wireshark security update for Wheezy LTS

2016-09-20 Thread Bálint Réczey
Hi,

I have prepared an update for wireshark in Wheezy.

Please see the diff to the previous version attached. A practically
identical changeset has already been accepted into jessie-security.

Changes:
 wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u4) wheezy-security; urgency=medium
 .
   * security fixes from Wireshark 2.0.6:
 - The H.225 dissector could crash (CVE-2016-7176)
 - The Catapult DCT2000 dissector could crash (CVE-2016-7177)
 - The UMTS FP dissector could crash (CVE-2016-7178)
 - The Catapult DCT2000  dissector could crash (CVE-2016-7179)
 - The IPMI trace dissector could crash (CVE-2016-7180)

I plan to upload the package tomorrow around noon UTC.

Cheers,
Balint


diff -Nru wireshark-1.12.1+g01b65bf/debian/changelog wireshark-1.12.1+g01b65bf/debian/changelog
--- wireshark-1.12.1+g01b65bf/debian/changelog	2016-08-14 16:20:37.0 +0200
+++ wireshark-1.12.1+g01b65bf/debian/changelog	2016-09-20 18:05:25.0 +0200
@@ -1,3 +1,14 @@
+wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u4) wheezy-security; urgency=medium
+
+  * security fixes from Wireshark 2.0.6:
+- The H.225 dissector could crash (CVE-2016-7176)
+- The Catapult DCT2000 dissector could crash (CVE-2016-7177)
+- The UMTS FP dissector could crash (CVE-2016-7178)
+- The Catapult DCT2000  dissector could crash (CVE-2016-7179)
+- The IPMI trace dissector could crash (CVE-2016-7180)
+
+ -- Balint Reczey   Tue, 20 Sep 2016 18:05:16 +0200
+
 wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u3) wheezy-security; urgency=medium
 
   * security fixes from Wireshark 1.12.13:
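Review bot: typo in the CVE-2016-7179 entry, "Catapult DCT2000  dissector" has a double space (the CVE-2016-7177 entry two lines above is spelled with a single one); worth fixing before upload since the changelog text is what ends up in the DLA. The five entries otherwise match the upstream 2.0.6 fix titles, and the deb8u6~deb7u4 version string correctly sorts below the jessie package it is derived from because "~" sorts before anything in Debian version comparison.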
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch	1970-01-01 01:00:00.0 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch	2016-09-20 18:04:38.0 +0200
@@ -0,0 +1,695 @@
+From 8b20fac0cdcbeb0266caf5307600e1e1f4912b99 Mon Sep 17 00:00:00 2001
+From: Guy Harris 
+Date: Tue, 2 Aug 2016 20:39:34 -0700
+Subject: [PATCH 127/131] Don't snprintf() into a string with one of the
+ arguments being the same string.
+
+That doesn't work - you could be writing into the string from which
+you're reading.
+
+Conflicts:
+	asn1/h225/h225.cnf
+	epan/dissectors/packet-h225.c
+
+Bug: 12700
+
+Change-Id: I2fc6416e0613791dcd37ef70dbf00aae159008de
+Reviewed-on: https://code.wireshark.org/review/16852
+Reviewed-by: Guy Harris 
+Reviewed-on: https://code.wireshark.org/review/17800
+Reviewed-by: Balint Reczey 
+---
+ asn1/h225/h225.cnf|  58 +--
+ epan/dissectors/packet-h225.c | 168 +++---
+ 2 files changed, 127 insertions(+), 99 deletions(-)
+
+diff --git a/asn1/h225/h225.cnf b/asn1/h225/h225.cnf
+index 2bece14..a6ad36b 100644
+--- a/asn1/h225/h225.cnf
 b/asn1/h225/h225.cnf
+@@ -274,8 +274,12 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber
+ 		dissect_h245_FastStart_OLC(value_tvb, %(ACTX)s->pinfo, tree, codec_str);
+ 	}
+ 
+-/* Add to packet info */
+-g_snprintf(h225_pi->frame_label, 50, "%%s %%s", h225_pi->frame_label, codec_str);
++  /* Add to packet info */
++  {
++char temp[50];
++g_snprintf(temp, 50, "%%s %%s", h225_pi->frame_label, codec_str);
++g_strlcpy(h225_pi->frame_label, temp, 50);
++  }
+ 
+ 	contains_faststart = TRUE;
+ 	h225_pi->is_faststart = TRUE;
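Review bot: the replacement is right: the removed line passed h225_pi->frame_label both as the destination of g_snprintf and as one of its %s arguments, and the C standard makes snprintf undefined when source and destination overlap, so the call could read bytes it had already overwritten. Two nits on the new block: the length 50 is now repeated three times (char temp[50], g_snprintf(temp, 50, ...), g_strlcpy(..., 50)); using sizeof(temp) in the two calls keeps them in step if the buffer ever changes size. And the doubled "%%s" is correct only because this is the asn2wrs .cnf template, where "%" is escaped; the generated epan/dissectors/packet-h225.c listed in the diffstat must carry a single "%s", so check that file was regenerated rather than hand-edited.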
+@@ -362,10 +366,12 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber
+ #.FN_FTR Progress-UUIE
+   /* Add to packet info */
+   h225_pi->cs_type = H225_PROGRESS;
+-  if (contains_faststart == TRUE )
+-g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, ""), h225_pi->frame_label);
+-  else
+-g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, ""));
++  if (contains_faststart) {
++char temp[50];
++g_snprintf(temp, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, ""), h225_pi->frame_label);
++g_strlcpy(h225_pi->frame_label, temp, 50);
++  } else
++g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, ""));
+ #.END
+ #
+ #.FN_FTR SetupAcknowledge-UUIE
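Review bot: same aliasing defect, same temp-buffer fix, and the else branch is correctly left writing straight into h225_pi->frame_label because none of its arguments alias the destination. Style point: the if branch now has braces while the else branch lost its statement onto an unbraced continuation line ("} else" followed by the g_snprintf on its own line); give both branches braces so a later addition to the else path is not silently left outside it. Dropping "== TRUE" for the plain boolean test is an improvement.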
+@@ -389,28 +395,34 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber
+ #.FN_FTR Setup-UUIE
+   /* Add to packet info */
+   h225_pi->cs_type = H225_SETUP;
+-  if (contains_faststart == TRUE )
+-  g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, 
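Review bot: this hunk is cut off in the archived attachment after the first argument of val_to_str, so the Setup-UUIE replacement cannot be checked from the list mail; the removed lines show the same pattern as in Progress-UUIE (h225_pi->frame_label used both as destination and as a "%s" argument), so the same temp[50] plus g_strlcpy treatment is expected there. Review the full debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch in the uploaded source package rather than this excerpt.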

wireshark security update for Wheezy LTS

2016-08-14 Thread Bálint Réczey
Hi,

I have prepared an update for wireshark in Wheezy.

Please see the diff to the previous version attached. A practically
identical changeset has already been accepted into jessie-security.

Changes:
 wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u3) wheezy-security; urgency=medium
 .
   * security fixes from Wireshark 1.12.13:
 - The NDS dissector could crash (CVE-2016-6504)
 - The PacketBB dissector could crash (CVE-2016-6505)
 - The WSP dissector could go into an infinite loop (CVE-2016-6506)
 - The MMSE dissector could go into an infinite loop (CVE-2016-6507)
 - The RLC dissector could go into a long loop (CVE-2016-6508)
 - The LDSS dissector could crash (CVE-2016-6509)
 - The RLC dissector could crash (CVE-2016-6510)
 - The OpenFlow dissector could go into a long loop (CVE-2016-6511)
   * Cherry-pick fix for regressions caused by CVE-2016-6511's fix

I plan to upload the package tomorrow around noon UTC.

Cheers,
Balint

diff -Nru wireshark-1.12.1+g01b65bf/debian/changelog wireshark-1.12.1+g01b65bf/debian/changelog
--- wireshark-1.12.1+g01b65bf/debian/changelog	2016-06-26 20:37:15.0 +0200
+++ wireshark-1.12.1+g01b65bf/debian/changelog	2016-08-14 16:20:37.0 +0200
@@ -1,3 +1,18 @@
+wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u3) wheezy-security; urgency=medium
+
+  * security fixes from Wireshark 1.12.13:
+- The NDS dissector could crash (CVE-2016-6504)
+- The PacketBB dissector could crash (CVE-2016-6505)
+- The WSP dissector could go into an infinite loop (CVE-2016-6506)
+- The MMSE dissector could go into an infinite loop (CVE-2016-6507)
+- The RLC dissector could go into a long loop (CVE-2016-6508)
+- The LDSS dissector could crash (CVE-2016-6509)
+- The RLC dissector could crash (CVE-2016-6510)
+- The OpenFlow dissector could go into a long loop (CVE-2016-6511)
+  * Cherry-pick fix for regressions caused by CVE-2016-6511's fix
+
+ -- Balint Reczey   Sun, 14 Aug 2016 16:20:12 +0200
+
 wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u2) wheezy-security; urgency=high
 
   * security fixes from Wireshark 1.12.12:
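Review bot: urgency is inconsistent between the security entries: the new deb7u3 entry uses urgency=medium while the previous deb7u2 entry, also a wheezy-security upload, used urgency=high. Urgency has no effect for a security upload (it only drives testing migration), so this is not a blocker, but pick one value for the series. The last bullet, "Cherry-pick fix for regressions caused by CVE-2016-6511's fix", would be easier to trace if it named the upstream bug number or Change-Id being cherry-picked, as the patch headers below do.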
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/118_1.12.13_dissect_nds_request-Add-NULL-check.patch wireshark-1.12.1+g01b65bf/debian/patches/118_1.12.13_dissect_nds_request-Add-NULL-check.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/118_1.12.13_dissect_nds_request-Add-NULL-check.patch	1970-01-01 01:00:00.0 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/118_1.12.13_dissect_nds_request-Add-NULL-check.patch	2016-08-12 20:29:06.0 +0200
@@ -0,0 +1,33 @@
+From 471830020143111ca694a1153d9ea477343edde7 Mon Sep 17 00:00:00 2001
+From: Michael Mann 
+Date: Sat, 2 Jul 2016 10:37:20 -0400
+Subject: [PATCH 118/125] dissect_nds_request: Add NULL check
+
+Bug: 12576
+Change-Id: If25d65b58ccc3860a48a48d5dbc4a076a79ad459
+Reviewed-on: https://code.wireshark.org/review/16245
+Reviewed-by: Michael Mann 
+(cherry picked from commit 9eacbb4d48df647648127b9258f9e5aeeb0c7d99)
+Reviewed-on: https://code.wireshark.org/review/17015
+Reviewed-by: Balint Reczey 
+---
+ epan/dissectors/packet-ncp.inc | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-ncp.inc b/epan/dissectors/packet-ncp.inc
+index 35f0fa6..6c7c4c6 100644
+--- a/epan/dissectors/packet-ncp.inc
 b/epan/dissectors/packet-ncp.inc
+@@ -11803,7 +11803,8 @@ dissect_nds_request(tvbuff_t *tvb, packet_info *pinfo,
+ ; /* nothing */
+ break;
+ }
+-ptvcursor_free(ptvc);
++if (ptvc != NULL)
++ptvcursor_free(ptvc);
+ 
+ /* Free the temporary proto_tree */
+ CLEANUP_CALL_AND_POP;
+-- 
+2.1.4
+
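Review bot: the added check only guards the free; ptvcursor_free(ptvc) was the NULL dereference, and skipping it when the cursor was never created stops that crash, but with three lines of context it is not visible whether ptvc is also used earlier in the switch on the same path. Confirm in epan/dissectors/packet-ncp.inc that every other use of ptvc after the point where it can still be NULL sits behind the same test, otherwise the crash just moves earlier. Carrying the upstream commit id and Bug: 12576 in the header is the right way to document the cherry-pick.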
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/119_1.12.13_packetbb-Prevent-divide-by-0.patch wireshark-1.12.1+g01b65bf/debian/patches/119_1.12.13_packetbb-Prevent-divide-by-0.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/119_1.12.13_packetbb-Prevent-divide-by-0.patch	1970-01-01 01:00:00.0 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/119_1.12.13_packetbb-Prevent-divide-by-0.patch	2016-08-12 20:29:06.0 +0200
@@ -0,0 +1,48 @@
+From 5576ce24c69cf38c890f70696285e84d6e4c2932 Mon Sep 17 00:00:00 2001
+From: Michael Mann 
+Date: Sat, 2 Jul 2016 08:23:34 -0400
+Subject: [PATCH 119/125] packetbb: Prevent divide by 0.
+
+Bug: 12577
+Change-Id: Ibfa605597b786d8dbf1e256ef2ca6dc691498974
+Reviewed-on: https://code.wireshark.org/review/16241
+Petri-Dish: Michael Mann 
+Tested-by: Petri Dish Buildbot 
+Reviewed-by: Michael Mann 
+(cherry picked from commit 94e97e45cf614c7bb8fe90c23df52910246b2c95)
+Reviewed-on: https://code.wireshark.org/review/16244
+(cherry picked from commit 3ce7de0ce8d32ded8e4c0ebf747886b9b5b1b26f)
+Reviewed-on: