--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: secur...@debian.org, Balint Reczey <bal...@balintreczey.hu>
* New upstream release.
- CVE-2024-0208: GVCP dissector crash
- CVE-2024-0209: IEEE 1609.2 dissector crash
- CVE-2024-2955: T.38 dissector crash (Closes: #1068111)
- CVE-2024-4853: Editcap byte chopping crash
- CVE-2024-4854: MONGO dissector infinite loop
- CVE-2024-4855: Editcap use-after-free
- CVE-2024-8250: NTLMSSP dissector crash (Closes: #1080298)
- CVE-2024-8645: SPRT dissector crash
* CVE-2024-0211: DOCSIS dissector crash
* Closes: #1059925
This updates bookworm to the final 4.0 release,
and adds the first additional CVE fix.
The attached debdiff contains only the changes to debian/
diff -Nru wireshark-4.0.11/debian/changelog wireshark-4.0.17/debian/changelog
--- wireshark-4.0.11/debian/changelog 2023-11-17 14:38:45.000000000 +0200
+++ wireshark-4.0.17/debian/changelog 2024-09-30 10:55:30.000000000 +0300
@@ -1,3 +1,20 @@
+wireshark (4.0.17-0+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * New upstream release.
+ - CVE-2024-0208: GVCP dissector crash
+ - CVE-2024-0209: IEEE 1609.2 dissector crash
+ - CVE-2024-2955: T.38 dissector crash (Closes: #1068111)
+ - CVE-2024-4853: Editcap byte chopping crash
+ - CVE-2024-4854: MONGO dissector infinite loop
+ - CVE-2024-4855: Editcap use-after-free
+ - CVE-2024-8250: NTLMSSP dissector crash (Closes: #1080298)
+ - CVE-2024-8645: SPRT dissector crash
+ * CVE-2024-0211: DOCSIS dissector crash
+ * Closes: #1059925
+
+ -- Adrian Bunk <b...@debian.org> Mon, 30 Sep 2024 10:55:30 +0300
+
wireshark (4.0.11-1~deb12u1) bookworm-security; urgency=medium
* New upstream version
diff -Nru wireshark-4.0.11/debian/libwireshark16.symbols
wireshark-4.0.17/debian/libwireshark16.symbols
--- wireshark-4.0.11/debian/libwireshark16.symbols 2023-11-17
14:38:45.000000000 +0200
+++ wireshark-4.0.17/debian/libwireshark16.symbols 2024-09-30
10:55:30.000000000 +0300
@@ -273,6 +273,7 @@
decode_zcl_time_in_100ms@Base 2.5.2
decode_zcl_time_in_minutes@Base 2.5.2
decode_zcl_time_in_seconds@Base 2.5.2
+ decrement_dissection_depth@Base 4.0.17-0+deb12u1~
delete_itu_tcap_subdissector@Base 1.9.1
deregister_depend_dissector@Base 2.1.0
destroy_print_stream@Base 1.12.0~rc1
@@ -969,6 +970,7 @@
ieee80211_supported_rates_vals_ext@Base 1.99.1
ieee802a_add_oui@Base 1.9.1
in_cksum@Base 1.9.1
+ increment_dissection_depth@Base 4.0.17-0+deb12u1~
init_srt_table@Base 1.99.8
init_srt_table_row@Base 1.99.8
ip_checksum@Base 1.99.0
diff -Nru wireshark-4.0.11/debian/libwiretap13.symbols
wireshark-4.0.17/debian/libwiretap13.symbols
--- wireshark-4.0.11/debian/libwiretap13.symbols 2023-11-17
14:38:45.000000000 +0200
+++ wireshark-4.0.17/debian/libwiretap13.symbols 2024-09-30
10:55:30.000000000 +0300
@@ -20,6 +20,7 @@
open_routines@Base 1.12.0~rc1
pcapng_process_options@Base 3.5.0
pcapng_process_bytes_option@Base 3.5.0
+ pcapng_process_int64_option@Base 4.0.17-0+deb12u1~
pcapng_process_string_option@Base 3.5.0
pcapng_process_timestamp_option@Base 3.5.0
pcapng_process_uint8_option@Base 3.5.0
@@ -33,6 +34,9 @@
wtap_block_add_bytes_option@Base 3.5.0
wtap_block_add_bytes_option_borrow@Base 3.5.0
wtap_block_add_if_filter_option@Base 3.5.0
+ wtap_block_add_int32_option@Base 4.0.17-0+deb12u1~
+ wtap_block_add_int64_option@Base 4.0.17-0+deb12u1~
+ wtap_block_add_int8_option@Base 4.0.17-0+deb12u1~
wtap_block_add_ipv4_option@Base 2.1.2
wtap_block_add_ipv6_option@Base 2.1.2
wtap_block_add_nflx_custom_option@Base 3.5.0
@@ -43,12 +47,17 @@
wtap_block_add_uint64_option@Base 2.1.2
wtap_block_add_uint8_option@Base 2.1.2
wtap_block_array_free@Base 2.1.2
+ wtap_block_array_ref@Base 4.0.17-0+deb12u1~
+ wtap_block_array_unref@Base 4.0.17-0+deb12u1~
wtap_block_copy@Base 2.1.2
wtap_block_count_option@Base 3.5.0
wtap_block_create@Base 2.1.2
wtap_block_foreach_option@Base 2.1.2
wtap_block_get_bytes_option_value@Base 3.5.0
wtap_block_get_if_filter_option_value@Base 3.5.0
+ wtap_block_get_int32_option_value@Base 4.0.17-0+deb12u1~
+ wtap_block_get_int64_option_value@Base 4.0.17-0+deb12u1~
+ wtap_block_get_int8_option_value@Base 4.0.17-0+deb12u1~
wtap_block_get_ipv4_option_value@Base 2.1.2
wtap_block_get_ipv6_option_value@Base 2.1.2
wtap_block_get_mandatory_data@Base 2.1.2
@@ -67,6 +76,9 @@
wtap_block_remove_option@Base 2.2.0
wtap_block_set_bytes_option_value@Base 3.5.0
wtap_block_set_if_filter_option_value@Base 3.5.0
+ wtap_block_set_int32_option_value@Base 4.0.17-0+deb12u1~
+ wtap_block_set_int64_option_value@Base 4.0.17-0+deb12u1~
+ wtap_block_set_int8_option_value@Base 4.0.17-0+deb12u1~
wtap_block_set_ipv4_option_value@Base 2.1.2
wtap_block_set_ipv6_option_value@Base 2.1.2
wtap_block_set_nth_bytes_option_value@Base 3.5.0
diff -Nru
wireshark-4.0.11/debian/patches/0001-DOCSIS-Extended-EH-Elements-are-not-recursive.patch
wireshark-4.0.17/debian/patches/0001-DOCSIS-Extended-EH-Elements-are-not-recursive.patch
---
wireshark-4.0.11/debian/patches/0001-DOCSIS-Extended-EH-Elements-are-not-recursive.patch
1970-01-01 02:00:00.000000000 +0200
+++
wireshark-4.0.17/debian/patches/0001-DOCSIS-Extended-EH-Elements-are-not-recursive.patch
2024-09-30 10:55:30.000000000 +0300
@@ -0,0 +1,237 @@
+From fba14cbf9893338a9d068e59e169b564eb7efd51 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthac...@gmail.com>
+Date: Mon, 1 Jan 2024 09:06:25 -0500
+Subject: DOCSIS: Extended EH Elements are not recursive
+
+Extended EH Elements, which are still not defined as of DOCSIS 4.0
+and must be ignored (CM-SP-MULPIv4.0-I08-231211), are not recursive
+but instead have a full byte each for type and length instead of
+a nibble, allowing specifying more than 15 extended header types or
+extended header types with length longer than 15.
+
+Increment the position for the first type/length byte to make the
+logic more straightforward.
+
+Part of #19557
+
+(backported from commit 77b0583568836554bd51ee8fde54ba5a3d000c0e)
+---
+ epan/dissectors/packet-docsis.c | 105 ++++++++++++++++++--------------
+ 1 file changed, 59 insertions(+), 46 deletions(-)
+
+diff --git a/epan/dissectors/packet-docsis.c b/epan/dissectors/packet-docsis.c
+index 4d886db03a..a91704ab5e 100644
+--- a/epan/dissectors/packet-docsis.c
++++ b/epan/dissectors/packet-docsis.c
+@@ -108,6 +108,8 @@ static int hf_docsis_len = -1;
+ static int hf_docsis_eh_type = -1;
+ static int hf_docsis_eh_len = -1;
+ static int hf_docsis_eh_val = -1;
++static int hf_docsis_ehx_type = -1;
++static int hf_docsis_ehx_len = -1;
+ static int hf_docsis_frag_rsvd = -1;
+ static int hf_docsis_frag_first = -1;
+ static int hf_docsis_frag_last = -1;
+@@ -312,7 +314,7 @@ dissect_ehdr (tvbuff_t * tvb, proto_tree * tree,
packet_info * pinfo, gboolean *
+ }
+
+ eh_length_item = proto_tree_add_item (ehdr_tree, hf_docsis_eh_len, tvb,
pos, 1, ENC_BIG_ENDIAN);
+-
++ pos++;
+
+ switch ((type >> 4) & 0x0F)
+ {
+@@ -320,8 +322,8 @@ dissect_ehdr (tvbuff_t * tvb, proto_tree * tree,
packet_info * pinfo, gboolean *
+ /* Request: Minislots Requested */
+ if (len == 3)
+ {
+- proto_tree_add_item(ehdr_tree, hf_docsis_mini_slots, tvb, pos + 1,
1, ENC_NA);
+- proto_tree_add_item(ehdr_tree, hf_docsis_sid, tvb, pos + 2, 2,
ENC_BIG_ENDIAN);
++ proto_tree_add_item(ehdr_tree, hf_docsis_mini_slots, tvb, pos, 1,
ENC_NA);
++ proto_tree_add_item(ehdr_tree, hf_docsis_sid, tvb, pos + 1, 2,
ENC_BIG_ENDIAN);
+ }
+ else
+ {
+@@ -333,7 +335,7 @@ dissect_ehdr (tvbuff_t * tvb, proto_tree * tree,
packet_info * pinfo, gboolean *
+ /* Deprecated in DOCSIS 3.1 */
+ if (len == 2)
+ {
+- proto_tree_add_item(ehdr_tree, hf_docsis_sid, tvb, pos + 1, 2,
ENC_BIG_ENDIAN);
++ proto_tree_add_item(ehdr_tree, hf_docsis_sid, tvb, pos, 2,
ENC_BIG_ENDIAN);
+ }
+ else
+ {
+@@ -343,110 +345,111 @@ dissect_ehdr (tvbuff_t * tvb, proto_tree * tree,
packet_info * pinfo, gboolean *
+ break;
+ case EH_BP_UP:
+ /* Upstream Privacy EH Element or Upstream Privacy with fragmentation
*/
+- proto_tree_add_item (ehdr_tree, hf_docsis_key_seq, tvb, pos + 1, 1,
++ proto_tree_add_item (ehdr_tree, hf_docsis_key_seq, tvb, pos, 1,
+ ENC_BIG_ENDIAN);
+- proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_ver, tvb, pos + 1, 1,
++ proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_ver, tvb, pos, 1,
+ ENC_BIG_ENDIAN);
+- proto_tree_add_item_ret_boolean (ehdr_tree, hf_docsis_bpi_en, tvb,
pos + 2, 1,
++ proto_tree_add_item_ret_boolean (ehdr_tree, hf_docsis_bpi_en, tvb,
pos + 1, 1,
+ ENC_BIG_ENDIAN, is_encrypted);
+- proto_tree_add_item (ehdr_tree, hf_docsis_toggle_bit, tvb, pos + 2,
++ proto_tree_add_item (ehdr_tree, hf_docsis_toggle_bit, tvb, pos + 1,
+ 1, ENC_BIG_ENDIAN);
+- proto_tree_add_item (ehdr_tree, hf_docsis_sid, tvb, pos + 2, 2,
++ proto_tree_add_item (ehdr_tree, hf_docsis_sid, tvb, pos + 1, 2,
+ ENC_BIG_ENDIAN);
+- frag_sid = tvb_get_guint8 (tvb, pos+2) & 0xCFFF;
+- proto_tree_add_item (ehdr_tree, hf_docsis_mini_slots, tvb, pos + 4,
++ frag_sid = tvb_get_guint8 (tvb, pos+1) & 0xCFFF;
++ proto_tree_add_item (ehdr_tree, hf_docsis_mini_slots, tvb, pos + 3,
+ 1, ENC_BIG_ENDIAN);
+ if (pinfo->fragmented)
+ {
+- proto_tree_add_item (ehdr_tree, hf_docsis_frag_rsvd, tvb, pos+5,
++ proto_tree_add_item (ehdr_tree, hf_docsis_frag_rsvd, tvb, pos+4,
+ 1, ENC_BIG_ENDIAN);
+- frag_flags = tvb_get_guint8 (tvb, pos+5) & 0x30;
+- proto_tree_add_item (ehdr_tree, hf_docsis_frag_first, tvb, pos+5,
++ frag_flags = tvb_get_guint8 (tvb, pos+4) & 0x30;
++ proto_tree_add_item (ehdr_tree, hf_docsis_frag_first, tvb, pos+4,
+ 1, ENC_BIG_ENDIAN);
+- proto_tree_add_item (ehdr_tree, hf_docsis_frag_last, tvb, pos+5,
++ proto_tree_add_item (ehdr_tree, hf_docsis_frag_last, tvb, pos+4,
+ 1, ENC_BIG_ENDIAN);
+- frag_seq = tvb_get_guint8 (tvb, pos+5) & 0x0F;
+- proto_tree_add_item (ehdr_tree, hf_docsis_frag_seq, tvb, pos+5,
++ frag_seq = tvb_get_guint8 (tvb, pos+4) & 0x0F;
++ proto_tree_add_item (ehdr_tree, hf_docsis_frag_seq, tvb, pos+4,
+ 1, ENC_BIG_ENDIAN);
+ }
+ break;
+ case EH_BP_DOWN:
+ /* Downstream Privacy EH Element */
+- proto_tree_add_item (ehdr_tree, hf_docsis_key_seq, tvb, pos + 1, 1,
++ proto_tree_add_item (ehdr_tree, hf_docsis_key_seq, tvb, pos, 1,
+ ENC_BIG_ENDIAN);
+- proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_ver, tvb, pos + 1, 1,
++ proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_ver, tvb, pos, 1,
+ ENC_BIG_ENDIAN);
+- proto_tree_add_item_ret_boolean (ehdr_tree, hf_docsis_bpi_en, tvb,
pos + 2, 1,
++ proto_tree_add_item_ret_boolean (ehdr_tree, hf_docsis_bpi_en, tvb,
pos + 1, 1,
+ ENC_BIG_ENDIAN, is_encrypted);
+- proto_tree_add_item (ehdr_tree, hf_docsis_toggle_bit, tvb, pos + 2,
++ proto_tree_add_item (ehdr_tree, hf_docsis_toggle_bit, tvb, pos + 1,
+ 1, ENC_BIG_ENDIAN);
+- proto_tree_add_item (ehdr_tree, hf_docsis_said, tvb, pos + 2, 2,
++ proto_tree_add_item (ehdr_tree, hf_docsis_said, tvb, pos + 1, 2,
+ ENC_BIG_ENDIAN);
+- proto_tree_add_item (ehdr_tree, hf_docsis_reserved, tvb, pos + 4, 1,
++ proto_tree_add_item (ehdr_tree, hf_docsis_reserved, tvb, pos + 3, 1,
+ ENC_BIG_ENDIAN);
+ break;
+ case EH_SFLOW_HDR_DOWN:
+ /* Deprecated in DOCSIS 3.1, was Downstream Service Flow EH Element
in earlier revisions */
+ case EH_SFLOW_HDR_UP:
+ /* Deprecated in DOCSIS 3.1, was Upstream Service Flow EH Element in
earlier revisions */
+- proto_tree_add_item(ehdr_tree, hf_docsis_ehdr_phsi, tvb, pos+1, 1,
ENC_BIG_ENDIAN);
++ proto_tree_add_item(ehdr_tree, hf_docsis_ehdr_phsi, tvb, pos, 1,
ENC_BIG_ENDIAN);
+
+ if (len == 2)
+ {
+- proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_qind, tvb, pos+2, 1,
ENC_BIG_ENDIAN);
+- proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_grants, tvb, pos+2,
1, ENC_BIG_ENDIAN);
++ proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_qind, tvb, pos+1, 1,
ENC_BIG_ENDIAN);
++ proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_grants, tvb, pos+1,
1, ENC_BIG_ENDIAN);
+ }
+ break;
+ case EH_BP_UP2:
+ /* Upstream Privacy EH Element, version 2, with no piggyback request
*/
+- proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_bpup2_key_seq, tvb,
pos + 1, 1,
++ proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_bpup2_key_seq, tvb,
pos, 1,
+ ENC_BIG_ENDIAN);
+- proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_bpup2_ver, tvb, pos +
1, 1,
++ proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_bpup2_ver, tvb, pos, 1,
+ ENC_BIG_ENDIAN);
+- proto_tree_add_item_ret_boolean (ehdr_tree,
hf_docsis_ehdr_bpup2_bpi_en, tvb, pos + 2, 1,
++ proto_tree_add_item_ret_boolean (ehdr_tree,
hf_docsis_ehdr_bpup2_bpi_en, tvb, pos + 1, 1,
+ ENC_BIG_ENDIAN, is_encrypted);
+- proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_bpup2_toggle_bit, tvb,
pos + 2,
++ proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_bpup2_toggle_bit, tvb,
pos + 1,
+ 1, ENC_BIG_ENDIAN);
+- proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_bpup2_sid, tvb, pos +
2, 2,
++ proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_bpup2_sid, tvb, pos +
1, 2,
+ ENC_BIG_ENDIAN);
+ break;
+ case EH_DS_SERVICE:
+ /* Downstream Service EH Element */
+- proto_tree_add_item(ehdr_tree, hf_docsis_ehdr_ds_traffic_pri, tvb,
pos+1, 1, ENC_BIG_ENDIAN);
++ proto_tree_add_item(ehdr_tree, hf_docsis_ehdr_ds_traffic_pri, tvb,
pos, 1, ENC_BIG_ENDIAN);
+
+ if (len == 3)
+ {
+- proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_ds_dsid, tvb, pos+1,
3, ENC_BIG_ENDIAN);
++ proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_ds_dsid, tvb, pos,
3, ENC_BIG_ENDIAN);
+ }
+
+ if (len == 5)
+ {
+- proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_ds_seq_chg_cnt, tvb,
pos+1, 1, ENC_BIG_ENDIAN);
+- proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_ds_dsid, tvb, pos+1,
3, ENC_BIG_ENDIAN);
+- proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_ds_pkt_seq_num, tvb,
pos+4, 2, ENC_BIG_ENDIAN);
++ proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_ds_seq_chg_cnt, tvb,
pos, 1, ENC_BIG_ENDIAN);
++ proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_ds_dsid, tvb, pos,
3, ENC_BIG_ENDIAN);
++ proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_ds_pkt_seq_num, tvb,
pos+3, 2, ENC_BIG_ENDIAN);
+ }
+ break;
+ case EH_PATH_VERIFY:
+ /* Path Verify EH Element */
+ if (len == 5)
+ {
+- proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_pv_st_refpt, tvb,
pos+1, 1, ENC_BIG_ENDIAN);
+- proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_pv_timestamp, tvb,
pos+2, 4, ENC_BIG_ENDIAN);
++ proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_pv_st_refpt, tvb,
pos, 1, ENC_BIG_ENDIAN);
++ proto_tree_add_item (ehdr_tree, hf_docsis_ehdr_pv_timestamp, tvb,
pos+1, 4, ENC_BIG_ENDIAN);
+ }
+ break;
+ case EH_EXTENDED:
+- /* Extended EH Element, one or more Sub EH fields may follow; simply
recurse */
+- {
+- tvbuff_t *subset = tvb_new_subset_remaining(tvb, pos);
+- dissect_ehdr (subset, ehdr_tree, pinfo, is_encrypted);
+- }
+- break;
++ /* Extended EH Element, ignore eh_len */
++ proto_tree_add_item(ehdr_tree, hf_docsis_ehx_type, tvb, pos, 1,
ENC_NA);
++ pos++;
++ proto_tree_add_item(ehdr_tree, hf_docsis_ehx_len, tvb, pos, 1,
ENC_NA);
++ len = tvb_get_guint8(tvb, pos);
++ pos++;
++ /* FALLTHROUGH */
+ default:
+ if (len > 0)
+- proto_tree_add_item (ehdr_tree, hf_docsis_eh_val, tvb, pos + 1,
++ proto_tree_add_item (ehdr_tree, hf_docsis_eh_val, tvb, pos,
+ len, ENC_NA);
+ }
+- pos += len + 1;
++ pos += len;
+ }
+
+ return;
+@@ -953,6 +956,16 @@ proto_register_docsis (void)
+ FT_BYTES, BASE_NONE, NULL, 0x0,
+ "TLV Value", HFILL}
+ },
++ {&hf_docsis_ehx_type,
++ {"Extended Type", "docsis.ehdr.ehx_type",
++ FT_UINT8, BASE_DEC, NULL, 0x0,
++ "TLV Type", HFILL}
++ },
++ {&hf_docsis_ehx_len,
++ {"Extended Length", "docsis.ehdr.ehx_len",
++ FT_UINT8, BASE_DEC, NULL, 0x0,
++ "TLV Len", HFILL}
++ },
+ {&hf_docsis_frag_rsvd,
+ {"Reserved", "docsis.frag_rsvd",
+ FT_UINT8, BASE_DEC, NULL, 0xC0,
+--
+2.30.2
+
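Review bot: In the new `EH_EXTENDED` case, the full-byte length read by `len = tvb_get_guint8(tvb, pos);` comes straight from the packet and is never compared with what is left of the extended header before it falls through to `default:`, where it sizes the `hf_docsis_eh_val` item and the closing `pos += len;`. The tvb accessors are bounds-checked, so an oversized value should end in a malformed-packet exception rather than a memory error, but a length that stays inside the frame and runs past the EH area is dissected silently. A guard before the fallthrough such as `if (len > remaining_eh_bytes) { /* flag as malformed and stop */ }` would make that visible; `remaining_eh_bytes` is a placeholder, since the loop bound lies outside the hunk. Separately, `frag_sid = tvb_get_guint8 (tvb, pos+1) & 0xCFFF;` reads one byte but masks with a 16-bit constant, while the adjacent `hf_docsis_sid` item covers two bytes at the same offset, so a 16-bit read (`tvb_get_ntohs`) looks intended; this predates the patch and is only re-offset here. The body of `dissect_ehdr` starts and ends outside these hunks.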
diff -Nru wireshark-4.0.11/debian/patches/series
wireshark-4.0.17/debian/patches/series
--- wireshark-4.0.11/debian/patches/series 2023-11-17 14:38:45.000000000
+0200
+++ wireshark-4.0.17/debian/patches/series 2024-09-30 10:55:30.000000000
+0300
@@ -1,2 +1,3 @@
09_idl2wrs.patch
0004-Use-packaged-JS-and-CSS-resources-instead-of-pulling.patch
+0001-DOCSIS-Extended-EH-Elements-are-not-recursive.patch
--- End Message ---