Bug 10471

Summary:	wireshark new releases 1.6.16 and 1.8.8 fix security issues
Product:	Mageia	Reporter:	Oden Eriksson <oe>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	luigiwalser, martynvidler, rverschelde, sysadmin-bugs
Version:	3	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/554059/
Whiteboard:	MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok MGA3-64-ok
Source RPM:	wireshark	CVE:
Status comment:

Description Oden Eriksson 2013-06-10 09:43:27 CEST

======================================================
Name: CVE-2013-4074
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4074
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-capwap.c?r1=43716&r2=43715&pathrev=43716
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=43716
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.6.16.html
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-32.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8725

The dissect_capwap_data function in epan/dissectors/packet-capwap.c in
the CAPWAP dissector in Wireshark 1.6.x before 1.6.16 and 1.8.x before
1.8.8 incorrectly uses a -1 data value to represent an error
condition, which allows remote attackers to cause a denial of service
(application crash) via a crafted packet.



======================================================
Name: CVE-2013-4075
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4075
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-gmr1_bcch.c?r1=44674&r2=44673&pathrev=44674
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=44674
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-33.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7664
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8726

epan/dissectors/packet-gmr1_bcch.c in the GMR-1 BCCH dissector in
Wireshark 1.8.x before 1.8.8 does not properly initialize memory,
which allows remote attackers to cause a denial of service
(application crash) via a crafted packet.



======================================================
Name: CVE-2013-4076
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4076
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ppp.c?r1=46128&r2=46127&pathrev=46128
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=46128
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-34.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7880
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8727

Buffer overflow in the dissect_iphc_crtp_fh function in
epan/dissectors/packet-ppp.c in the PPP dissector in Wireshark 1.8.x
before 1.8.8 allows remote attackers to cause a denial of service
(application crash) via a crafted packet.



======================================================
Name: CVE-2013-4077
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4077
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49418
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-35.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8697

Array index error in the NBAP dissector in Wireshark 1.8.x before
1.8.8 allows remote attackers to cause a denial of service
(application crash) via a crafted packet, related to nbap.cnf and
packet-nbap.c.



======================================================
Name: CVE-2013-4078
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4078
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=45566
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=46158
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-36.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7862
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8729

epan/dissectors/packet-rdp.c in the RDP dissector in Wireshark 1.8.x
before 1.8.8 does not validate return values during checks for data
availability, which allows remote attackers to cause a denial of
service (application crash) via a crafted packet.



======================================================
Name: CVE-2013-4079
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4079
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-gsm_cbch.c?r1=49686&r2=49685&pathrev=49686
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49686
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-37.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8730

The dissect_schedule_message function in
epan/dissectors/packet-gsm_cbch.c in the GSM CBCH dissector in
Wireshark 1.8.x before 1.8.8 allows remote attackers to cause a denial
of service (infinite loop and application hang) via a crafted packet.



======================================================
Name: CVE-2013-4080
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4080
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-assa_r3.c?r1=49744&r2=49743&pathrev=49744
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49744
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-38.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8764

The dissect_r3_upstreamcommand_queryconfig function in
epan/dissectors/packet-assa_r3.c in the Assa Abloy R3 dissector in
Wireshark 1.8.x before 1.8.8 does not properly handle a zero-length
item, which allows remote attackers to cause a denial of service
(infinite loop, and CPU and memory consumption) via a crafted packet.



======================================================
Name: CVE-2013-4081
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4081
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-http.c?r1=49623&r2=49622&pathrev=49623
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49623
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.6.16.html
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-39.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8733

The http_payload_subdissector function in
epan/dissectors/packet-http.c in the HTTP dissector in Wireshark 1.6.x
before 1.6.16 and 1.8.x before 1.8.8 does not properly determine when
to use a recursive approach, which allows remote attackers to cause a
denial of service (stack consumption) via a crafted packet.



======================================================
Name: CVE-2013-4082
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4082
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/wiretap/vwr.c?r1=49739&r2=49738&pathrev=49739
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49739
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-40.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8760

The vwr_read function in wiretap/vwr.c in Ixia IxVeriWave file parser
in Wireshark 1.8.x before 1.8.8 does not validate the relationship
between a record length and a trailer length, which allows remote
attackers to cause a denial of service (heap-based buffer overflow and
application crash) via a crafted packet.



======================================================
Name: CVE-2013-4083
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4083
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-dcp-etsi.c?r1=49802&r2=49801&pathrev=49802
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49802
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.6.16.html
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-41.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8717

The dissect_pft function in epan/dissectors/packet-dcp-etsi.c in the
DCP ETSI dissector in Wireshark 1.6.x before 1.6.16, 1.8.x before
1.8.8, and 1.10.0 does not validate a certain fragment length value,
which allows remote attackers to cause a denial of service
(application crash) via a crafted packet.



Reproducible: 

Steps to Reproduce:

Comment 1 Oden Eriksson 2013-06-10 14:46:08 CEST

New versions has been uploaded for all.

Comment 2 David Walser 2013-06-11 18:41:50 CEST

Packages built:
wireshark-1.6.16-1.mga2
libwireshark1-1.6.16-1.mga2
libwireshark-devel-1.6.16-1.mga2
wireshark-tools-1.6.16-1.mga2
tshark-1.6.16-1.mga2
rawshark-1.6.16-1.mga2
dumpcap-1.6.16-1.mga2
wireshark-1.8.8-1.mga3
libwireshark2-1.8.8-1.mga3
libwireshark-devel-1.8.8-1.mga3
wireshark-tools-1.8.8-1.mga3
tshark-1.8.8-1.mga3
rawshark-1.8.8-1.mga3
dumpcap-1.8.8-1.mga3

from SRPMS:
wireshark-1.6.16-1.mga2.src.rpm
wireshark-1.8.8-1.mga3.src.rpm

CC: (none) => luigiwalser

Comment 3 David Walser 2013-06-11 18:44:03 CEST

Upstream announcement from June 7:
http://www.wireshark.org/news/20130607.html

This hasn't yet been fixed in Cauldron, so waiting on that before pushing to QA.

Comment 4 David Walser 2013-06-12 14:21:29 CEST

Mandriva has issued an advisory for this today (June 12):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:172/

David Walser 2013-06-12 23:08:39 CEST

URL: (none) => http://lwn.net/Vulnerabilities/554059/

Comment 5 David Walser 2013-06-16 17:58:57 CEST

Updated packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Assigning to QA.

Advisory (Mageia 2):
========================

Updated wireshark packages fix security vulnerabilities:

The CAPWAP dissector could crash (CVE-2013-4074).

The HTTP dissector could overrun the stack (CVE-2013-4081).

The DCP ETSI dissector could crash (CVE-2013-4083).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4074
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4083
http://www.wireshark.org/security/wnpa-sec-2013-32.html
http://www.wireshark.org/security/wnpa-sec-2013-39.html
http://www.wireshark.org/security/wnpa-sec-2013-41.html
http://www.wireshark.org/docs/relnotes/wireshark-1.6.16.html
http://www.wireshark.org/news/20130607.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:172/
========================

Updated packages in core/updates_testing:
========================
wireshark-1.6.16-1.mga2
libwireshark1-1.6.16-1.mga2
libwireshark-devel-1.6.16-1.mga2
wireshark-tools-1.6.16-1.mga2
tshark-1.6.16-1.mga2
rawshark-1.6.16-1.mga2
dumpcap-1.6.16-1.mga2

from wireshark-1.6.16-1.mga2.src.rpm


Advisory (Mageia 3):
========================

Updated wireshark packages fix security vulnerability:

The CAPWAP dissector could crash (CVE-2013-4074).

The GMR-1 BCCH dissector could crash (CVE-2013-4075).

The PPP dissector could crash (CVE-2013-4076).

The NBAP dissector could crash (CVE-2013-4077).

The RDP dissector could crash (CVE-2013-4078).

The GSM CBCH dissector could crash (CVE-2013-4079).

The Assa Abloy R3 dissector could consume excessive memory and CPU
(CVE-2013-4080).

The HTTP dissector could overrun the stack (CVE-2013-4081).

The Ixia IxVeriWave file parser could overflow the heap (CVE-2013-4082).

The DCP ETSI dissector could crash (CVE-2013-4083).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4074
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4083
http://www.wireshark.org/security/wnpa-sec-2013-32.html
http://www.wireshark.org/security/wnpa-sec-2013-33.html
http://www.wireshark.org/security/wnpa-sec-2013-34.html
http://www.wireshark.org/security/wnpa-sec-2013-35.html
http://www.wireshark.org/security/wnpa-sec-2013-36.html
http://www.wireshark.org/security/wnpa-sec-2013-37.html
http://www.wireshark.org/security/wnpa-sec-2013-38.html
http://www.wireshark.org/security/wnpa-sec-2013-39.html
http://www.wireshark.org/security/wnpa-sec-2013-40.html
http://www.wireshark.org/security/wnpa-sec-2013-41.html
http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
http://www.wireshark.org/news/20130607.html
========================

Updated packages in core/updates_testing:
========================
wireshark-1.8.8-1.mga3
libwireshark2-1.8.8-1.mga3
libwireshark-devel-1.8.8-1.mga3
wireshark-tools-1.8.8-1.mga3
tshark-1.8.8-1.mga3
rawshark-1.8.8-1.mga3
dumpcap-1.8.8-1.mga3

from wireshark-1.8.8-1.mga3.src.rpm

Assignee: bugsquad => qa-bugs
Summary: Multiple vulnerabilities in wireshark => wireshark new releases 1.6.16 and 1.8.8 fix security issues

Comment 6 David Walser 2013-06-18 18:48:29 CEST

Debian has issued an advisory for this on June 17:
http://www.debian.org/security/2013/dsa-2709

from http://lwn.net/Vulnerabilities/555217/

David Walser 2013-06-20 21:53:51 CEST

Version: 2 => 3
Whiteboard: (none) => MGA2TOO

Comment 7 Manuel Hiebel 2013-06-20 22:27:45 CEST

update is ok here

Whiteboard: MGA2TOO => MGA2TOO mga2-64-ok

Comment 8 Rémi Verschelde 2013-06-23 14:26:45 CEST

Testing complete on mga3 i586, following https://wiki.mageia.org/en/QA_procedure:Wireshark

CC: (none) => remi
Whiteboard: MGA2TOO mga2-64-ok => MGA2TOO mga2-64-ok mga3-32-ok

Comment 9 Rémi Verschelde 2013-06-23 14:47:41 CEST

Testing complete on mga2 i586 (VM).

Whiteboard: MGA2TOO mga2-64-ok mga3-32-ok => MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok

Comment 10 martyn vidler 2013-06-23 19:49:05 CEST

Tested MGA3 64

Completed test as https://wiki.mageia.org/en/QA_procedure:Wireshark

CC: (none) => martynvidler
Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok => MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok MGA3-64-ok

Comment 11 Rémi Verschelde 2013-06-23 19:57:17 CEST

Validating the update candidate then.

--

Please push this update from Mageia 2 and Mageia 3. The advisory and list of RPMs/SRPM is in comment 5.

Keywords: (none) => validated_update
Assignee: qa-bugs => sysadmin-bugs
CC: (none) => sysadmin-bugs

Comment 12 Manuel Hiebel 2013-06-23 22:20:46 CEST

(btw we keep bugs assigned to the qa)

Assignee: sysadmin-bugs => qa-bugs

Comment 13 claire robinson 2013-06-26 09:34:54 CEST

Advisories uploaded

Comment 14 Nicolas Vigier 2013-06-26 20:26:59 CEST

http://advisories.mageia.org/MGASA-2013-0180.html
http://advisories.mageia.org/MGASA-2013-0181.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:05:57 CEST

CC: boklm => (none)