Fix CVE-2023-2856

(cherry picked from commit b2e40596d4d8b7c5bf86df74c00088a41cf805ee)
2023-05-31 10:30:57 +08:00 · 2023-05-31 10:30:57 +08:00 · 559e6a01ae
commit 559e6a01ae
parent a41ba7e94c
2 changed files with 72 additions and 1 deletions
--- a/CVE-2023-2856.patch
+++ b/CVE-2023-2856.patch
@ -0,0 +1,66 @@
+From 1c264ced5701dd7ec22f425ee82c9e7abc45fe94 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Thu, 18 May 2023 15:03:23 -0700
+Subject: [PATCH] vms: fix the search for the packet length field.
+
+The packet length field is of the form
+
+    Total Length = DDD = ^xXXX
+
+where "DDD" is the length in decimal and "XXX" is the length in
+hexadecimal.
+
+Search for "length ". not just "Length", as we skip past "Length ", not
+just "Length", so if we assume we found "Length " but only found
+"Length", we'd skip past the end of the string.
+
+While we're at it, fail if we don't find a length field, rather than
+just blithely acting as if the packet length were zero.
+
+Fixes #19083.
+
+(backported from commit db5135826de3a5fdb3618225c2ff02f4207012ca)
+---
+ wiretap/vms.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/wiretap/vms.c b/wiretap/vms.c
+index 600282e506c..7f82461570c 100644
+--- a/wiretap/vms.c
+++ b/wiretap/vms.c
+@@ -322,6 +322,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+ {
+     char    line[VMS_LINE_LENGTH + 1];
+     int     num_items_scanned;
+    gboolean have_pkt_len = FALSE;
+     guint32 pkt_len = 0;
+     int     pktnum;
+     int     csec = 101;
+@@ -378,7 +379,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+                 return FALSE;
+             }
+         }
+-        if ( (! pkt_len) && (p = strstr(line, "Length"))) {
+        if ( (! have_pkt_len) && (p = strstr(line, "Length "))) {
+             p += sizeof("Length ");
+             while (*p && ! g_ascii_isdigit(*p))
+                 p++;
+@@ -394,9 +395,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+                 *err_info = g_strdup_printf("vms: Length field '%s' not valid", p);
+                 return FALSE;
+             }
+            have_pkt_len = TRUE;
+             break;
+         }
+     } while (! isdumpline(line));
+    if (! have_pkt_len) {
+        *err = WTAP_ERR_BAD_FILE;
+        *err_info = g_strdup_printf("vms: Length field not found");
+        return FALSE;
+    }
+     if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
+         /*
+          * Probably a corrupt capture file; return an error,
+-- 
+GitLab
+
--- a/wireshark.spec
+++ b/wireshark.spec
@ -1,6 +1,6 @@
 Name:           wireshark
 Version:        2.6.2
-Release:        21
+Release:        22
 Epoch:          1
 Summary:        Network traffic analyzer
 License:        GPL+ and GPL-2.0+ and GPL-3.0 and GPL-3.0+ and BSD and ISC
@ -63,6 +63,8 @@ Patch6045:      CVE-2021-22207.patch
 Patch6046:      CVE-2021-4181.patch
 #https://gitlab.com/wireshark/wireshark/-/commit/a0084bd76f45f9566bd94c49d7fb7571e0d4bdaa
 Patch6047:      CVE-2021-4185.patch
+#https://gitlab.com/wireshark/wireshark/-/commit/1c264ced5701dd7ec22f425ee82c9e7abc45fe94
+Patch6048:      CVE-2023-2856.patch

 Requires:	%{name}-help = %{epoch}:%{version}-%{release}
 Requires(pre):  shadow-utils
@ -170,6 +172,9 @@ getent group usbmon >/dev/null || groupadd -r usbmon
 %{_mandir}/man?/*

 %changelog
+* Wed May 31 2023 yaoxin <yao_xin001@hoperun.com> - 1:2.6.2-22
+- Fix CVE-2023-2856
+
 * Fri Apr 1 2022 yaoxin <yaoxin30@huawei.com> - 2.6.2-21
 - Fix CVE-2021-22191 CVE-2021-22207 CVE-2021-4181 CVE-2021-4185