Source: wireshark
Version: 1.0.2-3+lenny5
Severity: critical
Tags: patch security
Hi,

There is a new upstream version available: http://www.wireshark.org/docs/relnotes/wireshark-1.0.8.html

It contains several security-related fixes, collected in the attached patch.

Cheers,
Balint
Index: debian/patches/28_uat_proto_name_use_strndup.dpatch
===================================================================
--- debian/patches/28_uat_proto_name_use_strndup.dpatch (revision 0)
+++ debian/patches/28_uat_proto_name_use_strndup.dpatch (revision 0)
@@ -0,0 +1,66 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 22_uat_proto_name_use_strndup.dpatch by <ebli...@oceanus.sz13.dyndns.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Use g_strndup() instead of ep_strndup() to avoid freeing it up too early
+
+...@dpatch@
+
+Index: trunk/epan/uat.h
+===================================================================
+--- trunk/epan/uat.h (revision 27662)
++++ trunk/epan/uat.h (revision 27663)
+@@ -452,7 +452,7 @@
+ #define UAT_PROTO_DEF(basename, field_name, dissector_field, name_field, rec_t) \
+ static void basename ## _ ## field_name ## _set_cb(void* rec, const char* buf, unsigned len, void* u1 _U_, void* u2 _U_) {\
+ if (len) { \
+- ((rec_t*)rec)->name_field = ep_strndup(buf,len); g_strdown(((rec_t*)rec)->name_field ); g_strchug(((rec_t*)rec)->name_field); \
++ ((rec_t*)rec)->name_field = g_strndup(buf,len); g_strdown(((rec_t*)rec)->name_field ); g_strchug(((rec_t*)rec)->name_field); \
+ ((rec_t*)rec)->dissector_field = find_dissector(((rec_t*)rec)->name_field); \
+ } else { \
+ ((rec_t*)rec)->dissector_field = find_dissector("data"); \
+Index: trunk/epan/dissectors/packet-user_encap.c
+===================================================================
+--- trunk/epan/dissectors/packet-user_encap.c (revision 27662)
++++ trunk/epan/dissectors/packet-user_encap.c (revision 27663)
+@@ -126,9 +126,27 @@
+ }
+ }
+ 
+-static void user_update_cb(void* r _U_, const char** err _U_) {
++static void* user_copy_cb(void* dest, const void* orig, unsigned len _U_)
++{
++ const user_encap_t *o = orig;
++ user_encap_t *d = dest;
++
++ d->payload_proto_name = g_strdup(o->payload_proto_name);
++ d->header_proto_name = g_strdup(o->header_proto_name);
++ d->trailer_proto_name = g_strdup(o->trailer_proto_name);
++
++ return d;
+ }
+ 
++static void user_free_cb(void* record)
++{
++ user_encap_t *u = record;
++
++ if (u->payload_proto_name) g_free(u->payload_proto_name);
++ if (u->header_proto_name) g_free(u->header_proto_name);
++ if (u->trailer_proto_name) g_free(u->trailer_proto_name);
++}
++
+ UAT_VS_DEF(user_encap, encap, user_encap_t, WTAP_ENCAP_USER0, ENCAP0_STR)
+ UAT_PROTO_DEF(user_encap, payload_proto, payload_proto, payload_proto_name, user_encap_t)
+ UAT_DEC_CB_DEF(user_encap, header_size, user_encap_t)
+@@ -177,9 +195,9 @@
+ &num_encaps,
+ UAT_CAT_FFMT,
+ "ChUserDLTsSection",
++ user_copy_cb,
+ NULL,
+- user_update_cb,
+- NULL,
++ user_free_cb,
+ user_flds );
+ 
+ prefs_register_uat_preference(module,
Property changes on: debian/patches/28_uat_proto_name_use_strndup.dpatch
___________________________________________________________________
Added: svn:mergeinfo
Index: debian/patches/31_ndmp_crash_fix.dpatch
===================================================================
--- debian/patches/31_ndmp_crash_fix.dpatch (revision 0)
+++ debian/patches/31_ndmp_crash_fix.dpatch (revision 0)
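Review bot: In the UAT_PROTO_DEF set_cb in uat.h the new `g_strndup(buf,len)` result is stored into `name_field` without releasing what the field held before, so now that the string is heap-allocated rather than packet-scoped, a record whose field is set more than once leaks the earlier copy; I would put `g_free(((rec_t*)rec)->name_field);` in front of the assignment, provided new records start zeroed — whether set_cb is ever invoked on an already-populated record is not visible here, so confirm that in uat.c. The same macro leaves `name_field` untouched on the `len == 0` path, so a stale value survives there as well. In user_copy_cb only the three string members are duplicated; if the UAT framework does not memcpy the record before calling copy_cb, the remaining members (encap, header_size and the dissector handles the macros set) are left unset in the copy, which is worth checking against uat_add_record. In user_free_cb the `if (u->...) g_free(...)` guards are redundant, since g_free(NULL) is a no-op.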
@@ -0,0 +1,57 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 25_ndmp_crash_fix.dpatch by <ebli...@oceanus.sz13.dyndns.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Check pointers in NDMP dissector to prevent crash
+
+...@dpatch@
+
+Index: trunk/epan/dissectors/packet-ndmp.c
+===================================================================
+--- trunk/epan/dissectors/packet-ndmp.c (revision 28408)
++++ trunk/epan/dissectors/packet-ndmp.c (revision 28409)
+@@ -1181,7 +1181,7 @@
+ tvb_rlen=16;
+ cdb_tvb=tvb_new_subset(tvb, offset, tvb_len, tvb_rlen);
+ 
+- if(!ndmp_conv_data->task->itlq){
++ if(ndmp_conv_data->task && !ndmp_conv_data->task->itlq){
+ ndmp_conv_data->task->itlq=se_alloc(sizeof(itlq_nexus_t));
+ ndmp_conv_data->task->itlq->lun=0xffff;
+ ndmp_conv_data->task->itlq->first_exchange_frame=pinfo->fd->num;
+@@ -1195,7 +1195,7 @@
+ ndmp_conv_data->task->itlq->fc_time=pinfo->fd->abs_ts;
+ ndmp_conv_data->task->itlq->extra_data=NULL;
+ }
+- if(ndmp_conv_data->task->itlq){
++ if(ndmp_conv_data->task && ndmp_conv_data->task->itlq){
+ dissect_scsi_cdb(cdb_tvb, pinfo, top_tree, devtype, ndmp_conv_data->task->itlq, get_itl_nexus(ndmp_conv_data, pinfo, FALSE));
+ }
+ offset += cdb_len_full;
+@@ -1239,7 +1239,7 @@
+ tvb_rlen=payload_len;
+ data_tvb=tvb_new_subset(tvb, offset, tvb_len, tvb_rlen);
+ 
+- if(ndmp_conv_data->task->itlq){
++ if(ndmp_conv_data->task && ndmp_conv_data->task->itlq){
+ /* ndmp conceptually always send both read and write
+ * data and always a full nonfragmented pdu
+ */
+@@ -1335,7 +1335,7 @@
+ offset += 4;
+ 
+ if (sns_len != 0) {
+- if(ndmp_conv_data->task->itlq){
++ if(ndmp_conv_data->task && ndmp_conv_data->task->itlq){
+ dissect_scsi_snsinfo(tvb, pinfo, top_tree, offset, sns_len, ndmp_conv_data->task->itlq, get_itl_nexus(ndmp_conv_data, pinfo, FALSE));
+ }
+ offset += sns_len_full;
+@@ -1356,7 +1356,7 @@
+ /* status */
+ proto_tree_add_item(tree, hf_ndmp_execute_cdb_status, tvb, offset, 4, FALSE);
+ status=tvb_get_ntohl(tvb, offset);
+- if(ndmp_conv_data->task->itlq){
++ if(ndmp_conv_data->task && ndmp_conv_data->task->itlq){
+ dissect_scsi_rsp(tvb, pinfo, top_tree, ndmp_conv_data->task->itlq, get_itl_nexus(ndmp_conv_data, pinfo, FALSE), (guint8)status);
+ }
+ offset += 4;
Property changes on: debian/patches/31_ndmp_crash_fix.dpatch
___________________________________________________________________
Added: svn:mergeinfo
Index: debian/patches/29_sccp_crash_fix.dpatch
===================================================================
--- debian/patches/29_sccp_crash_fix.dpatch (revision 0)
+++ debian/patches/29_sccp_crash_fix.dpatch (revision 0)
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 23_sccp_crash_fix.dpatch by <ebli...@oceanus.sz13.dyndns.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix uninitialized variable to prevent crash
+
+...@dpatch@
+
+Index: trunk/epan/dissectors/packet-sccp.c
+===================================================================
+--- trunk/epan/dissectors/packet-sccp.c (revision 28057)
++++ trunk/epan/dissectors/packet-sccp.c (revision 28058)
+@@ -805,11 +805,12 @@
+ a->called_ssn = INVALID_SSN;
+ a->has_fw_key = FALSE;
+ a->has_bw_key = FALSE;
++ a->msgs = NULL;
++ a->curr_msg = NULL;
+ a->payload = SCCP_PLOAD_NONE;
+ a->calling_party = NULL;
+ a->called_party = NULL;
+ a->extra_info = NULL;
+- a->msgs = NULL;
+ 
+ return a;
+ }
Property changes on: debian/patches/29_sccp_crash_fix.dpatch
___________________________________________________________________
Added: svn:mergeinfo
Index: debian/patches/30_pcnfsd_crash_fix.dpatch
===================================================================
--- debian/patches/30_pcnfsd_crash_fix.dpatch (revision 0)
+++ debian/patches/30_pcnfsd_crash_fix.dpatch (revision 0)
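Review bot: The five `ndmp_conv_data->task && ...` guards added in packet-ndmp.c repeat the same two-level test, and the first of them now silently skips both the itlq allocation and the SCSI CDB dissection when `task` is NULL, so a capture that hits this path loses its SCSI decode with nothing in the tree to say so; caching `ndmp_conv_data->task` in a local pointer near the top of the function and adding an expert-info item on the skipped branch would make the code shorter and the omission visible to the analyst. `ndmp_conv_data` itself is dereferenced unguarded on every one of these lines, and whether it is validated earlier in the function is not visible in this hunk. The enclosing function starts and ends outside the hunk.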
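Review bot: The assoc initialiser in packet-sccp.c sets every member by hand, which is exactly how `curr_msg` came to be left uninitialised; allocating the struct with a zero-filling allocator (the DCM patch in this same report switches to `se_alloc0`) would make every pointer member NULL by default and turn the new `a->msgs = NULL;` / `a->curr_msg = NULL;` lines from load-bearing into documentation. The allocation line sits above this hunk, so whether the current allocator already zeroes is not visible here. Moving the existing `a->msgs = NULL;` up two lines is cosmetic and could be dropped to keep the security patch minimal.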
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 24__pcnfsd_crash_fix.dpatch by <ebli...@oceanus.sz13.dyndns.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix buffer allocation to prevent crash
+
+...@dpatch@
+
+Index: trunk/epan/dissectors/packet-pcnfsd.c
+===================================================================
+--- trunk/epan/dissectors/packet-pcnfsd.c (revision 28127)
++++ trunk/epan/dissectors/packet-pcnfsd.c (revision 28128)
+@@ -211,7 +211,10 @@
+ }
+ 
+ if (ident) {
+- pcnfsd_decode_obscure(ident, strlen(ident));
++ /* Only attempt to decode the ident if it has been specified */
++ if (strcmp(ident, RPC_STRING_EMPTY))
++ pcnfsd_decode_obscure(ident, (int)strlen(ident));
++
+ if (ident_tree)
+ proto_tree_add_string(ident_tree,
+ hf_pcnfsd_auth_ident_clear,
+@@ -238,7 +241,10 @@
+ }
+ 
+ if (password) {
+- pcnfsd_decode_obscure(password, strlen(password));
++ /* Only attempt to decode the password if it has been specified */
++ if (strcmp(password, RPC_STRING_EMPTY))
++ pcnfsd_decode_obscure(password, (int)strlen(password));
++
+ if (password_tree)
+ proto_tree_add_string(password_tree,
+ hf_pcnfsd_auth_password_clear,
+Index: trunk/epan/dissectors/packet-rpc.c
+===================================================================
+--- trunk/epan/dissectors/packet-rpc.c (revision 28127)
++++ trunk/epan/dissectors/packet-rpc.c (revision 28128)
+@@ -626,24 +626,21 @@
+ char *formatted;
+ 
+ formatted = format_text(string_buffer, strlen(string_buffer));
+- /* alloc maximum data area */
+-#define STRING_BUFFER_PRINT_MAX_LEN (strlen(formatted)+12+1)
+- string_buffer_print = (char*)ep_alloc(STRING_BUFFER_PRINT_MAX_LEN);
+ /* copy over the data and append <TRUNCATED> */
+- g_snprintf(string_buffer_print, STRING_BUFFER_PRINT_MAX_LEN, "%s<TRUNCATED>", formatted);
++ string_buffer_print=ep_strdup_printf("%s%s", formatted, RPC_STRING_TRUNCATED);
+ } else {
+- string_buffer_print="<DATA><TRUNCATED>";
++ string_buffer_print=RPC_STRING_DATA RPC_STRING_TRUNCATED;
+ }
+ } else {
+ if (string_data) {
+ string_buffer_print =
+ ep_strdup(format_text(string_buffer, strlen(string_buffer)));
+ } else {
+- string_buffer_print="<DATA>";
++ string_buffer_print=RPC_STRING_DATA;
+ }
+ }
+ } else {
+- string_buffer_print="<EMPTY>";
++ string_buffer_print=RPC_STRING_EMPTY;
+ }
+ 
+ if (tree) {
+Index: trunk/epan/dissectors/packet-rpc.h
+===================================================================
+--- trunk/epan/dissectors/packet-rpc.h (revision 28127)
++++ trunk/epan/dissectors/packet-rpc.h (revision 28128)
+@@ -93,6 +93,10 @@
+ #define AUTHDES_NAMEKIND_FULLNAME 0
+ #define AUTHDES_NAMEKIND_NICKNAME 1
+ 
++#define RPC_STRING_EMPTY "<EMPTY>"
++#define RPC_STRING_DATA "<DATA>"
++#define RPC_STRING_TRUNCATED "<TRUNCATED>"
++
+ extern value_string rpc_authgss_svc[];
+ typedef enum {
+ FLAVOR_UNKNOWN, /* authentication flavor unknown */
Property changes on: debian/patches/30_pcnfsd_crash_fix.dpatch
___________________________________________________________________
Added: svn:mergeinfo
Index: debian/patches/32_dcm_memleak_fix.dpatch
===================================================================
--- debian/patches/32_dcm_memleak_fix.dpatch (revision 0)
+++ debian/patches/32_dcm_memleak_fix.dpatch (revision 0)
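Review bot: The new `strcmp(ident, RPC_STRING_EMPTY)` test in packet-pcnfsd.c tells an absent string from a present one by its rendered text, so an on-wire ident whose bytes are literally `<EMPTY>` is treated as absent and not decoded, and it recognises only that one sentinel while the rpc helper in the packet-rpc.c hunk can also hand back the literals `RPC_STRING_DATA` and `RPC_STRING_DATA RPC_STRING_TRUNCATED`; if `pcnfsd_decode_obscure` decodes in place (its body is outside the hunk), calling it on one of those would be the same write into a string literal the patch is meant to stop, unless the pcnfsd caller's string_data argument rules those branches out — worth confirming. The same check is duplicated verbatim for `password`. A more robust shape is for the rpc string helper to report "absent" out of band (a flag or a NULL return) instead of a sentinel string, and for the decode to work on an ep-allocated copy rather than mutating its input.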
@@ -0,0 +1,29 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 26_dcm_memleak_fix.dpatch by <ebli...@oceanus.sz13.dyndns.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix memory leak in DCM dissector
+
+...@dpatch@
+
+Index: trunk-1.0/epan/dissectors/packet-dcm.c
+===================================================================
+--- trunk-1.0/epan/dissectors/packet-dcm.c (revision 28410)
++++ trunk-1.0/epan/dissectors/packet-dcm.c (revision 28411)
+@@ -289,15 +289,10 @@
+ {
+ dcmState_t *ds;
+ 
+- if (NULL == (ds = (dcmState_t *) g_malloc(sizeof(dcmState_t)))) {
++ if (NULL == (ds = (dcmState_t *) se_alloc0(sizeof(dcmState_t)))) {
+ return NULL;
+ }
+- ds->pdu = 0;
+- ds->tlen = ds->rlen = 0;
+ ds->valid = TRUE;
+- memset(ds->orig, 0, sizeof(ds->orig));
+- memset(ds->targ, 0, sizeof(ds->targ));
+- memset(ds->resp, 0, sizeof(ds->resp));
+ ds->first = ds->last = NULL;
+ return ds;
+ }
Property changes on: debian/patches/32_dcm_memleak_fix.dpatch
___________________________________________________________________
Added: svn:mergeinfo
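Review bot: The NULL check kept around `se_alloc0` in packet-dcm.c is most likely dead: the emem allocators in Wireshark are built on g_malloc and abort on exhaustion rather than returning NULL, so `return NULL;` becomes unreachable and callers' NULL handling is kept alive for nothing — confirm against the emem contract for this version. Moving from g_malloc to session-scoped memory also changes ownership, so any remaining `g_free()` of a `dcmState_t` elsewhere in the dissector (not visible in this hunk) would now free memory it does not own, which is worse than the leak being fixed; the callers that used to release this state need checking. Minor style: the `(dcmState_t *)` cast on the allocator result is unnecessary in C and `sizeof(dcmState_t)` could be `sizeof *ds`. The enclosing function's signature is above the hunk.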