head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.8 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.6 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.4 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.2 pkgsrc-2011Q2-base:1.2 pkgsrc-2010Q4:1.1.0.4 pkgsrc-2010Q4-base:1.1 pkgsrc-2010Q3:1.1.0.2; locks; strict; comment @# @; 1.2 date 2011.01.12.00.16.31; author tron; state dead; branches; next 1.1; 1.1 date 2011.01.04.15.39.34; author tron; state Exp; branches 1.1.2.1 1.1.4.1; next ; 1.1.2.1 date 2011.01.04.15.39.34; author sbd; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2011.01.05.21.34.34; author sbd; state Exp; branches; next ; 1.1.4.1 date 2011.01.12.07.26.07; author sbd; state dead; branches; next ; desc @@ 1.2 log @Update "wireshark" package to version 1.4.3. Changes since 1.4.2: - Bug Fixes The following vulnerabilities have been fixed. See the security advisory for details and a workaround. - FRAsse discovered that the MAC-LTE dissector could overflow a buffer. (Bug 5530) Versions affected: 1.2.0 to 1.2.13 and 1.4.0 to 1.4.2. - FRAsse discovered that the ENTTEC dissector could overflow a buffer. (Bug 5539) Versions affected: 1.2.0 to 1.2.13 and 1.4.0 to 1.4.2. CVE-2010-4538 - The ASN.1 BER dissector could assert and make Wireshark exit prematurely. (Bug 5537) Versions affected: 1.4.0 to 1.4.2. The following bugs have been fixed: - AMQP failed assertion. (Bug 4048) - Reassemble.c leaks memory for GLIB > 2.8. (Bug 4141) - Fuzz testing reports possible dissector bug: TCP. (Bug 4211) - Wrong length calculation in new_octet_aligned_subset_bits() (PER dissector). (Bug 5393) - Function dissect_per_bit_string_display might read more bytes than available (PER dissector). (Bug 5394) - Cannot load wpcap.dll & packet.dll from Wireshark program directory. (Bug 5420) - Wireshark crashes with Copy -> Description on date/time fields. (Bug 5421) - DHCPv6 OPTION_CLIENT_FQDN parse error. (Bug 5426) - Information element Error for supported channels. 
(Bug 5430) - Assert when using ASN.1 dissector with loading a 'type table'. (Bug 5447) - Bug with RWH parsing in Infiniband dissector. (Bug 5444) - Help->About Wireshark mis-reports OS. (Bug 5453) - Delegated-IPv6-Prefix(123) is shown incorrect as X-Ascend-Call-Attempt-Limit(123). (Bug 5455) - "tshark -r file -T fields" is truncating exported data. (Bug 5463) - gsm_a_dtap: incorrect "Extraneous Data" when decoding Packet Flow Identifier. (Bug 5475) - Improper decode of TLS 1.2 packet containing both CertificateRequest and ServerHelloDone messages. (Bug 5485) - LTE-PDCP UL and DL problem. (Bug 5505) - CIGI 3.2/3.3 support broken. (Bug 5510) - Prepare Filter in RTP Streams dialog does not work correctly. (Bug 5513) - Wrong decode at ethernet OAM Y.1731 ETH-CC. (Bug 5517) - WPS: RF bands decryption. (Bug 5523) - Incorrect LTP SDNV value handling. (Bug 5521) - LTP bug found by randpkt. (Bug 5323) - Buffer overflow in SNMP EngineID preferences. (Bug 5530) - Updated Protocol Support AMQP, ASN.1 BER, ASN.1 PER, CFM, CIGI, DHCPv6, Diameter, ENTTEC, GSM A GM, IEEE 802.11, InfiniBand, LTE-PDCP, LTP, MAC-LTE, MP2T, RADIUS, SAMR, SCCP, SIP, SNMP, TCP, TLS, TN3270, UNISTIM, WPS - New and Updated Capture File Support Endace ERF, Microsoft Network Monitor, VMS TCPtrace. @ text @$NetBSD: patch-SA42767,v 1.1 2011/01/04 15:39:34 tron Exp $ Patch for security vulnerability reported in SA42767. 
The patch was taken from the Wireshark SVN repository: http://anonsvn.wireshark.org/viewvc?view=rev&revision=35318 --- epan/dissectors/packet-enttec.c.orig 2010-11-18 21:30:35.000000000 +0000 +++ epan/dissectors/packet-enttec.c 2011-01-04 14:30:58.000000000 +0000 @@@@ -193,8 +193,8 @@@@ "%3u: %s" }; - static guint8 dmx_data[512]; - static guint16 dmx_data_offset[513]; /* 1 extra for last offset */ + guint8 *dmx_data = ep_alloc(512 * sizeof(guint8)); + guint16 *dmx_data_offset = ep_alloc(513 * sizeof(guint16)); /* 1 extra for last offset */ emem_strbuf_t *dmx_epstr; proto_tree *hi,*si; @@@@ -225,10 +225,10 @@@@ length = 512; if (type == ENTTEC_DATA_TYPE_RLE) { - /* uncompres the DMX data */ + /* uncompress the DMX data */ ui = 0; ci = 0; - while (ci < length) { + while (ci < length && ui < 512) { v = tvb_get_guint8(tvb, offset+ci); if (v == 0xFE) { ci++; @@@@ -236,7 +236,7 @@@@ ci++; v = tvb_get_guint8(tvb, offset+ci); ci++; - for (i=0;i < count;i++) { + for (i=0;i < count && ui < 512;i++) { dmx_data[ui] = v; dmx_data_offset[ui] = ci-3; ui++; @ 1.1 log @Add patch from the Wireshark SVN repository to fix the security vulnerability reported in SA42767 which affects the ENTTEC dissector. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.4.1 log @Pullup ticket #3320 - requested by tron net/wireshark security update Revisions pulled up: - net/wireshark/Makefile 1.57 - net/wireshark/distinfo 1.39 - net/wireshark/patches/patch-SA42767 deleted ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: tron Date: Wed Jan 12 00:16:31 UTC 2011 Modified Files: pkgsrc/net/wireshark: Makefile distinfo Removed Files: pkgsrc/net/wireshark/patches: patch-SA42767 Log Message: Update "wireshark" package to version 1.4.3. Changes since 1.4.2: - Bug Fixes The following vulnerabilities have been fixed. See the security advisory for details and a workaround. - FRAsse discovered that the MAC-LTE dissector could overflow a buffer. 
(Bug 5530) Versions affected: 1.2.0 to 1.2.13 and 1.4.0 to 1.4.2. - FRAsse discovered that the ENTTEC dissector could overflow a buffer. (Bug 5539) Versions affected: 1.2.0 to 1.2.13 and 1.4.0 to 1.4.2. CVE-2010-4538 - The ASN.1 BER dissector could assert and make Wireshark exit prematurely. (Bug 5537) Versions affected: 1.4.0 to 1.4.2. The following bugs have been fixed: - AMQP failed assertion. (Bug 4048) - Reassemble.c leaks memory for GLIB > 2.8. (Bug 4141) - Fuzz testing reports possible dissector bug: TCP. (Bug 4211) - Wrong length calculation in new_octet_aligned_subset_bits() (PER dissector). (Bug 5393) - Function dissect_per_bit_string_display might read more bytes than available (PER dissector). (Bug 5394) - Cannot load wpcap.dll & packet.dll from Wireshark program directory. (Bug 5420) - Wireshark crashes with Copy -> Description on date/time fields. (Bug 5421) - DHCPv6 OPTION_CLIENT_FQDN parse error. (Bug 5426) - Information element Error for supported channels. (Bug 5430) - Assert when using ASN.1 dissector with loading a 'type table'. (Bug 5447) - Bug with RWH parsing in Infiniband dissector. (Bug 5444) - Help->About Wireshark mis-reports OS. (Bug 5453) - Delegated-IPv6-Prefix(123) is shown incorrect as X-Ascend-Call-Attempt-Limit(123). (Bug 5455) - "tshark -r file -T fields" is truncating exported data. (Bug 5463) - gsm_a_dtap: incorrect "Extraneous Data" when decoding Packet Flow Identifier. (Bug 5475) - Improper decode of TLS 1.2 packet containing both CertificateRequest and ServerHelloDone messages. (Bug 5485) - LTE-PDCP UL and DL problem. (Bug 5505) - CIGI 3.2/3.3 support broken. (Bug 5510) - Prepare Filter in RTP Streams dialog does not work correctly. (Bug 5513) - Wrong decode at ethernet OAM Y.1731 ETH-CC. (Bug 5517) - WPS: RF bands decryption. (Bug 5523) - Incorrect LTP SDNV value handling. (Bug 5521) - LTP bug found by randpkt. (Bug 5323) - Buffer overflow in SNMP EngineID preferences. 
(Bug 5530) - Updated Protocol Support AMQP, ASN.1 BER, ASN.1 PER, CFM, CIGI, DHCPv6, Diameter, ENTTEC, GSM A GM, IEEE 802.11, InfiniBand, LTE-PDCP, LTP, MAC-LTE, MP2T, RADIUS, SAMR, SCCP, SIP, SNMP, TCP, TLS, TN3270, UNISTIM, WPS - New and Updated Capture File Support Endace ERF, Microsoft Network Monitor, VMS TCPtrace. @ text @d1 1 a1 1 $NetBSD: patch-SA42767,v 1.1 2011/01/04 15:39:34 tron Exp $ @ 1.1.2.1 log @file patch-SA42767 was added on branch pkgsrc-2010Q3 on 2011-01-05 21:34:34 +0000 @ text @d1 43 @ 1.1.2.2 log @Pullup ticket #3316 - requested by tron Security patch for wireshark Revisions pulled up: - pkgsrc/net/wireshark/Makefile 1.58 - pkgsrc/net/wireshark/distinfo 1.38 - pkgsrc/net/wireshark/patches/patch-SA42767 1.1 ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: tron Date: Tue Jan 4 15:39:34 UTC 2011 Modified Files: pkgsrc/net/wireshark: Makefile distinfo Added Files: pkgsrc/net/wireshark/patches: patch-SA42767 Log Message: Add patch from the Wireshark SVN repository to fix the security vulnerability reported in SA42767 which affects the ENTTEC dissector. @ text @a0 43 $NetBSD: patch-SA42767,v 1.1 2011/01/04 15:39:34 tron Exp $ Patch for security vulnerability reported in SA42767. 
The patch was taken from the Wireshark SVN repository: http://anonsvn.wireshark.org/viewvc?view=rev&revision=35318 --- epan/dissectors/packet-enttec.c.orig 2010-11-18 21:30:35.000000000 +0000 +++ epan/dissectors/packet-enttec.c 2011-01-04 14:30:58.000000000 +0000 @@@@ -193,8 +193,8 @@@@ "%3u: %s" }; - static guint8 dmx_data[512]; - static guint16 dmx_data_offset[513]; /* 1 extra for last offset */ + guint8 *dmx_data = ep_alloc(512 * sizeof(guint8)); + guint16 *dmx_data_offset = ep_alloc(513 * sizeof(guint16)); /* 1 extra for last offset */ emem_strbuf_t *dmx_epstr; proto_tree *hi,*si; @@@@ -225,10 +225,10 @@@@ length = 512; if (type == ENTTEC_DATA_TYPE_RLE) { - /* uncompres the DMX data */ + /* uncompress the DMX data */ ui = 0; ci = 0; - while (ci < length) { + while (ci < length && ui < 512) { v = tvb_get_guint8(tvb, offset+ci); if (v == 0xFE) { ci++; @@@@ -236,7 +236,7 @@@@ ci++; v = tvb_get_guint8(tvb, offset+ci); ci++; - for (i=0;i < count;i++) { + for (i=0;i < count && ui < 512;i++) { dmx_data[ui] = v; dmx_data_offset[ui] = ci-3; ui++; @
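Review bot: in the first hunk (-193,8 +193,8) the buffer sizes are bare literals, 512 in `ep_alloc(512 * sizeof(guint8))` and 513 in the `dmx_data_offset` allocation, and the same 512 is repeated in the loop bounds added by the two later hunks. A single named constant (a hypothetical DMX_MAX_CHANNELS, say, with the offset table sized at that plus one) would keep the allocations and the bounds from drifting apart. Note also that the old static arrays started out zero-filled, whereas ep_alloc() returns uninitialised memory; any code after the decompression loop that reads entries at or beyond ui should be checked, or ep_alloc0() used instead.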
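Review bot: in the second hunk (-225,10 +225,10) the new condition `ci < length && ui < 512` is evaluated only at the top of the loop, but the 0xFE branch advances ci and, as the context lines of the following hunk show, calls `tvb_get_guint8(tvb, offset+ci)` again before the next check. The output side is now bounded, but the escape operands can still be consumed from beyond `length`. Those reads remain bounds-checked against the tvb itself, so this is a correctness point rather than a memory-safety one; consider verifying that the operand bytes fit within `length` before entering the 0xFE branch.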
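Review bot: in the third hunk (-236,7 +236,7) `i < count && ui < 512` cuts a run short when the output buffer fills, and the outer loop then exits on the same `ui < 512` condition, so an RLE stream that expands past 512 bytes is truncated with no indication to the user. Such a stream is malformed for this dissector's buffer, so it would be worth flagging the truncation in the protocol tree rather than silently displaying the first 512 values.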