XPost: linux.debian.devel.release   
   From: jspricke@debian.org   
      
   Forgot to attach the patch, sorry.   
      
   * Jochen Sprickerhof [2026-02-14 16:44]:   
   >Package: release.debian.org   
   >Severity: normal   
   >Tags: bookworm   
   >X-Debbugs-Cc: wireshark@packages.debian.org, Balint Reczey    
   >Control: affects -1 + src:wireshark   
   >User: release.debian.org@packages.debian.org   
   >Usertags: pu   
   >   
   >[ Reason ]   
   >Several security issues have been found in Wireshark. They have all been   
   >tagged no-DSA by the security team and Balint agreed that I can take   
   >care of the update.   
   >   
   >[ Impact ]   
   >All crashes or denial of service when analyzing network data.   
   >   
   >[ Tests ]   
   >autopkgtest and manual tests with the sample data from upstream.   
   >   
   >[ Risks ]   
   >Low risk. This is a userland tool and patches mostly add bound checks.   
   >   
   >[ Checklist ]   
   > [X] *all* changes are documented in the d/changelog   
   > [X] I reviewed all changes and I approve them   
   > [X] attach debdiff against the package in (old)stable   
   > [X] the issue is verified as fixed in unstable (and stable)   
   >   
      
   [Attachment: wireshark_bookworm.patch]

   diff --git a/debian/changelog b/debian/changelog   
   index 25987ad4c3..71cc9c42e8 100644   
   --- a/debian/changelog   
   +++ b/debian/changelog   
   @@ -1,3 +1,26 @@   
   +wireshark (4.0.17-0+deb12u2) bookworm; urgency=medium   
   +   
   + * Non-maintainer upload.   
   + * Fix CVE-2024-11596: ECMP dissector crash allows denial of service via   
   + packet injection or crafted capture file.   
   + * Fix CVE-2025-5601: Column handling crashes allows denial of service via   
   + packet injection or crafted capture file.   
   + * Fix CVE-2024-9781: AppleTalk and RELOAD Framing dissector crash allows   
   + denial of service via packet injection or crafted capture file.   
   + * Fix CVE-2025-11626: MONGO dissector infinite loop allows denial of   
   + service.   
   + * Fix CVE-2025-13499: Kafka dissector crash allows denial of service.   
   + * Fix CVE-2025-13945: HTTP3 dissector crash allows denial of service.   
   + * Fix CVE-2025-13946: MEGACO dissector infinite loop in allows denial of   
   + service.   
   + * Fix CVE-2025-9817: SSH dissector crash allows denial of service.   
   + * Fix CVE-2026-0960: HTTP3 protocol dissector infinite loop allows denial of   
   + service.   
   + * Fix CVE-2025-1492: Bundle Protocol and CBOR dissector crashes allows   
   + denial of service via packet injection or crafted capture file.   
   +   
   + -- Jochen Sprickerhof Wed, 28 Jan 2026 13:22:40 +0100   
   +   
    wireshark (4.0.17-0+deb12u1) bookworm; urgency=medium   
       
    * Non-maintainer upload.   
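
   Review bot: The CVE-2025-13946 entry reads "infinite loop in allows denial of service"; the "in" is a stray word and should be dropped so the line matches the wording of the CVE-2025-11626 and CVE-2026-0960 entries. The entries for CVE-2025-5601 and CVE-2025-1492 say "crashes allows", which should be "crashes allow". The new entry also lists the CVEs in no visible order and does not name the files added under debian/patches; ordering the entries by CVE id or by patch series position and naming each patch file would make the changelog easier to check against the debdiff.
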
   diff --git a/debian/patches/CVE-2024-11596.patch b/debian/patche   
   /CVE-2024-11596.patch   
   new file mode 100644   
   index 0000000000..188344e6e5   
   --- /dev/null   
   +++ b/debian/patches/CVE-2024-11596.patch   
   @@ -0,0 +1,162 @@   
   +From: Gerald Combs    
   +Date: Thu, 14 Nov 2024 10:56:37 -0800   
   +Subject: ECMP: Exorcise a string buffer arithmetic gremlin   
   +   
   +Use a wmem_strbuf instead of manually allocating a string and managing   
   +its offsets.   
   +   
   +Avoid appending a dangling space to our string.   
   +   
   +Fixes #20214   
   +   
   +(cherry picked from commit c8e58870733f88f275ca9a6fa115ed085f987d94)   
   +   
   +Conflicts:   
   + epan/dissectors/packet-ecmp.c   
   +   
   +origin: https://gitlab.com/wireshark/wireshark/-/merge_requests   
   18076/diffs?commit_id=06e0b0bb0925fe4b99cfb7243cce473031b09dee   
   +---   
   + epan/dissectors/packet-ecmp.c | 77 +++++++++------------------   
   ---------------   
   + 1 file changed, 16 insertions(+), 61 deletions(-)   
   +   
   +diff --git a/epan/dissectors/packet-ecmp.c b/epan/dissectors/packet-ecmp.c   
   +index 5b0ed6a..a1e351b 100644   
   +--- a/epan/dissectors/packet-ecmp.c   
   ++++ b/epan/dissectors/packet-ecmp.c   
   +@@ -1122,72 +1122,54 @@ static int display_raw_cyclic_data(guint8 display,   
   int offset, guint16 buffer_si   
   + proto_tree_add_bytes_format_value(ecmp_current_tree, hf_ecmp_cyclic_data,   
   tvb, offset-1, 0, NULL, "No data");   
   + } else {   
   + /* define some variables */   
   +- gchar* pdata = NULL; /* pointer to array that stores the formatted data   
   string */   
   +- guint16 idx = 0; /* counts through formatted string array */   
   +- guint8 value8 = 0; /* placeholder for extracted 8-bit data */   
   +- guint16 value16 = 0; /* placeholder for extracted 16-bit data */   
   +- guint32 value32 = 0; /* placeholder for extracted 32-bit data */   
   ++ wmem_strbuf_t* pdata = wmem_strbuf_new(wmem_packet_scope(), ""); /*   
   formatted data string */   
   + guint16 num_elements_total = 0; /* contains total number of elements   
   (byte/word/long) to be processed */   
   + const guint16 num_byte_elements_per_line = 16; /* number of byte (8-bit)   
   elements per line e.g. "1B " (3 chars per element) */   
   + const guint16 num_word_elements_per_line = 16; /* number of word (16-bit)   
   elements per line e.g. "A81B " (5 chars per element) */   
   + const guint16 num_long_elements_per_line = 8; /* number of long (32-bit)   
   elements per line e.g. "01F4A81B " (9 chars per element) */   
   + guint16 num_elements_per_line = 8; /* counts the current number of   
   elements per line */   
   + guint16 num_elements = 0; /* counts the number of elements in the format   
   string */   
   +- guint16 format_string_size = 0; /* size of dynamic array to hold the   
   formatted string */   
   + guint16 a = 0; /* value used for looping */   
   + int start_offset, line_offset;   
   +    
   +- /* calculate format string array size and other stuf   
    */   
   +- /   
      
      
      
       
   */   
   +- /* Note: format string does require a nul-terminator (the + 1 in the   
   equations) */   
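
   Review bot: The patch header records "Conflicts: epan/dissectors/packet-ecmp.c" from the cherry-pick but does not say how the conflict was resolved for 4.0.17; a one-line description of the adaptation in the header would let a reviewer compare the backport with upstream. The header also cites two different commits, c8e58870733f88f275ca9a6fa115ed085f987d94 in the "cherry picked from" line and 06e0b0bb0925fe4b99cfb7243cce473031b09dee in the origin URL, so it should state which of the two this file was generated from. The embedded hunk declares pdata as a wmem_strbuf_t in wmem_packet_scope() and removes idx and format_string_size, but it breaks off inside the removed sizing comments, so the lines that append to the buffer are not shown here and have to be reviewed in the continuation.
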
      
   [continued in next message]   
      