Bug#1038975: sngrep: CVE-2023-36192
Victor Seva
linuxmaniac at torreviejawireless.org
Mon Jun 26 08:23:54 BST 2023
Hi,
I've just uploaded to Sid sngrep 1.7.0-2 with [2] included.
I've prepared sngrep 1.6.0-2 for bookworm.
Waiting for your reply,
Victor
[0] https://security-tracker.debian.org/tracker/CVE-2023-36192
https://www.cve.org/CVERecord?id=CVE-2023-36192
[1] https://github.com/irontec/sngrep/issues/438
[2] https://github.com/irontec/sngrep/commit/ad1daf15c8387bfbb48097c25197bf330d2d98fc
--
-----------------------------------------------------------------
| ,''`. Victor Seva |
| : :' : linuxmaniac at torreviejawireless.org |
| `. `' PGP Key ID: 0x51A09B18CF5A5068 |
| `- Debian Developer |
-----------------------------------------------------------------
-------------- next part --------------
diff -Nru sngrep-1.6.0/debian/changelog sngrep-1.6.0/debian/changelog
--- sngrep-1.6.0/debian/changelog 2022-09-03 08:13:32.000000000 +0200
+++ sngrep-1.6.0/debian/changelog 2023-06-26 08:55:18.000000000 +0200
@@ -1,3 +1,9 @@
+sngrep (1.6.0-2) bookworm-security; urgency=high
+
+ * fix from upstream for CVE-2023-36192
+
+ -- Victor Seva <vseva at debian.org> Mon, 26 Jun 2023 08:55:18 +0200
+
sngrep (1.6.0-1) unstable; urgency=medium
* New upstream version 1.6.0
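Review bot: the new entry at the top of this hunk pairs version 1.6.0-2 with the bookworm-security target, whereas stable and security uploads normally append a +deb12uN suffix to the previous revision (1.6.0-1 in this changelog, giving 1.6.0-1+deb12u1) so the number can never collide with a later unstable revision of 1.6.0. The entry text could also name the patch file it adds and mention the bug number from the subject (#1038975), so the upload is traceable from the changelog alone.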
diff -Nru sngrep-1.6.0/debian/patches/ad1daf15c8387bfbb48097c25197bf330d2d98fc.patch sngrep-1.6.0/debian/patches/ad1daf15c8387bfbb48097c25197bf330d2d98fc.patch
--- sngrep-1.6.0/debian/patches/ad1daf15c8387bfbb48097c25197bf330d2d98fc.patch 1970-01-01 01:00:00.000000000 +0100
+++ sngrep-1.6.0/debian/patches/ad1daf15c8387bfbb48097c25197bf330d2d98fc.patch 2023-06-26 08:55:18.000000000 +0200
@@ -0,0 +1,42 @@
+From ad1daf15c8387bfbb48097c25197bf330d2d98fc Mon Sep 17 00:00:00 2001
+From: Kaian <kaian at irontec.com>
+Date: Fri, 9 Jun 2023 14:29:29 +0200
+Subject: [PATCH] capture: properly validate WS packet payload size #438
+
+---
+ src/capture.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/capture.c b/src/capture.c
+index 62ff08fb..3cbabeeb 100644
+--- a/src/capture.c
++++ b/src/capture.c
+@@ -901,8 +901,8 @@ capture_ws_check_packet(packet_t *packet)
+ size_payload = packet_payloadlen(packet);
+ payload = packet_payload(packet);
+
+- // Check we have payload
+- if (size_payload == 0)
++ // Check we have enough payload (base)
++ if (size_payload == 0 || size_payload <= 2)
+ return 0;
+
+ // Flags && Opcode
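Review bot: in the new base-header check, the first half of the condition "size_payload == 0 || size_payload <= 2" is redundant, because any zero length already satisfies "<= 2". Writing it as "if (size_payload <= 2)" says the same thing, and the comment could state that 2 is the size of the fixed WebSocket header so the constant is not left unexplained.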
+@@ -931,8 +931,17 @@ capture_ws_check_packet(packet_t *packet)
+ return 0;
+ }
+
++ // Check we have enough payload (base + extended payload headers)
++ if ((int32_t) size_payload - ws_off <= 0) {
++ return 0;
++ }
++
+ // Get Masking key if mask is enabled
+ if (ws_mask) {
++ // Check we have enough payload (base + extended payload headers + mask)
++ if ((int32_t) size_payload - ws_off - 4 <= 0) {
++ return 0;
++ }
+ memcpy(ws_mask_key, (payload + ws_off), 4);
+ ws_off += 4;
+ }
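Review bot: both new length checks in this hunk depend on the "(int32_t)" cast to keep "size_payload - ws_off" from wrapping, and the declared types of size_payload and ws_off are not visible here, so the correctness of the guard cannot be confirmed from the hunk alone. A direct comparison with no subtraction, such as "if (size_payload <= ws_off)" and "if (size_payload <= ws_off + 4)" once both operands are known to share signedness, would express the same bound without relying on the cast. Note also that the mask check uses "<= 0" after subtracting 4, so a frame with exactly four bytes left (a mask key and an empty payload) is rejected; that is stricter than the following memcpy of 4 bytes requires, and a short comment saying it is intentional would help the next reader.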
diff -Nru sngrep-1.6.0/debian/patches/series sngrep-1.6.0/debian/patches/series
--- sngrep-1.6.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ sngrep-1.6.0/debian/patches/series 2023-06-26 08:55:18.000000000 +0200
@@ -0,0 +1,3 @@
+# https://security-tracker.debian.org/tracker/CVE-2023-36192
+# https://github.com/irontec/sngrep/issues/438
+ad1daf15c8387bfbb48097c25197bf330d2d98fc.patch
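Review bot: the series file carries the tracker and upstream issue URLs as comments while the patch itself is named only by its commit hash. Moving those references into the patch header as DEP-3 fields (Origin, Bug, Bug-Debian) and giving the file a descriptive name such as CVE-2023-36192.patch would keep the provenance with the patch if the series file is later reordered or edited.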