From: Sergei Lukin
To: alpine-aports@lists.alpinelinux.org
Cc: Sergei Lukin
Subject: [alpine-aports] [PATCH v3.5] main/wireshark: security fixes #6907
Date: Wed, 22 Feb 2017 09:15:57 +0000
Message-Id: <20170222091557.12710-1-sergej.lukin@gmail.com>
X-Mailer: git-send-email 2.11.1
X-Mailinglist: alpine-aports
Precedence: list
List-Id: Alpine Development
List-Unsubscribe:
List-Post:
List-Help:
List-Subscribe:
CVE-2017-6014: Memory exhaustion/infinite loop via malformed STANAG 4607 capture file
---
 main/wireshark/APKBUILD | 25 ++++++++++------
 main/wireshark/CVE-2017-6014.patch | 61 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+), 9 deletions(-)
 create mode 100644 main/wireshark/CVE-2017-6014.patch
diff --git a/main/wireshark/APKBUILD b/main/wireshark/APKBUILD
index 5e686f62f7..6b5ea04661 100644
--- a/main/wireshark/APKBUILD
+++ b/main/wireshark/APKBUILD
@@ -4,7 +4,7 @@
 # Maintainer: Natanael Copa
 pkgname=wireshark
 pkgver=2.2.4
-pkgrel=0
+pkgrel=1
 pkgdesc="A network protocol analyzer - GTK version"
 url="http://www.wireshark.org"
 arch="all"
@@ -16,11 +16,15 @@ makedepends="bison flex perl glib glib-dev libpcap-dev libcap-dev
 install=""
 subpackages="$pkgname-dev $pkgname-doc $pkgname-gtk $pkgname-common tshark"
 source="http://www.wireshark.org/download/src/$pkgname-$pkgver.tar.bz2
- fix-androiddump.patch"
+ fix-androiddump.patch
+ CVE-2017-6014.patch
+ "
-_builddir="$srcdir"/$pkgname-$pkgver
+builddir="$srcdir"/$pkgname-$pkgver
 # security fixes:
+# 2.2.4-r1:
+# - CVE-2017-6014
 # 2.2.4-r0:
 # - CVE-2017-5596
 # - CVE-2017-5597
@@ -35,7 +39,7 @@ _builddir="$srcdir"/$pkgname-$pkgver
 # - CVE-2016-6513
 prepare() {
- cd "$_builddir"
+ cd "$builddir"
 for i in $source; do
 case "$i" in
 *.patch)
@@ -47,7 +51,7 @@ prepare() {
 }
 build() {
- cd "$_builddir"
+ cd "$builddir"
 # configure script searches for uic and uic-qt4 but not uic-qt5
 # we set path so it finds 'uic'
 export PATH="$PATH:/usr/lib/qt5/bin"
@@ -65,7 +69,7 @@ build() {
 }
 package() {
- cd "$_builddir"
+ cd "$builddir"
 make -j1 DESTDIR="$pkgdir" install || return 1
 }
@@ -98,8 +102,11 @@ gtk() {
 }
 md5sums="6d0878ba931ea379f6e675d4cba6536b wireshark-2.2.4.tar.bz2
-38a681230ccab441e64d1fc6f52858c4 fix-androiddump.patch"
+38a681230ccab441e64d1fc6f52858c4 fix-androiddump.patch
+a6479f087d071af8be7f45ab128fe3d5 CVE-2017-6014.patch"
 sha256sums="42a7fb35eed5a32478153e24601a284bb50148b7ba919c3e8452652f4c2a3911 wireshark-2.2.4.tar.bz2
-21aaa55e6b4bb9144146e8e3284512d2c5ee5deee8921b66a513b819b57d8b01 fix-androiddump.patch"
+21aaa55e6b4bb9144146e8e3284512d2c5ee5deee8921b66a513b819b57d8b01 fix-androiddump.patch
+7333d52e39407d2003c997b500ccee9dff1f9a95431797cb3b59aadd43d313bd CVE-2017-6014.patch"
 sha512sums="f3ff6979fdd1c7cf6abe386ec476fee12045ae6df3c8162568d521532045d5eb6ad689262c38b1766c75c9fc1068f480fcd64f0aa077b3a0ceea7c16dbdabc65 wireshark-2.2.4.tar.bz2
-d462e3289c1350a9f712a21d2d1973977e5dd7989f7beff4b71498551174458f572a23f267c83552f088466cb9d2721df2b2eb807514db6ad1e0877dbc87fc6d fix-androiddump.patch"
+d462e3289c1350a9f712a21d2d1973977e5dd7989f7beff4b71498551174458f572a23f267c83552f088466cb9d2721df2b2eb807514db6ad1e0877dbc87fc6d fix-androiddump.patch
+eb7c47e208d7278c1f80acc9d4b12fe9efb08a19b024cc13e90efac1fb37c700e739e154ba3b361ff1e5fdf28eeeabb2000d875010af70ae80a6c2baaaba8737 CVE-2017-6014.patch"
diff --git a/main/wireshark/CVE-2017-6014.patch b/main/wireshark/CVE-2017-6014.patch
new file mode 100644
index 0000000000..23388a97ea
--- /dev/null
+++ b/main/wireshark/CVE-2017-6014.patch
@@ -0,0 +1,61 @@
+From 38b428a31736cb08563442e3c97564951f7f6601 Mon Sep 17 00:00:00 2001
+From: Guy Harris
+Date: Thu, 16 Feb 2017 00:18:30 -0800
+Subject: [PATCH] Report an error for too-short packets.
+
+The packet length field gives the length of the *entire* packet, so, by
+definition, it must not be zero. Make sure it's at least big enough for
+the packet header itself plus one segment header.
+
+Bug: 13416
+Change-Id: I625bd5c0ce75ab1200b3becf12fc1c819fefcd63
+Reviewed-on: https://code.wireshark.org/review/20133
+Reviewed-by: Guy Harris
+(cherry picked from commit c7042bedbb3b12c5f4e19e59e52da370d4ffe62f)
+Reviewed-on: https://code.wireshark.org/review/20135
+---
+ wiretap/stanag4607.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/wiretap/stanag4607.c b/wiretap/stanag4607.c
+index 9aa3105..2572aba 100644
+--- a/wiretap/stanag4607.c
++++ b/wiretap/stanag4607.c
+@@ -36,6 +36,9 @@ typedef struct {
+ time_t base_secs;
+ } stanag4607_t;
+
++#define PKT_HDR_SIZE 32 /* size of a packet header */
++#define SEG_HDR_SIZE 5 /* size of a segment header */
++
+ static gboolean is_valid_id(guint16 version_id)
+ {
+ #define VERSION_21 0x3231
+@@ -53,7 +56,7 @@ static gboolean stanag4607_read_file(wtap *wth, FILE_T fh, struct wtap_pkthdr *p
+ stanag4607_t *stanag4607 = (stanag4607_t *)wth->priv;
+ guint32 millisecs, secs, nsecs;
+ gint64 offset = 0;
+- guint8 stanag_pkt_hdr[37];
++ guint8 stanag_pkt_hdr[PKT_HDR_SIZE+SEG_HDR_SIZE];
+ guint32 packet_size;
+
+ *err = 0;
+@@ -83,6 +86,16 @@ static gboolean stanag4607_read_file(wtap *wth, FILE_T fh, struct wtap_pkthdr *p
+ "bigger than maximum of %u", packet_size, WTAP_MAX_PACKET_SIZE);
+ return FALSE;
+ }
++ if (packet_size < PKT_HDR_SIZE+SEG_HDR_SIZE) {
++ /*
++ * Probably a corrupt capture file; don't, for example, loop
++ * infinitely if the size is zero.
++ */
++ *err = WTAP_ERR_BAD_FILE;
++ *err_info = g_strdup_printf("stanag4607: File has %" G_GUINT32_FORMAT "d-byte packet, "
++ "smaller than minimum of %u", packet_size, PKT_HDR_SIZE+SEG_HDR_SIZE);
++ return FALSE;
++ }
+ phdr->caplen = packet_size;
+ phdr->len = packet_size;
+
+--
+1.7.9.5
--
2.11.1
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---
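Review bot: The error string added in the `packet_size < PKT_HDR_SIZE+SEG_HDR_SIZE` branch of the embedded wiretap/stanag4607.c change carries a stray `d`: GLib's `G_GUINT32_FORMAT` already supplies the conversion character, so a zero-length record is reported as "0d-byte packet"; the line should read `*err_info = g_strdup_printf("stanag4607: File has %" G_GUINT32_FORMAT "-byte packet, "`. The `%u` that follows receives `PKT_HDR_SIZE+SEG_HDR_SIZE`, an `int` expression, so a `(guint)` cast or unsigned-suffixed defines (`32U`, `5U`) would make the argument match the conversion. The first line of the earlier "bigger than maximum" message lies outside the hunk and may share the same suffix. Because this file is a cherry-pick of an upstream commit, the correction is best sent upstream and picked up with the next version bump instead of editing the backport locally. The body of stanag4607_read_file starts and ends outside the hunk.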