Source: wireshark
Version: 1.0.2-3+lenny5
Severity: critical
Tags: patch security
Hi,
There is a new upstream version available:
http://www.wireshark.org/docs/relnotes/wireshark-1.0.8.html
It contains several security-related fixes, collected in the attached patch.
Cheers,
Balint
Index: debian/patches/28_uat_proto_name_use_strndup.dpatch
===================================================================
--- debian/patches/28_uat_proto_name_use_strndup.dpatch (revision 0)
+++ debian/patches/28_uat_proto_name_use_strndup.dpatch (revision 0)
@@ -0,0 +1,66 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 22_uat_proto_name_use_strndup.dpatch by <[email protected]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Use g_strndup() instead of ep_strndup() to avoid freeing it up too early
+
+...@dpatch@
+
+Index: trunk/epan/uat.h
+===================================================================
+--- trunk/epan/uat.h (revision 27662)
++++ trunk/epan/uat.h (revision 27663)
+@@ -452,7 +452,7 @@
+ #define UAT_PROTO_DEF(basename, field_name, dissector_field, name_field, rec_t) \
+ static void basename ## _ ## field_name ## _set_cb(void* rec, const char* buf, unsigned len, void* u1 _U_, void* u2 _U_) {\
+ if (len) { \
+- ((rec_t*)rec)->name_field = ep_strndup(buf,len); g_strdown(((rec_t*)rec)->name_field ); g_strchug(((rec_t*)rec)->name_field); \
++ ((rec_t*)rec)->name_field = g_strndup(buf,len); g_strdown(((rec_t*)rec)->name_field ); g_strchug(((rec_t*)rec)->name_field); \
+ ((rec_t*)rec)->dissector_field = find_dissector(((rec_t*)rec)->name_field); \
+ } else { \
+ ((rec_t*)rec)->dissector_field = find_dissector("data"); \
+Index: trunk/epan/dissectors/packet-user_encap.c
+===================================================================
+--- trunk/epan/dissectors/packet-user_encap.c (revision 27662)
++++ trunk/epan/dissectors/packet-user_encap.c (revision 27663)
+@@ -126,9 +126,27 @@
+ }
+ }
+
+-static void user_update_cb(void* r _U_, const char** err _U_) {
++static void* user_copy_cb(void* dest, const void* orig, unsigned len _U_)
++{
++ const user_encap_t *o = orig;
++ user_encap_t *d = dest;
++
++ d->payload_proto_name = g_strdup(o->payload_proto_name);
++ d->header_proto_name = g_strdup(o->header_proto_name);
++ d->trailer_proto_name = g_strdup(o->trailer_proto_name);
++
++ return d;
+ }
+
++static void user_free_cb(void* record)
++{
++ user_encap_t *u = record;
++
++ if (u->payload_proto_name) g_free(u->payload_proto_name);
++ if (u->header_proto_name) g_free(u->header_proto_name);
++ if (u->trailer_proto_name) g_free(u->trailer_proto_name);
++}
++
+ UAT_VS_DEF(user_encap, encap, user_encap_t, WTAP_ENCAP_USER0, ENCAP0_STR)
+ UAT_PROTO_DEF(user_encap, payload_proto, payload_proto, payload_proto_name, user_encap_t)
+ UAT_DEC_CB_DEF(user_encap, header_size, user_encap_t)
+@@ -177,9 +195,9 @@
+ &num_encaps,
+ UAT_CAT_FFMT,
+ "ChUserDLTsSection",
++ user_copy_cb,
+ NULL,
+- user_update_cb,
+- NULL,
++ user_free_cb,
+ user_flds );
+
+ prefs_register_uat_preference(module,
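Review bot: The set callback in the UAT_PROTO_DEF macro now stores a heap string with `g_strndup(buf,len)` into `name_field` without releasing what the field held before, so if the UAT layer invokes the set callback more than once on the same record (re-editing an entry, for instance) the earlier g_strndup() result leaks; with the field now g_free()-owned, `g_free(((rec_t*)rec)->name_field);` ahead of the assignment would be safe provided records start zeroed, which the UAT code outside this hunk would have to confirm, and the `else` branch, which leaves `name_field` untouched, has the same question. In `user_free_cb` the `if (u->...)` guards are redundant because g_free(NULL) is a no-op; `g_free(u->payload_proto_name);` on its own reads cleaner. Separately, `...@dpatch@` and the `<[email protected]>` author field in this dpatch header, and in the corresponding headers of the other four patches, look like archive address-obfuscation of the `@DPATCH@` marker and a real address; the files as posted should be checked before being applied.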
Property changes on: debian/patches/28_uat_proto_name_use_strndup.dpatch
___________________________________________________________________
Added: svn:mergeinfo
Index: debian/patches/31_ndmp_crash_fix.dpatch
===================================================================
--- debian/patches/31_ndmp_crash_fix.dpatch (revision 0)
+++ debian/patches/31_ndmp_crash_fix.dpatch (revision 0)
@@ -0,0 +1,57 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 25_ndmp_crash_fix.dpatch by <[email protected]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Check pointers in NDMP dissector to prevent crash
+
+...@dpatch@
+
+Index: trunk/epan/dissectors/packet-ndmp.c
+===================================================================
+--- trunk/epan/dissectors/packet-ndmp.c (revision 28408)
++++ trunk/epan/dissectors/packet-ndmp.c (revision 28409)
+@@ -1181,7 +1181,7 @@
+ tvb_rlen=16;
+ cdb_tvb=tvb_new_subset(tvb, offset, tvb_len, tvb_rlen);
+
+- if(!ndmp_conv_data->task->itlq){
++ if(ndmp_conv_data->task && !ndmp_conv_data->task->itlq){
+ ndmp_conv_data->task->itlq=se_alloc(sizeof(itlq_nexus_t));
+ ndmp_conv_data->task->itlq->lun=0xffff;
+ ndmp_conv_data->task->itlq->first_exchange_frame=pinfo->fd->num;
+@@ -1195,7 +1195,7 @@
+ ndmp_conv_data->task->itlq->fc_time=pinfo->fd->abs_ts;
+ ndmp_conv_data->task->itlq->extra_data=NULL;
+ }
+- if(ndmp_conv_data->task->itlq){
++ if(ndmp_conv_data->task && ndmp_conv_data->task->itlq){
+ dissect_scsi_cdb(cdb_tvb, pinfo, top_tree, devtype, ndmp_conv_data->task->itlq, get_itl_nexus(ndmp_conv_data, pinfo, FALSE));
+ }
+ offset += cdb_len_full;
+@@ -1239,7 +1239,7 @@
+ tvb_rlen=payload_len;
+ data_tvb=tvb_new_subset(tvb, offset, tvb_len, tvb_rlen);
+
+- if(ndmp_conv_data->task->itlq){
++ if(ndmp_conv_data->task && ndmp_conv_data->task->itlq){
+ /* ndmp conceptually always send both read and write
+ * data and always a full nonfragmented pdu
+ */
+@@ -1335,7 +1335,7 @@
+ offset += 4;
+
+ if (sns_len != 0) {
+- if(ndmp_conv_data->task->itlq){
++ if(ndmp_conv_data->task && ndmp_conv_data->task->itlq){
+ dissect_scsi_snsinfo(tvb, pinfo, top_tree, offset, sns_len, ndmp_conv_data->task->itlq, get_itl_nexus(ndmp_conv_data, pinfo, FALSE));
+ }
+ offset += sns_len_full;
+@@ -1356,7 +1356,7 @@
+ /* status */
+ proto_tree_add_item(tree, hf_ndmp_execute_cdb_status, tvb, offset, 4, FALSE);
+ status=tvb_get_ntohl(tvb, offset);
+- if(ndmp_conv_data->task->itlq){
++ if(ndmp_conv_data->task && ndmp_conv_data->task->itlq){
+ dissect_scsi_rsp(tvb, pinfo, top_tree, ndmp_conv_data->task->itlq, get_itl_nexus(ndmp_conv_data, pinfo, FALSE), (guint8)status);
+ }
+ offset += 4;
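Review bot: The compound test `ndmp_conv_data->task && ndmp_conv_data->task->itlq` is now repeated at five sites across these hunks; a local computed once per function, e.g. `itlq_nexus_t *itlq = ndmp_conv_data->task ? ndmp_conv_data->task->itlq : NULL;`, would make the guard hard to forget at the next dissect_scsi_* call and shorten each call, with the caveat that the first block allocates `task->itlq` and a local taken before it must be refreshed after it. When `task` is NULL the CDB, data, sense and status are now skipped silently; if the dissector has expert-info support, a note on the tree would make the skipped exchange visible rather than leaving it undissected without explanation. `ndmp_conv_data` itself is still dereferenced unconditionally here, and whether it can be NULL is decided outside these hunks. Each hunk's enclosing function begins and ends outside the patch.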
Property changes on: debian/patches/31_ndmp_crash_fix.dpatch
___________________________________________________________________
Added: svn:mergeinfo
Index: debian/patches/29_sccp_crash_fix.dpatch
===================================================================
--- debian/patches/29_sccp_crash_fix.dpatch (revision 0)
+++ debian/patches/29_sccp_crash_fix.dpatch (revision 0)
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 23_sccp_crash_fix.dpatch by <[email protected]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix uninitialized variable to prevent crash
+
+...@dpatch@
+
+Index: trunk/epan/dissectors/packet-sccp.c
+===================================================================
+--- trunk/epan/dissectors/packet-sccp.c (revision 28057)
++++ trunk/epan/dissectors/packet-sccp.c (revision 28058)
+@@ -805,11 +805,12 @@
+ a->called_ssn = INVALID_SSN;
+ a->has_fw_key = FALSE;
+ a->has_bw_key = FALSE;
++ a->msgs = NULL;
++ a->curr_msg = NULL;
+ a->payload = SCCP_PLOAD_NONE;
+ a->calling_party = NULL;
+ a->called_party = NULL;
+ a->extra_info = NULL;
+- a->msgs = NULL;
+
+ return a;
+ }
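Review bot: `a->curr_msg = NULL;` fixes one uninitialized member, but the function initializes every field by hand, so any member added to the struct later repeats the same bug; if the allocation just above this hunk uses a non-zeroing allocator, switching it to a zero-filling one (`se_alloc0`/`g_malloc0`, as the DCM patch in this same series does) removes the whole class, and the explicit NULL and FALSE assignments then document intent rather than being the only line of defence. Moving `a->msgs = NULL;` up is churn that makes the hunk larger than the fix; leaving it in place would give a one-line diff that is easier to audit. The allocation and the start of the function are outside the hunk.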
Property changes on: debian/patches/29_sccp_crash_fix.dpatch
___________________________________________________________________
Added: svn:mergeinfo
Index: debian/patches/30_pcnfsd_crash_fix.dpatch
===================================================================
--- debian/patches/30_pcnfsd_crash_fix.dpatch (revision 0)
+++ debian/patches/30_pcnfsd_crash_fix.dpatch (revision 0)
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 24__pcnfsd_crash_fix.dpatch by <[email protected]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix buffer allocation to prevent crash
+
+...@dpatch@
+
+Index: trunk/epan/dissectors/packet-pcnfsd.c
+===================================================================
+--- trunk/epan/dissectors/packet-pcnfsd.c (revision 28127)
++++ trunk/epan/dissectors/packet-pcnfsd.c (revision 28128)
+@@ -211,7 +211,10 @@
+ }
+
+ if (ident) {
+- pcnfsd_decode_obscure(ident, strlen(ident));
++ /* Only attempt to decode the ident if it has been specified */
++ if (strcmp(ident, RPC_STRING_EMPTY))
++ pcnfsd_decode_obscure(ident, (int)strlen(ident));
++
+ if (ident_tree)
+ proto_tree_add_string(ident_tree,
+ hf_pcnfsd_auth_ident_clear,
+@@ -238,7 +241,10 @@
+ }
+
+ if (password) {
+- pcnfsd_decode_obscure(password, strlen(password));
++ /* Only attempt to decode the password if it has been specified */
++ if (strcmp(password, RPC_STRING_EMPTY))
++ pcnfsd_decode_obscure(password, (int)strlen(password));
++
+ if (password_tree)
+ proto_tree_add_string(password_tree,
+ hf_pcnfsd_auth_password_clear,
+Index: trunk/epan/dissectors/packet-rpc.c
+===================================================================
+--- trunk/epan/dissectors/packet-rpc.c (revision 28127)
++++ trunk/epan/dissectors/packet-rpc.c (revision 28128)
+@@ -626,24 +626,21 @@
+ char *formatted;
+
+ formatted = format_text(string_buffer, strlen(string_buffer));
+- /* alloc maximum data area */
+-#define STRING_BUFFER_PRINT_MAX_LEN (strlen(formatted)+12+1)
+- string_buffer_print = (char*)ep_alloc(STRING_BUFFER_PRINT_MAX_LEN);
+ /* copy over the data and append <TRUNCATED> */
+- g_snprintf(string_buffer_print, STRING_BUFFER_PRINT_MAX_LEN, "%s<TRUNCATED>", formatted);
++ string_buffer_print=ep_strdup_printf("%s%s", formatted, RPC_STRING_TRUNCATED);
+ } else {
+- string_buffer_print="<DATA><TRUNCATED>";
++ string_buffer_print=RPC_STRING_DATA RPC_STRING_TRUNCATED;
+ }
+ } else {
+ if (string_data) {
+ string_buffer_print =
+ ep_strdup(format_text(string_buffer, strlen(string_buffer)));
+ } else {
+- string_buffer_print="<DATA>";
++ string_buffer_print=RPC_STRING_DATA;
+ }
+ }
+ } else {
+- string_buffer_print="<EMPTY>";
++ string_buffer_print=RPC_STRING_EMPTY;
+ }
+
+ if (tree) {
+Index: trunk/epan/dissectors/packet-rpc.h
+===================================================================
+--- trunk/epan/dissectors/packet-rpc.h (revision 28127)
++++ trunk/epan/dissectors/packet-rpc.h (revision 28128)
+@@ -93,6 +93,10 @@
+ #define AUTHDES_NAMEKIND_FULLNAME 0
+ #define AUTHDES_NAMEKIND_NICKNAME 1
+
++#define RPC_STRING_EMPTY "<EMPTY>"
++#define RPC_STRING_DATA "<DATA>"
++#define RPC_STRING_TRUNCATED "<TRUNCATED>"
++
+ extern value_string rpc_authgss_svc[];
+ typedef enum {
+ FLAVOR_UNKNOWN, /* authentication flavor unknown */
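Review bot: The new guards `if (strcmp(ident, RPC_STRING_EMPTY))` and `if (strcmp(password, RPC_STRING_EMPTY))` tell the placeholder apart from real data by content, so an ident or password whose on-the-wire value is literally `<EMPTY>` would no longer be decoded, and the other placeholders the same helper returns, `<DATA>` and `<DATA><TRUNCATED>` (RPC_STRING_DATA / RPC_STRING_TRUNCATED), are not guarded at all; if pcnfsd_decode_obscure() writes to its argument in place, those string literals would still be modified when string_data is false or the string is truncated. An out-of-band signal (a flag or length returned alongside the string, or deciding on the raw wire length rather than on the formatted text) would be robust where this in-band sentinel is not. The `(int)strlen(...)` casts narrow silently; checking that the length fits, or having pcnfsd_decode_obscure() take size_t, avoids relying on the input being short. The enclosing function in packet-pcnfsd.c and the string helper in packet-rpc.c both begin and end outside these hunks.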
Property changes on: debian/patches/30_pcnfsd_crash_fix.dpatch
___________________________________________________________________
Added: svn:mergeinfo
Index: debian/patches/32_dcm_memleak_fix.dpatch
===================================================================
--- debian/patches/32_dcm_memleak_fix.dpatch (revision 0)
+++ debian/patches/32_dcm_memleak_fix.dpatch (revision 0)
@@ -0,0 +1,29 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 26_dcm_memleak_fix.dpatch by <[email protected]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix memory leak in DCM dissector
+
+...@dpatch@
+
+Index: trunk-1.0/epan/dissectors/packet-dcm.c
+===================================================================
+--- trunk-1.0/epan/dissectors/packet-dcm.c (revision 28410)
++++ trunk-1.0/epan/dissectors/packet-dcm.c (revision 28411)
+@@ -289,15 +289,10 @@
+ {
+ dcmState_t *ds;
+
+- if (NULL == (ds = (dcmState_t *) g_malloc(sizeof(dcmState_t)))) {
++ if (NULL == (ds = (dcmState_t *) se_alloc0(sizeof(dcmState_t)))) {
+ return NULL;
+ }
+- ds->pdu = 0;
+- ds->tlen = ds->rlen = 0;
+ ds->valid = TRUE;
+- memset(ds->orig, 0, sizeof(ds->orig));
+- memset(ds->targ, 0, sizeof(ds->targ));
+- memset(ds->resp, 0, sizeof(ds->resp));
+ ds->first = ds->last = NULL;
+ return ds;
+ }
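Review bot: Replacing g_malloc() with se_alloc0() changes who owns the dcmState_t: the seasonal allocator releases it rather than the caller, so any g_free() of a state object elsewhere in packet-dcm.c (outside this hunk) becomes an invalid free and has to go, and the patch should be checked against every site that previously released these structures. The `NULL ==` check assumes se_alloc0() can return NULL; if, like g_malloc(), it aborts on exhaustion, that branch is dead and can be dropped together with the `(dcmState_t *)` cast, which C does not need. `ds->first = ds->last = NULL;` is redundant after a zero-filling allocation, though keeping it as explicit intent is defensible since an all-zero byte pattern is not formally guaranteed to be a null pointer on every target.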
Property changes on: debian/patches/32_dcm_memleak_fix.dpatch
___________________________________________________________________
Added: svn:mergeinfo