Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

This update fixes the 14 non-dsa CVEs in buster by upgrading
to 2.6.20 (12 CVEs fixed) plus two fixes for additional CVEs.

Wireshark is a package that follows upstream releases,
and it will likely be upgraded to a 3.x release
in a DSA at some point in the future. That is why this
pu request updates to the final 2.6 release (on top of
the last 2.6 release that was in unstable) instead of
backporting all CVE fixes.

The attached debdiff only includes changes to debian/
diff -Nru wireshark-2.6.8/debian/changelog wireshark-2.6.20/debian/changelog
--- wireshark-2.6.8/debian/changelog    2019-05-27 17:08:44.000000000 +0300
+++ wireshark-2.6.20/debian/changelog   2020-11-26 21:21:18.000000000 +0200
@@ -1,3 +1,46 @@
+wireshark (2.6.20-0+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * New upstream version including the following security fixes:
+    - CVE-2019-16319: The Gryphon dissector could go into an infinite loop.
+    - CVE-2019-19553: The CMS dissector could crash.
+    - CVE-2020-7045: The BT ATT dissector could crash.
+    - CVE-2020-9428: The EAP dissector could crash.
+    - CVE-2020-9430: The WiMax DLMAP dissector could crash.
+    - CVE-2020-9431: The LTE RRC dissector could leak memory.
+    - CVE-2020-11647: The BACapp dissector could crash. (Closes: #958213)
+    - CVE-2020-13164: The NFS dissector could crash.
+    - CVE-2020-15466: The GVCP dissector could go into an infinite loop.
+    - CVE-2020-25862: The TCP dissector could crash.
+    - CVE-2020-25863: The MIME Multipart dissector could crash.
+  * Adjust 17_libdir_location.patch for context changes.
+  * Since Wireshark 2.6.14 tests are run automatically by debhelper,
+    backport the build fix and making test failures non-fatal.
+  * CVE-2020-26575: The Facebook Zero Protocol (aka FBZERO) dissector
+    could enter an infinite loop. (Closes: #974688)
+  * CVE-2020-28030: The GQUIC dissector could crash. (Closes: #974689)
+
+ -- Adrian Bunk <b...@debian.org>  Thu, 26 Nov 2020 21:21:18 +0200
+
+wireshark (2.6.10-1) unstable; urgency=medium
+
+  * New upstream version 2.6.10
+     - security fixes:
+       - ASN.1 BER and related dissectors crash (CVE-2019-13619)
+     - fix QIcon crash on exit on Ubuntu 16.04 with Qt 5.5.1 (LP: #1803808)
+  * debian/gitlab-ci.yml: User minimal reference configuration
+
+ -- Balint Reczey <rbal...@ubuntu.com>  Wed, 17 Jul 2019 23:23:05 +0200
+
+wireshark (2.6.9-1) unstable; urgency=medium
+
+  * Acknowledge NMU
+  * New upstream version 2.6.9
+  * Drop obsolete CVE-2019-12295.patch
+  * Refresh patches
+
+ -- Balint Reczey <rbal...@ubuntu.com>  Thu, 30 May 2019 22:13:15 +0200
+
 wireshark (2.6.8-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru wireshark-2.6.8/debian/gitlab-ci.yml 
wireshark-2.6.20/debian/gitlab-ci.yml
--- wireshark-2.6.8/debian/gitlab-ci.yml        2019-05-27 17:00:57.000000000 
+0300
+++ wireshark-2.6.20/debian/gitlab-ci.yml       2019-07-18 00:23:05.000000000 
+0300
@@ -1,13 +1,3 @@
-include: 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-build:
-    extends: .build-unstable
-
-lintian:
-    extends: .test-lintian
-
-autopkgtest:
-    extends: .test-autopkgtest
-
-piuparts:
-    extends: .test-piuparts
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
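Review bot: Nothing in the new three-line file selects a target release, so for this buster upload the included pipeline would build and test against whatever release it defaults to; the removed `extends: .build-unstable` at least made the target explicit. If CI is meant to cover this branch, set it with a `variables:` entry such as `RELEASE: 'buster'`. Both includes also follow the `master` branch of salsa-ci-team/pipeline, so the job definitions can change without any commit in this package.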
diff -Nru 
wireshark-2.6.8/debian/patches/0001-FBZERO-Make-sure-our-offset-advances.patch 
wireshark-2.6.20/debian/patches/0001-FBZERO-Make-sure-our-offset-advances.patch
--- 
wireshark-2.6.8/debian/patches/0001-FBZERO-Make-sure-our-offset-advances.patch  
    1970-01-01 02:00:00.000000000 +0200
+++ 
wireshark-2.6.20/debian/patches/0001-FBZERO-Make-sure-our-offset-advances.patch 
    2020-11-26 21:21:18.000000000 +0200
@@ -0,0 +1,63 @@
+From 3ff940652962c099b73ae3233322b8697b0d10ab Mon Sep 17 00:00:00 2001
+From: Gerald Combs <ger...@wireshark.org>
+Date: Fri, 2 Oct 2020 12:42:03 -0700
+Subject: FBZERO: Make sure our offset advances.
+
+Make sure our offset advances so that we don't infinitely loop.
+Fixes #16887.
+---
+ epan/dissectors/packet-fbzero.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/packet-fbzero.c b/epan/dissectors/packet-fbzero.c
+index 16ffb63cf1..132079cfaa 100644
+--- a/epan/dissectors/packet-fbzero.c
++++ b/epan/dissectors/packet-fbzero.c
+@@ -66,6 +66,7 @@ static gint ett_fb_zero_tag_value = -1;
+ static expert_field ei_fb_zero_tag_undecoded = EI_INIT;
+ static expert_field ei_fb_zero_tag_length = EI_INIT;
+ static expert_field ei_fb_zero_tag_unknown = EI_INIT;
++static expert_field ei_fb_zero_length_invalid = EI_INIT;
+ 
+ #define FBZERO_MIN_LENGTH 3
+ 
+@@ -261,18 +262,26 @@ dissect_fb_zero_tag(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *fb_zero_tree,
+                                  "Dissector for FB Zero Tag"
+                                  " %s (%s) code not implemented, Contact"
+                                  " Wireshark developers if you want this 
supported", tvb_get_string_enc(wmem_packet_scope(), tvb, offset-8, 4, 
ENC_ASCII|ENC_NA), val_to_str(tag, tag_vals, "Unknown"));
+-                tag_offset += tag_len;
++                goto end;
+             break;
+         }
+ 
+         if(tag_offset != offset_end){
+             /* Wrong Tag len... */
+             proto_tree_add_expert(tag_tree, pinfo, &ei_fb_zero_tag_unknown, 
tvb, tag_offset_start + tag_offset, offset_end - tag_offset);
+-            tag_offset = offset_end;
++            // XXX Return instead?
++            goto end;
+         }
+ 
+         tag_number--;
+     }
++
++    end:
++    if (offset + total_tag_len <= offset) {
++        expert_add_info_format(pinfo, fb_zero_tree, 
&ei_fb_zero_length_invalid,
++                         "Invalid total tag length: %u", total_tag_len);
++        return offset + tvb_reported_length_remaining(tvb, offset);
++    }
+     return offset + total_tag_len;
+ 
+ }
+@@ -562,6 +571,7 @@ proto_register_fb_zero(void)
+         { &ei_fb_zero_tag_undecoded, { "fb_zero.tag.undecoded", PI_UNDECODED, 
PI_NOTE, "Dissector for FB Zero Tag code not implemented, Contact Wireshark 
developers if you want this supported", EXPFILL }},
+         { &ei_fb_zero_tag_length, { "fb_zero.tag.length.truncated", 
PI_MALFORMED, PI_NOTE, "Truncated Tag Length...", EXPFILL }},
+         { &ei_fb_zero_tag_unknown, { "fb_zero.tag.unknown.data", 
PI_UNDECODED, PI_NOTE, "Unknown Data", EXPFILL }},
++        { &ei_fb_zero_length_invalid, { "fb_zero.length.invalid", 
PI_PROTOCOL, PI_WARN, "Invalid length", EXPFILL }},
+     };
+ 
+     expert_module_t *expert_fb_zero;
+-- 
+2.20.1
+
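Review bot: The new guard `if (offset + total_tag_len <= offset)` after the `end:` label only works as a zero-length and wraparound check if `offset` and `total_tag_len` are both unsigned. Their declarations are outside the hunk (the `%u` format suggests `total_tag_len` is unsigned); with a signed operand the overflow would be undefined and the comparison could be optimised away. I would state the assumption next to the check, e.g. `/* both unsigned: catches total_tag_len == 0 and 32-bit wraparound */`. The `break;` left after the first `goto end;` is now unreachable, and the `// XXX Return instead?` marker is an open question shipping in a stable update. The GQUIC patch that follows adds the same guard in `dissect_gquic_tag`, so the same applies there; `dissect_fb_zero_tag` itself begins outside the hunk.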
diff -Nru 
wireshark-2.6.8/debian/patches/0001-GQUIC-make-sure-our-tag-offset-advances.patch
 
wireshark-2.6.20/debian/patches/0001-GQUIC-make-sure-our-tag-offset-advances.patch
--- 
wireshark-2.6.8/debian/patches/0001-GQUIC-make-sure-our-tag-offset-advances.patch
   1970-01-01 02:00:00.000000000 +0200
+++ 
wireshark-2.6.20/debian/patches/0001-GQUIC-make-sure-our-tag-offset-advances.patch
  2020-11-26 21:21:18.000000000 +0200
@@ -0,0 +1,58 @@
+From 7dd685e4c0b7d049695b302f2cce732cdf15085c Mon Sep 17 00:00:00 2001
+From: Richard Smith <pcy...@126.com>
+Date: Sat, 10 Oct 2020 18:25:57 +0800
+Subject: GQUIC: make sure our tag offset advances.
+
+Make sure gquic tag offset advances so that we don't infinitely loop.
+---
+ epan/dissectors/packet-gquic.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/packet-gquic.c b/epan/dissectors/packet-gquic.c
+index 581499d7d0..955301b91f 100644
+--- a/epan/dissectors/packet-gquic.c
++++ b/epan/dissectors/packet-gquic.c
+@@ -185,6 +185,7 @@ static expert_field ei_gquic_tag_undecoded = EI_INIT;
+ static expert_field ei_gquic_tag_length = EI_INIT;
+ static expert_field ei_gquic_tag_unknown = EI_INIT;
+ static expert_field ei_gquic_version_invalid = EI_INIT;
++static expert_field ei_gquic_length_invalid = EI_INIT;
+ 
+ typedef struct gquic_info_data {
+     guint8 version;
+@@ -1604,7 +1605,7 @@ dissect_gquic_tag(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *gquic_tree, gui
+                                  "Dissector for (Google) QUIC Tag"
+                                  " %s (%s) code not implemented, Contact"
+                                  " Wireshark developers if you want this 
supported", tvb_get_string_enc(wmem_packet_scope(), tvb, offset-8, 4, 
ENC_ASCII|ENC_NA), val_to_str(tag, tag_vals, "Unknown"));
+-                tag_offset += tag_len;
++                goto end;
+             break;
+         }
+         if(tag_offset != offset_end){
+@@ -1615,6 +1616,13 @@ dissect_gquic_tag(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *gquic_tree, gui
+ 
+         tag_number--;
+     }
++
++    end:
++    if (offset + total_tag_len <= offset) {
++        expert_add_info_format(pinfo, gquic_tree, &ei_gquic_length_invalid,
++                                "Invalid total tag length: %u", 
total_tag_len);
++        return offset + tvb_reported_length_remaining(tvb, offset);
++    }
+     return offset + total_tag_len;
+ 
+ }
+@@ -2873,7 +2881,8 @@ proto_register_gquic(void)
+         { &ei_gquic_tag_undecoded, { "gquic.tag.undecoded", PI_UNDECODED, 
PI_NOTE, "Dissector for (Google)QUIC Tag code not implemented, Contact 
Wireshark developers if you want this supported", EXPFILL }},
+         { &ei_gquic_tag_length, { "gquic.tag.length.truncated", PI_MALFORMED, 
PI_NOTE, "Truncated Tag Length...", EXPFILL }},
+         { &ei_gquic_tag_unknown, { "gquic.tag.unknown.data", PI_UNDECODED, 
PI_NOTE, "Unknown Data", EXPFILL }},
+-        { &ei_gquic_version_invalid, { "gquic.version.invalid", PI_MALFORMED, 
PI_ERROR, "Invalid Version", EXPFILL }}
++        { &ei_gquic_version_invalid, { "gquic.version.invalid", PI_MALFORMED, 
PI_ERROR, "Invalid Version", EXPFILL }},
++        { &ei_gquic_length_invalid, { "gquic.length.invalid", PI_PROTOCOL, 
PI_WARN, "Invalid Length", EXPFILL }}
+     };
+ 
+     expert_module_t *expert_gquic;
+-- 
+2.20.1
+
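Review bot: The patch header carries neither the CVE id nor the Debian bug it resolves, so the link between this file and CVE-2020-28030 exists only in debian/changelog. The dropped CVE-2019-12295.patch had DEP-3 `Description:`, `Origin:` and `Bug-Debian:` fields for exactly that purpose. I would add `Bug-Debian: https://bugs.debian.org/974689` and an `Origin: upstream, <upstream commit URL>` line below the `Subject:` header. The FBZERO patch has the same gap (CVE-2020-26575, bug #974688).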
diff -Nru wireshark-2.6.8/debian/patches/03_no_version_in_gtk_title.patch 
wireshark-2.6.20/debian/patches/03_no_version_in_gtk_title.patch
--- wireshark-2.6.8/debian/patches/03_no_version_in_gtk_title.patch     
2019-05-27 17:00:57.000000000 +0300
+++ wireshark-2.6.20/debian/patches/03_no_version_in_gtk_title.patch    
2019-07-18 00:23:05.000000000 +0300
@@ -1,6 +1,6 @@
 --- a/epan/prefs.c
 +++ b/epan/prefs.c
-@@ -4108,7 +4108,7 @@
+@@ -4105,7 +4105,7 @@
      prefs.gui_prepend_window_title   = g_strdup("");
      g_free(prefs.gui_start_title);
      prefs.gui_start_title            = g_strdup("The World's Most Popular 
Network Protocol Analyzer");
diff -Nru wireshark-2.6.8/debian/patches/17_libdir_location.patch 
wireshark-2.6.20/debian/patches/17_libdir_location.patch
--- wireshark-2.6.8/debian/patches/17_libdir_location.patch     2019-05-27 
17:00:57.000000000 +0300
+++ wireshark-2.6.20/debian/patches/17_libdir_location.patch    2020-11-26 
21:21:18.000000000 +0200
@@ -5,7 +5,7 @@
 
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
-@@ -1477,7 +1477,7 @@
+@@ -1473,7 +1473,7 @@
  
  set( prefix "${CMAKE_INSTALL_PREFIX}" )
  set( exec_prefix "\${prefix}" )
@@ -23,5 +23,5 @@
 -set(Wireshark_LIB_DIR           
"@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_LIBDIR@")
 +set(Wireshark_LIB_DIR           "@CMAKE_INSTALL_LIBDIR@")
  set(Wireshark_INCLUDE_DIR       "@CMAKE_INSTALL_PREFIX@/include/wireshark")
- set(Wireshark_CMAKE_MODULES_DIR "@CMAKE_INSTALL_MODULES_DIR@")
+ set(Wireshark_CMAKE_MODULES_DIR 
"@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_MODULES_DIR@")
  
diff -Nru wireshark-2.6.8/debian/patches/CVE-2019-12295.patch 
wireshark-2.6.20/debian/patches/CVE-2019-12295.patch
--- wireshark-2.6.8/debian/patches/CVE-2019-12295.patch 2019-05-27 
17:07:19.000000000 +0300
+++ wireshark-2.6.20/debian/patches/CVE-2019-12295.patch        1970-01-01 
02:00:00.000000000 +0200
@@ -1,42 +0,0 @@
-Description: CVE-2019-12295
- In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14,
- the dissection engine could crash. This was addressed in
- epan/packet.c by restricting the number of layers and
- consequently limiting recursion.
-Origin: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7b6e197da4c497e229ed3ebf6952bae5c426a820
-Bug-Debian: https://bugs.debian.org/929446
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
---- a/epan/packet.c
-+++ b/epan/packet.c
-@@ -725,6 +725,13 @@
- call_dissector_work_error(dissector_handle_t handle, tvbuff_t *tvb,
-                         packet_info *pinfo_arg, proto_tree *tree, void *);
- 
-+/*
-+ * XXX packet_info.curr_layer_num is a guint8 and *_MAX_RECURSION_DEPTH is
-+ * 100 elsewhere in the code. We should arguably use the same value here,
-+ * but using that makes suite_wslua.case_wslua.test_wslua_dissector_fpm fail.
-+ */
-+#define PINFO_LAYER_MAX_RECURSION_DEPTH 500
-+
- static int
- call_dissector_work(dissector_handle_t handle, tvbuff_t *tvb, packet_info 
*pinfo_arg,
-                   proto_tree *tree, gboolean add_proto_name, void *data)
-@@ -747,6 +754,7 @@
-       saved_proto = pinfo->current_proto;
-       saved_can_desegment = pinfo->can_desegment;
-       saved_layers_len = wmem_list_count(pinfo->layers);
-+      DISSECTOR_ASSERT(saved_layers_len < PINFO_LAYER_MAX_RECURSION_DEPTH);
- 
-       /*
-        * can_desegment is set to 2 by anyone which offers the
-@@ -2675,6 +2683,8 @@
-       saved_layers_len = wmem_list_count(pinfo->layers);
-       *heur_dtbl_entry = NULL;
- 
-+      DISSECTOR_ASSERT(saved_layers_len < PINFO_LAYER_MAX_RECURSION_DEPTH);
-+
-       for (entry = sub_dissectors->dissectors; entry != NULL;
-           entry = g_slist_next(entry)) {
-               /* XXX - why set this now and above? */
diff -Nru wireshark-2.6.8/debian/patches/series 
wireshark-2.6.20/debian/patches/series
--- wireshark-2.6.8/debian/patches/series       2019-05-27 17:03:48.000000000 
+0300
+++ wireshark-2.6.20/debian/patches/series      2020-11-26 21:21:18.000000000 
+0200
@@ -4,4 +4,5 @@
 09_idl2wrs.patch
 16_licence_about_location.patch
 17_libdir_location.patch
-CVE-2019-12295.patch
+0001-FBZERO-Make-sure-our-offset-advances.patch
+0001-GQUIC-make-sure-our-tag-offset-advances.patch
diff -Nru wireshark-2.6.8/debian/rules wireshark-2.6.20/debian/rules
--- wireshark-2.6.8/debian/rules        2019-05-27 17:00:57.000000000 +0300
+++ wireshark-2.6.20/debian/rules       2020-11-26 21:21:18.000000000 +0200
@@ -88,6 +88,10 @@
                debian/wireshark-dev/usr/share/pyshared/wireshark_be.py \
                debian/wireshark-dev/usr/share/pyshared/wireshark_gen.py
 
+override_dh_auto_test:
+       $(MAKE) -C obj-* test-programs
+       -dh_auto_test
+
 override_dh_clean:
        test ! -f version.conf.bak || mv version.conf.bak version.conf
        dh_clean
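Review bot: `override_dh_auto_test` runs `$(MAKE) -C obj-* test-programs` unconditionally, so a build with `nocheck` in `DEB_BUILD_OPTIONS` would still compile the test programs unless the debhelper compat level in use skips the override itself (not visible here). Wrapping the two recipe lines in `ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))` and `endif` makes that explicit. The `-` prefix on `dh_auto_test` discards every test failure, so for a security upload a regression in a patched dissector would not stop the build. A comment above that line such as `# test failures are non-fatal: <reason>` would record why, and the test log should be checked before upload.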
