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +wireshark (4.0.17-0+deb12u2) bookworm-security; urgency=high + + * Non-maintainer upload by the LTS Security Team. + * Fix CVE-2024-11596: ECMP dissector crash allows denial of service via + packet injection or crafted capture file. + * Fix CVE-2025-5601: Column handling crashes allows denial of service via + packet injection or crafted capture file. + Fix CVE-2026-0962: SOME/IP-SD protocol dissector crash allows denial of + service. + + -- Jochen Sprickerhof <[email protected]> Wed, 28 Jan 2026 13:22:40 +0100 + wireshark (4.0.17-0+deb12u1) bookworm; urgency=medium * Non-maintainer upload. diff --git a/debian/patches/CVE-2024-11596.patch b/debian/patches/CVE-2024-11596.patch new file mode 100644 index 0000000000..188344e6e5 --- /dev/null +++ b/debian/patches/CVE-2024-11596.patch 
@@ -0,0 +1,162 @@ +From: Gerald Combs <[email protected]> +Date: Thu, 14 Nov 2024 10:56:37 -0800 +Subject: ECMP: Exorcise a string buffer arithmetic gremlin + +Use a wmem_strbuf instead of manually allocating a string and managing +its offsets. + +Avoid appending a dangling space to our string. + +Fixes #20214 + +(cherry picked from commit c8e58870733f88f275ca9a6fa115ed085f987d94) + +Conflicts: + epan/dissectors/packet-ecmp.c + +origin: https://gitlab.com/wireshark/wireshark/-/merge_requests/18076/diffs?commit_id=06e0b0bb0925fe4b99cfb7243cce473031b09dee +--- + epan/dissectors/packet-ecmp.c | 77 +++++++++---------------------------------- + 1 file changed, 16 insertions(+), 61 deletions(-) + +diff --git a/epan/dissectors/packet-ecmp.c b/epan/dissectors/packet-ecmp.c +index 5b0ed6a..a1e351b 100644 +--- a/epan/dissectors/packet-ecmp.c ++++ b/epan/dissectors/packet-ecmp.c +@@ -1122,72 +1122,54 @@ static int display_raw_cyclic_data(guint8 display, int offset, guint16 buffer_si + proto_tree_add_bytes_format_value(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, offset-1, 0, NULL, "No data"); + } else { + /* define some variables */ +- gchar* pdata = NULL; /* pointer to array that stores the formatted data string */ +- guint16 idx = 0; /* counts through formatted string array */ +- guint8 value8 = 0; /* placeholder for extracted 8-bit data */ +- guint16 value16 = 0; /* placeholder for extracted 16-bit data */ +- guint32 value32 = 0; /* placeholder for extracted 32-bit data */ ++ wmem_strbuf_t* pdata = wmem_strbuf_new(wmem_packet_scope(), ""); /* formatted data string */ + guint16 num_elements_total = 0; /* contains total number of elements (byte/word/long) to be processed */ + const guint16 num_byte_elements_per_line = 16; /* number of byte (8-bit) elements per line e.g. "1B " (3 chars per element) */ + const guint16 num_word_elements_per_line = 16; /* number of word (16-bit) elements per line e.g. 
"A81B " (5 chars per element) */ + const guint16 num_long_elements_per_line = 8; /* number of long (32-bit) elements per line e.g. "01F4A81B " (9 chars per element) */ + guint16 num_elements_per_line = 8; /* counts the current number of elements per line */ + guint16 num_elements = 0; /* counts the number of elements in the format string */ +- guint16 format_string_size = 0; /* size of dynamic array to hold the formatted string */ + guint16 a = 0; /* value used for looping */ + int start_offset, line_offset; + +- /* calculate format string array size and other stuff */ +- /* */ +- /* Note: format string does require a nul-terminator (the + 1 in the equations) */ +- /* */ +- /* display = 0: (byte format "1D 24 3F ... A3 " */ +- /* format_string_size = (num_byte_elements_per_line * 3) + 1 */ +- /* */ +- /* display = 1: (word format "1D24 3F84 120B ... 1FA3 " */ +- /* format_string_size = (num_word_elements_per_line * 5) + 1 */ +- /* */ +- /* display = 2: (byte format "1D243F84 9BC08F20 ... 
28BB1FA3 " */ +- /* format_string_size = (num_long_elements_per_line * 9) + 1 */ ++ /* calculate number of elements */ + /* */ + if (display == cyclic_display_byte_format) { +- format_string_size = (num_byte_elements_per_line * 3) + 1; /* format_string_size = 49 */ + num_elements_per_line = num_byte_elements_per_line; /* num_elements_per_line = 16 */ + num_elements_total = buffer_size; + } else if (display == cyclic_display_word_format) { +- format_string_size = (num_word_elements_per_line * 5) + 1; /* format_string_size = 81 */ + num_elements_per_line = num_word_elements_per_line; /* num_elements_per_line = 16 */ + num_elements_total = buffer_size >> 1; + } else if (display == cyclic_display_long_format) { +- format_string_size = (num_long_elements_per_line * 9) + 1; /* format_string_size = 73 */ + num_elements_per_line = num_long_elements_per_line; /* num_elements_per_line = 8 */ + num_elements_total = buffer_size >> 2; + } else { +- format_string_size = (num_byte_elements_per_line * 3) + 1; /* format_string_size = 49 */ + num_elements_per_line = num_byte_elements_per_line; /* num_elements_per_line = 16 */ + num_elements_total = buffer_size; + } + +- /* allocate dynamic memory for one line */ +- pdata = (gchar *)wmem_alloc(wmem_packet_scope(), format_string_size); +- + /* OK, let's get started */ +- idx = 0; + num_elements = 0; + + line_offset = start_offset = offset; + /* work through the display elements, 1 byte\word\long at a time */ +- for (a = 0; a < num_elements_total; a++ ) +- { ++ for (a = 0; a < num_elements_total; a++ ) { ++ if (wmem_strbuf_get_len(pdata) > 0) { ++ wmem_strbuf_append_c(pdata, ' '); ++ } ++ + /* use Wireshark accessor function to get the next byte, word, or long data */ + if (display == cyclic_display_byte_format) { +- value8 = tvb_get_guint8(tvb, offset); ++ guint8 value8 = tvb_get_guint8(tvb, offset); ++ wmem_strbuf_append_printf(pdata, "%02x", value8); + offset++; + } else if (display == cyclic_display_word_format) { +- value16 = 
tvb_get_ntohs(tvb, offset); ++ guint16 value16 = tvb_get_ntohs(tvb, offset); ++ wmem_strbuf_append_printf(pdata, "%04x", value16); + offset += 2; + } else if (display == cyclic_display_long_format) { +- value32 = tvb_get_ntohl(tvb, offset); ++ guint32 value32 = tvb_get_ntohl(tvb, offset); ++ wmem_strbuf_append_printf(pdata, "%08x", value32); + offset += 4; + } + +@@ -1196,47 +1178,20 @@ static int display_raw_cyclic_data(guint8 display, int offset, guint16 buffer_si + + /* check if we hit the max number of byte elements per line */ + if (num_elements >= num_elements_per_line) { +- /* we hit end of the current line */ +- /* add final value to string */ +- if (display == cyclic_display_byte_format) { +- snprintf(&pdata[idx], 32, "%02x",value8); +- } else if (display == cyclic_display_word_format) { +- snprintf(&pdata[idx], 32, "%04x",value16); +- } else if (display == cyclic_display_long_format) { +- snprintf(&pdata[idx], 32, "%08x",value32); +- } +- + /* display the completed line in the sub-tree */ +- proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, offset, offset-line_offset, NULL, "%s", pdata); ++ proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, offset, offset-line_offset, NULL, "%s", wmem_strbuf_get_str(pdata)); + + /* start the line over */ +- idx = 0; ++ wmem_strbuf_truncate(pdata, 0); + num_elements = 0; + line_offset = offset; +- +- } else { +- /* we're still adding to the current line */ +- /* add current value to string */ +- if (display == cyclic_display_byte_format) { +- snprintf(&pdata[idx], 32, "%02x ",value8); +- idx += 3; +- } else if (display == cyclic_display_word_format) { +- snprintf(&pdata[idx], 32, "%04x ",value16); +- idx += 5; +- } else if (display == cyclic_display_long_format) { +- snprintf(&pdata[idx], 32, "%08x ",value32); +- idx += 9; +- } + } + } + + /* if we exited the loop, see if there's a partial line to display */ + if (num_elements > 0) { +- /* add null-terminator to partial line */ 
+- pdata[idx] = 0x00; +- + /* display the partial line in the sub-tree */ +- proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, start_offset, offset-start_offset, NULL, "%s", pdata); ++ proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, start_offset, offset-start_offset, NULL, "%s", wmem_strbuf_get_str(pdata)); + } + } + return offset; diff --git a/debian/patches/CVE-2025-5601.patch b/debian/patches/CVE-2025-5601.patch new file mode 100644 index 0000000000..4930b883fd --- /dev/null +++ b/debian/patches/CVE-2025-5601.patch 
@@ -0,0 +1,58 @@ +From: John Thacker <[email protected]> +Date: Sat, 26 Apr 2025 10:01:19 +0000 +Subject: column: Do not allow fence to go beyond column size when prepending + +When moving the fence location forward when prepending, ensure +that it does not go past the end of the buffer. + +Also get rid of unnecessary branching and strlen calls. + +Fix #20509 + +(cherry picked from commit 53213086304caa3dfbdd7dc39c2668a3aea1a5c0) + +Co-authored-by: John Thacker <[email protected]> +origin: https://gitlab.com/wireshark/wireshark/-/merge_requests/18076/diffs?commit_id=8c186dbb381cf51064fa8dbff7953468d5ae394c +--- + epan/column-utils.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/epan/column-utils.c b/epan/column-utils.c +index e80558d..6886608 100644 +--- a/epan/column-utils.c ++++ b/epan/column-utils.c +@@ -578,8 +578,13 @@ col_prepend_fstr(column_info *cinfo, const gint el, const gchar *format, ...) + /* + * Move the fence, unless it's at the beginning of the string. + */ +- if (col_item->col_fence > 0) ++ if (col_item->col_fence > 0) { ++ /* pos >= strlen if truncation occurred; this saves on a strlen ++ * call and prevents adding a single byte character later if a ++ * a multibyte character was truncated (good). */ + col_item->col_fence += (int) strlen(col_item->col_buf); ++ col_item->col_fence = MIN((int)(max_len - 1), col_item->col_fence); ++ } + + (void) g_strlcat(col_item->col_buf, orig, max_len); + col_item->col_data = col_item->col_buf; +@@ -622,11 +627,14 @@ col_prepend_fence_fstr(column_info *cinfo, const gint el, const gchar *format, . + * Move the fence if it exists, else create a new fence at the + * end of the prepended data. 
+ */ +- if (col_item->col_fence > 0) { +- col_item->col_fence += (int) strlen(col_item->col_buf); +- } else { +- col_item->col_fence = (int) strlen(col_item->col_buf); +- } ++ /* pos >= strlen if truncation occurred; this saves on a strlen ++ * call and prevents adding a single byte character later if a ++ * a multibyte character was truncated (good). */ ++ col_item->col_fence += (int) strlen(col_item->col_buf); ++ col_item->col_fence = MIN((int)(max_len - 1), col_item->col_fence); ++ /* ++ * Append the original data. ++ */ + (void) g_strlcat(col_item->col_buf, orig, max_len); + col_item->col_data = col_item->col_buf; + } diff --git a/debian/patches/CVE-2026-0962.patch b/debian/patches/CVE-2026-0962.patch new file mode 100644 index 0000000000..bc089ea923 --- /dev/null +++ b/debian/patches/CVE-2026-0962.patch 
@@ -0,0 +1,144 @@ +From: Gerald Combs <[email protected]> +Date: Mon, 12 Jan 2026 17:01:48 -0800 +Subject: SOME/IP-SD: Fix a buffer overflow + +Make sure we don't write past the end of our option port array. Make our +option count unsigned. + +Fixes #20945 + +(cherry picked from commit 55ec8b3db4968c97115f014fb5974206cdf57454) + +Conflicts: + epan/dissectors/packet-someip-sd.c +origin: https://gitlab.com/wireshark/wireshark/-/merge_requests/18076/diffs?commit_id=825b83e1ed146f6c8fa8f1d7ad2794061b82c895 +--- + epan/dissectors/packet-someip-sd.c | 30 ++++++++++++++++++++---------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +diff --git a/epan/dissectors/packet-someip-sd.c b/epan/dissectors/packet-someip-sd.c +index 3f5d36a..059e307 100644 +--- a/epan/dissectors/packet-someip-sd.c ++++ b/epan/dissectors/packet-someip-sd.c +@@ -81,6 +81,9 @@ + #define SD_OPTION_L4PROTO_TCP 6 + #define SD_OPTION_L4PROTO_UDP 17 + ++/* option start 0..255, num 0..15 -> 0..270 */ ++#define SD_MAX_NUM_OPTIONS 271 ++ + /* ID wireshark identifies the dissector by */ + static int proto_someip_sd = -1; + +@@ -237,6 +240,7 @@ static expert_field ef_someipsd_option_unknown = EI_INIT; + static expert_field ef_someipsd_option_wrong_length = EI_INIT; + static expert_field ef_someipsd_L4_protocol_unsupported = EI_INIT; + static expert_field ef_someipsd_config_string_malformed = EI_INIT; ++static expert_field ei_someipsd_too_many_options = EI_INIT; + + /*** prototypes ***/ + void proto_register_someip_sd(void); +@@ -247,13 +251,13 @@ void proto_reg_handoff_someip_sd(void); + *************************************/ + + static void +-dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum) { ++dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) { + guint32 offset_orig = offset; + const guint8 *config_string; + 
proto_item *ti; + proto_tree *subtree; + +- tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%d: Configuration Option", optionnum); ++ tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%u: Configuration Option", optionnum); + + /* Add common fields */ + proto_tree_add_item(tree, hf_someip_sd_option_length, tvb, offset, 2, ENC_BIG_ENDIAN); +@@ -290,7 +294,7 @@ dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, pr + } + + static void +-dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, guint32 offset, guint32 length, int optionnum) { ++dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) { + tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%d: Load Balancing Option", optionnum); + + /* Add common fields */ +@@ -310,7 +314,7 @@ dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_ + } + + static void +-dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum) { ++dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) { + guint8 type = 255; + const gchar *description = NULL; + guint32 l4port = 0; +@@ -323,7 +327,7 @@ dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree + + type = tvb_get_guint8(tvb, offset + 2); + description = val_to_str(type, sd_option_type, "(Unknown Option: %d)"); +- tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%d: %s Option", optionnum, description); ++ tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%u: %s Option", optionnum, description); 
+ + if (length != SD_OPTION_IPV4_LENGTH) { + expert_add_info(pinfo, ti_top, &ef_someipsd_option_wrong_length); +@@ -369,7 +373,7 @@ dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree + } + + static void +-dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum) { ++dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) { + guint8 type = 255; + const gchar *description = NULL; + guint32 l4port = 0; +@@ -381,7 +385,7 @@ dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree + type = tvb_get_guint8(tvb, offset + 2); + description = val_to_str(type, sd_option_type, "(Unknown Option: %d)"); + +- tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%d: %s Option", optionnum, description); ++ tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%u: %s Option", optionnum, description); + + if (length != SD_OPTION_IPV6_LENGTH) { + expert_add_info(pinfo, ti_top, &ef_someipsd_option_wrong_length); +@@ -425,11 +429,11 @@ dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree + } + + static void +-dissect_someip_sd_pdu_option_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum) { ++dissect_someip_sd_pdu_option_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) { + guint32 len = 0; + proto_item *ti; + +- tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti, "%d: %s Option", optionnum, ++ tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti, "%u: %s Option", optionnum, + val_to_str_const(tvb_get_guint8(tvb, offset + 2), sd_option_type, "Unknown")); + + 
expert_add_info(pinfo, ti, &ef_someipsd_option_unknown); +@@ -454,7 +458,7 @@ static int + dissect_someip_sd_pdu_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_item *ti, guint32 offset_orig, guint32 length) { + guint16 real_length = 0; + guint8 option_type = 0; +- int optionnum = 0; ++ unsigned optionnum = 0; + tvbuff_t *subtvb = NULL; + + guint32 offset = offset_orig; +@@ -465,6 +469,11 @@ dissect_someip_sd_pdu_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tre + } + + while (tvb_bytes_exist(tvb, offset, SD_OPTION_MINLENGTH)) { ++ if (optionnum >= SD_MAX_NUM_OPTIONS) { ++ expert_add_info(pinfo, ti, &ei_someipsd_too_many_options); ++ return offset; ++ } ++ + real_length = tvb_get_ntohs(tvb, offset) + 3; + option_type = tvb_get_guint8(tvb, offset + 2); + +@@ -1164,6 +1173,7 @@ proto_register_someip_sd(void) { + { &ef_someipsd_option_wrong_length,{ "someipsd.option_wrong_length", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Option length is incorrect!", EXPFILL } }, + { &ef_someipsd_L4_protocol_unsupported,{ "someipsd.L4_protocol_unsupported", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Unsupported Layer 4 Protocol!", EXPFILL } }, + { &ef_someipsd_config_string_malformed,{ "someipsd.config_string_malformed", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Configuration String malformed!", EXPFILL } }, ++ { &ei_someipsd_too_many_options,{ "someipsd.too_many_options", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Too many options!", EXPFILL } }, + }; + + /* Register Protocol, Fields, ETTs, Expert Info, Taps */ diff --git a/debian/patches/series b/debian/patches/series index 3834e173fe..d615fc08fc 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,6 @@ 09_idl2wrs.patch 0004-Use-packaged-JS-and-CSS-resources-instead-of-pulling.patch 0001-DOCSIS-Extended-EH-Elements-are-not-recursive.patch +CVE-2024-11596.patch +CVE-2025-5601.patch +CVE-2026-0962.patch -- 2.51.0
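Review bot: In the debian/changelog hunk of the bookworm patch, the CVE-2026-0962 entry is missing its leading "*", so it reads as a continuation of the CVE-2025-5601 item; add the bullet. "Column handling crashes allows" should read "crash allows". The entry also says "Non-maintainer upload by the LTS Security Team" while the distribution is bookworm-security and the commit subject is "DSA 4.0.17-0+deb12u2", so the wording should match whichever team ends up publishing the update.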
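Review bot: The header of debian/patches/CVE-2024-11596.patch lists "Conflicts: epan/dissectors/packet-ecmp.c" without saying how the conflict was resolved for 4.0.17, and its origin: URL points at merge request 18076, the same merge request number that appears in the origin: lines of the 2025 and 2026 patches in this series. Please check that each origin: link resolves to the cherry-picked commit named in the header, and add a short line on what was adapted in the backport.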
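Review bot: In debian/patches/CVE-2025-5601.patch, the comment added in both col_prepend_fstr and col_prepend_fence_fstr refers to "pos" and to saving a strlen call, but the code in these hunks has no pos variable and still computes the fence with strlen(col_item->col_buf). The effective fix is the MIN((int)(max_len - 1), col_item->col_fence) clamp, so the comment should describe that instead (it also contains a doubled "a a multibyte"). In col_prepend_fence_fstr the if/else was folded into an unconditional "+=", which only matches the old else branch when col_fence is 0 on entry; a one-line comment stating that assumption would help the next backporter.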
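Review bot: In the bookworm debian/patches/CVE-2026-0962.patch, dissect_someip_sd_pdu_option_loadbalancing now takes "unsigned optionnum" but the unchanged context line below it still formats it with "%d: Load Balancing Option"; the other option functions in this patch were switched to "%u", so this one should be too. The new expert field is named ei_someipsd_too_many_options while its neighbours in this version use the ef_someipsd_ prefix; keeping the upstream name is fine, but it is worth a word in the patch header since the file was adapted anyway.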
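Review bot: The loop check added to dissect_someip_sd_pdu_options in the bookworm backport bounds optionnum by SD_MAX_NUM_OPTIONS, but none of the 4.0.17 hunks shows an option_ports array being written (the ipv4/ipv6 option functions here have no option_ports[] parameter), while the patch description says the fix stops a write past the end of the option port array and the bug report lists only 4.4.0 to 4.4.12 and 4.6.0 to 4.6.2 as affected. Please confirm whether 4.0.17 is actually affected; if the check is carried as hardening only, say so in the patch header and in the changelog entry rather than listing it as a CVE fix.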
From 0d6235c8603e9de971ecb33ce29b4b5cdc78d534 Mon Sep 17 00:00:00 2001 From: Jochen Sprickerhof <[email protected]> Date: Wed, 28 Jan 2026 12:32:57 +0100 Subject: [PATCH] DSA 4.4.7-1+deb13u1 --- debian/changelog | 11 +++ debian/patches/CVE-2026-0959.patch | 62 +++++++++++++ debian/patches/CVE-2026-0961.patch | 31 +++++++ debian/patches/CVE-2026-0962.patch | 137 +++++++++++++++++++++++++++++ debian/patches/series | 3 + 5 files changed, 244 insertions(+) create mode 100644 debian/patches/CVE-2026-0959.patch create mode 100644 debian/patches/CVE-2026-0961.patch create mode 100644 debian/patches/CVE-2026-0962.patch diff --git a/debian/changelog b/debian/changelog index f83ee2440a..c5050b7565 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +wireshark (4.4.7-1+deb13u1) trixie-security; urgency=high + + * Non-maintainer upload by the LTS Security Team. + * Fix CVE-2026-0959: EEE 802.11 protocol dissector crash allows denial of + service. + * Fix CVE-2026-0961: BLF file parser crash allows denial of service. + * Fix CVE-2026-0962: SOME/IP-SD protocol dissector crash allows denial of + service. + + -- Jochen Sprickerhof <[email protected]> Wed, 28 Jan 2026 12:32:30 +0100 + wireshark (4.4.7-1) unstable; urgency=medium * Upload to unstable (Closes: #1107515) diff --git a/debian/patches/CVE-2026-0959.patch b/debian/patches/CVE-2026-0959.patch new file mode 100644 index 0000000000..f13ead16b5 --- /dev/null +++ b/debian/patches/CVE-2026-0959.patch 
@@ -0,0 +1,62 @@ +From: John Thacker <[email protected]> +Date: Sun, 11 Jan 2026 03:11:02 +0000 +Subject: ieee80211: Avoid using a fixed array for multi-link per-STA + subelements + +Since this processes to the end of the TVB, there might be more than 16. +Simplify the logic and only test for a set link_id in one place. This +also gets rid of a possible use of an uninitialized value on error. + +Fix #20939, OSS-Fuzz 474458885 + +(cherry picked from commit 4b48ee36f1829d6d3d009bf9871af523ce8e3ace) + +Co-authored-by: John Thacker <[email protected]> +origin: https://gitlab.com/wireshark/wireshark/-/merge_requests/18076/diffs?commit_id=5bfd4035f52f3dbc499a1963c42cedbb194b7eec +--- + epan/dissectors/packet-ieee80211.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +diff --git a/epan/dissectors/packet-ieee80211.c b/epan/dissectors/packet-ieee80211.c +index 6ed3b47..89bea94 100644 +--- a/epan/dissectors/packet-ieee80211.c ++++ b/epan/dissectors/packet-ieee80211.c +@@ -28301,7 +28301,7 @@ dissect_multi_link(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, + uint8_t multi_link_type = multi_link_control & 0x0007; + uint16_t present = multi_link_control >> 4; + int elt = 0, hf_index; +- int local_link_ids[16]; ++ wmem_strbuf_t *link_id_list = wmem_strbuf_create(pinfo->pool); + + control = proto_tree_add_item(tree, hf_ieee80211_eht_multi_link_control, tvb, + offset, 2, ENC_LITTLE_ENDIAN); +@@ -28590,9 +28590,6 @@ dissect_multi_link(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, + multi_link_type, &link_id); + + offset += overhead; /* Account for the overhead in the subelt */ +- if (link_id != -1) { +- local_link_ids[elt] = link_id; +- } + break; + case 221: + /* Add an expert info saying there are none so far? */ +@@ -28603,18 +28600,13 @@ dissect_multi_link(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, + break; + } + if (link_id != -1) { ++ wmem_strbuf_append_printf(link_id_list, (elt == 0) ? 
"%d" : "_%d", link_id); + elt++; + } + } + proto_tree_add_uint(tree, hf_index, tvb, 0, 0, elt); + + if (elt) { +- wmem_strbuf_t *link_id_list = wmem_strbuf_new_sized(pinfo->pool, elt * 2); +- for (int i = 0; i < elt; i++) { +- if (local_link_ids[i] != -1) { +- wmem_strbuf_append_printf(link_id_list, (i == 0) ? "%d" : "_%d", local_link_ids[i]); +- } +- } + proto_tree_add_string(tree, hf_ieee80211_eht_multi_link_link_id_list, tvb, + 0, 0, link_id_list->str); + } diff --git a/debian/patches/CVE-2026-0961.patch b/debian/patches/CVE-2026-0961.patch new file mode 100644 index 0000000000..394dfbb83e --- /dev/null +++ b/debian/patches/CVE-2026-0961.patch @@ -0,0 +1,31 @@ +From: Darius Davis <[email protected]> +Date: Mon, 1 Dec 2025 17:47:28 +1000 +Subject: BLF: Validate length of uncompressed segments. + +When a container's data is not compressed, its actual length should equal the +length of the data stored in the file. + +Fixes #20880. + +(cherry picked from commit 516ba22c34bd62468c2967ac476146bc03482679) +origin: https://gitlab.com/wireshark/wireshark/-/merge_requests/18076/diffs?commit_id=c99f1188693ddad1e6ff0244ca0cd095619bdda7 +--- + wiretap/blf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/wiretap/blf.c b/wiretap/blf.c +index 0075936..528ccb0 100644 +--- a/wiretap/blf.c ++++ b/wiretap/blf.c +@@ -793,6 +793,11 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, blf_log_container_t *con + } + + if (container->compression_method == BLF_COMPRESSION_NONE) { ++ if (data_length != container->real_length) { ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = ws_strdup("blf_pull_logcontainer_into_memory: uncompressed data has wrong length"); ++ return false; ++ } + unsigned char* buf = g_try_malloc((size_t)container->real_length); + if (buf == NULL) { + *err = WTAP_ERR_INTERNAL; diff --git a/debian/patches/CVE-2026-0962.patch b/debian/patches/CVE-2026-0962.patch new file mode 100644 index 0000000000..504acad83d --- /dev/null 
+++ b/debian/patches/CVE-2026-0962.patch 
@@ -0,0 +1,137 @@ +From: Gerald Combs <[email protected]> +Date: Mon, 12 Jan 2026 17:01:48 -0800 +Subject: SOME/IP-SD: Fix a buffer overflow + +Make sure we don't write past the end of our option port array. Make our +option count unsigned. + +Fixes #20945 + +(cherry picked from commit 55ec8b3db4968c97115f014fb5974206cdf57454) + +Conflicts: + epan/dissectors/packet-someip-sd.c +origin: https://gitlab.com/wireshark/wireshark/-/merge_requests/18076/diffs?commit_id=825b83e1ed146f6c8fa8f1d7ad2794061b82c895 +--- + epan/dissectors/packet-someip-sd.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/epan/dissectors/packet-someip-sd.c b/epan/dissectors/packet-someip-sd.c +index 1a348d3..b36a2fc 100644 +--- a/epan/dissectors/packet-someip-sd.c ++++ b/epan/dissectors/packet-someip-sd.c +@@ -269,6 +269,7 @@ static expert_field ei_someipsd_option_unknown; + static expert_field ei_someipsd_option_wrong_length; + static expert_field ei_someipsd_L4_protocol_unsupported; + static expert_field ei_someipsd_config_string_malformed; ++static expert_field ei_someipsd_too_many_options; + + /*** prototypes ***/ + void proto_register_someip_sd(void); +@@ -301,13 +302,13 @@ someip_sd_register_ports(uint32_t opt_index, uint32_t opt_num, uint32_t option_c + } + + static void +-dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, uint32_t offset, uint32_t length, int optionnum) { ++dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, uint32_t offset, uint32_t length, unsigned optionnum) { + uint32_t offset_orig = offset; + const uint8_t *config_string; + proto_item *ti; + proto_tree *subtree; + +- tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%d: Configuration Option", optionnum); ++ tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%u: Configuration Option", 
optionnum); + + /* Add common fields */ + proto_tree_add_item(tree, hf_someip_sd_option_length, tvb, offset, 2, ENC_BIG_ENDIAN); +@@ -344,8 +345,8 @@ dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, pr + } + + static void +-dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, uint32_t offset, uint32_t length, int optionnum) { +- tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%d: Load Balancing Option", optionnum); ++dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, uint32_t offset, uint32_t length, unsigned optionnum) { ++ tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%u: Load Balancing Option", optionnum); + + /* Add common fields */ + proto_tree_add_item(tree, hf_someip_sd_option_length, tvb, offset, 2, ENC_BIG_ENDIAN); +@@ -364,7 +365,7 @@ dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_ + } + + static void +-dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, uint32_t offset, uint32_t length, int optionnum, uint32_t option_ports[]) { ++dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, uint32_t offset, uint32_t length, unsigned optionnum, uint32_t option_ports[]) { + uint8_t type = 255; + const char *description = NULL; + uint32_t l4port = 0; +@@ -377,7 +378,7 @@ dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree + + type = tvb_get_uint8(tvb, offset + 2); + description = val_to_str(type, sd_option_type, "(Unknown Option: %d)"); +- tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%d: %s Option", optionnum, description); ++ tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%u: %s Option", optionnum, description); + + if (length 
!= SD_OPTION_IPV4_LENGTH) { + expert_add_info(pinfo, ti_top, &ei_someipsd_option_wrong_length); +@@ -418,7 +419,7 @@ dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree + } + + static void +-dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, uint32_t offset, uint32_t length, int optionnum, uint32_t option_ports[]) { ++dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, uint32_t offset, uint32_t length, unsigned optionnum, uint32_t option_ports[]) { + uint8_t type = 255; + const char *description = NULL; + uint32_t l4port = 0; +@@ -431,7 +432,7 @@ dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree + type = tvb_get_uint8(tvb, offset + 2); + description = val_to_str(type, sd_option_type, "(Unknown Option: %d)"); + +- tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%d: %s Option", optionnum, description); ++ tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%u: %s Option", optionnum, description); + + if (length != SD_OPTION_IPV6_LENGTH) { + expert_add_info(pinfo, ti_top, &ei_someipsd_option_wrong_length); +@@ -471,11 +472,11 @@ dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree + } + + static void +-dissect_someip_sd_pdu_option_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, uint32_t offset, uint32_t length, int optionnum) { ++dissect_someip_sd_pdu_option_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, uint32_t offset, uint32_t length, unsigned optionnum) { + uint32_t len = 0; + proto_item *ti; + +- tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti, "%d: %s Option", optionnum, ++ tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti, "%u: %s Option", optionnum, + val_to_str_const(tvb_get_uint8(tvb, offset + 2), 
sd_option_type, "Unknown")); + + expert_add_info(pinfo, ti, &ei_someipsd_option_unknown); +@@ -500,7 +501,7 @@ static int + dissect_someip_sd_pdu_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_item *ti, uint32_t offset_orig, uint32_t length, uint32_t option_ports[], unsigned *option_count) { + uint16_t real_length = 0; + uint8_t option_type = 0; +- int optionnum = 0; ++ unsigned optionnum = 0; + tvbuff_t *subtvb = NULL; + + uint32_t offset = offset_orig; +@@ -511,7 +512,11 @@ dissect_someip_sd_pdu_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tre + } + + while (tvb_bytes_exist(tvb, offset, SD_OPTION_MINLENGTH)) { +- ws_assert(optionnum >= 0 && optionnum < SD_MAX_NUM_OPTIONS); ++ if (optionnum >= SD_MAX_NUM_OPTIONS) { ++ expert_add_info(pinfo, ti, &ei_someipsd_too_many_options); ++ return offset; ++ } ++ + option_ports[optionnum] = 0; + + real_length = tvb_get_ntohs(tvb, offset) + 3; +@@ -1290,6 +1295,7 @@ proto_register_someip_sd(void) { + { &ei_someipsd_option_wrong_length,{ "someipsd.option_wrong_length", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Option length is incorrect!", EXPFILL } }, + { &ei_someipsd_L4_protocol_unsupported,{ "someipsd.L4_protocol_unsupported", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Unsupported Layer 4 Protocol!", EXPFILL } }, + { &ei_someipsd_config_string_malformed,{ "someipsd.config_string_malformed", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Configuration String malformed!", EXPFILL } }, ++ { &ei_someipsd_too_many_options,{ "someipsd.too_many_options", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Too many options!", EXPFILL } }, + }; + + /* Register Protocol, Fields, ETTs, Expert Info, Taps, Dissector */ diff --git a/debian/patches/series b/debian/patches/series index fab07d763f..89f1dbfaec 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1,3 +1,6 @@ 0001-tools-Use-esnacc-instead-of-snacc-in-asn2deb.patch 09_idl2wrs.patch 0004-Use-packaged-JS-and-CSS-resources-instead-of-pulling.patch +CVE-2026-0959.patch +CVE-2026-0961.patch +CVE-2026-0962.patch -- 2.51.0
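Review bot: In the debian/changelog hunk of the trixie patch, the CVE-2026-0959 entry reads "EEE 802.11 protocol dissector crash"; that should be "IEEE 802.11", as in the bug report. The entry also says "Non-maintainer upload by the LTS Security Team" for a trixie-security upload under the subject "DSA 4.4.7-1+deb13u1"; adjust the wording to the team that will publish it.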
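Review bot: In the trixie debian/patches/CVE-2026-0962.patch, the hunk in dissect_someip_sd_pdu_options replaces ws_assert(optionnum >= 0 && optionnum < SD_MAX_NUM_OPTIONS) with an early "return offset;" placed before "option_ports[optionnum] = 0;", which is the right spot for the bound check. The patch header still carries "Conflicts: epan/dissectors/packet-someip-sd.c" with no note on what differed from upstream commit 55ec8b3db4968c97115f014fb5974206cdf57454; a sentence on the resolution would make the backport easier to audit.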

