~ubuntu-branches/ubuntu/gutsy/wireshark/gutsy-security

Viewing changes to debian/patches/13_CVE-2007-6439.dpatch

Committer: Bazaar Package Importer
Author(s): Emanuele Gentili
Date: 2008-03-24 03:21:13 UTC
Revision ID: james.westby@ubuntu.com-20080324032113-d1j4zykc3du9kg4l

Tags: 0.99.6rel-3ubuntu0.2

* SECURITY UPDATE: (LP: #172283)
+ CVE-2007-6438
  - Vulnerability in the SMB dissector in Wireshark 0.99.6 allows remote
    attackers to cause a denial of service via unknown vectors.
+ CVE-2007-6539
  - Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause
    a denial of service (infinite or large loop) via the (1) IPv6 or (2)
    USB dissector, which can trigger resource consumption or a crash.
+ CVE-2007-6441
  - The WiMAX dissector in Wireshark (formerly Ethereal) 0.99.6 allows
    remote attackers to cause a denial of service (crash) via unknown
    vectors related to "unaligned access on some platforms."
+ CVE-2007-6450
  - The RPL dissector in Wireshark (formerly Ethereal) 0.9.8 to 0.99.6
    allows remote attackers to cause a denial of service (infinite loop)
    via unknown vectors.
+ CVE-2007-6451
  - vulnerability in the CIP dissector in Wireshark (formerly Ethereal)
    0.9.14 to 0.99.6 allows remote attackers to cause a denial of service
    (crash) via unknown vectors that trigger allocation of large amounts
    of memory.
+ CVE-2008-1070
  - The SCTP dissector in Wireshark (formerly Ethereal) 0.99.5 through
    0.99.7 allows remote attackers to cause a denial of service (crash)
    via a malformed packet.
+ CVE-2008-1071
  - The SNMP dissector in Wireshark (formerly Ethereal) 0.99.6 through
    0.99.7 allows remote attackers to cause a denial of service (crash)
    via a malformed packet. (not vulnerable in Gutsy)
+ CVE-2008-1072
  - The TFTP dissector in Wireshark (formerly Ethereal) 0.6.0 through
    0.99.7, when running on Ubuntu 7.10, allows remote attackers to caus
    e a denial of service (crash or memory consumption) via a malformed
    packet, possibly related to a Cairo library bug.

+ debian/patches/13_CVE-2007-6438.dpatch
  - Applied patch by upstream
  - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/
    dissectors/packet-smb.c?r1=23412&r2=23593&pathrev=23593
+ debian/patches/13_CVE-2007-6439.dpatch
  - Applied patch by upstream
  - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/
    dissectors/packet-ipv6.c?r1=23412&r2=23593&pathrev=23593
  - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/
    dissectors/packet-usb.c?r1=23412&r2=23593&pathrev=23593
+ debian/patches/13_CVE-2007-6441.dpatch
  - Applied patch by upstream
  - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/plugins/
    wimax/wimax_bits.h?r1=23412&r2=23787&pathrev=23555
+ debian/patches/13_CVE-2007-6450.dpatch
  - Applied patch by upstream
  - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/
    dissectors/packet-rpl.c?r1=23412&r2=23687&pathrev=23687
+ debian/patches/13_CVE-2007-6451.dpatch
  - Applied patch by upstream
  - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/
    dissectors/packet-cip.c?r1=23412&r2=12070&pathrev=12070
+ debian/patches/14_CVE-2008-1070.dpatch
  - Applied patch by upastream
  - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/
    dissectors/packet-sctp.c?r1=24295&r2=24471&pathrev=24563
+ debian/patches/14_CVE-2008-1072.dpatch
  - Applied patch by upstream
  - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/
    dissectors/packet-tftp.c?r1=23412&r2=23962&pathrev=23962

* References
+ http://www.wireshark.org/security/wnpa-sec-2007-03.html
  - CVE-2007-6438
  - CVE-2007-6439
  - CVE-2007-6441
  - CVE-2007-6450
  - CVE-2007-6451
+ http://www.wireshark.org/security/wnpa-sec-2008-01.html
  - CVE-2008-1070
  - CVE-2008-1071 (not vulnerable in gutsy and not patched.)
  - CVE-2008-1072

files added:
debian/patches/13_CVE-2007-6438.dpatch

debian/patches/13_CVE-2007-6439.dpatch

debian/patches/13_CVE-2007-6441.dpatch

debian/patches/13_CVE-2007-6450.dpatch

debian/patches/13_CVE-2007-6451.dpatch

debian/patches/14_CVE-2008-1070.dpatch

debian/patches/14_CVE-2008-1072.dpatch

files modified:
debian/changelog

debian/patches/00list

Show diffs side-by-side

added added

removed removed

debian/patches/13_CVE-2007-6439.dpatch

#! /bin/sh /usr/share/dpatch/dpatch-run

## 13_CVE-2007-6439.dpatch by Emanuele Gentili <emgent@emanuele-gentili.com>

## All lines beginning with `## DP:' are a description of the patch.

## DP: No description.

@DPATCH@

diff -urNad wireshark-0.99.6rel~/epan/dissectors/packet-ipv6.c wireshark-0.99.6rel/epan/dissectors/packet-ipv6.c

--- wireshark-0.99.6rel~/epan/dissectors/packet-ipv6.c 2007-07-05 21:25:02.000000000 +0200

+++ wireshark-0.99.6rel/epan/dissectors/packet-ipv6.c 2008-03-24 01:48:31.000000000 +0100

@@ -61,6 +61,7 @@

static int proto_ipv6 = -1;

static int hf_ipv6_version = -1;

+static int hf_ip_version = -1;

static int hf_ipv6_class = -1;

static int hf_ipv6_flow = -1;

static int hf_ipv6_plen = -1;

@@ -136,6 +137,7 @@

static int hf_ipv6_shim6_opt_fii = -1;

static gint ett_ipv6 = -1;

+static gint ett_ipv6_version = -1;

static gint ett_ipv6_shim6 = -1;

static gint ett_ipv6_shim6_option = -1;

static gint ett_ipv6_shim6_locators = -1;

@@ -775,7 +777,7 @@

}

static void

-dissect_shim6_opt_loc_pref(proto_tree * opt_tree, tvbuff_t * tvb, gint *offset, gint len)

+dissect_shim6_opt_loc_pref(proto_tree * opt_tree, tvbuff_t * tvb, gint *offset, gint len, packet_info *pinfo)

{

proto_tree * subtree;

proto_item * it;

@@ -791,6 +793,15 @@

optlen = tvb_get_guint8(tvb, p);

proto_tree_add_item(opt_tree, hf_ipv6_shim6_opt_elemlen, tvb, p, 1, FALSE);

+ if (optlen < 1 || optlen > 3) {

+ it = proto_tree_add_text(opt_tree, tvb, p, 1,

+ "Invalid element length: %u", optlen);

+ expert_add_info_format(pinfo, it, PI_MALFORMED, PI_ERROR,

+ "Invalid element length: %u", optlen);

+ return;

+ }

p++;

/* Locator Preferences */

@@ -823,7 +834,7 @@

static int

-dissect_shimopts(tvbuff_t *tvb, int offset, proto_tree *tree)

+dissect_shimopts(tvbuff_t *tvb, int offset, proto_tree *tree, packet_info *pinfo)

{

int len, total_len;

gint p;

@@ -874,7 +885,7 @@

dissect_shim6_opt_loclist(opt_tree, tvb, &p);

break;

case SHIM6_OPT_LOCPREF:

- dissect_shim6_opt_loc_pref(opt_tree, tvb, &p, offset+len+4);

+ dissect_shim6_opt_loc_pref(opt_tree, tvb, &p, offset+len+4, pinfo);

if (total_len-(len+4) > 0)

proto_tree_add_text(opt_tree, tvb, p, total_len-(len+4), "Padding");

break;

@@ -1206,7 +1217,7 @@

/* Options */

while (p < offset+len) {

- p += dissect_shimopts(tvb, p, shim_tree);

+ p += dissect_shimopts(tvb, p, shim_tree, pinfo);

}

@@ -1257,13 +1268,20 @@

SET_ADDRESS(&pinfo->dst, AT_IPv6, 16, tvb_get_ptr(tvb, offset + IP6H_DST, 16));

if (tree) {

+ proto_tree* pt;

+ proto_item* pi;

/* !!! specify length */

ti = proto_tree_add_item(tree, proto_ipv6, tvb, offset, 40, FALSE);

ipv6_tree = proto_item_add_subtree(ti, ett_ipv6);

/* !!! warning: version also contains 4 Bit priority */

- proto_tree_add_item(ipv6_tree, hf_ipv6_version, tvb,

+ pi = proto_tree_add_item(ipv6_tree, hf_ipv6_version, tvb,

+ offset + offsetof(struct ip6_hdr, ip6_vfc), 1, FALSE);

+ pt = proto_item_add_subtree(pi,ett_ipv6_version);

+ pi = proto_tree_add_item(pt, hf_ip_version, tvb,

offset + offsetof(struct ip6_hdr, ip6_vfc), 1, FALSE);

+ PROTO_ITEM_SET_GENERATED(pi);

proto_tree_add_item(ipv6_tree, hf_ipv6_class, tvb,

100

offset + offsetof(struct ip6_hdr, ip6_flow), 4, FALSE);

101

@@ -1504,6 +1522,10 @@

102

{ &hf_ipv6_version,

103

{ "Version", "ipv6.version",

104

FT_UINT8, BASE_DEC, NULL, 0xF0, "", HFILL }},

105

+ { &hf_ip_version,

106

+ { "This field makes the filter \"ip.version == 6\" possible",

107

+"ip.version",

108

+ FT_UINT8, BASE_DEC, NULL, 0xF0, "", HFILL }},

109

{ &hf_ipv6_class,

110

{ "Traffic class", "ipv6.class",

111

FT_UINT32, BASE_HEX, NULL, 0x0FF00000, "", HFILL }},

112

@@ -1827,6 +1849,7 @@

113

};

114

static gint *ett[] = {

115

&ett_ipv6,

116

+ &ett_ipv6_version,

117

&ett_ipv6_shim6,

118

&ett_ipv6_shim6_option,

119

&ett_ipv6_shim6_locators,

120

diff -urNad wireshark-0.99.6rel~/epan/dissectors/packet-usb.c wireshark-0.99.6rel/epan/dissectors/packet-usb.c

121

--- wireshark-0.99.6rel~/epan/dissectors/packet-usb.c 2007-07-05 21:24:58.000000000 +0200

122

+++ wireshark-0.99.6rel/epan/dissectors/packet-usb.c 2008-03-24 01:53:52.000000000 +0100

123

@@ -34,6 +34,7 @@

124

#include <epan/emem.h>

125

#include <epan/tap.h>

126

#include <epan/conversation.h>

127

+#include <epan/expert.h>

128

#include <string.h>

129

#include "packet-usb.h"

130

131

@@ -506,6 +507,7 @@

132

usb_trans_info->interface_info=se_alloc(sizeof(usb_conv_info_t));

133

usb_trans_info->interface_info->interfaceClass=tvb_get_guint8(tvb, offset);

134

usb_trans_info->interface_info->transactions=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "usb transactions");

135

+ usb_trans_info->interface_info->class_data=NULL;

136

}

137

offset++;

138

139

@@ -652,6 +654,13 @@

140

proto_tree_add_item(tree, hf_usb_bLength, tvb, offset, 1, TRUE);

141

bLength = tvb_get_guint8(tvb, offset);

142

offset++;

143

+ if (bLength < 3) {

144

+ item = proto_tree_add_text(parent_tree, tvb, offset - 1, 1,

145

+ "Invalid bLength: %u", bLength);

146

+ expert_add_info_format(pinfo, item, PI_MALFORMED, PI_ERROR,

147

+ "Invalid bLength: %u", bLength);

148

+ return offset;

149

+ }

150

151

/* bDescriptorType */

152

proto_tree_add_item(tree, hf_usb_bDescriptorType, tvb, offset, 1, TRUE);

Older »