wireshark: Fix CVE-2023-0667 & CVE-2023-0668

Backport fixes for: * CVE-2023-0667 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/35418a73f7c9cefebe392b1ea0f012fccaf89801 && https://gitlab.com/wireshark/wireshark/-/commit/85fbca8adb09ea8e1af635db3d92727fbfa1e28a * CVE-2023-0668 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/c4f37d77b29ec6a9754795d0efb6f68d633728d9 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-06-14 05:49:57 +00:00 · 2023-06-27 17:53:33 +05:30
parent 5f94e67479
commit 205b72edaa
4 changed files with 255 additions and 0 deletions
@@ -0,0 +1,153 @@
+From 35418a73f7c9cefebe392b1ea0f012fccaf89801 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Wed, 19 Aug 2020 23:58:20 -0700
+Subject: [PATCH] Add format_text_string(), which gets the length with
+ strlen().
+
+format_text(alloc, string, strlen(string)) is a common idiom; provide
+format_text_string(), which does the strlen(string) for you.  (Any
+string used in a %s to set the text of a protocol tree item, if it was
+directly extracted from the packet, should be run through a format_text
+routine, to ensure that it's valid UTF-8 and that control characters are
+handled correctly.)
+
+Update comments while we're at it.
+
+Change-Id: Ia8549efa1c96510ffce97178ed4ff7be4b02eb6e
+Reviewed-on: https://code.wireshark.org/review/38202
+Petri-Dish: Guy Harris <gharris@sonic.net>
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Guy Harris <gharris@sonic.net>
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/35418a73f7c9cefebe392b1ea0f012fccaf89801]
+Comment: to backport fix for CVE-2023-0667, add function format_text_string().
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/strutil.c | 33 ++++++++++++++++++++++++++++----
+ epan/strutil.h | 51 ++++++++++++++++++++++++++++++++++++++++++++++----
+ 2 files changed, 76 insertions(+), 8 deletions(-)
+
+diff --git a/epan/strutil.c b/epan/strutil.c
+index 347a173..bc3b19e 100644
+--- a/epan/strutil.c
+++ b/epan/strutil.c
+@@ -193,10 +193,11 @@ get_token_len(const guchar *linep, const guchar *lineend,
+ #define UNPOOP 0x1F4A9
+ 
+ /*
+- * Given a string, expected to be in UTF-8 but possibly containing
+- * invalid sequences (as it may have come from packet data), generate
+- * a valid UTF-8 string from it, allocated with the specified wmem
+- * allocator, that:
+ * Given a wmem scope, a not-necessarily-null-terminated string,
+ * expected to be in UTF-8 but possibly containing invalid sequences
+ * (as it may have come from packet data), and the length of the string,
+ * generate a valid UTF-8 string from it, allocated in the specified
+ * wmem scope, that:
+  *
+  *   shows printable Unicode characters as themselves;
+  *
+@@ -493,6 +494,30 @@ format_text(wmem_allocator_t* allocator, const guchar *string, size_t len)
+     return fmtbuf;
+ }
+ 
+/** Given a wmem scope and a null-terminated string, expected to be in
+ *  UTF-8 but possibly containing invalid sequences (as it may have come
+ *  from packet data), and the length of the string, generate a valid
+ *  UTF-8 string from it, allocated in the specified wmem scope, that:
+ *
+ *   shows printable Unicode characters as themselves;
+ *
+ *   shows non-printable ASCII characters as C-style escapes (octal
+ *   if not one of the standard ones such as LF -> '\n');
+ *
+ *   shows non-printable Unicode-but-not-ASCII characters as
+ *   their universal character names;
+ *
+ *   shows illegal UTF-8 sequences as a sequence of bytes represented
+ *   as C-style hex escapes;
+ *
+ *  and return a pointer to it.
+ */
+gchar *
+format_text_string(wmem_allocator_t* allocator, const guchar *string)
+{
+	return format_text(allocator, string, strlen(string));
+}
+
+ /*
+  * Given a string, generate a string from it that shows non-printable
+  * characters as C-style escapes except a whitespace character
+diff --git a/epan/strutil.h b/epan/strutil.h
+index 2046cb0..705beb5 100644
+--- a/epan/strutil.h
+++ b/epan/strutil.h
+@@ -46,18 +46,61 @@ WS_DLL_PUBLIC
+ int        get_token_len(const guchar *linep, const guchar *lineend,
+     const guchar **next_token);
+ 
+-/** Given a string, generate a string from it that shows non-printable
+- *  characters as C-style escapes, and return a pointer to it.
+/** Given a wmem scope, a not-necessarily-null-terminated string,
+ *  expected to be in UTF-8 but possibly containing invalid sequences
+ *  (as it may have come from packet data), and the length of the string,
+ *  generate a valid UTF-8 string from it, allocated in the specified
+ *  wmem scope, that:
+ *
+ *   shows printable Unicode characters as themselves;
+ *
+ *   shows non-printable ASCII characters as C-style escapes (octal
+ *   if not one of the standard ones such as LF -> '\n');
+ *
+ *   shows non-printable Unicode-but-not-ASCII characters as
+ *   their universal character names;
+ *
+ *   shows illegal UTF-8 sequences as a sequence of bytes represented
+ *   as C-style hex escapes;
+ *
+ *  and return a pointer to it.
+  *
+  * @param allocator The wmem scope
+- * @param line A pointer to the input string
+ * @param string A pointer to the input string
+  * @param len The length of the input string
+  * @return A pointer to the formatted string
+  *
+  * @see tvb_format_text()
+  */
+ WS_DLL_PUBLIC
+-gchar*     format_text(wmem_allocator_t* allocator, const guchar *line, size_t len);
+gchar*     format_text(wmem_allocator_t* allocator, const guchar *string, size_t len);
+
+/** Given a wmem scope and a null-terminated string, expected to be in
+ *  UTF-8 but possibly containing invalid sequences (as it may have come
+ *  from packet data), and the length of the string, generate a valid
+ *  UTF-8 string from it, allocated in the specified wmem scope, that:
+ *
+ *   shows printable Unicode characters as themselves;
+ *
+ *   shows non-printable ASCII characters as C-style escapes (octal
+ *   if not one of the standard ones such as LF -> '\n');
+ *
+ *   shows non-printable Unicode-but-not-ASCII characters as
+ *   their universal character names;
+ *
+ *   shows illegal UTF-8 sequences as a sequence of bytes represented
+ *   as C-style hex escapes;
+ *
+ *  and return a pointer to it.
+ *
+ * @param allocator The wmem scope
+ * @param string A pointer to the input string
+ * @return A pointer to the formatted string
+ *
+ * @see tvb_format_text()
+ */
+WS_DLL_PUBLIC
+gchar*     format_text_string(wmem_allocator_t* allocator, const guchar *string);
+ 
+ /**
+  * Given a string, generate a string from it that shows non-printable
+-- 
+2.25.1
+
@@ -0,0 +1,66 @@
+From 85fbca8adb09ea8e1af635db3d92727fbfa1e28a Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Thu, 18 May 2023 18:06:36 -0400
+Subject: [PATCH] MS-MMS: Use format_text_string()
+
+The length of a string transcoded from UTF-16 to UTF-8 can be
+shorter (or longer) than the original length in bytes in the packet.
+Use the new string length, not the original length.
+
+Use format_text_string, which is a convenience function that
+calls strlen.
+
+Fix #19086
+
+(cherry picked from commit 1c45a899f83fa88e60ab69936bea3c4754e7808b)
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/85fbca8adb09ea8e1af635db3d92727fbfa1e28a]
+CVE: CVE-2023-0667
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-ms-mms.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/epan/dissectors/packet-ms-mms.c b/epan/dissectors/packet-ms-mms.c
+index db1d2cc..3d5c7ee 100644
+--- a/epan/dissectors/packet-ms-mms.c
+++ b/epan/dissectors/packet-ms-mms.c
+@@ -739,7 +739,7 @@ static void dissect_client_transport_info(tvbuff_t *tvb, packet_info *pinfo, pro
+                                  transport_info, "Transport: (%s)", transport_info);
+ 
+     col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)",
+-                    format_text(wmem_packet_scope(), (guchar*)transport_info, length_remaining - 20));
+                    format_text_string(pinfo->pool, (const guchar*)transport_info));
+ 
+ 
+     /* Try to extract details from this string */
+@@ -836,7 +836,7 @@ static void dissect_server_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *t
+                             ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_version);
+ 
+         col_append_fstr(pinfo->cinfo, COL_INFO, " (version='%s')",
+-                    format_text(wmem_packet_scope(), (const guchar*)server_version, strlen(server_version)));
+                    format_text_string(pinfo->pool, (const guchar*)server_version));
+     }
+     offset += (server_version_length*2);
+ 
+@@ -890,7 +890,7 @@ static void dissect_client_player_info(tvbuff_t *tvb, packet_info *pinfo, proto_
+                         ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &player_info);
+ 
+     col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)",
+-                    format_text(wmem_packet_scope(), (const guchar*)player_info, strlen(player_info)));
+                    format_text_string(pinfo->pool, (const guchar*)player_info));
+ }
+ 
+ /* Dissect info about where client wants to start playing from */
+@@ -965,7 +965,7 @@ static void dissect_request_server_file(tvbuff_t *tvb, packet_info *pinfo, proto
+                         ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_file);
+ 
+     col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)",
+-                    format_text(wmem_packet_scope(), (const guchar*)server_file, strlen(server_file)));
+                    format_text_string(pinfo->pool, (const guchar*)server_file));
+ }
+ 
+ /* Dissect media details from server */
+-- 
+2.25.1
+
@@ -0,0 +1,33 @@
+From c4f37d77b29ec6a9754795d0efb6f68d633728d9 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sat, 20 May 2023 23:08:08 -0400
+Subject: [PATCH] synphasor: Use val_to_str_const
+
+Don't use a value from packet data to directly index a value_string,
+particularly when the value string doesn't cover all possible values.
+
+Fix #19087
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/c4f37d77b29ec6a9754795d0efb6f68d633728d9]
+CVE: CVE-2023-0668
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-synphasor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-synphasor.c b/epan/dissectors/packet-synphasor.c
+index 2d2f4ad..47120f5 100644
+--- a/epan/dissectors/packet-synphasor.c
+++ b/epan/dissectors/packet-synphasor.c
+@@ -1130,7 +1130,7 @@ static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint c
+ 
+ 		data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4,
+ 							       ett_conf_phflags, NULL, "Phasor Data flags: %s",
+-							       conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr);
+							       val_to_str_const(tvb_get_guint8(tvb, offset + 2), conf_phasor_type, "Unknown"));
+ 
+ 		/* first and second bytes - phasor modification flags*/
+ 		phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags,
+-- 
+2.25.1
+
@@ -14,6 +14,9 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
           file://CVE-2023-2856.patch \
           file://CVE-2023-2858.patch \
           file://CVE-2023-2952.patch \
+           file://CVE-2023-0667-pre1.patch \
+           file://CVE-2023-0667.patch \
+           file://CVE-2023-0668.patch \
           "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"