diff -u wireshark-1.0.3/debian/changelog wireshark-1.0.3/debian/changelog
--- wireshark-1.0.3/debian/changelog
+++ wireshark-1.0.3/debian/changelog
@@ -1,3 +1,69 @@
+wireshark (1.0.3-1ubuntu2.1) intrepid-security; urgency=low
+
+ * SECURITY UPDATE: packet-usb.c in the USB dissector in Wireshark 0.99.7
+ through 1.0.3 allows remote attackers to cause a denial of service
+ (application crash or abort) via a malformed USB Request Block (URB).
+ (LP #290716)
+ - debian/patches/30_CVE-2008-4680.dpatch - Properly initialise
+ data structures in packet-usb.c - Gerald Combs.
+ - Cherrypicked from http://anonsvn.wireshark.org/wireshark/trunk
+ - Revision: 26333
+ - CVE-2008-4680
+ * SECURITY UPDATE: Unspecified vulnerability in the Bluetooth RFCOMM
+ dissector in Wireshark 0.99.7 through 1.0.3 allows remote attackers
+ to cause a denial of service (application crash or abort) via unknown
+ packets. (LP #290716)
+ - debian/patches/31_CVE-2008-4681.dpatch - Properly initialise
+ data structures in btrfcomm.c - Gerald Combs.
+ - Cherrypicked from http://anonsvn.wireshark.org/wireshark/trunk
+ - Revision: 26333
+ - CVE-2008-4681
+ * SECURITY UPDATE: wtap.c in Wireshark 0.99.7 through 1.0.3 allows remote
+ attackers to cause a denial of service (application abort) via a
+ malformed Tamos CommView capture file (aka .ncf file) with an
+ "unknown/unexpected packet type" that triggers a failed assertion.
+ (LP #290716)
+ - debian/patches/32_CVE-2008-4682.dpatch - Return an error if it
+ finds an unknown/unexpected packet type - Jeff Morris.
+ - Cherrypicked from http://anonsvn.wireshark.org/wireshark/trunk
+ - Revision: 26327
+ - CVE-2008-4682
+ * SECURITY UPDATE: The dissect_btacl function in packet-bthci_acl.c in the
+ Bluetooth ACL dissector in Wireshark 0.99.2 through 1.0.3 allows remote
+ attackers to cause a denial of service (application crash or abort) via
+ a packet with an invalid length, related to an erroneous tvb_memcpy call.
+ (LP #290716)
+ - debian/patches/33_CVE-2008-4683.dpatch - buffer check to prevent
+ overflow - Jeff Morris.
+ - Cherrypicked from http://anonsvn.wireshark.org/wireshark/trunk
+ - Revision: 25195
+ - Included patch not listed by CVE to prevent memory overflow in
+ bluetooth dissector - Jeff Morris.
+ - Cherrypicked from http://anonsvn.wireshark.org/wireshark/trunk
+ - Revision: 25196
+ - CVE-2008-4683
+ * SECURITY UPDATE: packet-frame in Wireshark 0.99.2 through 1.0.3 does not
+ properly handle exceptions thrown by post dissectors, which allows
+ remote attackers to cause a denial of service (application crash) via
+ a certain series of packets, as demonstrated by enabling the (1) PRP
+ or (2) MATE post dissector. (LP #290716)
+ - debian/patches/34_CVE-2008-4684.dpatch - Catch errors given
+ post dissectors - Jeff Morris, wmeier
+ - Cherrypicked from http://anonsvn.wireshark.org/wireshark/trunk
+ - Revision: 25339, 25342, 25344
+ - CVE-2008-4684
+ * SECURITY UPDATE: Use-after-free vulnerability in the dissect_q931_cause_ie
+ function in packet-q931.c in the Q.931 dissector in Wireshark 0.10.3 through
+ 1.0.3 allows remote attackers to cause a denial of service (application crash
+ or abort) via certain packets that trigger an exception. (LP #290716)
+ - debian/patches/35_CVE-2008-4685.dpatch - Wrap dissect_q931_cause_ie() in
+ which clears the have_valid_q931_pi semaphore - Jaap Keuter.
+ - Cherrypicked from http://anonsvn.wireshark.org/wireshark/trunk
+ - Revision: 26190
+ - CVE-2008-4685
+
+ -- Stefan Lesicnik Wed, 29 Oct 2008 22:31:07 +0200
+
 wireshark (1.0.3-1ubuntu2) intrepid; urgency=low
 
 * Add debian/patches/20_sigpipe.dpatch, which restores the default sigpipe
diff -u wireshark-1.0.3/debian/patches/00list wireshark-1.0.3/debian/patches/00list
--- wireshark-1.0.3/debian/patches/00list
+++ wireshark-1.0.3/debian/patches/00list
@@ -12,0 +13,6 @@
+30_CVE-2008-4680
+31_CVE-2008-4681
+32_CVE-2008-4682
+33_CVE-2008-4683
+34_CVE-2008-4684
+35_CVE-2008-4685
only in patch2: unchanged:
--- wireshark-1.0.3.orig/debian/patches/35_CVE-2008-4685.dpatch
+++ wireshark-1.0.3/debian/patches/35_CVE-2008-4685.dpatch
@@ -0,0 +1,49 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 35_CVE-2008-4685.dpatch by Stefan Lesicnik
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2008-4685
+
+@DPATCH@
+
+=== modified file 'epan/dissectors/packet-q931.c'
+--- wireshark-1.0.3/epan/dissectors/packet-q931.c 2008-10-28 11:47:19 +0000
++++ wireshark-1.0.3/epan/dissectors/packet-q931.c 2008-10-28 14:04:45 +0000
+@@ -1182,8 +1182,8 @@
+ { 0x00, NULL }
+ };
+
+-void
+-dissect_q931_cause_ie(tvbuff_t *tvb, int offset, int len,
++static void
++dissect_q931_cause_ie_unsafe(tvbuff_t *tvb, int offset, int len,
+ proto_tree *tree, int hf_cause_value, guint8 *cause_value)
+ {
+ guint8 octet;
+@@ -1341,6 +1341,16 @@
+ }
+ }
+
++void
++dissect_q931_cause_ie(tvbuff_t *tvb, int offset, int len,
++ proto_tree *tree, int hf_cause_value, guint8 *cause_value)
++{
++ gboolean have_valid_q931_pi_save = have_valid_q931_pi;
++ have_valid_q931_pi = FALSE;
++ dissect_q931_cause_ie_unsafe(tvb, offset, len, tree, hf_cause_value, cause_value);
++ have_valid_q931_pi = have_valid_q931_pi_save;
++}
++
+ /*
+ * Dissect a Call state information element.
+ */
+@@ -2768,7 +2778,7 @@
+ break;
+
+ case CS0 | Q931_IE_CAUSE:
+- dissect_q931_cause_ie(tvb,
++ dissect_q931_cause_ie_unsafe(tvb,
+ offset + 2, info_element_len,
+ ie_tree,
+ hf_q931_cause_value, &dummy);
+
only in patch2: unchanged:
--- wireshark-1.0.3.orig/debian/patches/34_CVE-2008-4684.dpatch
+++ wireshark-1.0.3/debian/patches/34_CVE-2008-4684.dpatch
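Review bot: The wrapper `dissect_q931_cause_ie()` added in the second inner hunk writes `have_valid_q931_pi_save` back only on normal return; Wireshark's TRY/CATCH is longjmp-based, so when `dissect_q931_cause_ie_unsafe()` throws — the situation the changelog entry describes — the restore is skipped and the flag is left FALSE. FALSE is the conservative state for a file-static semaphore that the Q.931 dissector presumably re-arms on its next run, so this is not a defect, but the asymmetry should be stated on the wrapper: `/* Not restored if the callee throws: FALSE is the safe state, because callers outside packet-q931.c must never consume stale Q.931 packet-info. */`. A one-line comment at the third hunk explaining why the dissector's own call site keeps the `_unsafe` variant (the semaphore is its own there) would complete the picture. Both functions continue outside the hunk.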
@@ -0,0 +1,136 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 34_CVE-2008-4684.dpatch by Stefan Lesicnik
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2008-4684
+
+@DPATCH@
+
+=== modified file 'epan/dissectors/packet-frame.c'
+--- wireshark-1.0.3/epan/dissectors/packet-frame.c 2008-10-28 11:47:19 +0000
++++ wireshark-1.0.3/epan/dissectors/packet-frame.c 2008-10-29 10:41:56 +0000
+@@ -351,7 +351,49 @@
+ pinfo->layer_names = NULL;
+ }
+
+- call_all_postdissectors(tvb, pinfo, parent_tree);
++ /* Call postdissectors if we have any (while trying to avoid another
++ * TRY/CATCH)
++ */
++ if (have_postdissector()) {
++ TRY {
++#ifdef _MSC_VER
++ /* Win32: Visual-C Structured Exception Handling (SEH) to trap hardware exceptions like memory access violations */
++ /* (a running debugger will be called before the except part below) */
++ __try {
++#endif
++ call_all_postdissectors(tvb, pinfo, parent_tree);
++#ifdef _MSC_VER
++ } __except(TRUE /* handle all exceptions */) {
++ switch(GetExceptionCode()) {
++ case(STATUS_ACCESS_VIOLATION):
++ show_exception(tvb, pinfo, parent_tree, DissectorError,
++ "STATUS_ACCESS_VIOLATION: dissector accessed an invalid memory address");
++ break;
++ case(STATUS_INTEGER_DIVIDE_BY_ZERO):
++ show_exception(tvb, pinfo, parent_tree, DissectorError,
++ "STATUS_INTEGER_DIVIDE_BY_ZERO: dissector tried an integer division by zero");
++ break;
++ case(STATUS_STACK_OVERFLOW):
++ show_exception(tvb, pinfo, parent_tree, DissectorError,
++ "STATUS_STACK_OVERFLOW: dissector overflowed the stack (e.g. 
endless loop)");
++ /* XXX - this will have probably corrupted the stack, which makes problems later in the exception code */
++ break;
++ /* XXX - add other hardware exception codes as required */
++ default:
++ show_exception(tvb, pinfo, parent_tree, DissectorError,
++ g_strdup_printf("dissector caused an unknown exception: 0x%x", GetExceptionCode()));
++ }
++ }
++#endif
++ }
++ CATCH(OutOfMemoryError) {
++ RETHROW;
++ }
++ CATCH_ALL {
++ show_exception(tvb, pinfo, parent_tree, EXCEPT_CODE, GET_MESSAGE);
++ }
++ ENDTRY;
++ }
+
+ tap_queue_packet(frame_tap, pinfo, NULL);
+
+
+=== modified file 'epan/packet.c'
+--- wireshark-1.0.3/epan/packet.c 2008-10-28 11:47:19 +0000
++++ wireshark-1.0.3/epan/packet.c 2008-10-29 10:42:07 +0000
+@@ -1850,14 +1850,17 @@
+ }
+
+ void
+-dissector_dump_decodes() {
++dissector_dump_decodes()
++{
+ dissector_all_tables_foreach(dissector_dump_decodes_display, NULL);
+ }
+
+ static GPtrArray* post_dissectors = NULL;
+ static guint num_of_postdissectors = 0;
+
+-void register_postdissector(dissector_handle_t handle) {
++void
++register_postdissector(dissector_handle_t handle)
++{
+ if (!post_dissectors)
+ post_dissectors = g_ptr_array_new();
+
+@@ -1865,11 +1868,31 @@
+ num_of_postdissectors++;
+ }
+
+-extern void call_all_postdissectors(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
+- guint i;
+- for(i=0;iprotocol != NULL
++ && proto_is_protocol_enabled(handle->protocol)) {
++ /* We have at least one enabled postdissector */
++ return TRUE;
++ }
++ }
++ return FALSE;
++}
++
++void
++call_all_postdissectors(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
++{
++ guint i;
++
++ for(i = 0; i < num_of_postdissectors; i++) {
+ call_dissector_only((dissector_handle_t) g_ptr_array_index(post_dissectors,i),
+- tvb,pinfo,tree);
++ tvb,pinfo,tree);
+ }
+ }
+
+=== modified file 'epan/packet.h'
+--- wireshark-1.0.3/epan/packet.h 2008-10-28 11:47:19 +0000
++++ wireshark-1.0.3/epan/packet.h 2008-10-29 10:42:04 +0000
+@@ -413,6 +413,7 @@
+ 
* dissector has been called.
+ */
+ extern void register_postdissector(dissector_handle_t);
++extern gboolean have_postdissector();
+ extern void call_all_postdissectors(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);
+
+ #ifdef __cplusplus
+
only in patch2: unchanged:
--- wireshark-1.0.3.orig/debian/patches/33_CVE-2008-4683.dpatch
+++ wireshark-1.0.3/debian/patches/33_CVE-2008-4683.dpatch
@@ -0,0 +1,37 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 33_CVE-2008-4683.dpatch by Stefan Lesicnik
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2008-4683 and additional memory overflow
+
+@DPATCH@
+
+=== modified file 'epan/dissectors/packet-bthci_acl.c'
+--- wireshark-1.0.3/epan/dissectors/packet-bthci_acl.c 2008-10-28 11:47:19 +0000
++++ wireshark-1.0.3/epan/dissectors/packet-bthci_acl.c 2008-10-28 13:44:52 +0000
+@@ -169,9 +169,9 @@
+ mfp->first_frame=pinfo->fd->num;
+ mfp->last_frame=0;
+ mfp->tot_len=l2cap_length+4;
+- mfp->reassembled=se_alloc(l2cap_length+4);
+- tvb_memcpy(tvb, (guint8*)mfp->reassembled, offset, tvb_length_remaining(tvb, offset));
+- mfp->cur_off=tvb_length_remaining(tvb, offset);
++ mfp->reassembled=se_alloc(mfp->tot_len);
++ tvb_memcpy(tvb, (guint8*)mfp->reassembled, offset, mfp->tot_len);
++ mfp->cur_off=mfp->tot_len;
+ se_tree_insert32(chandle_data->start_fragments, pinfo->fd->num, mfp);
+ } else {
+ mfp=se_tree_lookup32(chandle_data->start_fragments, pinfo->fd->num);
+
+Index: wireshark-1.0.3/epan/epan.c
+===================================================================
+--- wireshark-1.0.3/epan/epan.c (revision 25195)
++++ wireshark-1.0.3/epan/epan.c (revision 25196)
+@@ -107,6 +107,7 @@
+ void
+ epan_cleanup(void)
+ {
++ se_free_all();
+ expert_cleanup();
+ dfilter_cleanup();
+ proto_cleanup();
only in patch2: unchanged:
--- wireshark-1.0.3.orig/debian/patches/32_CVE-2008-4682.dpatch
+++ wireshark-1.0.3/debian/patches/32_CVE-2008-4682.dpatch
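Review bot: `extern gboolean have_postdissector();` in the packet.h hunk is an old-style declaration without a prototype, so a call that passes stray arguments compiles silently; it should read `extern gboolean have_postdissector(void);`, and the definition in packet.c should carry the same `(void)` list (the definition line is not legible in this copy of the hunk, so that part is inferred). Separately, the `default:` branch of the `__except` handler in packet-frame.c hands a `g_strdup_printf()` result to `show_exception()` and nothing frees it; if the main dissector call in that file already uses the same idiom the leak is pre-existing, but a `/* XXX - string is leaked, one per unknown SEH exception */` comment would at least make it visible. The function enclosing the packet-frame.c hunk begins before it.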
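Review bot: The new `tvb_memcpy(tvb, (guint8*)mfp->reassembled, offset, mfp->tot_len)` copies exactly `l2cap_length+4` bytes, so a first fragment carrying fewer bytes than the L2CAP header announces — which, if this is the start-of-reassembly path that the `start_fragments` insert suggests, is the ordinary case — now raises a bounds exception instead of being queued, and `mfp->cur_off=mfp->tot_len` then records the buffer as already full. The overflow the CVE describes is the opposite case, more bytes remaining than `tot_len`; bounding the copy by the bytes actually present fixes that without rejecting short fragments, and the over-long case can be reported explicitly rather than silently truncated. The type of `tot_len` is not visible here, so the cast below is a placeholder to check; the enclosing function continues outside the hunk.
```c
mfp->tot_len=l2cap_length+4;
mfp->reassembled=se_alloc(mfp->tot_len);
/* copy only what this fragment carries; more than the header announced is malformed */
if (tvb_length_remaining(tvb, offset) > (gint)mfp->tot_len) {
    THROW(ReportedBoundsError);
}
mfp->cur_off=tvb_length_remaining(tvb, offset);
tvb_memcpy(tvb, (guint8*)mfp->reassembled, offset, mfp->cur_off);
se_tree_insert32(chandle_data->start_fragments, pinfo->fd->num, mfp);
```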
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 32_CVE-2008-4682.dpatch by Stefan Lesicnik
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2008-4682
+
+@DPATCH@
+
+--- wireshark-1.0.3/wiretap/commview.c.orig 2008-10-28 15:23:33.000000000 +0200
++++ wireshark-1.0.3/wiretap/commview.c 2008-10-28 15:25:11.000000000 +0200
+@@ -160,6 +160,11 @@ commview_read(wtap *wth, int *err, gchar
+ case MEDIUM_TOKEN_RING :
+ wth->phdr.pkt_encap = WTAP_ENCAP_TOKEN_RING;
+ break;
++ default:
++ *err = WTAP_ERR_BAD_RECORD;
++ *err_info = g_strdup_printf("commview: unsupported encap: %u",
++ cv_hdr.flags & FLAGS_MEDIUM);
++ return FALSE;
+ }
+
+ buffer_assure_space(wth->frame_buffer, cv_hdr.data_len);
only in patch2: unchanged:
--- wireshark-1.0.3.orig/debian/patches/31_CVE-2008-4681.dpatch
+++ wireshark-1.0.3/debian/patches/31_CVE-2008-4681.dpatch
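Review bot: The new `default:` branch returns before `buffer_assure_space(wth->frame_buffer, cv_hdr.data_len)` on the next context line, but nothing in this hunk bounds `cv_hdr.data_len` itself; unless commview_read validates it earlier (outside the hunk), a length read straight from the capture file still sizes the frame buffer unchecked. The error path the hunk introduces fits a guard placed just before that call: `if (cv_hdr.data_len > WTAP_MAX_PACKET_SIZE) { *err = WTAP_ERR_BAD_RECORD; *err_info = g_strdup_printf("commview: bad packet length %u", cv_hdr.data_len); return FALSE; }` (message text constructed to match the existing one). Minor: `%u` is paired with `cv_hdr.flags & FLAGS_MEDIUM`, whose promoted type is `int` if `flags` is a narrow field, so an `(unsigned)` cast keeps the format honest. commview_read begins before the hunk.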
@@ -0,0 +1,41 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 31_CVE-2008-4681.dpatch by Stefan Lesicnik
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2008-4681
+
+@DPATCH@
+
+--- wireshark-1.0.3/epan/dissectors/packet-btrfcomm.c.orig 2008-09-04 00:56:31.000000000 +0200
++++ wireshark-1.0.3/epan/dissectors/packet-btrfcomm.c 2008-10-28 14:36:59.000000000 +0200
+@@ -284,14 +284,9 @@ dissect_ctrl_pn(packet_info *pinfo, prot
+ if(!pinfo->fd->flags.visited){
+ dlci_state=se_tree_lookup32(dlci_table, dlci);
+ if(!dlci_state){
+- dlci_state=se_alloc(sizeof(dlci_state_t));
+- dlci_state->do_credit_fc=0;
+- dlci_state->direction[0].len=0;
++ dlci_state=se_alloc0(sizeof(dlci_state_t));
+ dlci_state->direction[0].current=-1;
+- dlci_state->direction[0].stream_buf=NULL;
+- dlci_state->direction[1].len=0;
+ dlci_state->direction[1].current=-1;
+- dlci_state->direction[1].stream_buf=NULL;
+ se_tree_insert32(dlci_table, dlci, dlci_state);
+ }
+
+@@ -642,14 +637,9 @@ dissect_btrfcomm(tvbuff_t *tvb, packet_i
+
+ dlci_state=se_tree_lookup32(dlci_table, dlci);
+ if(!dlci_state){
+- dlci_state=se_alloc(sizeof(dlci_state_t));
+- dlci_state->do_credit_fc=0;
+- dlci_state->direction[0].len=0;
++ dlci_state=se_alloc0(sizeof(dlci_state_t));
+ dlci_state->direction[0].current=-1;
+- dlci_state->direction[0].stream_buf=NULL;
+- dlci_state->direction[1].len=0;
+ dlci_state->direction[1].current=-1;
+- dlci_state->direction[1].stream_buf=NULL;
+ se_tree_insert32(dlci_table, dlci, dlci_state);
+ }
only in patch2: unchanged:
--- wireshark-1.0.3.orig/debian/patches/30_CVE-2008-4680.dpatch
+++ wireshark-1.0.3/debian/patches/30_CVE-2008-4680.dpatch
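Review bot: After the switch to `se_alloc0()`, the surviving `dlci_state->direction[0].current=-1;` and `direction[1].current=-1;` lines are the only non-zero defaults, and a later reader has to reconstruct why those two outlived the deleted assignments; a comment on the allocation line settles it: `/* se_alloc0 zero-fills; only the non-zero defaults are set explicitly */`. The same allocation-plus-defaults block appears verbatim in both dissect_ctrl_pn and dissect_btrfcomm, so the comment belongs at both sites, or the block could move into one small `static` helper so the two copies cannot drift. The packet-usb.c hunks in 30_CVE-2008-4680.dpatch make the identical se_alloc→se_alloc0 change, keeping `interfaceClass` and `transactions` as their explicit non-zero defaults, and would take the same comment. Both enclosing functions start before their hunks.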
@@ -0,0 +1,48 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 30_CVE-2008-4680.dpatch by Stefan Lesicnik
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2008-4680
+
+@DPATCH@
+
+--- wireshark-1.0.3/epan/dissectors/packet-usb.c.orig 2008-10-28 14:10:01.000000000 +0200
++++ wireshark-1.0.3/epan/dissectors/packet-usb.c 2008-10-28 14:17:50.000000000 +0200
+@@ -242,10 +242,9 @@ get_usb_conv_info(conversation_t *conver
+ usb_conv_info = conversation_get_proto_data(conversation, proto_usb);
+ if(!usb_conv_info){
+ /* no not yet so create some */
+- usb_conv_info = se_alloc(sizeof(usb_conv_info_t));
++ usb_conv_info = se_alloc0(sizeof(usb_conv_info_t));
+ usb_conv_info->interfaceClass=IF_CLASS_UNKNOWN;
+ usb_conv_info->transactions=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "usb transactions");
+- usb_conv_info->class_data=NULL;
+
+ conversation_add_proto_data(conversation, proto_usb, usb_conv_info);
+ }
+@@ -504,10 +503,9 @@ dissect_usb_interface_descriptor(packet_
+ /* save the class so we can access it later in the endpoint descriptor */
+ usb_conv_info->interfaceClass=tvb_get_guint8(tvb, offset);
+ if(!pinfo->fd->flags.visited){
+- usb_trans_info->interface_info=se_alloc(sizeof(usb_conv_info_t));
++ usb_trans_info->interface_info=se_alloc0(sizeof(usb_conv_info_t));
+ usb_trans_info->interface_info->interfaceClass=tvb_get_guint8(tvb, offset);
+ usb_trans_info->interface_info->transactions=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "usb transactions");
+- usb_trans_info->interface_info->class_data=NULL;
+ }
+ offset++;
+
+@@ -1052,12 +1050,9 @@ dissect_linux_usb(tvbuff_t *tvb, packet_
+ /* this is a request */
+ usb_trans_info=se_tree_lookup32(usb_conv_info->transactions, pinfo->fd->num);
+ if(!usb_trans_info){
+- usb_trans_info=se_alloc(sizeof(usb_trans_info_t));
++ usb_trans_info=se_alloc0(sizeof(usb_trans_info_t));
+ usb_trans_info->request_in=pinfo->fd->num;
+- usb_trans_info->response_in=0;
+ 
usb_trans_info->req_time=pinfo->fd->abs_ts;
+- usb_trans_info->requesttype=0;
+- usb_trans_info->request=0;
+ se_tree_insert32(usb_conv_info->transactions, pinfo->fd->num, usb_trans_info);
+ }
+ usb_conv_info->usb_trans_info=usb_trans_info;