[oe] [meta-networking][dunfell][PATCH] wireshark: Fix CVE-2022-0585-CVE-2023-2879

Mon, 13 Nov 2023 21:44:30 -0800 

Upstream-Status: Backport from 
https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f
 && 
https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677

Signed-off-by: Hitendra Prajapati <[email protected]>
---
 .../files/CVE-2022-0585-CVE-2023-2879.patch   | 93 +++++++++++++++++++
 .../wireshark/wireshark_3.2.18.bb             |  1 +
 2 files changed, 94 insertions(+)
 create mode 100644 
meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch

diff --git 
a/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch
 
b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch
new file mode 100644
index 000000000..1fc4a5fe3
--- /dev/null
+++ 
b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch
@@ -0,0 +1,93 @@
+From 5a7a80e139396c07d45e70d63c6d3974c50ae5e8 Mon Sep 17 00:00:00 2001
+From: John Thacker <[email protected]>
+Date: Sat, 13 May 2023 21:45:16 -0400
+Subject: GDSDB: Make sure our offset advances.
+
+add_uint_string() returns the next offset to use, not the number
+of bytes consumed. So to consume all the bytes and make sure the
+offset advances, return the entire reported tvb length, not the
+number of bytes remaining.
+
+Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f
+
+Fixes #19068
+
+Upstream-Status: Backport 
[https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f
 && 
https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677]
+CVE: CVE-2022-0585 & CVE-2023-2879
+Signed-off-by: Hitendra Prajapati <[email protected]>
+---
+ epan/dissectors/packet-gdsdb.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c
+index 95fed7e..950d68f 100644
+--- a/epan/dissectors/packet-gdsdb.c
++++ b/epan/dissectors/packet-gdsdb.c
+@@ -15,6 +15,7 @@
+ #include "config.h"
+ 
+ #include <epan/packet.h>
++#include <epan/expert.h>
+ 
+ void proto_register_gdsdb(void);
+ void proto_reg_handoff_gdsdb(void);
+@@ -182,6 +183,8 @@ static int hf_gdsdb_cursor_type = -1;
+ static int hf_gdsdb_sqlresponse_messages = -1;
+ #endif
+ 
++static expert_field ei_gdsdb_invalid_length = EI_INIT;
++
+ enum
+ {
+       op_void                   = 0,
+@@ -474,7 +477,12 @@ static int add_uint_string(proto_tree *tree, int 
hf_string, tvbuff_t *tvb, int o
+                                               offset, 4, 
ENC_ASCII|ENC_BIG_ENDIAN);
+       length = dword_align(tvb_get_ntohl(tvb, offset))+4;
+       proto_item_set_len(ti, length);
+-      return offset + length;
++      int ret_offset = offset + length;
++      if (length < 4 || ret_offset < offset) {
++              expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, 
"Invalid length: %d", length);
++              return tvb_reported_length(tvb);
++      }
++      return ret_offset;
+ }
+ 
+ static int add_byte_array(proto_tree *tree, int hf_len, int hf_byte, tvbuff_t 
*tvb, int offset)
+@@ -1407,7 +1415,12 @@ dissect_gdsdb(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, void *data _U
+                                                               offset, 4, 
ENC_BIG_ENDIAN);
+ 
+               /* opcode < op_max */
++              int old_offset = offset;
+               offset = gdsdb_handle_opcode[opcode](tvb, pinfo, gdsdb_tree, 
offset+4);
++              if (offset <= old_offset) {
++                      expert_add_info(NULL, ti, &ei_gdsdb_invalid_length);
++                      return tvb_reported_length_remaining(tvb, old_offset);
++              }
+               if (offset < 0)
+               {
+                       /* But at this moment we don't know how much we will 
need */
+@@ -2022,12 +2035,20 @@ proto_register_gdsdb(void)
+               &ett_gdsdb_connect_pref
+       };
+ 
++/* Expert info */
++      static ei_register_info ei[] = {
++              { &ei_gdsdb_invalid_length, { "gdsdb.invalid_length", 
PI_MALFORMED, PI_ERROR,
++                      "Invalid length", EXPFILL }},
++      };
++
+       proto_gdsdb = proto_register_protocol(
+               "Firebird SQL Database Remote Protocol",
+               "FB/IB GDS DB", "gdsdb");
+ 
+       proto_register_field_array(proto_gdsdb, hf, array_length(hf));
+       proto_register_subtree_array(ett, array_length(ett));
++      expert_module_t *expert_gdsdb = expert_register_protocol(proto_gdsdb);
++      expert_register_field_array(expert_gdsdb, ei, array_length(ei));
+ }
+ 
+ void
+-- 
+2.25.1
+
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb 
b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
index b4425cb66..b35c24328 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
@@ -19,6 +19,7 @@ SRC_URI = 
"https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
            file://CVE-2023-0668.patch \
            file://CVE-2023-2906.patch \
            file://CVE-2023-3649.patch \
+           file://CVE-2022-0585-CVE-2023-2879.patch \
            "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src";
 
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#106698): 
https://lists.openembedded.org/g/openembedded-devel/message/106698
Mute This Topic: https://lists.openembedded.org/mt/102578713/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to