From bb37996d689c5e3f41ef76af4267e4d1c79ee5c9 Mon Sep 17 00:00:00 2001
From: zoedong
Date: Mon, 1 Apr 2024 19:40:46 +0800
Subject: [PATCH] Fix CVE-2024-2955
---
 CVE-2024-2955.patch | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 wireshark.spec | 6 +++++-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-2955.patch
diff --git a/CVE-2024-2955.patch b/CVE-2024-2955.patch
new file mode 100644
index 0000000..a02904a
--- /dev/null
+++ b/CVE-2024-2955.patch
@@ -0,0 +1,51 @@
+From c04f268605c7035c8907d72aec0508bc487e5381 Mon Sep 17 00:00:00 2001
+From: John Thacker
+Date: Wed, 6 Mar 2024 20:40:42 -0500
+Subject: [PATCH] t38: Allocate forced defragmented memory in correct scope
+
+Fragment data can't be allocated in pinfo->pool scope, as it
+outlives the frame. Set it to be freed when the associated tvb
+is freed, as done in the main reassemble.c code.
+
+Fix #19695
+
+
+(cherry picked from commit 6fd3af5e999c71df67c2cdcefb96d0dc4afa5341)
+---
+ epan/dissectors/asn1/t38/packet-t38-template.c | 3 ++-
+ epan/dissectors/packet-t38.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/asn1/t38/packet-t38-template.c b/epan/dissectors/asn1/t38/packet-t38-template.c
+index f4c8b2582e4..fe894b3a3e5 100644
+--- a/epan/dissectors/asn1/t38/packet-t38-template.c
++++ b/epan/dissectors/asn1/t38/packet-t38-template.c
+@@ -321,8 +321,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id)
+ last_fd=fd_i;
+ }
+
+- data = (guint8 *) wmem_alloc(pinfo->pool, size);
++ data = (guint8 *) g_malloc(size);
+ fd_head->tvb_data = tvb_new_real_data(data, size, size);
++ tvb_set_free_cb(fd_head->tvb_data, g_free);
+ fd_head->len = size; /* record size for caller */
+
+ /* add all data fragments */
+diff --git a/epan/dissectors/packet-t38.c b/epan/dissectors/packet-t38.c
+index 337b7d22c63..892de72c074 100644
+--- a/epan/dissectors/packet-t38.c
++++ b/epan/dissectors/packet-t38.c
+@@ -366,8 +366,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id)
+ last_fd=fd_i;
+ }
+
+- data = (guint8 *) wmem_alloc(pinfo->pool, size);
++ data = (guint8 *) g_malloc(size);
+ fd_head->tvb_data = tvb_new_real_data(data, size, size);
++ tvb_set_free_cb(fd_head->tvb_data, g_free);
+ fd_head->len = size; /* record size for caller */
+
+ /* add all data fragments */
+--
+GitLab
+
diff --git a/wireshark.spec b/wireshark.spec
index d8cfac9..0a048f6 100644
--- a/wireshark.spec
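Review bot: The new `data = (guint8 *) g_malloc(size);` line in `force_reassemble_seq` has no comment saying why this buffer is deliberately not pool-allocated; the reason (the reassembled data outlives the frame) is recorded only in the commit message. A short comment above it, e.g. `/* Not pinfo->pool: tvb_data outlives the frame; freed by the tvb free callback */`, would keep a later cleanup from moving the allocation back to `wmem_alloc(pinfo->pool, ...)`, which would presumably leave `fd_head->tvb_data` pointing at released memory again. The same applies to the identical hunk in `epan/dissectors/packet-t38.c`. The function begins and ends outside both hunks, so how `size` is computed is not visible here.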
+++ b/wireshark.spec
@@ -4,7 +4,7 @@
 Summary: Network traffic analyzer
 Name: wireshark
 Version: 4.0.10
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPL+
 Url: http://www.wireshark.org/
@@ -16,6 +16,7 @@ Patch0001: CVE-2023-6174.patch
 Patch0002: CVE-2023-6175.patch
 Patch0003: CVE-2024-0208.patch
 Patch0004: CVE-2024-0209.patch
+Patch0005: CVE-2024-2955.patch
 Patch3000: wireshark-0002-Customize-permission-denied-error.patch
 Patch3001: wireshark-0003-fix-string-overrun-in-plugins-profinet.patch
 Patch3002: wireshark-0004-Restore-Fedora-specific-groups.patch
@@ -208,6 +209,9 @@ fi
 %{_libdir}/pkgconfig/%{name}.pc
 %changelog
+* Mon Apr 01 2024 Miaojun Dong - 4.0.10-5
+- Fix CVE-2024-2955
+
 * Tue Jan 30 2024 Miaojun Dong - 4.0.10-4
 - Fix CVE-2024-0208
 - Fix CVE-2024-0209
--
Gitee
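Review bot: `Patch0005: CVE-2024-2955.patch` is only declared in the second hunk; nothing in the visible hunks applies it, and the `%prep` section lies outside them. If this spec applies patches with explicit `%patch` lines rather than `%autosetup -p1` or `%autopatch`, a matching `%patch -P5 -p1` line is needed as well. Without it, release 4.0.10-5 would carry a changelog entry claiming the fix while the t38 change is never compiled in. Checking the build log for the patch being applied would confirm it.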