Hi,
I've just uploaded to Sid sngrep 1.7.0-2 with [2] included.
I've prepared sngrep 1.6.0-2 for bookworm.
Waiting for your reply,
Victor
[0] https://security-tracker.debian.org/tracker/CVE-2023-36192
https://www.cve.org/CVERecord?id=CVE-2023-36192
[1] https://github.com/irontec/sngrep/issues/438
[2] https://github.com/irontec/sngrep/commit/ad1daf15c8387bfbb48097c25197bf330d2d98fc
--
-----------------------------------------------------------------
| ,''`. Victor Seva |
| : :' : linuxman...@torreviejawireless.org |
| `. `' PGP Key ID: 0x51A09B18CF5A5068 |
| `- Debian Developer |
-----------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 3.0 (quilt)
Source: sngrep
Binary: sngrep
Architecture: any
Version: 1.6.0-2
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Uploaders: Ivan Alonso <ka...@irontec.com>, Victor Seva <vs...@debian.org>,
Homepage: https://github.com/irontec/sngrep
Standards-Version: 4.6.0.1
Vcs-Browser: https://salsa.debian.org/pkg-voip-team/sngrep/
Vcs-Git: https://salsa.debian.org/pkg-voip-team/sngrep.git
Build-Depends: debhelper-compat (= 12), libgcrypt20-dev, libgnutls28-dev | gnutls-dev, libncurses5-dev, libncursesw5-dev, libpcap-dev, libpcre2-dev
Package-List:
sngrep deb comm optional arch=any
Checksums-Sha1:
16120e0aa70606cc17697c7ba51557387b7daac6 248091 sngrep_1.6.0.orig.tar.gz
e3f515e3f286c418918a909253a2d35ccb9fd776 488 sngrep_1.6.0.orig.tar.gz.asc
63b5db9b18325c2514ff795da81f6a6392b0f99e 5384 sngrep_1.6.0-2.debian.tar.xz
Checksums-Sha256:
fd80964d6560f2ff57b4f5bef2353d1a6f7c48d2f1a5f0a167c854bd2e801999 248091 sngrep_1.6.0.orig.tar.gz
9170a813db1e0e9073a23550adfffa5d54a0dc32225067405f26191b40ea70e2 488 sngrep_1.6.0.orig.tar.gz.asc
fb2c0f761cdf155fa9da66e656b78a3e404d1187acf39417eb425dd7dcf78187 5384 sngrep_1.6.0-2.debian.tar.xz
Files:
1519ca6cd1167c0722debfb96e2ac173 248091 sngrep_1.6.0.orig.tar.gz
bb6562ad778c8860fd2a55887bacbdec 488 sngrep_1.6.0.orig.tar.gz.asc
f8907522f313a087c82b68bc9202c329 5384 sngrep_1.6.0-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iIcEARYKAC8WIQQq6AO8RS0zF4SC1vh9e2XEKg7IsgUCZJk4HxEcdnNldmFAZGVi
aWFuLm9yZwAKCRB9e2XEKg7IsrjmAP98coucWWUFpF0w5CoLmogrQgRQyLw+8xOq
YEZ3OBATrQD+IJt0HV5u6S1hxIZGe+aUkTWcXFuRW0BqSYZbaJKv6w0=
=Vfcg
-----END PGP SIGNATURE-----
diff -Nru sngrep-1.6.0/debian/changelog sngrep-1.6.0/debian/changelog
--- sngrep-1.6.0/debian/changelog 2022-09-03 08:13:32.000000000 +0200
+++ sngrep-1.6.0/debian/changelog 2023-06-26 08:55:18.000000000 +0200
@@ -1,3 +1,9 @@
+sngrep (1.6.0-2) bookworm-security; urgency=high
+
+ * fix from upstream for CVE-2023-36192
+
+ -- Victor Seva <vs...@debian.org> Mon, 26 Jun 2023 08:55:18 +0200
+
sngrep (1.6.0-1) unstable; urgency=medium
* New upstream version 1.6.0
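Review bot: The new changelog entry at the top of this hunk says only "fix from upstream for CVE-2023-36192" and does not name the file being added. Naming debian/patches/ad1daf15c8387bfbb48097c25197bf330d2d98fc.patch and the upstream issue (#438) in the entry would let someone reading the changelog find the change without opening debian/patches/series.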
diff -Nru
sngrep-1.6.0/debian/patches/ad1daf15c8387bfbb48097c25197bf330d2d98fc.patch
sngrep-1.6.0/debian/patches/ad1daf15c8387bfbb48097c25197bf330d2d98fc.patch
--- sngrep-1.6.0/debian/patches/ad1daf15c8387bfbb48097c25197bf330d2d98fc.patch
1970-01-01 01:00:00.000000000 +0100
+++ sngrep-1.6.0/debian/patches/ad1daf15c8387bfbb48097c25197bf330d2d98fc.patch
2023-06-26 08:55:18.000000000 +0200
@@ -0,0 +1,42 @@
+From ad1daf15c8387bfbb48097c25197bf330d2d98fc Mon Sep 17 00:00:00 2001
+From: Kaian <ka...@irontec.com>
+Date: Fri, 9 Jun 2023 14:29:29 +0200
+Subject: [PATCH] capture: properly validate WS packet payload size #438
+
+---
+ src/capture.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/capture.c b/src/capture.c
+index 62ff08fb..3cbabeeb 100644
+--- a/src/capture.c
++++ b/src/capture.c
+@@ -901,8 +901,8 @@ capture_ws_check_packet(packet_t *packet)
+ size_payload = packet_payloadlen(packet);
+ payload = packet_payload(packet);
+
+- // Check we have payload
+- if (size_payload == 0)
++ // Check we have enough payload (base)
++ if (size_payload == 0 || size_payload <= 2)
+ return 0;
+
+ // Flags && Opcode
+@@ -931,8 +931,17 @@ capture_ws_check_packet(packet_t *packet)
+ return 0;
+ }
+
++ // Check we have enough payload (base + extended payload headers)
++ if ((int32_t) size_payload - ws_off <= 0) {
++ return 0;
++ }
++
+ // Get Masking key if mask is enabled
+ if (ws_mask) {
++ // Check we have enough payload (base + extended payload headers +
mask)
++ if ((int32_t) size_payload - ws_off - 4 <= 0) {
++ return 0;
++ }
+ memcpy(ws_mask_key, (payload + ws_off), 4);
+ ws_off += 4;
+ }
diff -Nru sngrep-1.6.0/debian/patches/series sngrep-1.6.0/debian/patches/series
--- sngrep-1.6.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ sngrep-1.6.0/debian/patches/series 2023-06-26 08:55:18.000000000 +0200
@@ -0,0 +1,3 @@
+# https://security-tracker.debian.org/tracker/CVE-2023-36192
+# https://github.com/irontec/sngrep/issues/438
+ad1daf15c8387bfbb48097c25197bf330d2d98fc.patch
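Review bot: The CVE tracker and upstream issue URLs are recorded only as comments in debian/patches/series, while the patch file itself carries just the git format-patch header. Putting them in the patch header as DEP-3 fields (`Origin:` with the upstream commit URL, `Bug:` with the issue URL) keeps the provenance attached to the patch if the series file is later reordered or the patch is copied to another branch.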