!204 [sync] PR-197: Fix CVE-2024-4853,CVE-2024-4854 and CVE-2024-4855

From: @openeuler-sync-bot 
Reviewed-by: @wk333 
Signed-off-by: @wk333

CVE-2023-0666.patch

@@ -0,0 +1,116 @@
+From 28fdce547c417b868c521f87fb58f71ca6b1e3f7 Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Thu, 18 May 2023 13:52:48 -0700
+Subject: [PATCH] RTPS: Fixup our g_strlcpy dest_sizes
+
+Use the proper dest_size in various g_strlcpy calls.
+
+Fixes #19085
+---
+ epan/dissectors/packet-rtps.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c
+index c152d50..f4da449 100644
+--- a/epan/dissectors/packet-rtps.c
++++ b/epan/dissectors/packet-rtps.c
+@@ -4487,7 +4487,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
+     ++tk_id;
+   }
+ 
+-  (void) g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), 40);
++  (void) g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), sizeof(type_name));
+ 
+     /* Structure of the typecode data:
+      *
+@@ -4658,7 +4658,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
+                     member_name, -1, NULL, ndds_40_hack);
+         }
+         /* Finally prints the name of the struct (if provided) */
+-        (void) g_strlcpy(type_name, "}", 40);
++        (void) g_strlcpy(type_name, "}", sizeof(type_name));
+         break;
+ 
+     } /* end of case UNION */
+@@ -4829,7 +4829,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
+           }
+         }
+         /* Finally prints the name of the struct (if provided) */
+-        (void) g_strlcpy(type_name, "}", 40);
++        (void) g_strlcpy(type_name, "}", sizeof(type_name));
+         break;
+       }
+ 
+@@ -4921,7 +4921,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
+         offset += 4;
+         alias_name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, alias_name_length, ENC_ASCII);
+         offset = check_offset_addition(offset, alias_name_length, tree, NULL, tvb);
+-        (void) g_strlcpy(type_name, alias_name, 40);
++        (void) g_strlcpy(type_name, alias_name, sizeof(type_name));
+         break;
+     }
+ 
+@@ -4956,7 +4956,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
+         if (tk_id == RTI_CDR_TK_VALUE_PARAM) {
+           type_id_name = "valueparam";
+         }
+-        g_snprintf(type_name, 40, "%s '%s'", type_id_name, value_name);
++        g_snprintf(type_name, sizeof(type_name), "%s '%s'", type_id_name, value_name);
+         break;
+     }
+   } /* switch(tk_id) */
+@@ -5120,7 +5120,7 @@ static gint rtps_util_add_type_library_type(proto_tree *tree,
+   long_number = tvb_get_guint32(tvb, offset_tmp, encoding);
+   name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset_tmp+4, long_number, ENC_ASCII);
+   if (info)
+-    (void) g_strlcpy(info->member_name, name, long_number);
++    (void) g_strlcpy(info->member_name, name, sizeof(info->member_name));
+ 
+   proto_item_append_text(tree, " %s", name);
+   offset = check_offset_addition(offset, member_length, tree, NULL, tvb);
+@@ -5296,13 +5296,13 @@ static gint rtps_util_add_type_member(proto_tree *tree,
+   proto_item_append_text(tree, " %s (ID: %d)", name, member_id);
+   if (member_object) {
+     member_object->member_id = member_id;
+-    (void) g_strlcpy(member_object->member_name, name, long_number < 256 ? long_number : 256);
++    (void) g_strlcpy(member_object->member_name, name, sizeof(member_object->member_name));
+     member_object->type_id = member_type_id;
+   }
+   if (info && info->extensibility == EXTENSIBILITY_MUTABLE) {
+       mutable_member_mapping * mutable_mapping = NULL;
+       mutable_mapping = wmem_new(wmem_file_scope(), mutable_member_mapping);
+-      (void) g_strlcpy(mutable_mapping->member_name, name, long_number < 256 ? long_number : 256);
++      (void) g_strlcpy(mutable_mapping->member_name, name, sizeof(mutable_mapping->member_name));
+       mutable_mapping->struct_type_id = info->type_id;
+       mutable_mapping->member_type_id = member_type_id;
+       mutable_mapping->member_id = member_id;
+@@ -5357,7 +5357,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree,
+     union_member_mapping * mapping = NULL;
+ 
+     mapping = wmem_new(wmem_file_scope(), union_member_mapping);
+-    (void) g_strlcpy(mapping->member_name, object.member_name, 256);
++    (void) g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name));
+     mapping->member_type_id = object.type_id;
+     mapping->discriminator = HASHMAP_DISCRIMINATOR_CONSTANT;
+     mapping->union_type_id = union_type_id + mapping->discriminator;
+@@ -5370,7 +5370,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree,
+     union_member_mapping * mapping = NULL;
+ 
+     mapping = wmem_new(wmem_file_scope(), union_member_mapping);
+-    (void) g_strlcpy(mapping->member_name, object.member_name, 256);
++    (void) g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name));
+     mapping->member_type_id = object.type_id;
+     mapping->discriminator = -1;
+     mapping->union_type_id = union_type_id + mapping->discriminator;
+@@ -5390,7 +5390,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree,
+     ti = proto_tree_add_item(labels, hf_rtps_type_object_union_label, tvb, offset_tmp, 4, encoding);
+     offset_tmp += 4;
+ 
+-    (void) g_strlcpy(mapping->member_name, object.member_name, 256);
++    (void) g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name));
+     mapping->member_type_id = object.type_id;
+     mapping->discriminator = discriminator_case;
+     mapping->union_type_id = union_type_id + discriminator_case;
+-- 
+2.33.0
+

CVE-2023-5371.patch

@@ -0,0 +1,48 @@
+From 1921740b0bf561941e0906884757831bde989add Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Wed, 6 Sep 2023 06:13:23 -0400
+Subject: [PATCH] RTPS: Check for signed overflow
+
+Origin: https://gitlab.com/wireshark/wireshark/-/commit/1921740b0bf561941e0906884757831bde989add
+
+The offset is a signed integer, and we use negative offsets
+to mean "offset counting from the end of the tvb." That means
+that we can still have an excessive loop without unsigned overflow
+or running off the end of the tvb, if the result of adding a large
+unsigned integer to the offset results in a small negative number.
+
+Just check if the result of the addition makes the offset move
+backwards.
+
+Fix #19322
+
+(backported from commit 0de07f8fe4f8e06da9084485e64a24c8f85a20f4)
+---
+ epan/dissectors/packet-rtps.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c
+index 82ac8f9436b..c152d50dfc6 100644
+--- a/epan/dissectors/packet-rtps.c
++++ b/epan/dissectors/packet-rtps.c
+@@ -2474,13 +2474,14 @@ static const fragment_items rtps_frag_items = {
+     "RTPS fragments"
+ };
+ 
+-static guint32 check_offset_addition(guint32 offset, guint32 value, proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
++static gint check_offset_addition(gint offset, guint32 value, proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
+ {
+-    if (offset > G_MAXUINT32 - value) {
++    gint new_offset = offset + (gint)value;
++    if (new_offset < offset) {
+         proto_tree_add_expert_format(tree, pinfo, &ei_rtps_value_too_large, tvb, 0, 0, "Offset value too large: %u", value);
+         THROW(ReportedBoundsError);
+     }
+-    return offset + value;
++    return new_offset;
+ }
+ 
+ static void rtps_util_dissect_parameter_header(tvbuff_t * tvb, gint * offset,
+-- 
+GitLab
+

CVE-2023-6175.patch

@@ -0,0 +1,254 @@
+From 197e96f05303af0340b7e626f2b15c2edbf350b0 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Tue, 17 Oct 2023 22:08:42 -0700
+Subject: [PATCH] netscreen: do bounds checking for each byte of packet data.
+
+Make sure each byte we add to the packet data from the file fits in the
+buffer, rather than stuffing bytes into the buffer and checking
+afterwards.
+
+This prevents a buffer overflow.
+
+Fixes #19404, which was filed as part of Trend Micro's Zero Day
+Initiative as ZDI-CAN-22164.
+
+While we're at it, expand a comment and make error messages give some
+more detail.
+
+(backported from commit 3be1c99180a6fc48c34ae4bfc79bfd840b29ae3e)
+---
+ wiretap/netscreen.c | 129 ++++++++++++++++++++++++++++++++------------
+ 1 file changed, 96 insertions(+), 33 deletions(-)
+
+diff --git a/wiretap/netscreen.c b/wiretap/netscreen.c
+index de872cdb8b1..6880171e0d1 100644
+--- a/wiretap/netscreen.c
++++ b/wiretap/netscreen.c
+@@ -59,7 +59,12 @@ static gboolean netscreen_seek_read(wtap *wth, gint64 seek_off,
+ static gboolean parse_netscreen_packet(FILE_T fh, wtap_rec *rec,
+ 	Buffer* buf, char *line, int *err, gchar **err_info);
+ static int parse_single_hex_dump_line(char* rec, guint8 *buf,
+-	guint byte_offset);
++	guint byte_offset, guint pkt_len);
++
++/* Error returns from parse_single_hex_dump_line() */
++#define PARSE_LINE_INVALID_CHARACTER	-1
++#define PARSE_LINE_NO_BYTES_SEEN	-2
++#define PARSE_LINE_TOO_MANY_BYTES_SEEN	-3
+ 
+ static int netscreen_file_type_subtype = -1;
+ 
+@@ -245,13 +250,40 @@ netscreen_seek_read(wtap *wth, gint64 seek_off,	wtap_rec *rec, Buffer *buf,
+               2c 21 b6 d3 20 60 0c 8c 35 98 88 cf 20 91 0e a9     ,!...`..5.......
+               1d 0b                                               ..
+ 
++ * The first line of a packet is in the form
++
++<secs>.<dsecs>: <iface>({i,o}) len=<length>:<llinfo>>
+ 
++ * where:
++ *
++ *   <secs> and <dsecs> are a time stamp in seconds and deciseconds,
++ *     giving the time since the firewall was booted;
++ *
++ *   <iface> is the name of the interface on which the packet was
++ *     received or on which it was transmitted;
++ *
++ *   {i,o} is i for a received packet and o for a transmitted packet;
++ *
++ *   <length> is the length of the packet on the network;
++ *
++ *   <llinfo>, at least for Ethernet, appears to be a source MAC
++ *     address, folowed by "->", folowed by a destination MAC
++ *     address, followed by a sequence of Ethertypes, each
++ *     preceded by a "/" (multiple Ethertypes if there are VLAN
++ *     tags and the like), possibly followed by ", tag <tag>".
++ *
++ * Following that may be some "info lines", each of which is indented
++ * by 14 spaces, giving a dissection of the payload after the
++ * link-layer header.
++ *
++ * Following that is a hex/ASCII dump of the contents of the
++ * packet, with 16 octets per line.
+  */
+ static gboolean
+ parse_netscreen_packet(FILE_T fh, wtap_rec *rec, Buffer* buf,
+     char *line, int *err, gchar **err_info)
+ {
+-	int		pkt_len;
++	guint		pkt_len;
+ 	int		sec;
+ 	int		dsec;
+ 	char		cap_int[NETSCREEN_MAX_INT_NAME_LENGTH];
+@@ -271,25 +303,20 @@ parse_netscreen_packet(FILE_T fh, wtap_rec *rec, Buffer* buf,
+ 	memset(cap_int, 0, sizeof(cap_int));
+ 	memset(cap_dst, 0, sizeof(cap_dst));
+ 
+-	if (sscanf(line, "%9d.%9d: %15[a-z0-9/:.-](%1[io]) len=%9d:%12s->%12s/",
++	if (sscanf(line, "%9d.%9d: %15[a-z0-9/:.-](%1[io]) len=%9u:%12s->%12s/",
+ 		   &sec, &dsec, cap_int, direction, &pkt_len, cap_src, cap_dst) < 5) {
+ 		*err = WTAP_ERR_BAD_FILE;
+ 		*err_info = g_strdup("netscreen: Can't parse packet-header");
+ 		return -1;
+ 	}
+-	if (pkt_len < 0) {
+-		*err = WTAP_ERR_BAD_FILE;
+-		*err_info = g_strdup("netscreen: packet header has a negative packet length");
+-		return FALSE;
+-	}
+-	if ((guint)pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
++	if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
+ 		/*
+ 		 * Probably a corrupt capture file; don't blow up trying
+ 		 * to allocate space for an immensely-large packet.
+ 		 */
+ 		*err = WTAP_ERR_BAD_FILE;
+ 		*err_info = g_strdup_printf("netscreen: File has %u-byte packet, bigger than maximum of %u",
+-		    (guint)pkt_len, WTAP_MAX_PACKET_SIZE_STANDARD);
++		    pkt_len, WTAP_MAX_PACKET_SIZE_STANDARD);
+ 		return FALSE;
+ 	}
+ 
+@@ -328,44 +355,71 @@ parse_netscreen_packet(FILE_T fh, wtap_rec *rec, Buffer* buf,
+ 			break;
+ 		}
+ 
+-		n = parse_single_hex_dump_line(p, pd, offset);
++		n = parse_single_hex_dump_line(p, pd, offset, pkt_len);
+ 
+-		/* the smallest packet has a length of 6 bytes, if
+-		 * the first hex-data is less then check whether
+-		 * it is a info-line and act accordingly
++		/*
++		 * The smallest packet has a length of 6 bytes.
++		 * If the first line either gets an error when
++		 * parsed as hex data, or has fewer than 6
++		 * bytes of hex data, check whether it's an
++		 * info line by see if it has at least
++		 * NETSCREEN_SPACES_ON_INFO_LINE spaces at the
++		 * beginning.
++		 *
++		 * If it does, count this line and, if we have,
++		 * so far, skipped no more than NETSCREEN_MAX_INFOLINES
++		 * lines, skip this line.
+ 		 */
+ 		if (offset == 0 && n < 6) {
+ 			if (info_line(line)) {
++				/* Info line */
+ 				if (++i <= NETSCREEN_MAX_INFOLINES) {
++					/* Skip this line */
+ 					continue;
+ 				}
+ 			} else {
+-				*err = WTAP_ERR_BAD_FILE;
+-				*err_info = g_strdup("netscreen: cannot parse hex-data");
+-				return FALSE;
++				if (n >= 0) {
++					*err = WTAP_ERR_BAD_FILE;
++					*err_info = g_strdup("netscreen: first line of packet data has only %d hex bytes, < 6");
++					return FALSE;
++				}
++				/* Otherwise, fall through to report error */
+ 			}
+ 		}
+ 
+ 		/* If there is no more data and the line was not empty,
+ 		 * then there must be an error in the file
+ 		 */
+-		if (n == -1) {
+-			*err = WTAP_ERR_BAD_FILE;
+-			*err_info = g_strdup("netscreen: cannot parse hex-data");
++		if (n < 0) {
++			switch (n) {
++
++			case PARSE_LINE_INVALID_CHARACTER:
++				*err = WTAP_ERR_BAD_FILE;
++				*err_info = g_strdup("netscreen: invalid character in hex data");
++				break;
++
++			case PARSE_LINE_NO_BYTES_SEEN:
++				*err = WTAP_ERR_BAD_FILE;
++				*err_info = g_strdup("netscreen: no hex bytes seen in hex data");
++				break;
++
++			case PARSE_LINE_TOO_MANY_BYTES_SEEN:
++				*err = WTAP_ERR_BAD_FILE;
++				*err_info = g_strdup("netscreen: number of hex bytes seen in hex data is greater than the packet length");
++				break;
++
++			default:
++				*err = WTAP_ERR_INTERNAL;
++				*err_info = g_strdup_printf("netscreen: unknown error %d from parse_single_hex_dump_line()", n);
++				break;
++			}
++
+ 			return FALSE;
+ 		}
+ 
+ 		/* Adjust the offset to the data that was just added to the buffer */
+ 		offset += n;
+ 
+-		/* If there was more hex-data than was announced in the len=x
+-		 * header, then then there must be an error in the file
+-		 */
+-		if (offset > pkt_len) {
+-			*err = WTAP_ERR_BAD_FILE;
+-			*err_info = g_strdup("netscreen: too much hex-data");
+-			return FALSE;
+-		}
+ 	}
+ 
+ 	/*
+@@ -405,7 +459,7 @@ parse_netscreen_packet(FILE_T fh, wtap_rec *rec, Buffer* buf,
+  *
+  * Returns number of bytes successfully read, -1 if bad.  */
+ static int
+-parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset)
++parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset, guint pkt_len)
+ {
+ 	int num_items_scanned;
+ 	guint8 character;
+@@ -424,7 +478,7 @@ parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset)
+ 			/* Nothing more to parse */
+ 			break;
+ 		} else
+-			return -1; /* not a hex digit, space before ASCII dump, or EOL */
++			return PARSE_LINE_INVALID_CHARACTER; /* not a hex digit, space before ASCII dump, or EOL */
+ 		byte <<= 4;
+ 		character = *rec++ & 0xFF;
+ 		if (character >= '0' && character <= '9')
+@@ -434,7 +488,16 @@ parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset)
+ 		else if (character >= 'a' && character <= 'f')
+ 			byte += character - 'a' + 0xa;
+ 		else
+-			return -1; /* not a hex digit */
++			return PARSE_LINE_INVALID_CHARACTER; /* not a hex digit */
++
++		/* If there was more hex-data than was announced in the len=x
++		 * header, then there must be an error in the file; quit
++		 * now, as adding this byte will overflow the buffer.
++		 */
++		if (byte_offset + num_items_scanned >= pkt_len) {
++			return PARSE_LINE_TOO_MANY_BYTES_SEEN;
++		}
++
+ 		buf[byte_offset + num_items_scanned] = byte;
+ 		character = *rec++ & 0xFF;
+ 		if (character == '\0' || character == '\r' || character == '\n') {
+@@ -442,11 +505,11 @@ parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset)
+ 			break;
+ 		} else if (character != ' ') {
+ 			/* not space before ASCII dump */
+-			return -1;
++			return PARSE_LINE_INVALID_CHARACTER;
+ 		}
+ 	}
+ 	if (num_items_scanned == 0)
+-		return -1;
++		return PARSE_LINE_NO_BYTES_SEEN;
+ 
+ 	return num_items_scanned;
+ }
+-- 
+GitLab
+

CVE-2024-0208.patch

@@ -0,0 +1,42 @@
+From 4953fa99e78ce86e98c18d438dac00669956965c Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Thu, 23 Nov 2023 13:47:51 -0500
+Subject: [PATCH] gvcp: Don't try to add a NULL string to a column
+
+Origin: https://gitlab.com/wireshark/wireshark/-/merge_requests/13417
+
+This was caught as an invalid argument by g_strlcpy before 4.2,
+but it was never a good idea.
+
+Fix #19496
+
+(backported from commit a8586fde3a6512466afb2a660538ef3fe712076b)
+---
+ epan/dissectors/packet-gvcp.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/epan/dissectors/packet-gvcp.c b/epan/dissectors/packet-gvcp.c
+index a7c13684f03..732db590e4a 100644
+--- a/epan/dissectors/packet-gvcp.c
++++ b/epan/dissectors/packet-gvcp.c
+@@ -2222,15 +2222,12 @@ static void dissect_readreg_ack(proto_tree *gvcp_telegram_tree, tvbuff_t *tvb, p
+ 			if (addr_list_size > 0)
+ 			{
+ 				address_string = get_register_name_from_address(*((guint32*)wmem_array_index(gvcp_trans->addr_list, 0)), gvcp_info, &is_custom_register);
++				col_append_str(pinfo->cinfo, COL_INFO, address_string);
+ 			}
+ 
+ 			if (num_registers)
+ 			{
+-				col_append_fstr(pinfo->cinfo, COL_INFO, "%s Value=0x%08X", address_string, tvb_get_ntohl(tvb, offset));
+-			}
+-			else
+-			{
+-				col_append_str(pinfo->cinfo, COL_INFO, address_string);
++				col_append_sep_fstr(pinfo->cinfo, COL_INFO, " ", "Value=0x%08X", tvb_get_ntohl(tvb, offset));
+ 			}
+ 		}
+ 	}
+-- 
+GitLab
+

CVE-2024-4853.patch

@@ -0,0 +1,33 @@
+From 683166c81bc1f8a6268f4955654bfd64ca98c07a Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Fri, 29 Mar 2024 09:42:44 -0400
+Subject: [PATCH] editcap: Don't memmove more than allocated in the buffer
+
+When moving from the begining with a beginning offset specified,
+don't run off the end. Subtract the source memory area's full offset
+from the beginning of the buffer from the capture length.
+
+Fix #19724
+
+
+(cherry picked from commit 7c744e7933794b09e7af4d9703194ad0b01be282)
+---
+ editcap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/editcap.c b/editcap.c
+index 3b5a70127ee..f64a8155576 100644
+--- a/editcap.c
++++ b/editcap.c
+@@ -2462,7 +2462,7 @@ handle_chopping(chop_t chop, wtap_packet_header *out_phdr,
+         if (chop.off_begin_pos > 0) {
+             memmove(*buf + chop.off_begin_pos,
+                     *buf + chop.off_begin_pos + chop.len_begin,
+-                    out_phdr->caplen - chop.len_begin);
++                    out_phdr->caplen - (chop.off_begin_pos + chop.len_begin));
+         } else {
+             *buf += chop.len_begin;
+         }
+-- 
+GitLab
+

CVE-2024-4854.patch

@@ -0,0 +1,48 @@
+From 40ed7e814bce9d27cc7a43a3c9612d25692be716 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sat, 30 Mar 2024 08:07:26 -0400
+Subject: [PATCH] Mongo: Ensure the offset advances
+
+The MongoDB Wire Protocol uses _signed_ 32 bit integers for lengths.
+dissect_bson_document checks for bogus values and ensures that a
+non-negative (and at least 5) size is returned, but we need to make
+sure to use that return value instead of trusting the value read
+from the packet in dissect_op_msg_section.
+
+Fix #19726
+
+
+(cherry picked from commit 38c0efcee8d22d922e446888b268effc3ccf725f)
+---
+ epan/dissectors/packet-mongo.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-mongo.c b/epan/dissectors/packet-mongo.c
+index b5a8bbffc2a..8e5f6370fbf 100644
+--- a/epan/dissectors/packet-mongo.c
++++ b/epan/dissectors/packet-mongo.c
+@@ -799,7 +799,10 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
+ 
+   switch (e_type) {
+     case KIND_BODY:
+-      dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
++      section_len = dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
++      /* If section_len is bogus (e.g., negative), dissect_bson_document sets
++       * an expert info and can return a different value than read above.
++       */
+       break;
+     case KIND_DOCUMENT_SEQUENCE: {
+       gint32 dsi_length;
+@@ -808,6 +811,9 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
+       proto_tree *documents_tree;
+ 
+       proto_tree_add_item(section_tree, hf_mongo_msg_sections_section_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
++      /* This is redundant with the lengths in the documents, we don't use this
++       * size at all. We could still report an expert info if it's bogus.
++       */
+       offset += 4;
+       to_read -= 4;
+ 
+-- 
+GitLab
+

CVE-2024-4855.patch

@@ -0,0 +1,158 @@
+From f6cb547426d1ee5df2038809b5a6f23380edc932 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sat, 20 Apr 2024 13:15:16 +0000
+Subject: [PATCH] editcap, libwiretap: Don't use array of initial DSBs after
+ freeing
+
+wtap_dump_close frees the passed in GArray of initial DSBs, used
+by editcap for injecting DSBs from a file or list of files.
+
+Add functions to increment and decrement the reference count of
+an array of wtap blocks. Dereference the block of initial DSBs
+in wtap_dump_close() instead of freeing it. In editcap, before
+closing the dump file in cases where we intend to open a new
+file (e.g., with a maximum time value or a maximum packet count),
+reference the block.
+
+Fix #19782, #19783, #19784.
+
+
+(cherry picked from commit be3550b3b138f39bebb87ac0b8490e75fc8cc847)
+
+Co-authored-by: John Thacker <johnthacker@gmail.com>
+---
+ editcap.c               |  9 +++++++++
+ wiretap/file_access.c   |  2 +-
+ wiretap/wtap.h          |  3 ++-
+ wiretap/wtap_opttypes.c | 26 ++++++++++++++++++++++++++
+ wiretap/wtap_opttypes.h | 23 +++++++++++++++++++++++
+ 5 files changed, 61 insertions(+), 2 deletions(-)
+
+diff --git a/editcap.c b/editcap.c
+index 45091e5..50597c5 100644
+--- a/editcap.c
++++ b/editcap.c
+@@ -1858,6 +1858,10 @@ main(int argc, char *argv[])
+                 }
+                 while (nstime_cmp(&rec->ts, &block_next) > 0) { /* time for the next file */
+ 
++                    /* We presumably want to write the DSBs from files given
++                     * on the command line to every file.
++                     */
++                    wtap_block_array_ref(params.dsbs_initial);
+                     if (!wtap_dump_close(pdh, &write_err, &write_err_info)) {
+                         cfile_close_failure_message(filename, write_err,
+                                                     write_err_info);
+@@ -1890,6 +1894,11 @@ main(int argc, char *argv[])
+         if (split_packet_count != 0) {
+             /* time for the next file? */
+             if (written_count > 0 && (written_count % split_packet_count) == 0) {
++
++                /* We presumably want to write the DSBs from files given
++                 * on the command line to every file.
++                 */
++                wtap_block_array_ref(params.dsbs_initial);
+                 if (!wtap_dump_close(pdh, &write_err, &write_err_info)) {
+                     cfile_close_failure_message(filename, write_err,
+                                                 write_err_info);
+diff --git a/wiretap/file_access.c b/wiretap/file_access.c
+index ff7a640..50d1fb1 100644
+--- a/wiretap/file_access.c
++++ b/wiretap/file_access.c
+@@ -2655,7 +2655,7 @@ wtap_dump_close_new_temp(wtap_dumper *wdh, gboolean *needs_reload,
+ 		*needs_reload = wdh->needs_reload;
+ 	g_free(wdh->priv);
+ 	wtap_block_array_free(wdh->interface_data);
+-	wtap_block_array_free(wdh->dsbs_initial);
++	wtap_block_array_unref(wdh->dsbs_initial);
+ 	g_free(wdh);
+ 	return ret;
+ }
+diff --git a/wiretap/wtap.h b/wiretap/wtap.h
+index d592884..75e4fc6 100644
+--- a/wiretap/wtap.h
++++ b/wiretap/wtap.h
+@@ -1419,7 +1419,8 @@ typedef struct addrinfo_lists {
+  * @note The shb_hdr, idb_inf, and nrb_hdr arguments will be used until
+  *     wtap_dump_close() is called, but will not be free'd by the dumper. If
+  *     you created them, you must free them yourself after wtap_dump_close().
+- *     dsbs_initial will be freed by wtap_dump_close(),
++ *     dsbs_initial will be unreferenced by wtap_dump_close(), so to reuse
++ *     them for another dump file, call wtap_block_array_ref() before closing.
+  *     dsbs_growing typically refers to another wth->dsbs.
+  *
+  * @see wtap_dump_params_init, wtap_dump_params_cleanup.
+diff --git a/wiretap/wtap_opttypes.c b/wiretap/wtap_opttypes.c
+index 2068743..d4a9602 100644
+--- a/wiretap/wtap_opttypes.c
++++ b/wiretap/wtap_opttypes.c
+@@ -436,6 +436,32 @@ void wtap_block_array_free(GArray* block_array)
+     g_array_free(block_array, TRUE);
+ }
+ 
++void wtap_block_array_ref(GArray* block_array)
++{
++    unsigned block;
++
++    if (block_array == NULL)
++        return;
++
++    for (block = 0; block < block_array->len; block++) {
++        wtap_block_ref(g_array_index(block_array, wtap_block_t, block));
++    }
++    g_array_ref(block_array);
++}
++
++void wtap_block_array_unref(GArray* block_array)
++{
++    unsigned block;
++
++    if (block_array == NULL)
++        return;
++
++    for (block = 0; block < block_array->len; block++) {
++        wtap_block_unref(g_array_index(block_array, wtap_block_t, block));
++    }
++    g_array_unref(block_array);
++}
++
+ /*
+  * Make a copy of a block.
+  */
+diff --git a/wiretap/wtap_opttypes.h b/wiretap/wtap_opttypes.h
+index 58d3103..5d130c5 100644
+--- a/wiretap/wtap_opttypes.h
++++ b/wiretap/wtap_opttypes.h
+@@ -572,6 +572,29 @@ wtap_block_unref(wtap_block_t block);
+ WS_DLL_PUBLIC void
+ wtap_block_array_free(GArray* block_array);
+ 
++/** Decrement the reference count of an array of blocks
++ *
++ * Decrement the reference count of each block in the array
++ * and the GArray itself. Any element whose reference count
++ * drops to 0 will be freed. If the GArray and every block
++ * has a reference count of 1, this is the same as
++ * wtap_block_array_free().
++ *
++ * @param[in] block_array Array of blocks to be dereferenced
++ */
++WS_DLL_PUBLIC void
++wtap_block_array_unref(GArray* block_array);
++
++/** Increment the reference count of an array of blocks
++ *
++ * Increment the reference count of each block in the array
++ * and the GArray itself.
++ *
++ * @param[in] block_array Array of blocks to be referenced
++ */
++WS_DLL_PUBLIC void
++wtap_block_array_ref(GArray* block_array);
++
+ /** Provide type of a block
+  *
+  * @param[in] block Block from which to retrieve mandatory data
+-- 
+2.33.0
+

wireshark.spec

@@ -5,7 +5,7 @@
 Summary:	Network traffic analyzer
 Name:		wireshark
 Version:	3.6.14
-Release:	3
+Release:	8
 Epoch:		1
 License:	GPL+
 Url:		http://www.wireshark.org/
@@ -27,6 +27,16 @@ Patch10:	CVE-2023-2906.patch
 Patch11:	CVE-2023-4513-1.patch
 Patch12:	CVE-2023-4513-2.patch
 Patch13:	CVE-2023-4511.patch
+Patch14:	CVE-2023-5371.patch
+# https://gitlab.com/wireshark/wireshark/-/commit/197e96f05303af0340b7e626f2b15c2edbf350b0
+Patch15:        CVE-2023-6175.patch
+Patch16:        CVE-2024-0208.patch
+Patch17:        CVE-2024-0209.patch
+# https://gitlab.com/wireshark/wireshark/-/commit/28fdce547c417b868c521f87fb58f71ca6b1e3f7
+Patch18:        CVE-2023-0666.patch
+Patch19:        CVE-2024-4853.patch
+Patch20:        CVE-2024-4854.patch
+Patch21:        CVE-2024-4855.patch
 
 Requires:	xdg-utils
 Requires:	hicolor-icon-theme
@@ -201,6 +211,21 @@ exit 0
 %{_mandir}/man?/*
 
 %changelog
+* Wed May 15 2024 yaoxin <yao_xin001@hoperun.com> - 1:3.6.14-8
+- Fix CVE-2024-4853,CVE-2024-4854 and CVE-2024-4855
+
+* Mon Mar 25 2024 yaoxin <yao_xin001@hoperun.com> - 1:3.6.14-7
+- Fix CVE-2023-0666
+
+* Thu Jan 04 2024 wangkai <13474090681@163.com> - 1:3.6.14-6
+- Fix CVE-2024-0208,CVE-2024-0209
+
+* Tue Nov 21 2023 yaoxin <yao_xin001@hoperun.com> - 1:3.6.14-5
+- Fix CVE-2023-6175
+
+* Sat Oct 07 2023 wangkai <13474090681@163.com> - 1:3.6.14-4
+- Fix CVE-2023-5371
+
 * Wed Sep 06 2023 wangkai <13474090681@163.com> - 1:3.6.14-3
 - Fix CVE-2023-3649,CVE-2023-2906,CVE-2023-4511,CVE-2023-4513