[oe] [zeus] [meta-networking] [PATCH] wireshark: CVE-2019-19553

akuster808 akuster808 at gmail.com
Fri Mar 13 15:35:15 UTC 2020



On 3/12/20 11:58 PM, Zang Ruochen wrote:
> Security Advisory
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19553
Thanks for the CVE fix.

The Wireshark 3.0.x series is bug fix only, so updating to 3.0.9 would be
preferred.

3.0.9
wnpa-sec-2020-03 <https://www.wireshark.org/security/wnpa-sec-2020-03>
LTE RRC dissector memory leak. Bug 16341
<https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16341>.
wnpa-sec-2020-04 <https://www.wireshark.org/security/wnpa-sec-2020-04>
WiMax DLMAP dissector crash. Bug 16368
<https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16368>.
wnpa-sec-2020-05 <https://www.wireshark.org/security/wnpa-sec-2020-05>
EAP dissector crash. Bug 16397
<https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16397>.

3.0.8
wnpa-sec-2020-02 <https://www.wireshark.org/security/wnpa-sec-2020-02>
BT ATT dissector crash. Bug 16258
<https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16258>.
CVE-2020-7045
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7045>.

3.0.7
wnpa-sec-2019-22 <https://www.wireshark.org/security/wnpa-sec-2019-22>
CMS dissector crash. Bug 15961
<https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15961>.
CVE-2019-19553
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19553>.


- armin
>
> Signed-off-by: Zang Ruochen <zangrc.fnst at cn.fujitsu.com>
> ---
>  ..._identifier_id-after-dissecting-Cont.patch | 204 ++++++++++++++++++
>  .../wireshark/wireshark_3.0.6.bb              |   3 +-
>  2 files changed, 206 insertions(+), 1 deletion(-)
>  create mode 100644 meta-networking/recipes-support/wireshark/wireshark/0001-CMS-reset-object_identifier_id-after-dissecting-Cont.patch
>
> diff --git a/meta-networking/recipes-support/wireshark/wireshark/0001-CMS-reset-object_identifier_id-after-dissecting-Cont.patch b/meta-networking/recipes-support/wireshark/wireshark/0001-CMS-reset-object_identifier_id-after-dissecting-Cont.patch
> new file mode 100644
> index 000000000..08060db04
> --- /dev/null
> +++ b/meta-networking/recipes-support/wireshark/wireshark/0001-CMS-reset-object_identifier_id-after-dissecting-Cont.patch
> @@ -0,0 +1,204 @@
> +From e1731e2bc1d2a78b67e18fa66e7440acb9bea563 Mon Sep 17 00:00:00 2001
> +From: Zang Ruochen <zangrc.fnst at cn.fujitsu.com>
> +Date: Fri, 13 Mar 2020 13:54:50 +0800
> +Subject: [PATCH] CMS: reset object_identifier_id after dissecting ContentInfo
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=utf8
> +Content-Transfer-Encoding: 8bit
> +
> +Bug: 15961
> +Change-Id: I3d6b3e96103b69f88fcb512da81fa20ff6a1c40e
> +Reviewed-on: https://code.wireshark.org/review/34960
> +Petri-Dish: Pascal Quantin <pascal at wireshark.org>
> +Tested-by: Petri Dish Buildbot
> +Reviewed-by: Stig Bjørlykke <stig at bjorlykke.org>
> +Reviewed-by: Roland Knall <rknall at gmail.com>
> +(cherry picked from commit 23850a3342d64b9c9808f14c20bfea6d22b7dc08)
> +Conflicts:
> +	epan/dissectors/packet-cms.c
> +Reviewed-on: https://code.wireshark.org/review/34975
> +Reviewed-by: Pascal Quantin <pascal at wireshark.org>
> +---
> + epan/dissectors/asn1/cms/cms.cnf              |  1 +
> + .../dissectors/asn1/cms/packet-cms-template.c |  2 +-
> + epan/dissectors/packet-cms.c                  | 31 ++++++++++---------
> + 3 files changed, 18 insertions(+), 16 deletions(-)
> +
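
Review bot: the header of the embedded 0001-CMS-reset-object_identifier_id-after-dissecting-Cont.patch has no `Upstream-Status:` or `CVE:` line, and the MIME-Version / Content-Type / Content-Transfer-Encoding block appears twice, with the second copy landing in the commit body. OE patch guidelines expect both tags in patches carried under a recipe, and cve-check reads the `CVE:` tag to mark the issue as patched. Suggest dropping the duplicated MIME block and adding `Upstream-Status: Backport` with a reference to upstream commit 23850a3342d64b9c9808f14c20bfea6d22b7dc08, `CVE: CVE-2019-19553`, and a Signed-off-by for the backporter inside the patch file.
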
> +diff --git a/epan/dissectors/asn1/cms/cms.cnf b/epan/dissectors/asn1/cms/cms.cnf
> +index ab94f8c..8feef01 100644
> +--- a/epan/dissectors/asn1/cms/cms.cnf
> ++++ b/epan/dissectors/asn1/cms/cms.cnf
> +@@ -122,6 +122,7 @@ FirmwarePackageLoadError/version		fwErrorVersion
> +   top_tree = tree;
> +   %(DEFAULT_BODY)s
> +   content_tvb = NULL;
> ++  object_identifier_id = NULL;
> +   top_tree = NULL;
> + 
> + #.FN_PARS ContentType
> +diff --git a/epan/dissectors/asn1/cms/packet-cms-template.c b/epan/dissectors/asn1/cms/packet-cms-template.c
> +index 2e803ec..931fd4f 100644
> +--- a/epan/dissectors/asn1/cms/packet-cms-template.c
> ++++ b/epan/dissectors/asn1/cms/packet-cms-template.c
> +@@ -43,7 +43,7 @@ static int hf_cms_ci_contentType = -1;
> + static int dissect_cms_OCTET_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) ; /* XXX kill a compiler warning until asn2wrs stops generating these silly wrappers */
> + 
> + 
> +-static const char *object_identifier_id;
> ++static const char *object_identifier_id = NULL;
> + static tvbuff_t *content_tvb = NULL;
> + 
> + static proto_tree *top_tree=NULL;
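
Review bot: in packet-cms-template.c the change from `static const char *object_identifier_id;` to the same declaration with `= NULL` does not alter behaviour, since a file-scope static pointer is already zero-initialised in C; it only makes the declaration match `content_tvb` and `top_tree` below it. The commit message should say that the functional fix is the reset added in cms.cnf, so that nobody reading the backport later takes this line for the fix.
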
> +diff --git a/epan/dissectors/packet-cms.c b/epan/dissectors/packet-cms.c
> +index 690513d..2a6942f 100644
> +--- a/epan/dissectors/packet-cms.c
> ++++ b/epan/dissectors/packet-cms.c
> +@@ -311,7 +311,7 @@ static gint ett_cms_FirmwarePackageMessageDigest = -1;
> + static int dissect_cms_OCTET_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) ; /* XXX kill a compiler warning until asn2wrs stops generating these silly wrappers */
> + 
> + 
> +-static const char *object_identifier_id;
> ++static const char *object_identifier_id = NULL;
> + static tvbuff_t *content_tvb = NULL;
> + 
> + static proto_tree *top_tree=NULL;
> +@@ -373,7 +373,7 @@ cms_verify_msg_digest(proto_item *pi, tvbuff_t *content, const char *alg, tvbuff
> + 
> + int
> + dissect_cms_ContentType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
> +-#line 131 "./asn1/cms/cms.cnf"
> ++#line 132 "./asn1/cms/cms.cnf"
> +   	const char *name = NULL;
> + 
> + 	  offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_index, &object_identifier_id);
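
Review bot: the `#line 131` to `#line 132` edit here, like every other `#line` change in packet-cms.c, is regeneration noise: the file is asn2wrs output driven by cms.cnf, and each directive moves by exactly one, matching the single line added to cms.cnf. Because the patch header lists `Conflicts: epan/dissectors/packet-cms.c`, please confirm the file was regenerated from the patched cms.cnf rather than resolved by hand, so the directives keep pointing at the right .cnf lines.
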
> +@@ -393,7 +393,7 @@ dissect_cms_ContentType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
> + 
> + static int
> + dissect_cms_T_content(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
> +-#line 141 "./asn1/cms/cms.cnf"
> ++#line 142 "./asn1/cms/cms.cnf"
> +   offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
> + 
> + 
> +@@ -417,6 +417,7 @@ dissect_cms_ContentInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
> +                                    ContentInfo_sequence, hf_index, ett_cms_ContentInfo);
> + 
> +   content_tvb = NULL;
> ++  object_identifier_id = NULL;
> +   top_tree = NULL;
> + 
> + 
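
Review bot: with `object_identifier_id = NULL;` added at the end of dissect_cms_ContentInfo, the consumers shown in this patch (dissect_cms_T_content, dissect_cms_AttributeValue, dissect_cms_T_parameters and others) can hand a NULL OID to `call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL)` with no check at the call site. Please confirm that call_ber_oid_callback in the 3.0.6 tree accepts a NULL OID string, and state in the commit message how the backport was tested on 3.0.6.
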
> +@@ -470,7 +471,7 @@ dissect_cms_DigestAlgorithmIdentifiers(gboolean implicit_tag _U_, tvbuff_t *tvb
> + 
> + static int
> + dissect_cms_T_eContent(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
> +-#line 145 "./asn1/cms/cms.cnf"
> ++#line 146 "./asn1/cms/cms.cnf"
> + 
> +   offset = dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &content_tvb);
> + 
> +@@ -504,7 +505,7 @@ dissect_cms_EncapsulatedContentInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_
> + 
> + static int
> + dissect_cms_T_attrType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
> +-#line 175 "./asn1/cms/cms.cnf"
> ++#line 176 "./asn1/cms/cms.cnf"
> +   const char *name = NULL;
> + 
> +     offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_cms_attrType, &object_identifier_id);
> +@@ -524,7 +525,7 @@ dissect_cms_T_attrType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
> + 
> + static int
> + dissect_cms_AttributeValue(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
> +-#line 185 "./asn1/cms/cms.cnf"
> ++#line 186 "./asn1/cms/cms.cnf"
> + 
> +   offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
> + 
> +@@ -786,7 +787,7 @@ dissect_cms_T_otherRevInfoFormat(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, i
> + 
> + static int
> + dissect_cms_T_otherRevInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
> +-#line 169 "./asn1/cms/cms.cnf"
> ++#line 170 "./asn1/cms/cms.cnf"
> +   offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
> + 
> + 
> +@@ -1123,7 +1124,7 @@ dissect_cms_T_keyAttrId(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
> + 
> + static int
> + dissect_cms_T_keyAttr(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
> +-#line 164 "./asn1/cms/cms.cnf"
> ++#line 165 "./asn1/cms/cms.cnf"
> +   offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
> + 
> + 
> +@@ -1311,7 +1312,7 @@ dissect_cms_T_oriType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _
> + 
> + static int
> + dissect_cms_T_oriValue(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
> +-#line 158 "./asn1/cms/cms.cnf"
> ++#line 159 "./asn1/cms/cms.cnf"
> +   offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
> + 
> + 
> +@@ -1388,14 +1389,14 @@ dissect_cms_ContentEncryptionAlgorithmIdentifier(gboolean implicit_tag _U_, tvbu
> + 
> + static int
> + dissect_cms_EncryptedContent(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
> +-#line 235 "./asn1/cms/cms.cnf"
> ++#line 236 "./asn1/cms/cms.cnf"
> + 	tvbuff_t *encrypted_tvb;
> + 	proto_item *item;
> + 
> +   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
> +                                        &encrypted_tvb);
> + 
> +-#line 240 "./asn1/cms/cms.cnf"
> ++#line 241 "./asn1/cms/cms.cnf"
> + 
> + 	item = actx->created_item;
> + 
> +@@ -1553,7 +1554,7 @@ dissect_cms_AuthenticatedData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int
> + 
> + static int
> + dissect_cms_MessageDigest(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
> +-#line 189 "./asn1/cms/cms.cnf"
> ++#line 190 "./asn1/cms/cms.cnf"
> +   proto_item *pi;
> +   int old_offset = offset;
> + 
> +@@ -1637,7 +1638,7 @@ dissect_cms_KeyWrapAlgorithm(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int o
> + 
> + static int
> + dissect_cms_RC2ParameterVersion(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
> +-#line 225 "./asn1/cms/cms.cnf"
> ++#line 226 "./asn1/cms/cms.cnf"
> +   guint32 length = 0;
> + 
> +     offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
> +@@ -1715,7 +1716,7 @@ dissect_cms_DigestInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
> + 
> + static int
> + dissect_cms_T_capability(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
> +-#line 207 "./asn1/cms/cms.cnf"
> ++#line 208 "./asn1/cms/cms.cnf"
> +   const char *name = NULL;
> + 
> +     offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_cms_attrType, &object_identifier_id);
> +@@ -1736,7 +1737,7 @@ dissect_cms_T_capability(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offse
> + 
> + static int
> + dissect_cms_T_parameters(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
> +-#line 218 "./asn1/cms/cms.cnf"
> ++#line 219 "./asn1/cms/cms.cnf"
> + 
> +   offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
> + 
> +-- 
> +2.20.1
> +
> diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.0.6.bb b/meta-networking/recipes-support/wireshark/wireshark_3.0.6.bb
> index ccaa0c94a..9bac5bde4 100644
> --- a/meta-networking/recipes-support/wireshark/wireshark_3.0.6.bb
> +++ b/meta-networking/recipes-support/wireshark/wireshark_3.0.6.bb
> @@ -8,7 +8,8 @@ DEPENDS = "pcre expat glib-2.0 glib-2.0-native libgcrypt libgpg-error libxml2 bi
>  
>  DEPENDS_append_class-target = " wireshark-native chrpath-replacement-native "
>  
> -SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz"
> +SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz \
> +	file://0001-CMS-reset-object_identifier_id-after-dissecting-Cont.patch"
>  
>  UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
>  
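
Review bot: the recipe stays wireshark_3.0.6.bb and only gains a `file://` entry in SRC_URI, so of the fixes listed earlier in this thread only the CMS one (fixed upstream in 3.0.7) is picked up; the BT ATT, LTE RRC, WiMax DLMAP and EAP dissector fixes from 3.0.8 and 3.0.9 are not. Moving the recipe to 3.0.9 would cover all of them and remove the need to carry this patch and its hand-resolved packet-cms.c conflict.
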


