Bug 12962

Summary: wireshark new releases 1.8.13 and 1.10.6 fix security issues
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marc.lattemann, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/590188/
Whiteboard: MGA3TOO has_procedure advisory MGA4-64-OK MGA3-32-OK MGA3-64-OK MGA4-32-OK
Source RPM: wireshark-1.10.5-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-03-08 06:58:25 CET 
Upstream has issued new versions on March 7:
http://www.wireshark.org/news/20140307.html

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory (Mageia 3):
========================

Updated wireshark packages fix security vulnerabilities:

The NFS dissector could crash (CVE-2014-2281).

The RLC dissector could crash (CVE-2014-2283).

The MPEG file parser could overflow a buffer (CVE-2014-2299).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2299
https://www.wireshark.org/security/wnpa-sec-2014-01.html
https://www.wireshark.org/security/wnpa-sec-2014-03.html
https://www.wireshark.org/security/wnpa-sec-2014-04.html
http://www.wireshark.org/docs/relnotes/wireshark-1.8.13.html
http://www.wireshark.org/news/20140307.html
========================

Updated packages in core/updates_testing:
========================
wireshark-1.8.13-1.mga3
libwireshark2-1.8.13-1.mga3
libwireshark-devel-1.8.13-1.mga3
wireshark-tools-1.8.13-1.mga3
tshark-1.8.13-1.mga3
rawshark-1.8.13-1.mga3
dumpcap-1.8.13-1.mga3

from wireshark-1.8.13-1.mga3.src.rpm


Advisory (Mageia 4):
========================

Updated wireshark packages fix security vulnerabilities:

The NFS dissector could crash (CVE-2014-2281).

The M3UA dissector could crash (CVE-2014-2282).

The RLC dissector could crash (CVE-2014-2283).

The MPEG file parser could overflow a buffer (CVE-2014-2299).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2299
https://www.wireshark.org/security/wnpa-sec-2014-01.html
https://www.wireshark.org/security/wnpa-sec-2014-02.html
https://www.wireshark.org/security/wnpa-sec-2014-03.html
https://www.wireshark.org/security/wnpa-sec-2014-04.html
http://www.wireshark.org/docs/relnotes/wireshark-1.10.6.html
http://www.wireshark.org/news/20140307.html
========================

Updated packages in core/updates_testing:
========================
wireshark-1.10.6-1.mga4
libwireshark3-1.10.6-1.mga4
libwiretap3-1.10.6-1.mga4
libwsutil3-1.10.6-1.mga4
libwireshark-devel-1.10.6-1.mga4
wireshark-tools-1.10.6-1.mga4
tshark-1.10.6-1.mga4
rawshark-1.10.6-1.mga4
dumpcap-1.10.6-1.mga4

from wireshark-1.10.6-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-03-08 06:58:31 CET

Whiteboard: (none) => MGA3TOO

Comment 1 Marc Lattemann 2014-03-08 13:28:43 CET 
poc for CVE-2014-2281:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9672

poc for CVE-2014-2283:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9730

poc for CVE-2014-2299:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843

CC: (none) => marc.lattemann

Comment 2 Marc Lattemann 2014-03-08 13:57:29 CET 
testing on MGA4 64bit:

after activating of update_testing repos and run urpmi wireshark, 
the dependencies  dumpcap, lib64wireshark3, ib64wiretap3 and lib64wsutil3 will not be updated...

e.g.
[root@localhost marc]# rpm -qa | grep wireshark
wireshark-1.10.6-1.mga4
lib64wireshark3-1.10.5-1.mga4
[root@localhost marc]#

sample file for CVE-2014-2281 and CVE-2014-2299 are causing segmentation fault until dependencies are updated manually as well... After new installation of wireshark (with all dependencies) from update_testing repos) fixed both bugs.

Did I made a mistake here?


Furthermore I don't know how to get CVE-2014-2283 to work. Never got same messages like in the linked bugreport... (same result prior and after update). But I think that I'm doing something wrong, since I don't get tshark/dumpcap running without being root

Whiteboard: MGA3TOO => MGA3TOO has_procedure feedback

Comment 3 Thomas Backlund 2014-03-08 14:05:58 CET 
(In reply to Marc Lattemann from comment #2)
> testing on MGA4 64bit:
> 
> after activating of update_testing repos and run urpmi wireshark, 
> the dependencies  dumpcap, lib64wireshark3, ib64wiretap3 and lib64wsutil3
> will not be updated...
> 
> e.g.
> [root@localhost marc]# rpm -qa | grep wireshark
> wireshark-1.10.6-1.mga4
> lib64wireshark3-1.10.5-1.mga4
> [root@localhost marc]#
> 
> sample file for CVE-2014-2281 and CVE-2014-2299 are causing segmentation
> fault until dependencies are updated manually as well... After new
> installation of wireshark (with all dependencies) from update_testing repos)
> fixed both bugs.
> 
> Did I made a mistake here?
>

Nope, when using the updates_testing packages you usually need to manually select the deps as you dont have it as an "update" repo.

when it ends up in updates, urpmi and  update applet will update all the packages ...

This is actually something I think we should improve in packaging, as it will be needed to be able to do cherrypicking of backports

CC: (none) => tmb
Whiteboard: MGA3TOO has_procedure feedback => MGA3TOO has_procedure

Comment 4 Marc Lattemann 2014-03-08 15:00:12 CET 
(In reply to Thomas Backlund from comment #3)

> Nope, when using the updates_testing packages you usually need to manually
> select the deps as you dont have it as an "update" repo.

Thanks for the info, Thomas


(In reply to Marc Lattemann from comment #2)

> Furthermore I don't know how to get CVE-2014-2283 to work. Never got same
> messages like in the linked bugreport... (same result prior and after
> update). But I think that I'm doing something wrong, since I don't get
> tshark/dumpcap running without being root

Ok- got it working as usual user, however, can't reproduce bug. Since no regression after updating packages and update will fix other bugs, I put tested tag for mga4 64bit to whiteboard. Please feel free to remove since someone will test-procedure for CVE-2014-2283.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-OK

Comment 5 Marc Lattemann 2014-03-08 18:23:56 CET 
same result in mga3 32bit:

CVE-2014-2281 and CVE-2014-2299 could be reproduced in old version and are solved after upgrade.
CVE-2014-2283 could not be reproduced, but basic wireshark functions are tested and no regression detected.

Whiteboard: MGA3TOO has_procedure mga4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-32-OK

Comment 6 Marc Lattemann 2014-03-08 18:41:02 CET 
tested successfully on MGA3 64bit

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA3-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-32-OK MGA3-64-OK

Comment 7 Marc Lattemann 2014-03-08 19:00:29 CET 
tested successfully on MGA4 32bit

after Advisory from Comment #0 is uploaded, update can be validated and pushed to core_udpates

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-32-OK MGA3-64-OK MGA4-32-OK

Comment 8 claire robinson 2014-03-08 21:24:09 CET 
Thanks Marc

Separate advisories uploaded for 3 & 4. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2014-03-08 21:24:19 CET

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO has_procedure advisory MGA4-64-OK MGA3-32-OK MGA3-64-OK MGA4-32-OK

Comment 9 Thomas Backlund 2014-03-08 22:47:34 CET 
Mga3 update pushed:
http://advisories.mageia.org/MGASA-2014-0125.html

Mga4 update pushed:
http://advisories.mageia.org/MGASA-2014-0126.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-03-10 18:02:17 CET

URL: (none) => http://lwn.net/Vulnerabilities/590188/

Comment 10 David Walser 2014-03-10 18:04:32 CET 
LWN reference for CVE-2014-2282:
http://lwn.net/Vulnerabilities/590192/