Bug 17848

Summary: wireshark new release 2.0.2 fixes security issues
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, pf, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/678634/
Whiteboard: has_procedure advisory mga5-32-ok mga5-64-ok
Source RPM: wireshark-2.0.1-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-03-01 01:12:36 CET 
Upstream has released new versions on February 26:
https://www.wireshark.org/news/20160226.html

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated wireshark packages fix security vulnerabilities:

ASN.1 BER dissector crash (CVE-2016-2522).

DNP dissector infinite loop (CVE-2016-2523).

X.509AF dissector crash (CVE-2016-2524).

HTTP/2 dissector crash (CVE-2016-2525).

HiQnet dissector crash (CVE-2016-2526).

3GPP TS 32.423 Trace file parser crash (CVE-2016-2527).

LBMC dissector crash (CVE-2016-2528).

iSeries file parser crash (CVE-2016-2529).

RSL dissector crash (CVE-2016-2530, CVE-2016-2531).

LLRP dissector crash (CVE-2016-2532).

The wireshark package has been updated to version 2.0.2, fixing these issues as
well as other dissector crashes, a dissector loop issue, another file parser
crash, and several other bugs.  See the upstream release notes for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2524
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2526
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2532
https://www.wireshark.org/security/wnpa-sec-2016-02.html
https://www.wireshark.org/security/wnpa-sec-2016-03.html
https://www.wireshark.org/security/wnpa-sec-2016-04.html
https://www.wireshark.org/security/wnpa-sec-2016-05.html
https://www.wireshark.org/security/wnpa-sec-2016-06.html
https://www.wireshark.org/security/wnpa-sec-2016-07.html
https://www.wireshark.org/security/wnpa-sec-2016-08.html
https://www.wireshark.org/security/wnpa-sec-2016-09.html
https://www.wireshark.org/security/wnpa-sec-2016-10.html
https://www.wireshark.org/security/wnpa-sec-2016-11.html
https://www.wireshark.org/security/wnpa-sec-2016-12.html
https://www.wireshark.org/security/wnpa-sec-2016-13.html
https://www.wireshark.org/security/wnpa-sec-2016-14.html
https://www.wireshark.org/security/wnpa-sec-2016-15.html
https://www.wireshark.org/security/wnpa-sec-2016-16.html
https://www.wireshark.org/security/wnpa-sec-2016-17.html
https://www.wireshark.org/security/wnpa-sec-2016-18.html
https://www.wireshark.org/docs/relnotes/wireshark-2.0.2.html
https://www.wireshark.org/news/20160226.html
========================

Updated packages in core/updates_testing:
========================
wireshark-2.0.2-1.mga5
libwireshark6-2.0.2-1.mga5
libwiretap5-2.0.2-1.mga5
libwsutil6-2.0.2-1.mga5
libwireshark-devel-2.0.2-1.mga5
wireshark-tools-2.0.2-1.mga5
tshark-2.0.2-1.mga5
rawshark-2.0.2-1.mga5
dumpcap-2.0.2-1.mga5

from wireshark-2.0.2-1.mga5.src.rpm
David Walser 2016-03-01 01:12:50 CET

CC: (none) => pf

Comment 1 William Kenney 2016-03-01 18:22:00 CET 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
wireshark libwireshark6 libwiretap5 libwsutil6 wireshark-tools

default install of wireshark libwireshark6 libwiretap5 libwsutil6 
wireshark-tools

[root@localhost wilcal]# urpmi wireshark
Package wireshark-2.0.1-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libwireshark6
Package libwireshark6-2.0.1-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libwiretap5
Package libwiretap5-2.0.1-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libwsutil6
Package libwsutil6-2.0.1-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi wireshark-tools
Package wireshark-tools-2.0.1-1.mga5.i586 is already installed

Running wireshark as root I can capture and save to a file
(test01.pcapng) traffic on enp0s3. Close wireshark.
Reopen est01.pcapng with wireshark and review the data.

install wireshark libwireshark6 libwiretap5 libwsutil6
wireshark-tools from updates_testing

[root@localhost wilcal]# urpmi wireshark
Package wireshark-2.0.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libwireshark6
Package libwireshark6-2.0.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libwiretap5
Package libwiretap5-2.0.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libwsutil6
Package libwsutil6-2.0.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi wireshark-tools
Package wireshark-tools-2.0.2-1.mga5.i586 is already installed

Running wireshark as root I can capture and save to a new file
(test02.pcapng) traffic on enp0s3. And then reopen the previously
created test01.pcapng and review the data.

CC: (none) => wilcal.int

Comment 2 William Kenney 2016-03-01 18:43:19 CET 
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
wireshark lib64wireshark6 lib64wiretap5 lib64wsutil6 wireshark-tools

default install of wireshark lib64wireshark6 lib64wiretap5 lib64wsutil6 
wireshark-tools

[root@localhost wilcal]# urpmi wireshark
Package wireshark-2.0.1-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wireshark6
Package lib64wireshark6-2.0.1-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wiretap5
Package lib64wiretap5-2.0.1-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wsutil6
Package lib64wsutil6-2.0.1-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi wireshark-tools
Package wireshark-tools-2.0.1-1.mga5.x86_64 is already installed

Running wireshark as root I can capture and save to a file
(test01.pcapng) traffic on enp0s3. Close wireshark.
Reopen est01.pcapng with wireshark and review the data.

install wireshark lib64wireshark6 lib64wiretap5 lib64wsutil6
wireshark-tools from updates_testing

[root@localhost wilcal]# urpmi wireshark
Package wireshark-2.0.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wireshark6
Package lib64wireshark6-2.0.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wiretap5
Package lib64wiretap5-2.0.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wsutil6
Package lib64wsutil6-2.0.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi wireshark-tools
Package wireshark-tools-2.0.2-1.mga5.x86_64 is already installed

Running wireshark as root I can capture and save to a new file
(test02.pcapng) traffic on enp0s3. And then reopen the previously
created test01.pcapng and review the data.
Comment 3 William Kenney 2016-03-01 18:45:03 CET 
Looks ok for me. Still cannot see enp0s3 unless your running
as root. Even if adding user to wireshark group. Otherwise
works for me. Good enough David?
Comment 4 claire robinson 2016-03-01 18:52:11 CET 
After adding to wireshark group you need to log out and back in again.
Comment 5 David Walser 2016-03-01 18:55:37 CET 
See Claire's comment.  Also, we generally try to test the PoC's for wireshark.  It's not difficult.
Comment 6 claire robinson 2016-03-01 19:34:05 CET 
Advisory uploaded.

Whiteboard: (none) => has_procedure advisory

Comment 7 William Kenney 2016-03-02 17:56:19 CET 
After assigning wilcal to the wireshark group and a reboot both
the 32 & 64 bit work just fine. wireshark launches from
the desktop icon. Good enough?
Comment 8 claire robinson 2016-03-02 17:59:14 CET 
Good job Bill. Well done for sticking with it. We do usually test PoC's as they usually give them, but this shows no basic regressions and it's a new version rather than patch so it's fine.
Comment 9 claire robinson 2016-03-02 18:17:07 CET 
Adding the OKs and validating.

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory => has_procedure advisory mga5-32-ok mga5-64-ok
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2016-03-02 19:30:30 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0091.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 11 Lewis Smith 2016-03-02 21:16:03 CET 
Tested x64

Hmmm. Just a few hours' absence after first trying this, & all is done!
BTAIM...

(In reply to David Walser from comment #5)
> See Claire's comment.  Also, we generally try to test the PoC's for
> wireshark.  It's not difficult.
Hmmm again. The best starting point is the Release Note. This has *many* bugFix references, which point to the bugs, which contain one or several example packets to illustrate the fault. Tens of possible tests. It is nicely organised. I tried about a dozen, and before the update most did *not* crash (which is ususally the case). A few seemed to loop. Generic command cited to use:
 $ tshark -nVxr <path-to-[p]cap-file>

After the update, all the test results were the same, for better or worse. Wireshark GUI worked on an ethernet interface. So all I can say in support of the OK is 'no regression'.

CC: (none) => lewyssmith

David Walser 2016-03-03 19:23:15 CET

URL: (none) => http://lwn.net/Vulnerabilities/678634/

Comment 12 David Walser 2016-05-02 11:37:38 CEST 
CVEs have been assigned for upstream advisories 2016-12 through 2016-18, which had no CVEs before:
http://openwall.com/lists/oss-security/2016/05/01/1

CVE-2016-4415
CVE-2016-4416
CVE-2016-4417
CVE-2016-4418
CVE-2016-4419
CVE-2016-4420
CVE-2016-4421