diff -u wireshark-0.99.6rel/debian/changelog wireshark-0.99.6rel/debian/changelog
--- wireshark-0.99.6rel/debian/changelog
+++ wireshark-0.99.6rel/debian/changelog
@@ -1,3 +1,42 @@
+wireshark (0.99.6rel-3ubuntu0.3) gutsy-security; urgency=low
+
+ * SECURITY UPDATE: The dissect_btacl function in packet-bthci_acl.c in the
+ Bluetooth ACL dissector in Wireshark 0.99.2 through 1.0.3 allows remote
+ attackers to cause a denial of service (application crash or abort) via
+ a packet with an invalid length, related to an erroneous tvb_memcpy call.
+ (LP #290716)
+ - debian/patches/33_CVE-2008-4683.dpatch - buffer check to prevent
+ overflow - Jeff Morris.
+ - Cherrypicked from http://anonsvn.wireshark.org/wireshark/trunk
+ - Revision: 25195
+ - Included patch not listed by CVE to prevent memory overflow in
+ bluetooth dissector - Jeff Morris.
+ - Cherrypicked from http://anonsvn.wireshark.org/wireshark/trunk
+ - Revision: 25196
+ - CVE-2008-4683
+ * SECURITY UPDATE: packet-frame in Wireshark 0.99.2 through 1.0.3 does not
+ properly handle exceptions thrown by post dissectors, which allows
+ remote attackers to cause a denial of service (application crash) via
+ a certain series of packets, as demonstrated by enabling the (1) PRP
+ or (2) MATE post dissector. (LP #290716)
+ - debian/patches/34_CVE-2008-4684.dpatch - Catch errors given
+ post dissectors - Jeff Morris, wmeier
+ - Cherrypicked from http://anonsvn.wireshark.org/wireshark/trunk
+ - Revision: 25339, 25342, 25344
+ - CVE-2008-4684
+ * SECURITY UPDATE: Use-after-free vulnerability in the dissect_q931_cause_ie
+ function in packet-q931.c in the Q.931 dissector in Wireshark 0.10.3
+ through 1.0.3 allows remote attackers to cause a denial of service (application
+ crash or abort) via certain packets that trigger an exception. (LP #290716)
+ - debian/patches/35_CVE-2008-4685.dpatch - Wrap dissect_q931_cause_ie() in
+ which clears the have_valid_q931_pi semaphore - Jaap Keuter.
+ - Cherrypicked from http://anonsvn.wireshark.org/wireshark/trunk
+ - Included as was detected as vulnerable even although CVE says otherwise.
+ - Revision: 26190
+ - CVE-2008-4685
+
+ -- Stefan Lesicnik Sun, 02 Nov 2008 19:32:37 +0200
+
 wireshark (0.99.6rel-3ubuntu0.2) gutsy-security; urgency=low
 * SECURITY UPDATE: (LP: #172283)
diff -u wireshark-0.99.6rel/debian/patches/00list wireshark-0.99.6rel/debian/patches/00list
--- wireshark-0.99.6rel/debian/patches/00list
+++ wireshark-0.99.6rel/debian/patches/00list
@@ -30,0 +31,3 @@
+33_CVE-2008-4683
+34_CVE-2008-4684
+35_CVE-2008-4685
only in patch2: unchanged:
--- wireshark-0.99.6rel.orig/debian/patches/35_CVE-2008-4685.dpatch
+++ wireshark-0.99.6rel/debian/patches/35_CVE-2008-4685.dpatch
@@ -0,0 +1,49 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 35_CVE-2008-4685.dpatch by Stefan Lesicnik
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2008-4685
+
+@DPATCH@
+
+=== modified file 'epan/dissectors/packet-q931.c'
+--- wireshark-1.0.3/epan/dissectors/packet-q931.c 2008-10-28 11:47:19 +0000
++++ wireshark-1.0.3/epan/dissectors/packet-q931.c 2008-10-28 14:04:45 +0000
+@@ -1182,8 +1182,8 @@
+ { 0x00, NULL }
+ };
+
+-void
+-dissect_q931_cause_ie(tvbuff_t *tvb, int offset, int len,
++static void
++dissect_q931_cause_ie_unsafe(tvbuff_t *tvb, int offset, int len,
+ proto_tree *tree, int hf_cause_value, guint8 *cause_value)
+ {
+ guint8 octet;
+@@ -1341,6 +1341,16 @@
+ }
+ }
+
++void
++dissect_q931_cause_ie(tvbuff_t *tvb, int offset, int len,
++ proto_tree *tree, int hf_cause_value, guint8 *cause_value)
++{
++ gboolean have_valid_q931_pi_save = have_valid_q931_pi;
++ have_valid_q931_pi = FALSE;
++ dissect_q931_cause_ie_unsafe(tvb, offset, len, tree, hf_cause_value, cause_value);
++ have_valid_q931_pi = have_valid_q931_pi_save;
++}
++
+ /*
+ * Dissect a Call state information element.
+ */
+@@ -2768,7 +2778,7 @@
+ break;
+
+ case CS0 | Q931_IE_CAUSE:
+- dissect_q931_cause_ie(tvb,
++ dissect_q931_cause_ie_unsafe(tvb,
+ offset + 2, info_element_len,
+ ie_tree,
+ hf_q931_cause_value, &dummy);
+
only in patch2: unchanged:
--- wireshark-0.99.6rel.orig/debian/patches/34_CVE-2008-4684.dpatch
+++ wireshark-0.99.6rel/debian/patches/34_CVE-2008-4684.dpatch
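Review bot: The wrapper `dissect_q931_cause_ie` restores `have_valid_q931_pi` only on the normal-return path; when `dissect_q931_cause_ie_unsafe` throws — the exception case this CVE is about — the final assignment is skipped and the flag stays FALSE. That looks like the intended safe outcome (presumably `q931_pi` is only written while the flag is TRUE), but nothing in the code says so, so the restore line deserves a comment such as `/* Skipped if the callee throws; FALSE is then the safe state. */`. The `_unsafe` definition should likewise carry a line stating that it may only be called from inside the Q.931 dissector, where `have_valid_q931_pi` reflects a live `q931_pi` — which is presumably why the internal call at 2768 now uses it directly — and that every external caller has to go through the wrapper. The functions touched at 1182 and 2768 start and end outside the hunk.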
@@ -0,0 +1,135 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 34_CVE-2008-4684.dpatch by Stefan Lesicnik
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2008-4684
+
+@DPATCH@
+
+=== modified file 'epan/dissectors/packet-frame.c'
+--- wireshark-1.0.3/epan/dissectors/packet-frame.c 2008-10-28 11:47:19 +0000
++++ wireshark-1.0.3/epan/dissectors/packet-frame.c 2008-10-29 10:41:56 +0000
+@@ -351,7 +351,49 @@
+ pinfo->layer_names = NULL;
+ }
+
+- call_all_postdissectors(tvb, pinfo, parent_tree);
++ /* Call postdissectors if we have any (while trying to avoid another
++ * TRY/CATCH)
++ */
++ if (have_postdissector()) {
++ TRY {
++#ifdef _MSC_VER
++ /* Win32: Visual-C Structured Exception Handling (SEH) to trap hardware exceptions like memory access violations */
++ /* (a running debugger will be called before the except part below) */
++ __try {
++#endif
++ call_all_postdissectors(tvb, pinfo, parent_tree);
++#ifdef _MSC_VER
++ } __except(TRUE /* handle all exceptions */) {
++ switch(GetExceptionCode()) {
++ case(STATUS_ACCESS_VIOLATION):
++ show_exception(tvb, pinfo, parent_tree, DissectorError,
++ "STATUS_ACCESS_VIOLATION: dissector accessed an invalid memory address");
++ break;
++ case(STATUS_INTEGER_DIVIDE_BY_ZERO):
++ show_exception(tvb, pinfo, parent_tree, DissectorError,
++ "STATUS_INTEGER_DIVIDE_BY_ZERO: dissector tried an integer division by zero");
++ break;
++ case(STATUS_STACK_OVERFLOW):
++ show_exception(tvb, pinfo, parent_tree, DissectorError,
++ "STATUS_STACK_OVERFLOW: dissector overflowed the stack (e.g. 
endless loop)");
++ /* XXX - this will have probably corrupted the stack, which makes problems later in the exception code */
++ break;
++ /* XXX - add other hardware exception codes as required */
++ default:
++ show_exception(tvb, pinfo, parent_tree, DissectorError,
++ g_strdup_printf("dissector caused an unknown exception: 0x%x", GetExceptionCode()));
++ }
++ }
++#endif
++ }
++ CATCH(OutOfMemoryError) {
++ RETHROW;
++ }
++ CATCH_ALL {
++ show_exception(tvb, pinfo, parent_tree, EXCEPT_CODE, GET_MESSAGE);
++ }
++ ENDTRY;
++ }
+
+ tap_queue_packet(frame_tap, pinfo, NULL);
+
+=== modified file 'epan/packet.h'
+--- wireshark-1.0.3/epan/packet.h 2008-10-28 11:47:19 +0000
++++ wireshark-1.0.3/epan/packet.h 2008-10-29 10:42:04 +0000
+@@ -413,6 +413,7 @@
+ * dissector has been called.
+ */
+ extern void register_postdissector(dissector_handle_t);
++extern gboolean have_postdissector();
+ extern void call_all_postdissectors(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);
+
+ #ifdef __cplusplus
+
+=== modified file 'epan/packet.c'
+--- wireshark-1.0.3/epan/packet.c 2008-10-30 11:59:57 +0000
++++ wireshark-1.0.3/epan/packet.c 2008-11-02 14:48:03 +0000
+@@ -1792,14 +1792,17 @@
+ }
+
+ void
+-dissector_dump_decodes() {
++dissector_dump_decodes()
++{
+ dissector_all_tables_foreach(dissector_dump_decodes_display, NULL);
+ }
+
+ static GPtrArray* post_dissectors = NULL;
+ static guint num_of_postdissectors = 0;
+
+-void register_postdissector(dissector_handle_t handle) {
++void
++register_postdissector(dissector_handle_t handle)
++{
+ if (!post_dissectors)
+ post_dissectors = g_ptr_array_new();
+
+@@ -1807,11 +1810,31 @@
+ num_of_postdissectors++;
+ }
+
+-extern void call_all_postdissectors(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
+- guint i;
+- for(i=0;iprotocol != NULL
++ && proto_is_protocol_enabled(handle->protocol)) {
++ /* We have at least one enabled postdissector */
++ return TRUE;
++ }
++ }
++ return FALSE;
++}
++
++void
++call_all_postdissectors(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
++{
++ guint i;
++
++ for(i = 0; i < num_of_postdissectors; i++) {
+ call_dissector((dissector_handle_t) g_ptr_array_index(post_dissectors,i),
+- tvb,pinfo,tree);
++ tvb,pinfo,tree);
+ }
+ }
+-
+
only in patch2: unchanged:
--- wireshark-0.99.6rel.orig/debian/patches/33_CVE-2008-4683.dpatch
+++ wireshark-0.99.6rel/debian/patches/33_CVE-2008-4683.dpatch
@@ -0,0 +1,37 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 33_CVE-2008-4683.dpatch by Stefan Lesicnik
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2008-4683 and additional memory overflow
+
+@DPATCH@
+
+=== modified file 'epan/dissectors/packet-bthci_acl.c'
+--- wireshark-1.0.3/epan/dissectors/packet-bthci_acl.c 2008-10-28 11:47:19 +0000
++++ wireshark-1.0.3/epan/dissectors/packet-bthci_acl.c 2008-10-28 13:44:52 +0000
+@@ -169,9 +169,9 @@
+ mfp->first_frame=pinfo->fd->num;
+ mfp->last_frame=0;
+ mfp->tot_len=l2cap_length+4;
+- mfp->reassembled=se_alloc(l2cap_length+4);
+- tvb_memcpy(tvb, (guint8*)mfp->reassembled, offset, tvb_length_remaining(tvb, offset));
+- mfp->cur_off=tvb_length_remaining(tvb, offset);
++ mfp->reassembled=se_alloc(mfp->tot_len);
++ tvb_memcpy(tvb, (guint8*)mfp->reassembled, offset, mfp->tot_len);
++ mfp->cur_off=mfp->tot_len;
+ se_tree_insert32(chandle_data->start_fragments, pinfo->fd->num, mfp);
+ } else {
+ mfp=se_tree_lookup32(chandle_data->start_fragments, pinfo->fd->num);
+
+Index: wireshark-1.0.3/epan/epan.c
+===================================================================
+--- wireshark-1.0.3/epan/epan.c (revision 25195)
++++ wireshark-1.0.3/epan/epan.c (revision 25196)
+@@ -107,6 +107,7 @@
+ void
+ epan_cleanup(void)
+ {
++ se_free_all();
+ expert_cleanup();
+ dfilter_cleanup();
+ proto_cleanup();
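Review bot: In the `default:` branch of the `__except` handler in packet-frame.c, the message built with `g_strdup_printf(...)` is handed to `show_exception` and never freed, so every unknown hardware exception leaks one string unless `show_exception` takes ownership, which nothing in the hunk shows; either free the buffer after the call or use a packet-scoped allocation. The enclosing function in packet-frame.c starts and ends outside the hunk. In packet.h, `extern gboolean have_postdissector();` is a non-prototype declaration and gets no argument checking; it should read `extern gboolean have_postdissector(void);` to match the definition. The middle of the packet.c part of this hunk is garbled in this copy (`+- for(i=0;iprotocol != NULL`), so the loop body of `have_postdissector()` cannot be reviewed here.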
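Review bot: The replacement `tvb_memcpy` in packet-bthci_acl.c now copies `mfp->tot_len` bytes, and `tvb_memcpy` throws a bounds exception when fewer bytes remain in the tvb; since this branch records a first fragment for later reassembly (its enclosing condition is outside the hunk), a fragment shorter than the whole PDU would now abort dissection of the frame instead of being stored, and `mfp->cur_off=mfp->tot_len` marks the PDU complete before any continuation fragment arrives. If that is not intended, the overflow is closed just as well by clamping with an `int` local: `len = tvb_length_remaining(tvb, offset); if (len > mfp->tot_len) len = mfp->tot_len;` then `tvb_memcpy(tvb, (guint8*)mfp->reassembled, offset, len);` and `mfp->cur_off=len;`. Confirm against the branch condition before the hunk; the `se_free_all()` addition in `epan_cleanup` needs no change.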