Bug 171220 - [vuxml][patch] net/wireshark: fix DoS in DRDA dissector
[vuxml][patch] net/wireshark: fix DoS in DRDA dissector
Status: Closed FIXED
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Latest
Any Any
: Normal Affects Only Me
Assigned To: Joe Marcus Clarke
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-31 21:00 UTC by Eygene Ryabinkin
Modified: 2012-09-05 17:10 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Eygene Ryabinkin freebsd_committer 2012-08-31 21:00:24 UTC
Wireshark's DRDA dissector is prone to the infinite loop problem
if specially crafted traffic is fed into it [1].

Fix: 

The patch at
  http://codelabs.ru/fbsd/ports/wireshark/1.8.2-fix-cve-2012-3548.diff
fixes the issue for me.  Here is the quality assurance page:
  http://codelabs.ru/fbsd/ports/qa/net/wireshark/1.8.2_1

When you'll be updating the port, please, include the line
{{{
Security: http://www.vuxml.org/freebsd/5415f1b3-f33d-11e1-8bd8-0022156e8794.html
}}}
into the commit log message.  The version specification inside
VuXML entry (security/vuxml/vuln.xml) should be changed from "1.9"
to the port version that will receive the fix for this CVE.
How-To-Repeat: 
[1] http://www.vuxml.org/freebsd/5415f1b3-f33d-11e1-8bd8-0022156e8794.html
Comment 1 Edwin Groothuis freebsd_committer 2012-08-31 21:00:35 UTC
Responsible Changed
From-To: freebsd-ports-bugs->marcus

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Eygene Ryabinkin freebsd_committer 2012-09-04 09:57:32 UTC
Ping!
-- 
Eygene Ryabinkin                                        ,,,^..^,,,
[ Life's unfair - but root password helps!           | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC  4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
Comment 3 dfilter freebsd_committer 2012-09-05 17:00:39 UTC
Author: marcus
Date: Wed Sep  5 15:59:55 2012
New Revision: 303711
URL: http://svn.freebsd.org/changeset/ports/303711

Log:
  Add a fix for CVE-2012-3548.
  
  PR:		171220
  Submitted by:	rea
  Obtained from:	Wireshark bug 9009

Added:
  head/net/wireshark/files/patch-cve-2012-3548   (contents, props changed)
Modified:
  head/net/wireshark/Makefile

Modified: head/net/wireshark/Makefile
==============================================================================
--- head/net/wireshark/Makefile	Wed Sep  5 15:43:33 2012	(r303710)
+++ head/net/wireshark/Makefile	Wed Sep  5 15:59:55 2012	(r303711)
@@ -7,6 +7,7 @@
 
 PORTNAME?=	wireshark
 PORTVERSION=	1.8.2
+PORTREVISION=	1
 CATEGORIES=	net ipv6
 MASTER_SITES=	http://www.wireshark.org/download/src/ \
 		http://ftp.uni-kl.de/pub/wireshark/src/ \

Added: head/net/wireshark/files/patch-cve-2012-3548
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net/wireshark/files/patch-cve-2012-3548	Wed Sep  5 15:59:55 2012	(r303711)
@@ -0,0 +1,23 @@
+Obtained-from: https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9009&action=diff&context=patch&collapsed=&headers=1&format=raw
+
+--- epan/dissectors/packet-drda.c	(revision 44689)
++++ epan/dissectors/packet-drda.c	(working copy)
+@@ -55,6 +55,7 @@ 
+ #include <epan/packet.h>
+ #include <epan/conversation.h>
+ #include <epan/prefs.h>
++#include <epan/expert.h>
+ #include "packet-tcp.h"
+ 
+ static int proto_drda = -1;
+@@ -696,6 +697,10 @@ 
+     {
+         iCommand = tvb_get_ntohs(tvb, offset + 8);
+         iLength = tvb_get_ntohs(tvb, offset + 0);
++        if (iLength < 10) {
++            expert_add_info_format(pinfo, NULL, PI_MALFORMED, PI_ERROR, "Invalid length detected (%u): should be at least 10 bytes long", iLength);
++            break;
++        }
+         /* iCommandEnd is the length of the packet up to the end of the current command */
+         iCommandEnd += iLength;
+ 
_______________________________________________
svn-ports-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-ports-all
To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
Comment 4 Joe Marcus Clarke freebsd_committer 2012-09-05 17:02:16 UTC
State Changed
From-To: open->closed

Committed, thanks!