Version in base suite: 4.0.17-0+deb12u1 Version in overlay suite: 4.0.17-0+deb12u2 Base version: wireshark_4.0.17-0+deb12u2 Target version: wireshark_4.0.17-0+deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/w/wireshark/wireshark_4.0.17-0+deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/w/wireshark/wireshark_4.0.17-0+deb12u3.dsc changelog | 9 ++++ patches/CVE-2026-5405.patch | 27 ++++++++++++++ patches/CVE-2026-5653.patch | 83 ++++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-6529.patch | 35 ++++++++++++++++++ patches/CVE-2026-6530.patch | 23 ++++++++++++ patches/series | 4 ++ 6 files changed, 181 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp7mkl3qxs/wireshark_4.0.17-0+deb12u2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp7mkl3qxs/wireshark_4.0.17-0+deb12u3.dsc: no acceptable signature found
diff -Nru wireshark-4.0.17/debian/changelog wireshark-4.0.17/debian/changelog
--- wireshark-4.0.17/debian/changelog 2026-01-28 12:22:40.000000000 +0000
+++ wireshark-4.0.17/debian/changelog 2026-05-03 15:17:57.000000000 +0000
@@ -1,3 +1,12 @@
+wireshark (4.0.17-0+deb12u3) bookworm-security; urgency=medium
+
+ * CVE-2026-5405
+ * CVE-2026-5653
+ * CVE-2026-6529
+ * CVE-2026-6530
+
+ -- Moritz Mühlenhoff Sun, 03 May 2026 17:17:57 +0200
+
 wireshark (4.0.17-0+deb12u2) bookworm; urgency=medium
 
 * Non-maintainer upload.
diff -Nru wireshark-4.0.17/debian/patches/CVE-2026-5405.patch wireshark-4.0.17/debian/patches/CVE-2026-5405.patch
--- wireshark-4.0.17/debian/patches/CVE-2026-5405.patch 1970-01-01 00:00:00.000000000 +0000
+++ wireshark-4.0.17/debian/patches/CVE-2026-5405.patch 2026-05-03 15:08:56.000000000 +0000
@@ -0,0 +1,27 @@
+From 45eb952b12e95dfe72e0994976d2ec2714fd193a Mon Sep 17 00:00:00 2001
+From: John Thacker
+Date: Mon, 23 Mar 2026 13:02:49 +0000
+Subject: [PATCH] RDP: Check for too long segments on the uncompressed path
+
+--- wireshark-4.0.17.orig/epan/tvbuff_rdp.c
++++ wireshark-4.0.17/epan/tvbuff_rdp.c
+@@ -155,7 +155,8 @@ static const zgfx_token_t ZGFX_MATCH_TAB
+ { 9, 382, 24, 17094304 }, // 101111110
+ };
+
+-
++/* Limits from [MS-RDPEGFX] 3.1.9.1.2 (So failures here are malformed
++ * packets, not limitations of the implementation.) */
+ struct _zgfx_context_t{
+ guint8 historyBuffer[2500000];
+ guint32 historyIndex;
+@@ -334,6 +335,9 @@ rdp8_decompress_segment(zgfx_context_t *
+ len--;
+
+ if (!(flags & ZGX_PACKET_COMPRESSED)) {
++ if (len > 65535) {
++ return false;
++ }
+ tvbuff_t *raw = tvb_new_subset_remaining(tvb, 1);
+ zgfx_write_history_buffer_tvb(zgfx, raw, len);
+ return TRUE;
diff -Nru wireshark-4.0.17/debian/patches/CVE-2026-5653.patch wireshark-4.0.17/debian/patches/CVE-2026-5653.patch
--- wireshark-4.0.17/debian/patches/CVE-2026-5653.patch 1970-01-01 00:00:00.000000000 +0000
+++ wireshark-4.0.17/debian/patches/CVE-2026-5653.patch 2026-05-03 15:12:24.000000000 +0000
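Review bot: The guard added to the uncompressed branch of rdp8_decompress_segment (CVE-2026-5405.patch) returns lowercase `false`, while the next return in the same branch is the glib-style `TRUE`. In this 4.0 backport `return FALSE;` would match the surrounding code and would not depend on `<stdbool.h>` being visible in tvbuff_rdp.c, which the hunk does not show. The literal `65535` is also unexplained where it is used; a short comment such as `/* per-segment limit, [MS-RDPEGFX] 3.1.9.1.2 */` would tie it to the comment added above `struct _zgfx_context_t`. The function continues outside the hunk, so it cannot be seen here whether zgfx_write_history_buffer_tvb bounds the copy against `historyBuffer` on its own.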
@@ -0,0 +1,83 @@
+From 96c437e8a4baf098f47e9b22636ab90fe40c2cf2 Mon Sep 17 00:00:00 2001
+From: John Thacker
+Date: Sat, 28 Mar 2026 02:30:04 +0000
+Subject: [PATCH] ETSI DCP: Fix heap buffer overflow
+
+--- wireshark-4.0.17.orig/epan/dissectors/packet-dcp-etsi.c
++++ wireshark-4.0.17/epan/dissectors/packet-dcp-etsi.c
+@@ -228,9 +228,9 @@ dissect_dcp_etsi_heur(tvbuff_t * tvb, pa
+ return TRUE;
+ }
+
+-#define PFT_RS_N_MAX 207
+-#define PFT_RS_K 255
+-#define PFT_RS_P (PFT_RS_K - PFT_RS_N_MAX)
++#define PFT_RS_K_MAX 207
++#define PFT_RS_N 255
++#define PFT_RS_P (PFT_RS_N - PFT_RS_K_MAX)
+
+
+ static
+@@ -253,11 +253,23 @@ gboolean rs_correct_data(guint8 *deinter
+ {
+ guint32 i, index_coded = 0, index_out = 0;
+ int err_corr;
++ /* 7.3.1 Reed Solomon
++ * When the calculated value for k is less than 207 (PFT_RS_K_MAX),
++ * bytes k to 206 (inclusive) encoded by the RS(255,207) code shall
++ * all be zero and shall not be included in the resulting RS Block,
++ * thus producing a RS(k+p,k) code. [I.e., a punctured code.]
++ *
++ * This is a method of decoding it all in place, but it does require
++ * that output have extra space at the end for the parity bytes (PFT_RS_P)
++ * and any extra zeros (PFT_RS_K_MAX - rsk) beyond the real output, or
++ * PFT_RS_N - rsk.
++ */ + for (i=0; i PFT_RS_K_MAX) { ++ return NULL; ++ } + + decoded_size = fcount*plen; + c_max = fcount*plen/(rsk+PFT_RS_P); /* rounded down */ +@@ -367,15 +387,21 @@ dissect_pft_fec_detailed(tvbuff_t * tvb, + const guint8 *input = tvb_get_ptr(new_tvb, 0, -1); + guint32 reassembled_size = tvb_captured_length(new_tvb); + guint8 *deinterleaved = (guint8*) wmem_alloc(pinfo->pool, reassembled_size); +- guint8 *output = (guint8*) wmem_alloc(pinfo->pool, decoded_size); + rs_deinterleave(input, deinterleaved, plen, fcount); + + dtvb = tvb_new_child_real_data(tvb, deinterleaved, reassembled_size, reassembled_size); + add_new_data_source(pinfo, dtvb, "Deinterleaved"); + ++ uint8_t *output = (uint8_t*) wmem_alloc(pinfo->pool, decoded_size + PFT_RS_N - rsk); + decoded = rs_correct_data(deinterleaved, output, c_max, rsk, rsz); + proto_tree_add_boolean (tree, hf_edcp_rs_ok, tvb, offset, 2, decoded); + ++#if 0 ++ /* We don't need to realloc here because it's pinfo->pool memory that ++ * will soon be freed and < 255 bytes of savings. It's a no-op most ++ * likely with the fast block allocator anyway. */ ++ output = wmem_realloc(pinfo->pool, output, decoded_size); ++#endif + new_tvb = tvb_new_child_real_data(dtvb, output, decoded_size, decoded_size); + add_new_data_source(pinfo, new_tvb, "RS Error Corrected Data"); + } diff -Nru wireshark-4.0.17/debian/patches/CVE-2026-6529.patch wireshark-4.0.17/debian/patches/CVE-2026-6529.patch --- wireshark-4.0.17/debian/patches/CVE-2026-6529.patch 1970-01-01 00:00:00.000000000 +0000 +++ wireshark-4.0.17/debian/patches/CVE-2026-6529.patch 2026-05-03 15:15:55.000000000 +0000 
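Review bot: The new allocation `wmem_alloc(pinfo->pool, decoded_size + PFT_RS_N - rsk)` in dissect_pft_fec_detailed (CVE-2026-5653.patch) has no comment saying why the slack is there. The requirement it satisfies is documented only inside rs_correct_data, and the two sites have to stay in step for the overflow fix to hold. I would add above the allocation `/* rs_correct_data() decodes in place and needs PFT_RS_N - rsk bytes of slack after decoded_size */`. The `#if 0` realloc block just below is dead code; its explanation could stay as a plain comment without the disabled call. Part of this hunk is not legible on this page (the rs_correct_data loop and the left side of the `> PFT_RS_K_MAX` check), so the bound on `rsk` could not be reviewed here.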
@@ -0,0 +1,35 @@
+From 78ccbcb6affb7d1e46d8c65e9c4f165ec0f07060 Mon Sep 17 00:00:00 2001
+From: John Thacker
+Date: Fri, 3 Apr 2026 13:33:52 +0000
+Subject: [PATCH] iLBC codec: Report proper decoded length in multiframe case
+
+--- wireshark-4.0.17.orig/plugins/codecs/iLBC/iLBCdecode.c
++++ wireshark-4.0.17/plugins/codecs/iLBC/iLBCdecode.c
+@@ -77,16 +77,24 @@ codec_iLBC_decode(void *ctx, const void
+ #endif
+ int16_t *dataOut = (int16_t *)outputSamples;
+ ilbc_ctx_t *dataCtx = (ilbc_ctx_t *)ctx;
+- size_t outputSamplesCount;
++ size_t outputSamplesCount, outputFramesCount;
+
+ if (!outputSamples || !outputSamplesSize)
+ {
++ /* XXX - If the payload size is a multiple of 950 (the GCM of the
++ * 20 ms and 30 ms payload lengths), we don't know which variant it
++ * is and the iLBC library doesn't seem to autodetect but uses what
++ * we initialize as. RFC 3952 3.2 is of no help here, suggesting
++ * only this algorithm.
++ * Do we need a codec preference? */
+ if (0 == inputBytesSize%ILBC_PAYLOAD_LEN_20MS) {
+ /* 20ms packet size = 160 samples = 320 bytes */
+- return BLOCKL_20MS*SAMPLE_SIZE;
++ outputFramesCount = inputBytesSize / ILBC_PAYLOAD_LEN_20MS;
++ return outputFramesCount*BLOCKL_20MS*SAMPLE_SIZE;
+ } else if (0 == inputBytesSize%ILBC_PAYLOAD_LEN_30MS) {
+ /* 30ms packet size = 240 samples = 480 bytes */
+- return BLOCKL_30MS*SAMPLE_SIZE;
++ outputFramesCount = inputBytesSize / ILBC_PAYLOAD_LEN_30MS;
++ return outputFramesCount*BLOCKL_30MS*SAMPLE_SIZE;
+ } else {
+ /* unknown packet size */
+ return 0;
diff -Nru wireshark-4.0.17/debian/patches/CVE-2026-6530.patch wireshark-4.0.17/debian/patches/CVE-2026-6530.patch
--- wireshark-4.0.17/debian/patches/CVE-2026-6530.patch 1970-01-01 00:00:00.000000000 +0000
+++ wireshark-4.0.17/debian/patches/CVE-2026-6530.patch 2026-05-03 15:17:44.000000000 +0000
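Review bot: For a payload length divisible by both frame sizes, the size query in codec_iLBC_decode (CVE-2026-6529.patch) still answers from the 20 ms branch, because that test comes first; the new XXX comment acknowledges the ambiguity but the code does not guard against it. The decode path is outside this hunk. If it follows the mode the context was initialised with, a 30 ms stream could produce more bytes than this query reported, so returning the larger of the two candidate sizes in the ambiguous case would be the conservative choice for whoever sizes the output buffer. In the same comment "GCM" should read "LCM": 950 is the least common multiple of the two payload lengths.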
@@ -0,0 +1,23 @@
+From cea357ad0501b8d4ab281716564833999308142f Mon Sep 17 00:00:00 2001
+From: John Thacker
+Date: Fri, 3 Apr 2026 07:03:40 -0400
+Subject: [PATCH] DCP ETSI: Check that all fragments are the same size with R-S
+
+--- wireshark-4.0.17.orig/epan/dissectors/packet-dcp-etsi.c
++++ wireshark-4.0.17/epan/dissectors/packet-dcp-etsi.c
+@@ -384,8 +384,14 @@ dissect_pft_fec_detailed(tvbuff_t * tvb,
+ if(new_tvb && tvb_captured_length(new_tvb) > 0) {
+ gboolean decoded;
+ tvbuff_t *dtvb = NULL;
+- const guint8 *input = tvb_get_ptr(new_tvb, 0, -1);
+ guint32 reassembled_size = tvb_captured_length(new_tvb);
++ /* "Note that when Reed Solomon has been used, all fragments will
++ * be of length s" [i.e., plen]" */
++ if (reassembled_size != fcount * plen) {
++ proto_tree_add_expert_format(tree, pinfo, &ei_edcp_reassembly, new_tvb, 0, -1, "[All fragments must be the same size when Reed Solomon is used]");
++ return NULL;
++ }
++ const uint8_t *input = tvb_get_ptr(new_tvb, 0, reassembled_size);
+ guint8 *deinterleaved = (guint8*) wmem_alloc(pinfo->pool, reassembled_size);
+ rs_deinterleave(input, deinterleaved, plen, fcount);
+
diff -Nru wireshark-4.0.17/debian/patches/series wireshark-4.0.17/debian/patches/series
--- wireshark-4.0.17/debian/patches/series 2026-01-28 12:22:40.000000000 +0000
+++ wireshark-4.0.17/debian/patches/series 2026-05-03 15:17:23.000000000 +0000
@@ -11,3 +11,7 @@
 CVE-2025-13946.patch
 CVE-2026-0960.patch
 CVE-2025-1492.patch
+CVE-2026-5405.patch
+CVE-2026-5653.patch
+CVE-2026-6529.patch
+CVE-2026-6530.patch
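Review bot: The new equality test `reassembled_size != fcount * plen` in dissect_pft_fec_detailed (CVE-2026-6530.patch) multiplies two values that presumably come from the PFT header, and their types are not visible in this hunk. If the product is evaluated in 32 bits it can wrap, and the check would then compare the buffer length against a truncated value while rs_deinterleave is still handed the original `plen` and `fcount`. Widening the multiplication removes the doubt: `if ((uint64_t)fcount * plen != reassembled_size) {`. The same product is assigned to `decoded_size` in the CVE-2026-5653 patch and would deserve the same treatment. The function starts and ends outside the hunk.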