Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-1.9.git;a=commitdiff;h=200681131f1aa8a16c5b59f7ba34253162eb2799

commit 200681131f1aa8a16c5b59f7ba34253162eb2799
Author: kikadf <[email protected]>
Date:   Sat Nov 29 13:56:11 2014 +0100

wireshark-1.8.15-1arcturus2-x86_64

* Fix CVE-2014-8710, CVE-2014-8711, CVE-2014-8712, CVE-2014-8713,
* CVE-2014-8714

diff --git a/source/xapps-extra/wireshark/CVE-2014-8710.patch 
b/source/xapps-extra/wireshark/CVE-2014-8710.patch
new file mode 100644
index 0000000..a55494e
--- /dev/null
+++ b/source/xapps-extra/wireshark/CVE-2014-8710.patch
@@ -0,0 +1,43 @@
+From 63b971cd752ac9cdb48d297a48e86851ef7e4ac1 Mon Sep 17 00:00:00 2001
+From: Evan Huus <[email protected]>
+Date: Tue, 4 Nov 2014 21:31:17 -0500
+Subject: [PATCH 4/5] sigcomp-udvm: fix invalid access
+
+Way back in 2006, svn r20041 (now gd408f2f6fc) worked around a problem by
+limiting the amount of buffer dealt with in the udvm_state_access call 
(changing
+it from state_minimum_access_length_buff[n] to STATE_MIN_ACCESS_LEN).
+
+The very next line however, tries to read the same amount of buffer to display
+to the user - since it seems nobody ever applied a proper fix for the original
+case, just apply the same workaround to the second call.
+
+Conflicts:
+       epan/sigcomp-udvm.c
+
+Bug: 10662
+Change-Id: I32c81ee2a8eb7b30ff7ab1fbbb6ea5f206385d4b
+Reviewed-on: https://code.wireshark.org/review/5125
+Reviewed-by: Evan Huus <[email protected]>
+Reviewed-on: https://code.wireshark.org/review/5331
+Reviewed-by: Michael Mann <[email protected]>
+Reviewed-on: https://code.wireshark.org/review/5355
+---
+ epan/sigcomp-udvm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/epan/sigcomp-udvm.c b/epan/sigcomp-udvm.c
+index dc5cfdb..929234f 100644
+--- a/epan/sigcomp-udvm.c
++++ b/epan/sigcomp-udvm.c
+@@ -2707,7 +2707,7 @@ execute_next_instruction:
+                               udvm_state_create(sha1buff, sha1_digest_buf, 
STATE_MIN_ACCESS_LEN);
+ /* end partial state-id change [email protected] */
+                               proto_tree_add_text(udvm_tree,bytecode_tvb, 0, 
-1,"### Creating state ###");
+-                              proto_tree_add_string(udvm_tree,hf_id, 
bytecode_tvb, 0, 0, bytes_to_str(sha1_digest_buf, 
state_minimum_access_length_buff[n]));
++                              proto_tree_add_string(udvm_tree,hf_id, 
bytecode_tvb, 0, 0, bytes_to_str(sha1_digest_buf, STATE_MIN_ACCESS_LEN));
+
+                               n++;
+
+--
+2.1.3
+
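Review bot: The length value `state_minimum_access_length_buff[n]` is still not range-checked anywhere in this patch; the inner hunk at epan/sigcomp-udvm.c line 2707 only stops passing it to `bytes_to_str()`, mirroring the earlier workaround on the `udvm_state_create()` call. The commit message itself calls this a workaround, so any other use of that array entry as a length for `sha1_digest_buf` would presumably read past the digest again; the value should be validated where it is stored, which is outside the hunk. Until that is done, a comment on the changed line would record the intent, e.g. `/* state_minimum_access_length_buff[n] is not validated; show only STATE_MIN_ACCESS_LEN bytes of the digest */`. The displayed state identifier is now always a fixed-length prefix, which is worth stating so the truncation is not later mistaken for a bug.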
diff --git a/source/xapps-extra/wireshark/CVE-2014-8711.patch 
b/source/xapps-extra/wireshark/CVE-2014-8711.patch
new file mode 100644
index 0000000..1276e1e
--- /dev/null
+++ b/source/xapps-extra/wireshark/CVE-2014-8711.patch
@@ -0,0 +1,51 @@
+From f18ced8f1da11e1760b85726b0890457223c768d Mon Sep 17 00:00:00 2001
+From: Bill Meier <[email protected]>
+Date: Sun, 19 Oct 2014 10:04:39 -0400
+Subject: [PATCH 5/5] packet-amqp.c: Temporary/preliminary fix for Bug #10582
+ (crash)
+
+This is a temporary/preliminary fix to prevent the buildbot fuzz-test
+ failures seen when testing the capture file attached to Bug #10582.
+
+As noted in the bug, a complete fix will require some reworking of
+  the amqp dissector.
+
+Change-Id: I2571f1eeb46a7eede04b8d809e87b95f1ff529df
+Reviewed-on: https://code.wireshark.org/review/4835
+Reviewed-by: Bill Meier <[email protected]>
+(cherry picked from commit 8def8ef9c40189472a46d9b1ad95289780e09af5)
+Reviewed-on: https://code.wireshark.org/review/4837
+Reviewed-by: Evan Huus <[email protected]>
+Reviewed-on: https://code.wireshark.org/review/5356
+---
+ epan/dissectors/packet-amqp.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/epan/dissectors/packet-amqp.c b/epan/dissectors/packet-amqp.c
+index 3d42d0a..9c610a9 100644
+--- a/epan/dissectors/packet-amqp.c
++++ b/epan/dissectors/packet-amqp.c
+@@ -53,10 +53,20 @@ static int amqp_port = 5672;
+
+ /*  Generic defines  */
+
++#if 0
+ #define AMQP_INCREMENT(offset, addend, bound) {\
+     offset += (addend);\
+     THROW_ON((offset > bound), ReportedBoundsError);  \
+ }
++#else /* --> (temporary until in-progress code review completed; See Bug 
#10582) */
++#define AMQP_INCREMENT(offset, addend, bound) {\
++        THROW_ON( \
++            (((unsigned)(offset) + (unsigned)(addend)) < (unsigned)(offset)) 
|| \
++            (((unsigned)(offset) + (unsigned)(addend)) > (unsigned)(bound )) \
++            , ReportedBoundsError);  \
++    offset += (addend); \
++}
++#endif
+
+ /*
+  * This dissector handles AMQP 0-9 and 0-10. The conversation structure
+--
+2.1.3
+
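Review bot: The replacement `AMQP_INCREMENT` narrows `offset`, `addend` and `bound` with `(unsigned)` casts before comparing, so if any call site passes a 64-bit length (call sites are outside the hunk) the high bits are dropped and a malformed oversized length would be accepted instead of raising `ReportedBoundsError`. The wrap test also relies on performing the addition first. Comparing in a wide unsigned type without adding, as sketched below, covers both cases; negative `offset` or `addend` values still become very large and are rejected. The `#if 0` copy of the old macro can go once the rework tracked in Bug 10582 lands.

```c
#define AMQP_INCREMENT(offset, addend, bound) {\
    const guint64 amqp_off_ = (guint64)(offset); \
    const guint64 amqp_add_ = (guint64)(addend); \
    const guint64 amqp_max_ = (guint64)(bound); \
    THROW_ON((amqp_off_ > amqp_max_) || (amqp_add_ > amqp_max_ - amqp_off_), \
             ReportedBoundsError); \
    offset += (addend); \
}
```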
diff --git a/source/xapps-extra/wireshark/CVE-2014-8712.patch 
b/source/xapps-extra/wireshark/CVE-2014-8712.patch
new file mode 100644
index 0000000..aef47a6
--- /dev/null
+++ b/source/xapps-extra/wireshark/CVE-2014-8712.patch
@@ -0,0 +1,38 @@
+From 4028d5ba2714f7270190f8f86ead2412975fc878 Mon Sep 17 00:00:00 2001
+From: Evan Huus <[email protected]>
+Date: Sat, 25 Oct 2014 14:08:57 -0400
+Subject: [PATCH 2/5] ncp2222: initialize buffer in build_expert_data
+
+We do a bunch of conditional logic to fill in the buffer, and then were 
checking
+strlen(buffer) to see if we'd actually filled it in or not, but if we hadn't
+then the buffer was garbage and strlen(buffer) was throwing valgrind warnings.
+Ensure this works as intended by setting the first byte of the buffer
+unconditionally at the beginning, so strlen(buffer) returns 0 as expected in
+that case.
+
+Bug: 10628
+Change-Id: I6f6c29fbbcb601b6ebccb3a4b312f0fa72c169ae
+Reviewed-on: https://code.wireshark.org/review/4925
+Reviewed-by: Evan Huus <[email protected]>
+(cherry picked from commit b726d17816e0af213a554b6b4138e432ac002dd8)
+Reviewed-on: https://code.wireshark.org/review/5353
+Reviewed-by: Balint Reczey <[email protected]>
+---
+ epan/dissectors/packet-ncp2222.inc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/epan/dissectors/packet-ncp2222.inc 
b/epan/dissectors/packet-ncp2222.inc
+index 79f8fa4..176248d 100644
+--- a/epan/dissectors/packet-ncp2222.inc
++++ b/epan/dissectors/packet-ncp2222.inc
+@@ -2686,6 +2686,7 @@ build_expert_data(proto_tree *ncp_tree, const char 
*hf_name, char *buffer,
+     char            temp_buffer[256]="\0";
+     gboolean        in_struct=FALSE;
+
++    buffer[0] = '\0';
+     tree_loc = ncp_tree->first_child;
+     for (tree_pointer=tree_loc; tree_pointer!=NULL; 
tree_pointer=tree_pointer->next)
+     {
+--
+2.1.3
+
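Review bot: The added `buffer[0] = '\0';` in build_expert_data carries no comment explaining why it is needed, so it is easy to delete later as redundant. According to the commit message, `strlen(buffer)` is used afterwards to tell whether the buffer was filled in, so a comment such as `/* strlen(buffer) is checked later; start from an empty string in case nothing is written */` belongs on that line. The write is also unconditional: if the function receives a buffer size (the signature is cut off in the hunk header), prefixing it with `if (buffer_size > 0)` would keep a zero-length buffer safe. The function body continues outside the hunk.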
diff --git a/source/xapps-extra/wireshark/CVE-2014-8713.patch 
b/source/xapps-extra/wireshark/CVE-2014-8713.patch
new file mode 100644
index 0000000..78900e9
--- /dev/null
+++ b/source/xapps-extra/wireshark/CVE-2014-8713.patch
@@ -0,0 +1,42 @@
+From b75179a7c392a134801bf988b1b2d7400d4670b4 Mon Sep 17 00:00:00 2001
+From: Evan Huus <[email protected]>
+Date: Mon, 13 Oct 2014 12:55:40 -0400
+Subject: [PATCH 3/5] ncp2222: don't overflow buffer constructing string
+
+Fixes stack-smashing vuln.
+
+Somehow there was already an XXX in the code about this, but nobody realized at
+the time it was worth fixing... really?
+
+Bug: 10552
+Change-Id: I849068bd6c45146339444f295b72430d3c6e08f2
+Reviewed-on: https://code.wireshark.org/review/4653
+Reviewed-by: Evan Huus <[email protected]>
+(cherry picked from commit b9988e2bbfc7c6c41ef82c559bd11a8c19170491)
+Reviewed-on: https://code.wireshark.org/review/4654
+Reviewed-on: https://code.wireshark.org/review/5336
+Reviewed-by: Michael Mann <[email protected]>
+(cherry picked from commit 6b8c5dba634cde2fe95fca81668337380f19d641)
+Reviewed-on: https://code.wireshark.org/review/5354
+Reviewed-by: Balint Reczey <[email protected]>
+---
+ epan/dissectors/packet-ncp2222.inc | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/packet-ncp2222.inc 
b/epan/dissectors/packet-ncp2222.inc
+index 176248d..38559ae 100644
+--- a/epan/dissectors/packet-ncp2222.inc
++++ b/epan/dissectors/packet-ncp2222.inc
+@@ -2712,8 +2712,7 @@ build_expert_data(proto_tree *ncp_tree, const char 
*hf_name, char *buffer,
+             case 18:
+             case 19:
+             case 20:            /* string */
+-                /* XXX: Should we verify: buffer_size is as large as value 
returned by get_finfo_length(...)  ???      */
+-                
uni_to_string(get_finfo_value_string(PTREE_FINFO(tree_pointer)), 
get_finfo_length(PTREE_FINFO(tree_pointer)), buffer);
++                
uni_to_string(get_finfo_value_string(PTREE_FINFO(tree_pointer)), 
MIN(get_finfo_length(PTREE_FINFO(tree_pointer)), buffer_size), buffer);
+                 if (repeat_lookup > 0) {
+                     if (strlen(temp_buffer) + strlen(buffer) < 250) {
+                         g_strlcat(temp_buffer, buffer, 256);
+--
+2.1.3
+
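Review bot: Clamping the length to `buffer_size` in the `uni_to_string()` call may still be one byte too generous. If `uni_to_string()` writes a terminating NUL after the copied characters (its body is not in this hunk), a field of `buffer_size` or more characters would put the terminator at `buffer[buffer_size]`; `MIN(get_finfo_length(PTREE_FINFO(tree_pointer)), buffer_size - 1)` would leave room for it. It is also worth confirming that `get_finfo_length()` cannot return a negative value, since `MIN` would pass it through and it could be converted to a very large unsigned count. The removed XXX comment was the only hint about this constraint, so a one-line comment stating that the length is bounded by the destination size should replace it.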
diff --git a/source/xapps-extra/wireshark/CVE-2014-8714.patch 
b/source/xapps-extra/wireshark/CVE-2014-8714.patch
new file mode 100644
index 0000000..5430ac0
--- /dev/null
+++ b/source/xapps-extra/wireshark/CVE-2014-8714.patch
@@ -0,0 +1,37 @@
+From 170b5630c94189bac0665dc1161057f6de937c68 Mon Sep 17 00:00:00 2001
+From: Martin Kaiser <[email protected]>
+Date: Mon, 20 Oct 2014 22:37:51 +0200
+Subject: [PATCH 1/5] tn5250: fix an endless loop, exit when offset is not
+ incremented
+
+Bug: 10596
+Change-Id: I64509aa49fce4893dee4e7a74a560e09a98830f6
+Reviewed-on: https://code.wireshark.org/review/4878
+Reviewed-by: Martin Kaiser <[email protected]>
+Tested-by: Martin Kaiser <[email protected]>
+(cherry picked from commit bc2726578156f3608960fc65ce1f691639e6addc)
+Reviewed-on: https://code.wireshark.org/review/4879
+Reviewed-by: Evan Huus <[email protected]>
+(cherry picked from commit fad4ecce54ac890117ab94e804b9689695b28be9)
+Reviewed-on: https://code.wireshark.org/review/5352
+Reviewed-by: Balint Reczey <[email protected]>
+---
+ epan/dissectors/packet-tn5250.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/epan/dissectors/packet-tn5250.c b/epan/dissectors/packet-tn5250.c
+index 2a041e4..347759c 100644
+--- a/epan/dissectors/packet-tn5250.c
++++ b/epan/dissectors/packet-tn5250.c
+@@ -4647,6 +4647,8 @@ dissect_write_structured_field(proto_tree *tn5250_tree, 
tvbuff_t *tvb, gint offs
+           length = tvb_get_guint8(tvb,offset);
+           proto_tree_add_item(tn5250_tree, hf_tn5250_length, tvb, offset,
+                               1, ENC_BIG_ENDIAN);
++          if (length==0)
++            break;
+           proto_tree_add_item(tn5250_tree, hf_tn5250_dpt_ec, tvb, offset,
+                               length, ENC_EBCDIC|ENC_NA);
+           offset += length;
+--
+2.1.3
+
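Review bot: The added `if (length==0) break;` stops silently on a zero length byte, and the construct that `break` leaves is not visible in the hunk. If this statement sits in a `switch` case inside the loop rather than directly in the loop body, `break` would only leave the switch and the loop could keep running with `offset` unchanged, so this is worth checking against the full function. A zero length here means a malformed field, so the exit should be visible: either report it to the user or at least add a comment such as `/* a zero length would never advance offset; stop dissecting this field */`. Bracing the `if` body would also make the early exit harder to break in a later edit.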
diff --git a/source/xapps-extra/wireshark/FrugalBuild 
b/source/xapps-extra/wireshark/FrugalBuild
index fccfe37..ed95cff 100644
--- a/source/xapps-extra/wireshark/FrugalBuild
+++ b/source/xapps-extra/wireshark/FrugalBuild
@@ -5,7 +5,7 @@ options+=('asneeded')

pkgname=wireshark
pkgver=1.8.15
-pkgrel=1arcturus1
+pkgrel=1arcturus2
pkgdesc="The world's most popular network protocol analyzer"
url="http://www.wireshark.org/";
depends=('libkrb5' 'gtk+2>=2.20.0-2' 'libpcap' 'gnutls>=2.12.12' 
'openssl>=1.0.0')
@@ -17,18 +17,25 @@ _F_gnome_iconcache="y"
_F_gnome_desktop="y"
Finclude gnome-scriptlet
up2date="lynx -dump http://www.wireshark.org/download.html | grep stable -m1 | 
sed 's/.*is \(.*\)\. .*/\1/'"
-source=(http://www.wireshark.org/download/src/$pkgname-$pkgver.tar.bz2)
+source=(http://www.wireshark.org/download/src//all-versions/$pkgname-$pkgver.tar.bz2)
sha1sums=('0c5d87db77acb4508819d4d5d3674265a7444f49')

## TODO: split GUI / utils

# FSA fix ***
source=(${source[@]} CVE-2014-5161-5162.patch CVE-2014-5163.patch
-                     CVE-2014-5164.patch CVE-2014-5165.patch)
+                     CVE-2014-5164.patch CVE-2014-5165.patch 
CVE-2014-8710.patch
+                     CVE-2014-8711.patch CVE-2014-8712.patch 
CVE-2014-8713.patch
+                     CVE-2014-8714.patch)
sha1sums=(${sha1sums[@]} 'c6041fcb35ce7bda66f4185f37d4ec44d5b8861b' \
'f0894ed02dd2c165dd5af72db14ac8dede1ae9d6' \
'5b53305699847d21bd21991639756d1a932043cf' \
-                         '29d9cfb8f381fe85374168f1c48e7a8716da7443')
+                         '29d9cfb8f381fe85374168f1c48e7a8716da7443' \
+                         '6e1a14a5e48bb3b5e9629c6ff7a2f01902fd683b' \
+                         'b54cfe0f961a5bc4dc785f12a5e0246addd8c6d8' \
+                         '843ad111b868ddf2e7e3b7cf1fa477e8ddd01225' \
+                         'f2bad25d4e1e24e9906f98a9c1eff0a6c4629980' \
+                         '311ce10f11d07d163e0e3f3d302f1159c4dd21e8')
# ***********
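Review bot: The new `source=` URL contains a doubled slash, `download/src//all-versions/`, which looks like a typo and only works if the server normalises the path; `download/src/all-versions/$pkgname-$pkgver.tar.bz2` is presumably what was intended. The tarball is still fetched over plain `http://`, and both it and the five new security patches are pinned only by SHA-1 digests in `sha1sums`. If the build system offers a stronger digest or a signature check, this security update is a good occasion to adopt it, and the URL should move to `https://` if the host serves it.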
