diff --git a/SOURCES/wireshark-1.10.10-CVE-2014-6421.patch b/SOURCES/wireshark-1.10.10-CVE-2014-6421.patch
new file mode 100644
index 0000000..6feb450
--- /dev/null
+++ b/SOURCES/wireshark-1.10.10-CVE-2014-6421.patch
@@ -0,0 +1,16 @@
+diff --git a/epan/dissectors/packet-rtp.c b/epan/dissectors/packet-rtp.c
+index 1691cbf..9b9af9a 100644
+--- a/epan/dissectors/packet-rtp.c
++++ b/epan/dissectors/packet-rtp.c
+@@ -879,8 +879,9 @@ srtp_add_address(packet_info *pinfo, address *addr, int port, int other_port,
+ /*
+ * Update the conversation data.
+ */
+- /* Free the hash if already exists */
+- rtp_free_hash_dyn_payload(p_conv_data->rtp_dyn_payload);
++ /* Free the hash if a different one already exists */
++ /* if (p_conv_data->rtp_dyn_payload != rtp_dyn_payload) */
++ /* rtp_free_hash_dyn_payload(p_conv_data->rtp_dyn_payload); */
+
+ g_strlcpy(p_conv_data->method, setup_method, MAX_RTP_SETUP_METHOD_SIZE+1);
+ p_conv_data->frame_number = setup_frame_number;
diff --git a/SOURCES/wireshark-1.10.10-CVE-2014-6423.patch b/SOURCES/wireshark-1.10.10-CVE-2014-6423.patch
new file mode 100644
index 0000000..e3c42ef
--- /dev/null
+++ b/SOURCES/wireshark-1.10.10-CVE-2014-6423.patch
@@ -0,0 +1,13 @@
+diff --git a/epan/dissectors/packet-megaco.c b/epan/dissectors/packet-megaco.c
+index 4d870d8..ecc3147 100644
+--- a/epan/dissectors/packet-megaco.c
++++ b/epan/dissectors/packet-megaco.c
+@@ -3294,7 +3294,7 @@ static void tvb_raw_text_add(tvbuff_t *tvb, proto_tree *tree){
+ "%s", tvb_format_text_wsp(tvb,tvb_linebegin,
+ linelen));
+ tvb_linebegin = tvb_lineend;
+- } while ( tvb_lineend < tvb_len );
++ } while ( tvb_lineend < tvb_len && linelen > 0 );
+ }
+
+ /*
diff --git a/SOURCES/wireshark-1.10.10-CVE-2014-6424.patch b/SOURCES/wireshark-1.10.10-CVE-2014-6424.patch
new file mode 100644
index 0000000..716e157
--- /dev/null
+++ b/SOURCES/wireshark-1.10.10-CVE-2014-6424.patch
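Review bot: In wireshark-1.10.10-CVE-2014-6421.patch the replacement for the `rtp_free_hash_dyn_payload()` call in `srtp_add_address` is commented-out code, so the new comment "Free the hash if a different one already exists" describes a free that never runs. Dropping the call does stop a table from being released while it is still in use, but a previously stored, different table now appears to be left unreleased once `p_conv_data->rtp_dyn_payload` is reassigned (that assignment is outside the hunk, so this is inferred). If no other holder of the old pointer can exist, enable the guarded form, `if (p_conv_data->rtp_dyn_payload != rtp_dyn_payload) rtp_free_hash_dyn_payload(p_conv_data->rtp_dyn_payload);`. If the old table can still be referenced elsewhere, delete the dead lines and replace them with a comment stating that it is intentionally not freed here and who owns it.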
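Review bot: In wireshark-1.10.10-CVE-2014-6423.patch the added `linelen > 0` term in the `do … while` of `tvb_raw_text_add` ends the loop on any zero-length line, not only when the offset fails to advance. How `linelen` and `tvb_lineend` are computed lies outside the hunk; if an empty line followed by a terminator yields `linelen == 0` while `tvb_lineend` still moves forward, the raw-text display would stop at the first blank line of the message. A progress check on the offset states the intent directly, for example keeping the previous `tvb_linebegin` in a local and looping `while (tvb_lineend < tvb_len && tvb_lineend > prev_linebegin)`. Whichever form is kept, a one-line comment should say the term is there to guarantee termination on malformed input.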
@@ -0,0 +1,13 @@
+diff --git a/epan/dissectors/packet-netflow.c b/epan/dissectors/packet-netflow.c
+index ad432c6..99ca89b 100644
+--- a/epan/dissectors/packet-netflow.c
++++ b/epan/dissectors/packet-netflow.c
+@@ -5128,7 +5128,7 @@ dissect_v9_v10_pdu_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
+ offset_e[i], 4, &ts_end[i]);
+ } else {
+ proto_tree_add_time(pdutree, hf_cflow_abstimeend, tvb,
+- offset_s[i], 4, &ts_start[i]);
++ offset_e[i], 4, &ts_end[i]);
+ }
+ }
+ }
diff --git a/SOURCES/wireshark-1.10.10-CVE-2014-6425.patch b/SOURCES/wireshark-1.10.10-CVE-2014-6425.patch
new file mode 100644
index 0000000..8a9b5ac
--- /dev/null
+++ b/SOURCES/wireshark-1.10.10-CVE-2014-6425.patch
@@ -0,0 +1,22 @@
+diff --git a/epan/dissectors/packet-cups.c b/epan/dissectors/packet-cups.c
+index 6f60d9f..bcb8e37 100644
+--- a/epan/dissectors/packet-cups.c
++++ b/epan/dissectors/packet-cups.c
+@@ -282,7 +282,7 @@ get_quoted_string(tvbuff_t *tvb, gint offset, gint *next_offset, guint *len)
+ if (o != -1) {
+ offset++;
+ l = o - offset;
+- s = tvb_get_ptr(tvb, offset, l);
++ s = tvb_get_ephemeral_string_enc(tvb, offset, l, ENC_ASCII);
+ offset = o + 1;
+ }
+ }
+@@ -303,7 +303,7 @@ get_unquoted_string(tvbuff_t *tvb, gint offset, gint *next_offset, guint *len)
+ o = tvb_pbrk_guint8(tvb, offset, -1, " \t\r\n", NULL);
+ if (o != -1) {
+ l = o - offset;
+- s = tvb_get_ptr(tvb, offset, l);
++ s = tvb_get_ephemeral_string_enc(tvb, offset, l, ENC_ASCII);
+ offset = o;
+ }
+
diff --git a/SOURCES/wireshark-1.10.10-CVE-2014-6426.patch b/SOURCES/wireshark-1.10.10-CVE-2014-6426.patch
new file mode 100644
index 0000000..df7bd83
--- /dev/null
+++ b/SOURCES/wireshark-1.10.10-CVE-2014-6426.patch
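Review bot: The two `tvb_get_ephemeral_string_enc(tvb, offset, l, ENC_ASCII)` calls in wireshark-1.10.10-CVE-2014-6425.patch change what `get_quoted_string` and `get_unquoted_string` hand back, and nothing in the hunks documents it. The result is now a NUL-terminated copy in packet-scoped (ephemeral) memory rather than a pointer into the tvb, so callers may treat it as a C string but must not keep it beyond the current dissection. I would add above each call `/* NUL-terminated copy; valid only while this packet is being dissected */`. The declaration of `s` and the functions' return type are outside the hunks; if they are still `const guint8 *`, confirm the assignment builds without a qualifier or signedness warning.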
@@ -0,0 +1,13 @@
+diff --git a/epan/dissectors/packet-hip.c b/epan/dissectors/packet-hip.c
+index 7aa6489..463d6b2 100644
+--- a/epan/dissectors/packet-hip.c
++++ b/epan/dissectors/packet-hip.c
+@@ -653,7 +653,7 @@ dissect_hip_tlv(tvbuff_t *tvb, int offset, proto_item *ti, int type, int tlv_len
+ newoffset += (1 + tvb_get_guint8(tvb, newoffset + 2));
+ tlv_len -= (1 + tvb_get_guint8(tvb, newoffset + 2));
+ }
+- if (ti_loc) {
++ if (locator_type <= 2) {
+ ti_loc = proto_item_add_subtree(ti_loc, ett_hip_locator_data);
+ /* Traffic type */
+ proto_tree_add_item(ti_loc, hf_hip_tlv_locator_traffic_type, tvb,
diff --git a/SOURCES/wireshark-1.10.10-CVE-2014-6427.patch b/SOURCES/wireshark-1.10.10-CVE-2014-6427.patch
new file mode 100644
index 0000000..d9695db
--- /dev/null
+++ b/SOURCES/wireshark-1.10.10-CVE-2014-6427.patch
@@ -0,0 +1,29 @@
+diff --git a/epan/dissectors/packet-rtsp.c b/epan/dissectors/packet-rtsp.c
+index 7d37413..8e06024 100644
+--- a/epan/dissectors/packet-rtsp.c
++++ b/epan/dissectors/packet-rtsp.c
+@@ -442,7 +442,7 @@ static gboolean
+ is_rtsp_request_or_reply(const guchar *line, size_t linelen, rtsp_type_t *type)
+ {
+ guint ii;
+- const guchar *next_token;
++ const guchar *token, *next_token;
+ int tokenlen;
+ gchar response_chars[4];
+
+@@ -453,12 +453,12 @@ is_rtsp_request_or_reply(const guchar *line, size_t linelen, rtsp_type_t *type)
+ */
+ *type = RTSP_REPLY;
+ /* The first token is the version. */
+- tokenlen = get_token_len(line, line+5, &next_token);
++ tokenlen = get_token_len(line, line+5, &token);
+ if (tokenlen != 0) {
+ /* The next token is the status code. */
+- tokenlen = get_token_len(next_token, line+linelen, &next_token);
++ tokenlen = get_token_len(token, line+linelen, &next_token);
+ if (tokenlen >= 3) {
+- memcpy(response_chars, next_token, 3);
++ memcpy(response_chars, token, 3);
+ response_chars[3] = '\0';
+ rtsp_stat_info->response_code = (guint)strtoul(response_chars, NULL, 10);
+ }
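Review bot: `if (locator_type <= 2)` in wireshark-1.10.10-CVE-2014-6426.patch uses a bare `2` to stand for "a locator type the preceding code knows how to parse", and the hunk does not show where those types are handled. If another type is later added to the earlier branch without updating this bound, the two go out of step again, which looks like the kind of mismatch this patch corrects. A named constant, or a comment such as `/* must match the locator types parsed above */`, would tie them together; the exact range needs confirming against the branch outside the hunk. It is also worth confirming that `locator_type` is unsigned there, since a negative signed value would pass this test.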
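Review bot: In wireshark-1.10.10-CVE-2014-6427.patch the first `get_token_len(line, line+5, &token)` call keeps the hard-coded `line+5` bound, and neither hunk shows a check that `linelen` is at least 5 before it. If that check exists in the lines of `is_rtsp_request_or_reply` between the two hunks, a short comment should say so; if not, the bound should be limited to `line+linelen`. The three bytes copied into `response_chars` also go to `strtoul` without being verified as digits, so a malformed status silently becomes 0. A comment stating why `token` and `next_token` must be distinct (the old code overwrote the start pointer it then copied from) would help the next reader.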
diff --git a/SOURCES/wireshark-1.10.10-CVE-2014-6428.patch b/SOURCES/wireshark-1.10.10-CVE-2014-6428.patch
new file mode 100644
index 0000000..ec9f3c8
--- /dev/null
+++ b/SOURCES/wireshark-1.10.10-CVE-2014-6428.patch
@@ -0,0 +1,12 @@
+diff --git a/epan/dissectors/packet-ses.c b/epan/dissectors/packet-ses.c
+index 5164403..81a9f4e 100644
+--- a/epan/dissectors/packet-ses.c
++++ b/epan/dissectors/packet-ses.c
+@@ -1043,6 +1043,7 @@ dissect_spdu(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree,
+ type = tvb_get_guint8(tvb, offset);
+ session.spdu_type = type;
+ session.abort_type = SESSION_NO_ABORT;
++ session.pres_ctx_id = 0;
+ session.ros_op = 0;
+ session.rtse_reassemble = FALSE;
+
diff --git a/SOURCES/wireshark-1.10.10-CVE-2014-6429.patch b/SOURCES/wireshark-1.10.10-CVE-2014-6429.patch
new file mode 100644
index 0000000..cc7c4b5
--- /dev/null
+++ b/SOURCES/wireshark-1.10.10-CVE-2014-6429.patch
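Review bot: `session.pres_ctx_id = 0;` in wireshark-1.10.10-CVE-2014-6428.patch fixes one uninitialised member by hand, which leaves `dissect_spdu` open to the same defect the next time a field is added to the structure. The declaration of `session` is outside the hunk; if it is a plain struct, zeroing it once before the per-field assignments, `memset(&session, 0, sizeof session);`, makes every member defined. After that only the non-zero values such as `SESSION_NO_ABORT` need to be set explicitly.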
@@ -0,0 +1,88 @@
+diff --git a/wiretap/ngsniffer.c b/wiretap/ngsniffer.c
+index 3f987e2..ed61779 100644
+--- a/wiretap/ngsniffer.c
++++ b/wiretap/ngsniffer.c
+@@ -2284,7 +2284,8 @@ SnifferDecompress(unsigned char *inbuf, size_t inlen, unsigned char *outbuf,
+ }
+
+ bit_mask = 0; /* don't have any bits yet */
+- while (1)
++ /* Process until we've consumed all the input */
++ while (pin < pin_end)
+ {
+ /* Shift down the bit mask we use to see whats encoded */
+ bit_mask = bit_mask >> 1;
+@@ -2292,20 +2293,30 @@ SnifferDecompress(unsigned char *inbuf, size_t inlen, unsigned char *outbuf,
+ /* If there are no bits left, time to get another 16 bits */
+ if ( 0 == bit_mask )
+ {
+- bit_mask = 0x8000; /* start with the high bit */
+- bit_value = pletohs(pin); /* get the next 16 bits */
+- pin += 2; /* skip over what we just grabbed */
+- if ( pin >= pin_end )
++ /* make sure there are at least *three* bytes
++ * available - the two bytes of the bit value,
++ * plus one byte after it */
++ if ( pin + 2 >= pin_end )
+ {
+- *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
++ *err = WTAP_ERR_UNC_TRUNCATED;
+ return ( -1 );
+ }
++ bit_mask = 0x8000; /* start with the high bit */
++ bit_value = pletohs(pin); /* get the next 16 bits */
++ pin += 2; /* skip over what we just grabbed */
+ }
+
+ /* Use the bits in bit_value to see what's encoded and what is raw data */
+ if ( !(bit_mask & bit_value) )
+ {
+ /* bit not set - raw byte we just copy */
++
++ /* If length would put us past end of output, avoid overflow */
++ if ( pout + 1 > pout_end )
++ {
++ *err = WTAP_ERR_UNC_OVERFLOW;
++ return ( -1 );
++ }
+ *(pout++) = *(pin++);
+ }
+ else
+@@ -2401,6 +2412,13 @@ SnifferDecompress(unsigned char *inbuf, size_t inlen, unsigned char *outbuf,
+ return ( -1 );
+ }
+
++ /* Check if offset would cause us to copy on top of ourselves */
++ if ( pout - offset + length > pout )
++ {
++ *err = WTAP_ERR_UNC_BAD_OFFSET;
++ return ( -1 );
++ }
++
+ /* Copy the string from previous
text to output position, + advance output pointer */ + memcpy( pout, pout - offset, length ); +@@ -2430,6 +2448,12 @@ SnifferDecompress(unsigned char *inbuf, size_t inlen, unsigned char *outbuf, + return ( -1 ); + } + ++ /* Check if offset would cause us to copy on top of ourselves */ ++ if ( pout - offset + length > pout ) ++ { ++ *err = WTAP_ERR_UNC_BAD_OFFSET; ++ return ( -1 ); ++ } + /* Copy the string from previous text to output position, + advance output pointer */ + memcpy( pout, pout - offset, length ); +@@ -2437,10 +2461,6 @@ SnifferDecompress(unsigned char *inbuf, size_t inlen, unsigned char *outbuf, + break; + } + } +- +- /* If we've consumed all the input, we are done */ +- if ( pin >= pin_end ) +- break; + } + + return (int) ( pout - outbuf ); /* return length of expanded text */ diff --git a/SPECS/wireshark.spec b/SPECS/wireshark.spec index e4884aa..258c1f5 100644 --- a/SPECS/wireshark.spec +++ b/SPECS/wireshark.spec @@ -21,7 +21,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 1.10.3 -Release: 10%{?dist} +Release: 12%{?dist} License: GPL+ Group: Applications/Internet Source0: http://wireshark.org/download/src/%{name}-%{version}.tar.bz2 @@ -51,6 +51,14 @@ Patch13: wireshark-1.10.6-CVE-2014-2281.patch Patch14: wireshark-1.10.6-CVE-2014-2282.patch Patch15: wireshark-1.10.6-CVE-2014-2283.patch Patch16: wireshark-1.10.6-CVE-2014-2299.patch +Patch17: wireshark-1.10.10-CVE-2014-6421.patch +Patch18: wireshark-1.10.10-CVE-2014-6423.patch +Patch19: wireshark-1.10.10-CVE-2014-6424.patch +Patch20: wireshark-1.10.10-CVE-2014-6425.patch +Patch21: wireshark-1.10.10-CVE-2014-6426.patch +Patch22: wireshark-1.10.10-CVE-2014-6427.patch +Patch23: wireshark-1.10.10-CVE-2014-6428.patch +Patch24: wireshark-1.10.10-CVE-2014-6429.patch Url: http://www.wireshark.org/ BuildRequires: libpcap-devel >= 0.9 
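Review bot: The new bounds checks in `SnifferDecompress` (wireshark-1.10.10-CVE-2014-6429.patch) are written as pointer arithmetic that can itself step outside the buffers being guarded. `pin + 2 >= pin_end` forms a pointer beyond one-past-the-end when a single input byte remains, and `pout - offset + length > pout` (both copies) computes `pout - offset` before comparing; whether an earlier check, outside the hunks, already guarantees `offset <= pout - outbuf` cannot be seen here. Comparing distances avoids this: `if ( pin_end - pin < 3 )`, `if ( pout >= pout_end )` and, assuming `offset` and `length` share signedness, `if ( length > offset )`. The comment on the two overlap checks should also say that `memcpy` requires non-overlapping source and destination, which is why the record is rejected rather than copied.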
@@ -159,6 +167,14 @@ and plugins. %patch14 -p1 -b .cve-2014-2282 %patch15 -p1 -b .cve-2014-2283 %patch16 -p1 -b .cve-2014-2299 +%patch17 -p1 -b .cve-2014-6421 +%patch18 -p1 -b .cve.2014-6423 +%patch19 -p1 -b .cve.2014-6424 +%patch20 -p1 -b .cve.2014-6425 +%patch21 -p1 -b .cve.2014-6426 +%patch22 -p1 -b .cve.2014-6427 +%patch23 -p1 -b .cve.2014-6428 +%patch24 -p1 -b .cve.2014-6429 %build %ifarch s390 s390x sparcv9 sparc64 @@ -398,6 +414,21 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %{_datadir}/aclocal/* %changelog +* Mon Oct 13 2014 Peter Hatina - 1.10.3-12 +- security patches +- Related: #1148266 + +* Fri Oct 3 2014 Peter Hatina - 1.10.3-11 +- security patches +- Resolves: CVE-2014-6421 + CVE-2014-6423 + CVE-2014-6424 + CVE-2014-6425 + CVE-2014-6426 + CVE-2014-6427 + CVE-2014-6428 + CVE-2014-6429 + * Mon Mar 10 2014 Peter Hatina - 1.10.3-10 - fix missing tshark's name resolving flag in help message - Related: #1004250
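Review bot: The `-b` backup suffixes in the added `%patch` lines are inconsistent: `%patch17` uses `.cve-2014-6421` like the existing entries, while `%patch18` through `%patch24` use `.cve.2014-…` with a dot after `cve`. This does not affect the build, but it makes the backup files harder to match to their CVE by name. Writing `%patch18 -p1 -b .cve-2014-6423`, and likewise for the remaining lines, keeps the existing convention.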