| Summary: | wireshark new release 1.10.10 fixes security issues | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | patr_and, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/613194/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok MGA4-32-OK mga4-64-ok | ||
| Source RPM: | wireshark-1.10.9-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2014-09-17 18:57:11 CEST
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Wireshark

Whiteboard:
(none) =>
MGA3TOO has_procedure

Tested wireshark 1.10.10 1.mga4 on MGA4 i586.

I have this message, only when starting as root, don't know if it's normal:

```
Lua: Error during loading: [string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
```

But all seems ok.

CC:
(none) =>
patr_and
Patrice ANDREANI
2014-09-21 08:12:51 CEST
Whiteboard:
MGA3TOO has_procedure =>
MGA3TOO has_procedure MGA4-32-OK

We need to alter the procedure on the wiki. It used to be true that you would start wireshark as root but since mga2 or 3 you now add the wireshark group to your user.

There are some PoCs for this, normally there are for wireshark actually. Check the wireshark links, they link to bug reports with pcap files.

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9920
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10333
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10370
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10381
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10454
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10461

Testing mga4 64

Before
------

```
$ wget http://www.wireshark.org/download/automated/captures/fuzz-2014-03-22-14025.pcap
$ tshark -nr fuzz-2014-03-22-14025.pcap
<snip>
2412 131.343625000  10.0.131.10 -> 10.0.131.72  IPv4 214 Fragmented IP protocol (proto=UDP 17, off=624, ID=01b7)
2413 131.362951000  10.0.131.72 -> 10.0.131.10  RTP 214 PT=ITU-T G.711 PCMA, SSRC=0xBD27F00E, Seq=432, Time=1208800
2414 131.364119000  10.0.131.10 -> 10.0.131.72  RTP 214 PT=ITU-T G.711 PCMA, SSRC=0xDEAD0019, Seq=4536, Time=268505856
2415 131.380550000  10.0.131.72 -> 10.0.131.10  RTP 214 PT=ITU-T G.711 PCMA, SSRC=0xBD27F00E, Seq=433, Time=1208960
2416 131.383647000  10.0.131.10 -> 10.0.131.72  RTP 214 PT=ITU-T G.711 PCMA, SSRC=0xDEAD0019, Seq=4537, Time=268506016
Segmentation fault
```

```
$ wget http://www.wireshark.org/download/automated/captures/fuzz-2014-08-01-15014.pcap
$ tshark -nr fuzz-2014-08-01-15014.pcap
$ wireshark fuzz-2014-08-01-15014.pcap
```

No ill effects in tshark or wireshark.

```
$ wget https://www.wireshark.org/download/automated/captures/fuzz-2014-08-11-32641.pcap
$ tshark -nr fuzz-2014-08-11-32641.pcap
$ wireshark fuzz-2014-08-11-32641.pcap
```

No ill effects in tshark or wireshark.

```
$ wget https://www.wireshark.org/download/automated/captures/fuzz-2014-08-14-9469.pcap
$ wireshark fuzz-2014-08-14-9469.pcap
$ tshark -nr fuzz-2014-08-14-9469.pcap
```

No ill effects in tshark or wireshark.

```
$ wget https://www.wireshark.org/download/automated/captures/fuzz-2014-09-07-19671.pcap
$ tshark -nr fuzz-2014-09-07-19671.pcap
$ wireshark fuzz-2014-09-07-19671.pcap
```

No ill effects in tshark or wireshark.

```
$ wget -O ngsniffer_noklee.c https://bugs.wireshark.org/bugzilla/attachment.cgi?id=13049
$ gcc -g -DRANDOM ngsniffer_noklee.c
$ valgrind ./a.out
==22446== Memcheck, a memory error detector
==22446== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==22446== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==22446== Command: ./a.out
==22446==
==22446== Source and destination overlap in memcpy(0x51f7654, 0x51f7633, 71)
==22446==    at 0x4C2A693: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==22446==    by 0x400AB8: SnifferDecompress (ngsniffer_noklee.c:187)
==22446==    by 0x400C57: main (ngsniffer_noklee.c:250)
==22446==
==22446== Source and destination overlap in memcpy(0x51f6e62, 0x51f6e5f, 14)
==22446==    at 0x4C2A693: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==22446==    by 0x400B62: SnifferDecompress (ngsniffer_noklee.c:216)
==22446==    by 0x400C57: main (ngsniffer_noklee.c:250)
<ctrl-c>
```

Testing complete mga4 64

After
-----

Confirmed the segfault is now cleared and no regressions with the other testcases.

```
$ rm -f a.out
$ gcc -g -DRANDOM ngsniffer_noklee.c
$ valgrind ./a.out
```

With the last one valgrind showed similar output before and after, but no sign of the 'invalid write'.

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10461

Whiteboard:
MGA3TOO has_procedure MGA4-32-OK =>
MGA3TOO has_procedure MGA4-32-OK mga4-64-ok

Seems it just needed to be left to run for a while longer. With the updates still installed I do see the Invalid write after a couple of minutes run time.

```
<snip>
==31050== Invalid write of size 1
==31050==    at 0x400880: SnifferDecompress (ngsniffer_noklee.c:90)
==31050==    by 0x400C57: main (ngsniffer_noklee.c:250)
==31050==  Address 0x5205080 is 0 bytes after a block of size 65,536 alloc'd
==31050==    at 0x4C266ED: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31050==    by 0x400BD0: main (ngsniffer_noklee.c:241)
```

Same for mga3 64 too. Should this be corrected in this update, perhaps a bad reference?

Testing complete mga3 64 (assuming the Invalid write is OK)

Same output as mga4 64.

Whiteboard:
MGA3TOO has_procedure MGA4-32-OK mga4-64-ok =>
MGA3TOO has_procedure mga3-64-ok MGA4-32-OK mga4-64-ok

Testing complete mga3 32

Confirmed the memory errors still exist here too. All else is Ok though.

```
$ valgrind ./a.out
==4427== Memcheck, a memory error detector
==4427== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==4427== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==4427== Command: ./a.out
==4427==
==4427== Source and destination overlap in memcpy(0x421f363, 0x421f288, 224)
==4427==    at 0x402AE41: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==4427==    by 0x80487B5: SnifferDecompress (ngsniffer_noklee.c:187)
==4427==    by 0x8048955: main (ngsniffer_noklee.c:250)
==4427==
==4427== Source and destination overlap in memcpy(0x421fa80, 0x421fa78, 15)
==4427==    at 0x402AE41: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==4427==    by 0x8048843: SnifferDecompress (ngsniffer_noklee.c:216)
==4427==    by 0x8048955: main (ngsniffer_noklee.c:250)
==4427==
==4427== Invalid write of size 1
==4427==    at 0x80485BE: SnifferDecompress (ngsniffer_noklee.c:90)
==4427==    by 0x8048955: main (ngsniffer_noklee.c:250)
==4427==  Address 0x4223058 is 0 bytes after a block of size 65,536 alloc'd
==4427==    at 0x4029344: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==4427==    by 0x80488AF: main (ngsniffer_noklee.c:241)
```

Whiteboard:
MGA3TOO has_procedure mga3-64-ok MGA4-32-OK mga4-64-ok =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK mga4-64-ok

Confirmed these memory errors are expected as it's not actually using wireshark code from our package so doesn't change with the update installed.

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0386.html

Status:
NEW =>
RESOLVED
David Walser
2014-09-25 21:17:27 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/613194/
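
The before/after `tshark -nr` runs in the thread above can be made mechanical by classifying each run's exit status instead of watching for "Segmentation fault" on the terminal. This is an added example, not part of the original report or of the Mageia QA procedure; the `TSHARK` variable and the function names `run_capture` and `run_all` are introduced here for illustration.

```shell
#!/bin/sh
# Added example: replay capture files through tshark and classify each run.
# TSHARK is an assumed override hook; it defaults to the installed tshark.
TSHARK="${TSHARK:-tshark}"

# run_capture FILE
# Prints "ok", "crash:<signal>" or "error:<status>" for one capture.
run_capture() {
    status=0
    # "|| status=$?" keeps the function usable under "set -e".
    "$TSHARK" -nr "$1" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        # The shell reports death by signal as 128 + signal number,
        # so a segmentation fault (SIGSEGV, 11 on Linux) shows up as 139.
        echo "crash:$((status - 128))"
    else
        echo "error:$status"
    fi
}

# run_all FILE...
# Prints one "<file> <result>" line per capture; returns 1 if any run crashed.
run_all() {
    rc=0
    for f in "$@"; do
        result=$(run_capture "$f")
        echo "$f $result"
        case "$result" in
            crash:*) rc=1 ;;
        esac
    done
    return "$rc"
}

# Run directly: sh check_captures.sh fuzz-*.pcap
if [ "$#" -gt 0 ]; then
    run_all "$@"
fi
```

Saving the output once with the old package installed and once with the update gives two files that can be compared with `diff`.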