* Moritz Mühlenhoff <[email protected]> [2026-01-30 09:27]:
On Fri, Jan 23, 2026 at 12:49:33PM -0300, Matheus Polkorny wrote:
On Wed, Jan 21, 2026 at 09:46:11PM -0300, Matheus Polkorny wrote:
> Hello,
>
> I will prepare an upload of Wireshark for trixie

Hi,

I’ve imported the upstream patches to fix CVE-2026-0959,
CVE-2026-0961, and CVE-2026-0962 for trixie.

The wireshark.debdiff is attached for review. If this looks good to you,
Samuel can proceed with the upload.

The merge request is available at:
https://salsa.debian.org/debian/wireshark/-/merge_requests/6

Ah, missed that.

For Wireshark we had moved to a setup where we are following
the upstream LTS releases for as long as they are supported,
so we should rebase to 4.4.13 instead.

@Matheus please tell me if you need help with that.

For CVE-2026-0962 we still need to figure out if bookworm is affected,
the rest of the latest batches don't affect 4.0

Good point, looks like it is not. The bug was introduced in ca941e3881fc85e032159d004b8bdb499b590ad3 "SOME/IP-SD: improve Entry/Option handling and port registering" which is not part of the 4.0 branch.

I would still like to fix CVE-2024-11596 and CVE-2025-5601 in bookworm, would you be ok if I upload the attached patch to proposed?

Cheers Jochen
From 779a236ea63e5bfa2626f1a30f81256edd77b49e Mon Sep 17 00:00:00 2001
From: Jochen Sprickerhof <[email protected]>
Date: Wed, 28 Jan 2026 13:22:56 +0100
Subject: [PATCH] DSA 4.0.17-0+deb12u2

---
 debian/changelog                    |  10 ++
 debian/patches/CVE-2024-11596.patch | 162 ++++++++++++++++++++++++++++
 debian/patches/CVE-2025-5601.patch  |  58 ++++++++++
 debian/patches/series               |   2 +
 4 files changed, 232 insertions(+)
 create mode 100644 debian/patches/CVE-2024-11596.patch
 create mode 100644 debian/patches/CVE-2025-5601.patch

diff --git a/debian/changelog b/debian/changelog
index 25987ad4c3..87852f4ded 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+wireshark (4.0.17-0+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2024-11596: ECMP dissector crash allows denial of service via
+    packet injection or crafted capture file.
+  * Fix CVE-2025-5601: Column handling crashes allows denial of service via
+    packet injection or crafted capture file.
+
+ -- Jochen Sprickerhof <[email protected]>  Wed, 28 Jan 2026 13:22:40 +0100
+
 wireshark (4.0.17-0+deb12u1) bookworm; urgency=medium
 
   * Non-maintainer upload.
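
Review bot: The distribution field of the new entry is `bookworm`, but the patch Subject calls this "DSA 4.0.17-0+deb12u2" and the covering mail asks about an upload to proposed. Decide which route this takes and make the Subject and the distribution field agree with it. In the CVE-2025-5601 bullet, "Column handling crashes allows" should read "Column handling crash allows". Each bullet could also name the patch file it adds (debian/patches/CVE-2024-11596.patch, debian/patches/CVE-2025-5601.patch), so the changelog maps directly onto debian/patches/series.
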
diff --git a/debian/patches/CVE-2024-11596.patch b/debian/patches/CVE-2024-11596.patch
new file mode 100644
index 0000000000..188344e6e5
--- /dev/null
+++ b/debian/patches/CVE-2024-11596.patch
@@ -0,0 +1,162 @@
+From: Gerald Combs <[email protected]>
+Date: Thu, 14 Nov 2024 10:56:37 -0800
+Subject: ECMP: Exorcise a string buffer arithmetic gremlin
+
+Use a wmem_strbuf instead of manually allocating a string and managing
+its offsets.
+
+Avoid appending a dangling space to our string.
+
+Fixes #20214
+
+(cherry picked from commit c8e58870733f88f275ca9a6fa115ed085f987d94)
+
+Conflicts:
+	epan/dissectors/packet-ecmp.c
+
+origin: https://gitlab.com/wireshark/wireshark/-/merge_requests/18076/diffs?commit_id=06e0b0bb0925fe4b99cfb7243cce473031b09dee
+---
+ epan/dissectors/packet-ecmp.c | 77 +++++++++----------------------------------
+ 1 file changed, 16 insertions(+), 61 deletions(-)
+
+diff --git a/epan/dissectors/packet-ecmp.c b/epan/dissectors/packet-ecmp.c
+index 5b0ed6a..a1e351b 100644
+--- a/epan/dissectors/packet-ecmp.c
++++ b/epan/dissectors/packet-ecmp.c
+@@ -1122,72 +1122,54 @@ static int display_raw_cyclic_data(guint8 display, int offset, guint16 buffer_si
+ 		proto_tree_add_bytes_format_value(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, offset-1, 0, NULL, "No data");
+ 	} else {
+ 		/* define some variables  */
+-		gchar*		pdata = NULL; /* pointer to array that stores the formatted data string */
+-		guint16		idx = 0; /* counts through formatted string array */
+-		guint8		value8 = 0; /* placeholder for extracted 8-bit data */
+-		guint16		value16 = 0; /* placeholder for extracted 16-bit data */
+-		guint32		value32 = 0; /* placeholder for extracted 32-bit data */
++		wmem_strbuf_t*	pdata = wmem_strbuf_new(wmem_packet_scope(), ""); /* formatted data string */
+ 		guint16		num_elements_total = 0; /* contains total number of elements (byte/word/long) to be processed  */
+ 		const guint16	num_byte_elements_per_line = 16; /* number of byte (8-bit) elements per line e.g.  "1B " (3 chars per element)  */
+ 		const guint16	num_word_elements_per_line = 16; /* number of word (16-bit) elements per line e.g.  "A81B " (5 chars per element) */
+ 		const guint16	num_long_elements_per_line = 8; /* number of long (32-bit) elements per line e.g.  "01F4A81B " (9 chars per element) */
+ 		guint16		num_elements_per_line = 8; /* counts the current number of elements per line */
+ 		guint16		num_elements = 0; /* counts the number of elements in the format string */
+-		guint16		format_string_size = 0; /* size of dynamic array to hold the formatted string */
+ 		guint16		a = 0; /* value used for looping */
+ 		int		start_offset, line_offset;
+ 
+-		/* calculate format string array size and other stuff                               */
+-		/*                                                                                  */
+-		/* Note: format string does require a nul-terminator (the + 1 in the equations)     */
+-		/*                                                                                  */
+-		/* display = 0:  (byte format  "1D 24 3F ... A3 "                                   */
+-		/*      format_string_size = (num_byte_elements_per_line * 3) + 1                   */
+-		/*                                                                                  */
+-		/* display = 1:  (word format  "1D24 3F84 120B ... 1FA3 "                           */
+-		/*      format_string_size = (num_word_elements_per_line * 5) + 1                   */
+-		/*                                                                                  */
+-		/* display = 2:  (byte format  "1D243F84 9BC08F20 ... 28BB1FA3 "                    */
+-		/*      format_string_size = (num_long_elements_per_line * 9) + 1                   */
++		/* calculate number of elements                                                     */
+ 		/*                                                                                  */
+ 		if (display == cyclic_display_byte_format) {
+-			format_string_size = (num_byte_elements_per_line * 3) + 1; /* format_string_size = 49  */
+ 			num_elements_per_line = num_byte_elements_per_line; /* num_elements_per_line = 16  */
+ 			num_elements_total = buffer_size;
+ 		} else if (display == cyclic_display_word_format) {
+-			format_string_size = (num_word_elements_per_line * 5) + 1; /* format_string_size = 81  */
+ 			num_elements_per_line = num_word_elements_per_line; /* num_elements_per_line = 16  */
+ 			num_elements_total = buffer_size >> 1;
+ 		} else if (display == cyclic_display_long_format) {
+-			format_string_size = (num_long_elements_per_line * 9) + 1; /* format_string_size = 73  */
+ 			num_elements_per_line = num_long_elements_per_line; /* num_elements_per_line = 8  */
+ 			num_elements_total = buffer_size >> 2;
+ 		} else {
+-			format_string_size = (num_byte_elements_per_line * 3) + 1; /* format_string_size = 49  */
+ 			num_elements_per_line = num_byte_elements_per_line; /* num_elements_per_line = 16  */
+ 			num_elements_total = buffer_size;
+ 		}
+ 
+-		/* allocate dynamic memory for one line  */
+-		pdata = (gchar *)wmem_alloc(wmem_packet_scope(), format_string_size);
+-
+ 		/* OK, let's get started */
+-		idx = 0;
+ 		num_elements = 0;
+ 
+ 		line_offset = start_offset = offset;
+ 		/* work through the display elements, 1 byte\word\long at a time  */
+-		for (a = 0; a < num_elements_total; a++ )
+-			{
++		for (a = 0; a < num_elements_total; a++ ) {
++			if (wmem_strbuf_get_len(pdata) > 0) {
++				wmem_strbuf_append_c(pdata, ' ');
++			}
++
+ 			/* use Wireshark accessor function to get the next byte, word, or long data  */
+ 			if (display == cyclic_display_byte_format) {
+-				value8 = tvb_get_guint8(tvb, offset);
++				guint8 value8 = tvb_get_guint8(tvb, offset);
++				wmem_strbuf_append_printf(pdata, "%02x", value8);
+ 				offset++;
+ 			} else if (display == cyclic_display_word_format) {
+-				value16 = tvb_get_ntohs(tvb, offset);
++				guint16 value16 = tvb_get_ntohs(tvb, offset);
++				wmem_strbuf_append_printf(pdata, "%04x", value16);
+ 				offset += 2;
+ 			} else if (display == cyclic_display_long_format) {
+-				value32 = tvb_get_ntohl(tvb, offset);
++				guint32 value32 = tvb_get_ntohl(tvb, offset);
++				wmem_strbuf_append_printf(pdata, "%08x", value32);
+ 				offset += 4;
+ 			}
+ 
+@@ -1196,47 +1178,20 @@ static int display_raw_cyclic_data(guint8 display, int offset, guint16 buffer_si
+ 
+ 			/* check if we hit the max number of byte elements per line  */
+ 			if (num_elements >= num_elements_per_line) {
+-				/* we hit end of the current line  */
+-				/* add final value to string */
+-				if (display == cyclic_display_byte_format) {
+-					snprintf(&pdata[idx], 32, "%02x",value8);
+-				} else if (display == cyclic_display_word_format) {
+-						snprintf(&pdata[idx], 32, "%04x",value16);
+-				} else if (display == cyclic_display_long_format) {
+-					snprintf(&pdata[idx], 32, "%08x",value32);
+-				}
+-
+ 				/* display the completed line in the sub-tree  */
+-				proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, offset, offset-line_offset, NULL, "%s", pdata);
++				proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, offset, offset-line_offset, NULL, "%s", wmem_strbuf_get_str(pdata));
+ 
+ 				/* start the line over */
+-				idx = 0;
++				wmem_strbuf_truncate(pdata, 0);
+ 				num_elements = 0;
+ 				line_offset = offset;
+-
+-			} else {
+-				/* we're still adding to the current line  */
+-				/* add current value to string */
+-				if (display == cyclic_display_byte_format) {
+-					snprintf(&pdata[idx], 32, "%02x ",value8);
+-					idx += 3;
+-				} else if (display == cyclic_display_word_format) {
+-					snprintf(&pdata[idx], 32, "%04x ",value16);
+-					idx += 5;
+-				} else if (display == cyclic_display_long_format) {
+-					snprintf(&pdata[idx], 32, "%08x ",value32);
+-					idx += 9;
+-				}
+ 			}
+ 		}
+ 
+ 		/* if we exited the loop, see if there's a partial line to display  */
+ 		if (num_elements > 0) {
+-			/* add null-terminator to partial line  */
+-			pdata[idx] = 0x00;
+-
+ 			/* display the partial line in the sub-tree  */
+-			proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, start_offset, offset-start_offset, NULL, "%s", pdata);
++			proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, start_offset, offset-start_offset, NULL, "%s", wmem_strbuf_get_str(pdata));
+ 		}
+ 	}
+ 	return offset;
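
Review bot: The patch header records "Conflicts: epan/dissectors/packet-ecmp.c" without saying how the conflict was resolved, and the "origin:" URL carries commit_id 06e0b0bb0925fe4b99cfb7243cce473031b09dee while the cherry-pick line names c8e58870733f88f275ca9a6fa115ed085f987d94. Please state which commit this was taken from and what was adapted for the 4.0 branch, so the backport can be compared against upstream. On the code itself: when counting elements, the final `else` treats an unrecognised `display` value as byte format (`num_elements_total = buffer_size`), but the append chain inside the loop is `if / else if / else if` with no matching fallback, so for such a value nothing is appended to `pdata` and `offset` does not advance. That shape is carried over from the removed code rather than introduced here, but it is worth confirming that `display` is limited to the three known formats before this function is reached.
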
diff --git a/debian/patches/CVE-2025-5601.patch b/debian/patches/CVE-2025-5601.patch
new file mode 100644
index 0000000000..4930b883fd
--- /dev/null
+++ b/debian/patches/CVE-2025-5601.patch
@@ -0,0 +1,58 @@
+From: John Thacker <[email protected]>
+Date: Sat, 26 Apr 2025 10:01:19 +0000
+Subject: column: Do not allow fence to go beyond column size when prepending
+
+When moving the fence location forward when prepending, ensure
+that it does not go past the end of the buffer.
+
+Also get rid of unnecessary branching and strlen calls.
+
+Fix #20509
+
+(cherry picked from commit 53213086304caa3dfbdd7dc39c2668a3aea1a5c0)
+
+Co-authored-by: John Thacker <[email protected]>
+origin: https://gitlab.com/wireshark/wireshark/-/merge_requests/18076/diffs?commit_id=8c186dbb381cf51064fa8dbff7953468d5ae394c
+---
+ epan/column-utils.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/epan/column-utils.c b/epan/column-utils.c
+index e80558d..6886608 100644
+--- a/epan/column-utils.c
++++ b/epan/column-utils.c
+@@ -578,8 +578,13 @@ col_prepend_fstr(column_info *cinfo, const gint el, const gchar *format, ...)
+       /*
+        * Move the fence, unless it's at the beginning of the string.
+        */
+-      if (col_item->col_fence > 0)
++      if (col_item->col_fence > 0) {
++        /* pos >= strlen if truncation occurred; this saves on a strlen
++         * call and prevents adding a single byte character later if a
++         * a multibyte character was truncated (good). */
+         col_item->col_fence += (int) strlen(col_item->col_buf);
++        col_item->col_fence = MIN((int)(max_len - 1), col_item->col_fence);
++      }
+ 
+       (void) g_strlcat(col_item->col_buf, orig, max_len);
+       col_item->col_data = col_item->col_buf;
+@@ -622,11 +627,14 @@ col_prepend_fence_fstr(column_info *cinfo, const gint el, const gchar *format, .
+        * Move the fence if it exists, else create a new fence at the
+        * end of the prepended data.
+        */
+-      if (col_item->col_fence > 0) {
+-        col_item->col_fence += (int) strlen(col_item->col_buf);
+-      } else {
+-        col_item->col_fence = (int) strlen(col_item->col_buf);
+-      }
++      /* pos >= strlen if truncation occurred; this saves on a strlen
++       * call and prevents adding a single byte character later if a
++       * a multibyte character was truncated (good). */
++      col_item->col_fence += (int) strlen(col_item->col_buf);
++      col_item->col_fence = MIN((int)(max_len - 1), col_item->col_fence);
++      /*
++       * Append the original data.
++       */
+       (void) g_strlcat(col_item->col_buf, orig, max_len);
+       col_item->col_data = col_item->col_buf;
+     }
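
Review bot: The comment added in both col_prepend_fstr and col_prepend_fence_fstr says "pos >= strlen if truncation occurred; this saves on a strlen call", yet the added lines still compute `strlen(col_item->col_buf)` and no `pos` appears anywhere in these hunks. The comment should be reworded for this backport so that it describes the code as it stands; it also contains a doubled "a" ("if a / a multibyte character"). In the second hunk, replacing the `if (col_item->col_fence > 0) ... else ...` with an unconditional `+=` matches the removed code only if `col_fence` is never negative on entry, because the old `else` branch assigned the length instead of adding it. A short note in the patch description that this holds would help. The `MIN((int)(max_len - 1), col_item->col_fence)` clamp is the substantive change and looks consistent between the two functions.
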
diff --git a/debian/patches/series b/debian/patches/series
index 3834e173fe..e1e7c9c149 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
 09_idl2wrs.patch
 0004-Use-packaged-JS-and-CSS-resources-instead-of-pulling.patch
 0001-DOCSIS-Extended-EH-Elements-are-not-recursive.patch
+CVE-2024-11596.patch
+CVE-2025-5601.patch
-- 
2.51.0
