From 1c4fee072406954c820563fbcce754527ee0e527 Mon Sep 17 00:00:00 2001
From: Bo Liu <liubo03@inspur.com>
Date: Fri, 12 Jan 2024 17:03:44 +0800
Subject: [PATCH] Fix cve-2023-2856 cve-2023-0666 cve-2023-2952

Signed-off-by: Bo Liu <liubo03@inspur.com>
---
 wireshark-0030-cve-2023-2856.patch | 67 +++++++++++++++++++++
 wireshark-0031-cve-2023-0666.patch | 64 ++++++++++++++++++++
 wireshark-0032-cve-2023-2952.patch | 97 ++++++++++++++++++++++++++++++
 wireshark.spec                     | 14 ++++-
 4 files changed, 241 insertions(+), 1 deletion(-)
 create mode 100644 wireshark-0030-cve-2023-2856.patch
 create mode 100644 wireshark-0031-cve-2023-0666.patch
 create mode 100644 wireshark-0032-cve-2023-2952.patch

diff --git a/wireshark-0030-cve-2023-2856.patch b/wireshark-0030-cve-2023-2856.patch
new file mode 100644
index 0000000..a9c2336
--- /dev/null
+++ b/wireshark-0030-cve-2023-2856.patch
@@ -0,0 +1,67 @@
+From da017472e69453011ea28571f192cbc79cba7f5c Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Thu, 18 May 2023 15:03:23 -0700
+Subject: [PATCH] vms: fix the search for the packet length field.
+
+The packet length field is of the form
+
+    Total Length = DDD = ^xXXX
+
+where "DDD" is the length in decimal and "XXX" is the length in
+hexadecimal.
+
+Search for "length ". not just "Length", as we skip past "Length ", not
+just "Length", so if we assume we found "Length " but only found
+"Length", we'd skip past the end of the string.
+
+While we're at it, fail if we don't find a length field, rather than
+just blithely acting as if the packet length were zero.
+
+Fixes #19083.
+
+
+(cherry picked from commit db5135826de3a5fdb3618225c2ff02f4207012ca)
+---
+ wiretap/vms.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/wiretap/vms.c b/wiretap/vms.c
+index 00da6ff359e..c21b26e6be0 100644
+--- a/wiretap/vms.c
++++ b/wiretap/vms.c
+@@ -322,6 +322,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+ {
+     char    line[VMS_LINE_LENGTH + 1];
+     int     num_items_scanned;
++    gboolean have_pkt_len = FALSE;
+     guint32 pkt_len = 0;
+     int     pktnum;
+     int     csec = 101;
+@@ -378,7 +379,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+                 return FALSE;
+             }
+         }
+-        if ( (! pkt_len) && (p = strstr(line, "Length"))) {
++        if ( (! have_pkt_len) && (p = strstr(line, "Length "))) {
+             p += sizeof("Length ");
+             while (*p && ! g_ascii_isdigit(*p))
+                 p++;
+@@ -394,9 +395,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+                 *err_info = g_strdup_printf("vms: Length field '%s' not valid", p);
+                 return FALSE;
+             }
++            have_pkt_len = TRUE;
+             break;
+         }
+     } while (! isdumpline(line));
++    if (! have_pkt_len) {
++        *err = WTAP_ERR_BAD_FILE;
++        *err_info = g_strdup_printf("vms: Length field not found");
++        return FALSE;
++    }
+     if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
+         /*
+          * Probably a corrupt capture file; return an error,
+-- 
+GitLab
+
diff --git a/wireshark-0031-cve-2023-0666.patch b/wireshark-0031-cve-2023-0666.patch
new file mode 100644
index 0000000..6acd25f
--- /dev/null
+++ b/wireshark-0031-cve-2023-0666.patch
@@ -0,0 +1,64 @@
+From 28fdce547c417b868c521f87fb58f71ca6b1e3f7 Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Thu, 18 May 2023 13:52:48 -0700
+Subject: [PATCH] RTPS: Fixup our g_strlcpy dest_sizes
+
+Use the proper dest_size in various g_strlcpy calls.
+
+Fixes #19085
+---
+ epan/dissectors/packet-rtps.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c
+index 2884e86faa1..a39202952f6 100644
+--- a/epan/dissectors/packet-rtps.c
++++ b/epan/dissectors/packet-rtps.c
+@@ -4944,7 +4944,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
+     ++tk_id;
+   }
+ 
+-  g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), 40);
++  g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), sizeof(type_name));
+ 
+     /* Structure of the typecode data:
+      *
+@@ -5115,7 +5115,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
+                     member_name, -1, NULL, ndds_40_hack);
+         }
+         /* Finally prints the name of the struct (if provided) */
+-        g_strlcpy(type_name, "}", 40);
++        g_strlcpy(type_name, "}", sizeof(type_name));
+         break;
+ 
+     } /* end of case UNION */
+@@ -5286,7 +5286,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
+           }
+         }
+         /* Finally prints the name of the struct (if provided) */
+-        g_strlcpy(type_name, "}", 40);
++        g_strlcpy(type_name, "}", sizeof(type_name));
+         break;
+       }
+ 
+@@ -5378,7 +5378,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
+         offset += 4;
+         alias_name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, alias_name_length, ENC_ASCII);
+         offset += alias_name_length;
+-        g_strlcpy(type_name, alias_name, 40);
++        g_strlcpy(type_name, alias_name, sizeof(type_name));
+         break;
+     }
+ 
+@@ -5413,7 +5413,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
+         if (tk_id == RTI_CDR_TK_VALUE_PARAM) {
+           type_id_name = "valueparam";
+         }
+-        g_snprintf(type_name, 40, "%s '%s'", type_id_name, value_name);
++        g_snprintf(type_name, sizeof(type_name), "%s '%s'", type_id_name, value_name);
+         break;
+     }
+   } /* switch(tk_id) */
+-- 
+GitLab
+
diff --git a/wireshark-0032-cve-2023-2952.patch b/wireshark-0032-cve-2023-2952.patch
new file mode 100644
index 0000000..9ada247
--- /dev/null
+++ b/wireshark-0032-cve-2023-2952.patch
@@ -0,0 +1,97 @@
+From e18d0e369729b0fff5f76f41cbae67e97c2e52e5 Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Tue, 23 May 2023 13:52:03 -0700
+Subject: [PATCH] XRA: Fix an infinite loop
+
+C compilers don't care what size a value was on the wire. Use
+naturally-sized ints, including in dissect_message_channel_mb where we
+would otherwise overflow and loop infinitely.
+
+Fixes #19100
+
+(cherry picked from commit ce87eac0325581b600b3093fcd75080df14ccfda)
+
+Conflicts:
+	epan/dissectors/packet-xra.c
+---
+ epan/dissectors/packet-xra.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
+index ef8437e9382..4c3713db94b 100644
+--- a/epan/dissectors/packet-xra.c
++++ b/epan/dissectors/packet-xra.c
+@@ -445,7 +445,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
+   it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
+ 
+-  guint32 tlv_index =0;
++  unsigned tlv_index = 0;
+   while (tlv_index < tlv_length) {
+     guint8 type = tvb_get_guint8 (tvb, tlv_index);
+     ++tlv_index;
+@@ -500,7 +500,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
+   it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
+ 
+-  guint32 tlv_index =0;
++  unsigned tlv_index = 0;
+   while (tlv_index < tlv_length) {
+     guint8 type = tvb_get_guint8 (tvb, tlv_index);
+     ++tlv_index;
+@@ -534,7 +534,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
+   it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
+ 
+-  guint32 tlv_index =0;
++  unsigned tlv_index = 0;
+   while (tlv_index < tlv_length) {
+     guint8 type = tvb_get_guint8 (tvb, tlv_index);
+     ++tlv_index;
+@@ -574,7 +574,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da
+   it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv);
+ 
+-  guint32 tlv_index =0;
++  unsigned tlv_index = 0;
+   tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb;
+ 
+   while (tlv_index < tlv_length) {
+@@ -620,14 +620,14 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
+
+   /*If not present, this contains stuff from other packet. We can't do much in this case*/
+   if(packet_start_pointer_field_present) {
+-    guint16 docsis_start = 3 + packet_start_pointer;
++    unsigned docsis_start = 3 + packet_start_pointer;
+     if(docsis_start +6 < remaining_length) {
+       /*DOCSIS header in packet*/
+       guint8 fc = tvb_get_guint8(tvb,docsis_start + 0);
+       if (fc == 0xFF) {
+         return;
+       }
+-      guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
++      unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
+       if (docsis_start + 6 + docsis_length <= remaining_length) {
+         /*DOCSIS packet included in packet*/
+         tvbuff_t *docsis_tvb;
+@@ -797,7 +797,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) {
+ static int
+ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) {
+ 
+-  guint16 offset = 0;
++  int offset = 0;
+   proto_tree *plc_tree;
+   proto_item *plc_item;
+   tvbuff_t *mb_tvb;
+@@ -857,7 +857,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _
+ 
+ static int
+ dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) {
+-  guint16 offset = 0;
++  int offset = 0;
+   proto_tree *ncp_tree;
+   proto_item *ncp_item;
+   tvbuff_t *ncp_mb_tvb;
+-- 
+GitLab
+
diff --git a/wireshark.spec b/wireshark.spec
index 441f52e..1699a25 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -6,7 +6,7 @@
 Summary:	Network traffic analyzer
 Name:		wireshark
 Version:	2.6.2
-Release:	16%{?dist}
+Release:	17%{?dist}
 Epoch:          1
 License:	GPL+
 Url:		http://www.wireshark.org/
@@ -64,6 +64,13 @@ Patch27:	wireshark-0027-ibm-smc.patch
 #Change in libssh header files forces a different technique on finding definitons
 Patch28:	wireshark-0028-find-libssh.patch
 Patch29:	wireshark-0029-cve-2023-2858.patch
+# https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca
+Patch30:	wireshark-0030-cve-2023-2856.patch
+# https://gitlab.com/wireshark/wireshark/-/commit/28fdce547c417b868c521f87fb58f71ca6b1e3f7
+Patch31:	wireshark-0031-cve-2023-0666.patch
+# https://gitlab.com/wireshark/wireshark/-/commit/ce87eac0325581b600b3093fcd75080df14ccfda
+Patch32:	wireshark-0032-cve-2023-2952.patch
+
 
 #install tshark together with wireshark GUI
 Requires:	%{name}-cli = %{epoch}:%{version}-%{release}
@@ -312,6 +319,11 @@ getent group usbmon >/dev/null || groupadd -r usbmon
 %{_libdir}/pkgconfig/%{name}.pc
 
 %changelog
+* Fri Jan 12 2024 Bo Liu <liubo03@inspur.com> - 1:2.6.2-17
+- Fix CVE-2023-2856
+- Fix CVE-2023-0666
+- Fix CVE-2023-2952
+
 * Tue Dec 26 2023 Bo Liu <liubo03@inspur.com> - 1:2.6.2-16
 - Fix CVE-2023-2858
 
-- 
Gitee