aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSergey Lukin <sergej.lukin@gmail.com>2017-02-22 07:17:17 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2017-02-22 12:21:48 +0000
commit072fede08fb5b21fc94d4175e7b9d3a2959c7328 (patch)
tree33c03b99532b5165c2086bebacc6cc0794c22751
parent5a42d95a02f06b6fc32d4ec359159b5d3fca572e (diff)
downloadaports-072fede08fb5b21fc94d4175e7b9d3a2959c7328.tar.bz2
aports-072fede08fb5b21fc94d4175e7b9d3a2959c7328.tar.xz
main/wireshark: security fixes #6906
CVE-2017-6014: Memory exhaustion/infinite loop via malformed STANAG 4607 capture file
-rw-r--r--main/wireshark/APKBUILD24
-rw-r--r--main/wireshark/CVE-2017-6014.patch61
2 files changed, 74 insertions, 11 deletions
diff --git a/main/wireshark/APKBUILD b/main/wireshark/APKBUILD
index 59b6684744..a3a6399f06 100644
--- a/main/wireshark/APKBUILD
+++ b/main/wireshark/APKBUILD
@@ -1,9 +1,10 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Ɓukasz Jendrysik <scadu@yandex.com>
# Contributor: Jeremy Thomerson <jeremy@thomersonfamily.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=wireshark
pkgver=2.2.4
-pkgrel=0
+pkgrel=1
pkgdesc="A network protocol analyzer - GTK version"
url="http://www.wireshark.org"
arch="all"
@@ -15,11 +16,15 @@ makedepends="bison flex perl-dev glib glib-dev libpcap-dev libcap-dev
install=""
subpackages="$pkgname-dev $pkgname-doc $pkgname-gtk $pkgname-common tshark"
source="http://www.wireshark.org/download/src/$pkgname-$pkgver.tar.bz2
- fix-androiddump.patch"
+ fix-androiddump.patch
+ CVE-2017-6014.patch
+ "
-_builddir="$srcdir"/$pkgname-$pkgver
+builddir="$srcdir"/$pkgname-$pkgver
# security fixes:
+# 2.2.4-r1:
+# - CVE-2017-6014
# 2.0.5-r0:
# - CVE-2016-6505
# - CVE-2016-6506
@@ -31,7 +36,7 @@ _builddir="$srcdir"/$pkgname-$pkgver
# - CVE-2016-6513
prepare() {
- cd "$_builddir"
+ cd "$builddir"
for i in $source; do
case "$i" in
*.patch)
@@ -43,7 +48,7 @@ prepare() {
}
build() {
- cd "$_builddir"
+ cd "$builddir"
# configure script searches for uic and uic-qt4 but not uic-qt5
# we set path so it finds 'uic'
export PATH="$PATH:/usr/lib/qt5/bin"
@@ -61,7 +66,7 @@ build() {
}
package() {
- cd "$_builddir"
+ cd "$builddir"
make -j1 DESTDIR="$pkgdir" install || return 1
}
@@ -93,9 +98,6 @@ gtk() {
mv "$pkgdir"/usr/bin/wireshark-gtk "$subpkgdir"/usr/bin/
}
-md5sums="6d0878ba931ea379f6e675d4cba6536b wireshark-2.2.4.tar.bz2
-38a681230ccab441e64d1fc6f52858c4 fix-androiddump.patch"
-sha256sums="42a7fb35eed5a32478153e24601a284bb50148b7ba919c3e8452652f4c2a3911 wireshark-2.2.4.tar.bz2
-21aaa55e6b4bb9144146e8e3284512d2c5ee5deee8921b66a513b819b57d8b01 fix-androiddump.patch"
sha512sums="f3ff6979fdd1c7cf6abe386ec476fee12045ae6df3c8162568d521532045d5eb6ad689262c38b1766c75c9fc1068f480fcd64f0aa077b3a0ceea7c16dbdabc65 wireshark-2.2.4.tar.bz2
-d462e3289c1350a9f712a21d2d1973977e5dd7989f7beff4b71498551174458f572a23f267c83552f088466cb9d2721df2b2eb807514db6ad1e0877dbc87fc6d fix-androiddump.patch"
+d462e3289c1350a9f712a21d2d1973977e5dd7989f7beff4b71498551174458f572a23f267c83552f088466cb9d2721df2b2eb807514db6ad1e0877dbc87fc6d fix-androiddump.patch
+eb7c47e208d7278c1f80acc9d4b12fe9efb08a19b024cc13e90efac1fb37c700e739e154ba3b361ff1e5fdf28eeeabb2000d875010af70ae80a6c2baaaba8737 CVE-2017-6014.patch"
diff --git a/main/wireshark/CVE-2017-6014.patch b/main/wireshark/CVE-2017-6014.patch
new file mode 100644
index 0000000000..23388a97ea
--- /dev/null
+++ b/main/wireshark/CVE-2017-6014.patch
@@ -0,0 +1,61 @@
+From 38b428a31736cb08563442e3c97564951f7f6601 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy@alum.mit.edu>
+Date: Thu, 16 Feb 2017 00:18:30 -0800
+Subject: [PATCH] Report an error for too-short packets.
+
+The packet length field gives the length of the *entire* packet, so, by
+definition, it must not be zero. Make sure it's at least big enough for
+the packet header itself plus one segment header.
+
+Bug: 13416
+Change-Id: I625bd5c0ce75ab1200b3becf12fc1c819fefcd63
+Reviewed-on: https://code.wireshark.org/review/20133
+Reviewed-by: Guy Harris <guy@alum.mit.edu>
+(cherry picked from commit c7042bedbb3b12c5f4e19e59e52da370d4ffe62f)
+Reviewed-on: https://code.wireshark.org/review/20135
+---
+ wiretap/stanag4607.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/wiretap/stanag4607.c b/wiretap/stanag4607.c
+index 9aa3105..2572aba 100644
+--- a/wiretap/stanag4607.c
++++ b/wiretap/stanag4607.c
+@@ -36,6 +36,9 @@ typedef struct {
+ time_t base_secs;
+ } stanag4607_t;
+
++#define PKT_HDR_SIZE 32 /* size of a packet header */
++#define SEG_HDR_SIZE 5 /* size of a segment header */
++
+ static gboolean is_valid_id(guint16 version_id)
+ {
+ #define VERSION_21 0x3231
+@@ -53,7 +56,7 @@ static gboolean stanag4607_read_file(wtap *wth, FILE_T fh, struct wtap_pkthdr *p
+ stanag4607_t *stanag4607 = (stanag4607_t *)wth->priv;
+ guint32 millisecs, secs, nsecs;
+ gint64 offset = 0;
+- guint8 stanag_pkt_hdr[37];
++ guint8 stanag_pkt_hdr[PKT_HDR_SIZE+SEG_HDR_SIZE];
+ guint32 packet_size;
+
+ *err = 0;
+@@ -83,6 +86,16 @@ static gboolean stanag4607_read_file(wtap *wth, FILE_T fh, struct wtap_pkthdr *p
+ "bigger than maximum of %u", packet_size, WTAP_MAX_PACKET_SIZE);
+ return FALSE;
+ }
++ if (packet_size < PKT_HDR_SIZE+SEG_HDR_SIZE) {
++ /*
++ * Probably a corrupt capture file; don't, for example, loop
++ * infinitely if the size is zero.
++ */
++ *err = WTAP_ERR_BAD_FILE;
++ *err_info = g_strdup_printf("stanag4607: File has %" G_GUINT32_FORMAT "d-byte packet, "
++ "smaller than minimum of %u", packet_size, PKT_HDR_SIZE+SEG_HDR_SIZE);
++ return FALSE;
++ }
+ phdr->caplen = packet_size;
+ phdr->len = packet_size;
+
+--
+1.7.9.5