diff options
author | Sergey Lukin <sergej.lukin@gmail.com> | 2017-02-22 07:17:17 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2017-02-22 12:21:48 +0000 |
commit | 072fede08fb5b21fc94d4175e7b9d3a2959c7328 (patch) | |
tree | 33c03b99532b5165c2086bebacc6cc0794c22751 | |
parent | 5a42d95a02f06b6fc32d4ec359159b5d3fca572e (diff) | |
download | aports-072fede08fb5b21fc94d4175e7b9d3a2959c7328.tar.bz2 aports-072fede08fb5b21fc94d4175e7b9d3a2959c7328.tar.xz |
main/wireshark: security fixes #6906
CVE-2017-6014: Memory exhaustion/infinite loop via malformed STANAG 4607 capture file
-rw-r--r-- | main/wireshark/APKBUILD | 24 | ||||
-rw-r--r-- | main/wireshark/CVE-2017-6014.patch | 61 |
2 files changed, 74 insertions, 11 deletions
diff --git a/main/wireshark/APKBUILD b/main/wireshark/APKBUILD index 59b6684744..a3a6399f06 100644 --- a/main/wireshark/APKBUILD +++ b/main/wireshark/APKBUILD @@ -1,9 +1,10 @@ +# Contributor: Sergei Lukin <sergej.lukin@gmail.com> # Contributor: Ćukasz Jendrysik <scadu@yandex.com> # Contributor: Jeremy Thomerson <jeremy@thomersonfamily.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=wireshark pkgver=2.2.4 -pkgrel=0 +pkgrel=1 pkgdesc="A network protocol analyzer - GTK version" url="http://www.wireshark.org" arch="all" @@ -15,11 +16,15 @@ makedepends="bison flex perl-dev glib glib-dev libpcap-dev libcap-dev install="" subpackages="$pkgname-dev $pkgname-doc $pkgname-gtk $pkgname-common tshark" source="http://www.wireshark.org/download/src/$pkgname-$pkgver.tar.bz2 - fix-androiddump.patch" + fix-androiddump.patch + CVE-2017-6014.patch + " -_builddir="$srcdir"/$pkgname-$pkgver +builddir="$srcdir"/$pkgname-$pkgver # security fixes: +# 2.2.4-r1: +# - CVE-2017-6014 # 2.0.5-r0: # - CVE-2016-6505 # - CVE-2016-6506 @@ -31,7 +36,7 @@ _builddir="$srcdir"/$pkgname-$pkgver # - CVE-2016-6513 prepare() { - cd "$_builddir" + cd "$builddir" for i in $source; do case "$i" in *.patch) @@ -43,7 +48,7 @@ prepare() { } build() { - cd "$_builddir" + cd "$builddir" # configure script searches for uic and uic-qt4 but not uic-qt5 # we set path so it finds 'uic' export PATH="$PATH:/usr/lib/qt5/bin" @@ -61,7 +66,7 @@ build() { } package() { - cd "$_builddir" + cd "$builddir" make -j1 DESTDIR="$pkgdir" install || return 1 } @@ -93,9 +98,6 @@ gtk() { mv "$pkgdir"/usr/bin/wireshark-gtk "$subpkgdir"/usr/bin/ } -md5sums="6d0878ba931ea379f6e675d4cba6536b wireshark-2.2.4.tar.bz2 -38a681230ccab441e64d1fc6f52858c4 fix-androiddump.patch" -sha256sums="42a7fb35eed5a32478153e24601a284bb50148b7ba919c3e8452652f4c2a3911 wireshark-2.2.4.tar.bz2 -21aaa55e6b4bb9144146e8e3284512d2c5ee5deee8921b66a513b819b57d8b01 fix-androiddump.patch" sha512sums="f3ff6979fdd1c7cf6abe386ec476fee12045ae6df3c8162568d521532045d5eb6ad689262c38b1766c75c9fc1068f480fcd64f0aa077b3a0ceea7c16dbdabc65 wireshark-2.2.4.tar.bz2 -d462e3289c1350a9f712a21d2d1973977e5dd7989f7beff4b71498551174458f572a23f267c83552f088466cb9d2721df2b2eb807514db6ad1e0877dbc87fc6d fix-androiddump.patch" +d462e3289c1350a9f712a21d2d1973977e5dd7989f7beff4b71498551174458f572a23f267c83552f088466cb9d2721df2b2eb807514db6ad1e0877dbc87fc6d fix-androiddump.patch +eb7c47e208d7278c1f80acc9d4b12fe9efb08a19b024cc13e90efac1fb37c700e739e154ba3b361ff1e5fdf28eeeabb2000d875010af70ae80a6c2baaaba8737 CVE-2017-6014.patch" diff --git a/main/wireshark/CVE-2017-6014.patch b/main/wireshark/CVE-2017-6014.patch new file mode 100644 index 0000000000..23388a97ea --- /dev/null +++ b/main/wireshark/CVE-2017-6014.patch @@ -0,0 +1,61 @@ +From 38b428a31736cb08563442e3c97564951f7f6601 Mon Sep 17 00:00:00 2001 +From: Guy Harris <guy@alum.mit.edu> +Date: Thu, 16 Feb 2017 00:18:30 -0800 +Subject: [PATCH] Report an error for too-short packets. + +The packet length field gives the length of the *entire* packet, so, by +definition, it must not be zero. Make sure it's at least big enough for +the packet header itself plus one segment header. + +Bug: 13416 +Change-Id: I625bd5c0ce75ab1200b3becf12fc1c819fefcd63 +Reviewed-on: https://code.wireshark.org/review/20133 +Reviewed-by: Guy Harris <guy@alum.mit.edu> +(cherry picked from commit c7042bedbb3b12c5f4e19e59e52da370d4ffe62f) +Reviewed-on: https://code.wireshark.org/review/20135 +--- + wiretap/stanag4607.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/wiretap/stanag4607.c b/wiretap/stanag4607.c +index 9aa3105..2572aba 100644 +--- a/wiretap/stanag4607.c ++++ b/wiretap/stanag4607.c +@@ -36,6 +36,9 @@ typedef struct { + time_t base_secs; + } stanag4607_t; + ++#define PKT_HDR_SIZE 32 /* size of a packet header */ ++#define SEG_HDR_SIZE 5 /* size of a segment header */ ++ + static gboolean is_valid_id(guint16 version_id) + { + #define VERSION_21 0x3231 +@@ -53,7 +56,7 @@ static gboolean stanag4607_read_file(wtap *wth, FILE_T fh, struct wtap_pkthdr *p + stanag4607_t *stanag4607 = (stanag4607_t *)wth->priv; + guint32 millisecs, secs, nsecs; + gint64 offset = 0; +- guint8 stanag_pkt_hdr[37]; ++ guint8 stanag_pkt_hdr[PKT_HDR_SIZE+SEG_HDR_SIZE]; + guint32 packet_size; + + *err = 0; +@@ -83,6 +86,16 @@ static gboolean stanag4607_read_file(wtap *wth, FILE_T fh, struct wtap_pkthdr *p + "bigger than maximum of %u", packet_size, WTAP_MAX_PACKET_SIZE); + return FALSE; + } ++ if (packet_size < PKT_HDR_SIZE+SEG_HDR_SIZE) { ++ /* ++ * Probably a corrupt capture file; don't, for example, loop ++ * infinitely if the size is zero. ++ */ ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup_printf("stanag4607: File has %" G_GUINT32_FORMAT "d-byte packet, " ++ "smaller than minimum of %u", packet_size, PKT_HDR_SIZE+SEG_HDR_SIZE); ++ return FALSE; ++ } + phdr->caplen = packet_size; + phdr->len = packet_size; + +-- +1.7.9.5 |