wireshark security update for Wheezy LTS
Hi,

I have prepared an update for wireshark in Wheezy.
Please see the diff to the previous version attached.
A practically identical changeset has already been accepted to jessie-security.

Changes:
 wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u4) wheezy-security; urgency=medium
 .
   * security fixes from Wireshark 2.0.6:
     - The H.225 dissector could crash (CVE-2016-7176)
     - The Catapult DCT2000 dissector could crash (CVE-2016-7177)
     - The UMTS FP dissector could crash (CVE-2016-7178)
     - The Catapult DCT2000 dissector could crash (CVE-2016-7179)
     - The IPMI trace dissector could crash (CVE-2016-7180)

I plan to upload the package tomorrow around noon UTC.

Cheers,
Balint

diff -Nru wireshark-1.12.1+g01b65bf/debian/changelog wireshark-1.12.1+g01b65bf/debian/changelog --- wireshark-1.12.1+g01b65bf/debian/changelog 2016-08-14 16:20:37.0 +0200 +++ wireshark-1.12.1+g01b65bf/debian/changelog 2016-09-20 18:05:25.0 +0200 
@@ -1,3 +1,14 @@ +wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u4) wheezy-security; urgency=medium + + * security fixes from Wireshark 2.0.6: +- The H.225 dissector could crash (CVE-2016-7176) +- The Catapult DCT2000 dissector could crash (CVE-2016-7177) +- The UMTS FP dissector could crash (CVE-2016-7178) +- The Catapult DCT2000 dissector could crash (CVE-2016-7179) +- The IPMI trace dissector could crash (CVE-2016-7180) + + -- Balint ReczeyTue, 20 Sep 2016 18:05:16 +0200 + wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u3) wheezy-security; urgency=medium * security fixes from Wireshark 1.12.13: diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch --- wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch 1970-01-01 01:00:00.0 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch 2016-09-20 18:04:38.0 +0200 
@@ -0,0 +1,695 @@ +From 8b20fac0cdcbeb0266caf5307600e1e1f4912b99 Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Tue, 2 Aug 2016 20:39:34 -0700 +Subject: [PATCH 127/131] Don't snprintf() into a string with one of the + arguments being the same string. + +That doesn't work - you could be writing into the string from which +you're reading. + +Conflicts: + asn1/h225/h225.cnf + epan/dissectors/packet-h225.c + +Bug: 12700 + +Change-Id: I2fc6416e0613791dcd37ef70dbf00aae159008de +Reviewed-on: https://code.wireshark.org/review/16852 +Reviewed-by: Guy Harris +Reviewed-on: https://code.wireshark.org/review/17800 +Reviewed-by: Balint Reczey +--- + asn1/h225/h225.cnf| 58 +-- + epan/dissectors/packet-h225.c | 168 +++--- + 2 files changed, 127 insertions(+), 99 deletions(-) + +diff --git a/asn1/h225/h225.cnf b/asn1/h225/h225.cnf +index 2bece14..a6ad36b 100644 +--- a/asn1/h225/h225.cnf b/asn1/h225/h225.cnf +@@ -274,8 +274,12 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber + dissect_h245_FastStart_OLC(value_tvb, %(ACTX)s->pinfo, tree, codec_str); + } + +-/* Add to packet info */ +-g_snprintf(h225_pi->frame_label, 50, "%%s %%s", h225_pi->frame_label, codec_str); ++ /* Add to packet info */ ++ { ++char temp[50]; ++g_snprintf(temp, 50, "%%s %%s", h225_pi->frame_label, codec_str); ++g_strlcpy(h225_pi->frame_label, temp, 50); ++ } + + contains_faststart = TRUE; + h225_pi->is_faststart = TRUE; +@@ -362,10 +366,12 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber + #.FN_FTR Progress-UUIE + /* Add to packet info */ + h225_pi->cs_type = H225_PROGRESS; +- if (contains_faststart == TRUE ) +-g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, ""), h225_pi->frame_label); +- else +-g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "")); ++ if (contains_faststart) { ++char temp[50]; ++g_snprintf(temp, 50, "%s OLC (%s)", 
val_to_str(h225_pi->cs_type, T_h323_message_body_vals, ""), h225_pi->frame_label); ++g_strlcpy(h225_pi->frame_label, temp, 50); ++ } else ++g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "")); + #.END + # + #.FN_FTR SetupAcknowledge-UUIE +@@ -389,28 +395,34 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber + #.FN_FTR Setup-UUIE + /* Add to packet info */ + h225_pi->cs_type = H225_SETUP; +- if (contains_faststart == TRUE ) +- g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type,
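Review bot: in the debian/changelog hunk, CVE-2016-7177 and CVE-2016-7179 carry the identical text "The Catapult DCT2000 dissector could crash", so the entry does not show which fix belongs to which CVE. Add a distinguishing detail to each line, or name the patch file under debian/patches that addresses each CVE, so a later reader can check that all five CVEs are actually covered by the series.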
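Review bot: in the h225.cnf hunk at -274, the length 50 is written three times (the declaration of temp, the g_snprintf() bound and the g_strlcpy() bound), and nothing ties it to the real size of h225_pi->frame_label. If that field is ever resized, the copy bound silently becomes wrong. Use sizeof(temp) for the g_snprintf() call and take the g_strlcpy() bound from the destination (sizeof on the field if it is an array, otherwise a named constant shared with its declaration).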
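Review bot: in the Progress-UUIE hunk at -362, the braced "if (contains_faststart) {" is closed with "} else" followed by an unbraced g_snprintf(), which is easy to break on the next edit; brace both branches. The temp buffer, g_snprintf() and g_strlcpy() sequence is also a copy of the one in the -274 hunk, and the Setup-UUIE hunk starts the same pattern, so a small helper that composes the "%s OLC (%s)" label through a temporary and copies it back would keep the overlap fix in one place and make it harder for a later message type to reintroduce the self-referencing g_snprintf().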
wireshark security update for Wheezy LTS
Hi,

I have prepared an update for wireshark in Wheezy.
Please see the diff to the previous version attached.
A practically identical changeset has already been accepted to jessie-security.

Changes:
 wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u3) wheezy-security; urgency=medium
 .
   * security fixes from Wireshark 1.12.13:
     - The NDS dissector could crash (CVE-2016-6504)
     - The PacketBB dissector could crash (CVE-2016-6505)
     - The WSP dissector could go into an infinite loop (CVE-2016-6506)
     - The MMSE dissector could go into an infinite loop (CVE-2016-6507)
     - The RLC dissector could go into a long loop (CVE-2016-6508)
     - The LDSS dissector could crash (CVE-2016-6509)
     - The RLC dissector could crash (CVE-2016-6510)
     - The OpenFlow dissector could go into a long loop (CVE-2016-6511)
   * Cherry-pick fix for regressions caused by CVE-2016-6511's fix

I plan to upload the package tomorrow around noon UTC.

Cheers,
Balint

diff -Nru wireshark-1.12.1+g01b65bf/debian/changelog wireshark-1.12.1+g01b65bf/debian/changelog --- wireshark-1.12.1+g01b65bf/debian/changelog 2016-06-26 20:37:15.0 +0200 +++ wireshark-1.12.1+g01b65bf/debian/changelog 2016-08-14 16:20:37.0 +0200 
@@ -1,3 +1,18 @@ +wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u3) wheezy-security; urgency=medium + + * security fixes from Wireshark 1.12.13: +- The NDS dissector could crash (CVE-2016-6504) +- The PacketBB dissector could crash (CVE-2016-6505) +- The WSP dissector could go into an infinite loop (CVE-2016-6506) +- The MMSE dissector could go into an infinite loop (CVE-2016-6507) +- The RLC dissector could go into a long loop (CVE-2016-6508) +- The LDSS dissector could crash (CVE-2016-6509) +- The RLC dissector could crash (CVE-2016-6510) +- The OpenFlow dissector could go into a long loop (CVE-2016-6511) + * Cherry-pick fix for regressions caused by CVE-2016-6511's fix + + -- Balint ReczeySun, 14 Aug 2016 16:20:12 +0200 + wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u2) wheezy-security; urgency=high * security fixes from Wireshark 1.12.12: diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/118_1.12.13_dissect_nds_request-Add-NULL-check.patch wireshark-1.12.1+g01b65bf/debian/patches/118_1.12.13_dissect_nds_request-Add-NULL-check.patch --- wireshark-1.12.1+g01b65bf/debian/patches/118_1.12.13_dissect_nds_request-Add-NULL-check.patch 1970-01-01 01:00:00.0 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/118_1.12.13_dissect_nds_request-Add-NULL-check.patch 2016-08-12 20:29:06.0 +0200 
@@ -0,0 +1,33 @@ +From 471830020143111ca694a1153d9ea477343edde7 Mon Sep 17 00:00:00 2001 +From: Michael Mann +Date: Sat, 2 Jul 2016 10:37:20 -0400 +Subject: [PATCH 118/125] dissect_nds_request: Add NULL check + +Bug: 12576 +Change-Id: If25d65b58ccc3860a48a48d5dbc4a076a79ad459 +Reviewed-on: https://code.wireshark.org/review/16245 +Reviewed-by: Michael Mann +(cherry picked from commit 9eacbb4d48df647648127b9258f9e5aeeb0c7d99) +Reviewed-on: https://code.wireshark.org/review/17015 +Reviewed-by: Balint Reczey +--- + epan/dissectors/packet-ncp.inc | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-ncp.inc b/epan/dissectors/packet-ncp.inc +index 35f0fa6..6c7c4c6 100644 +--- a/epan/dissectors/packet-ncp.inc b/epan/dissectors/packet-ncp.inc +@@ -11803,7 +11803,8 @@ dissect_nds_request(tvbuff_t *tvb, packet_info *pinfo, + ; /* nothing */ + break; + } +-ptvcursor_free(ptvc); ++if (ptvc != NULL) ++ptvcursor_free(ptvc); + + /* Free the temporary proto_tree */ + CLEANUP_CALL_AND_POP; +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/119_1.12.13_packetbb-Prevent-divide-by-0.patch wireshark-1.12.1+g01b65bf/debian/patches/119_1.12.13_packetbb-Prevent-divide-by-0.patch --- wireshark-1.12.1+g01b65bf/debian/patches/119_1.12.13_packetbb-Prevent-divide-by-0.patch 1970-01-01 01:00:00.0 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/119_1.12.13_packetbb-Prevent-divide-by-0.patch 2016-08-12 20:29:06.0 +0200 
@@ -0,0 +1,48 @@ +From 5576ce24c69cf38c890f70696285e84d6e4c2932 Mon Sep 17 00:00:00 2001 +From: Michael Mann +Date: Sat, 2 Jul 2016 08:23:34 -0400 +Subject: [PATCH 119/125] packetbb: Prevent divide by 0. + +Bug: 12577 +Change-Id: Ibfa605597b786d8dbf1e256ef2ca6dc691498974 +Reviewed-on: https://code.wireshark.org/review/16241 +Petri-Dish: Michael Mann +Tested-by: Petri Dish Buildbot +Reviewed-by: Michael Mann +(cherry picked from commit 94e97e45cf614c7bb8fe90c23df52910246b2c95) +Reviewed-on: https://code.wireshark.org/review/16244 +(cherry picked from commit 3ce7de0ce8d32ded8e4c0ebf747886b9b5b1b26f) +Reviewed-on:
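Review bot: in the debian/changelog hunk, the line "Cherry-pick fix for regressions caused by CVE-2016-6511's fix" names neither the upstream commit nor the patch file that carries the regression fix. Since this entry is the only place that records a follow-up to a security fix, reference the patch file name or the upstream change so the regression fix can be audited and kept together with the OpenFlow patch in future backports.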
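Review bot: the guard added before ptvcursor_free(ptvc) in the dissect_nds_request hunk covers only this call site, and neither the commit message (just "Add NULL check" and Bug: 12576) nor a code comment says which path reaches the cleanup with ptvc still NULL. Consider having ptvcursor_free() return early on a NULL cursor so every caller is protected, or at least add a one-line comment naming the case that leaves the cursor unallocated, so the check is not removed later as apparently dead code.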