Bug 22374

Summary: wireshark new release 2.2.12 fixes security issues
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: wireshark-2.2.11-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-01-12 03:32:22 CET 
Upstream has released new versions on January 11:
https://www.wireshark.org/news/20180111.html

Updated package uploaded for Mageia 6.

Advisory:
========================

Updated wireshark packages fix security vulnerabilities:

The MRDISC dissector could crash (CVE-2017-17997).

The IxVeriWave file parser could crash (CVE-2018-5334).

The WCP dissector could crash (CVE-2018-5335).

Multiple dissectors could crash (CVE-2018-5336).

Prior to this release dumpcap enabled the Linux kernel’s BPF JIT compiler
via the net.core.bpf_jit_enable sysctl. This could make systems more
vulnerable to Spectre variant 1 and this feature has been removed
(CVE-2017-5753).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17997
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5336
https://www.wireshark.org/security/wnpa-sec-2018-01.html
https://www.wireshark.org/security/wnpa-sec-2018-02.html
https://www.wireshark.org/security/wnpa-sec-2018-03.html
https://www.wireshark.org/security/wnpa-sec-2018-04.html
https://www.wireshark.org/docs/relnotes/wireshark-2.2.12.html
https://www.wireshark.org/news/20180111.html
========================

Updated packages in core/updates_testing:
========================
wireshark-2.2.12-1.mga6
libwireshark8-2.2.12-1.mga6
libwiretap6-2.2.12-1.mga6
libwscodecs1-2.2.12-1.mga6
libwsutil7-2.2.12-1.mga6
libwireshark-devel-2.2.12-1.mga6
wireshark-tools-2.2.12-1.mga6
tshark-2.2.12-1.mga6
rawshark-2.2.12-1.mga6
dumpcap-2.2.12-1.mga6

from wireshark-2.2.12-1.mga6.src.rpm
Comment 1 David Walser 2018-01-12 03:32:32 CET 
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Wireshark

Keywords: (none) => has_procedure

Comment 2 Len Lawrence 2018-01-12 13:22:22 CET 
Mageia 6 :: x86_64
Installed several packages then updated cleanly to:
- dumpcap
- lib64wireshark-devel-2.2.12-1.mga6.x86_64
- lib64wireshark8-2.2.12-1.mga6.x86_64
- lib64wiretap6-2.2.12-1.mga6.x86_64
- lib64wscodecs1-2.2.12-1.mga6.x86_64
- lib64wsutil7-2.2.12-1.mga6.x86_64
- rawshark-2.2.12-1.mga6.x86_64
- tshark-2.2.12-1.mga6.x86_64
- wireshark-2.2.12-1.mga6.x86_64
- wireshark-tools

# dumpcap -a duration:60
Capturing on 'enp3s0'
File: /tmp/wireshark_enp3s0_20180112115205_dyBIV1.pcapng
Packets captured: 150
Packets received/dropped on interface 'enp3s0': 150/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)
# exit

$ wireshark -n wireshark_enp3s0_20180112115205_dyBIV1.pcapng
QXcbConnection: XCB error: 146 (Unknown), sequence: 198, resource id: 0, major code: 139 (Unknown), minor code: 20
The interface came up with a listing of the packets captured from the ethernet adapter and a frame dump of the first one.  Scanned through the list and noted packets for NFS, TCP, STP and MDNS.

Renamed the pcap file then
$ tshark -nr wiresharktest
    1 0.000000000 14:dd:a9:99:18:f8 → 01:80:c2:00:00:00 STP 60 Conf. Root = 32768/0/14:dd:a9:99:18:f8  Cost = 0  Port = 0x8001
    2 0.018389954 192.168.1.156 → 255.255.255.255 DB-LSP-DISC 175 Dropbox LAN sync Discovery Protocol
...............................

which is a terminal based description of the various transactions.

$ editcap -r wiresharktest wiresharktest50 1-50
$ ll wireshark*
-rw-rw-r-- 1 lcl lcl 15920 Jun  9  2016 wireshark_1
-rw------- 1 lcl lcl 32752 Jan 12 11:56 wireshark_enp3s0_20180112115205_dyBIV1.pcapng
-rw------- 1 lcl lcl 32752 Jan 12 12:04 wiresharktest
-rw-r--r-- 1 lcl lcl  6668 Jan 12 12:09 wiresharktest50

$  mergecap -v -w wiresharkmerged wiresharktest wiresharktest50
mergecap: wiresharktest is type Wireshark/... - pcapng.
mergecap: wiresharktest50 is type Wireshark/... - pcapng.
mergecap: selected frame_type Ethernet (ether)
mergecap: ready to merge records
Record: 1
....................................
Record: 200
mergecap: merging complete

$ randpkt -b 500 -t dns wireshark_dns.pcap
Running the output file through wireshark revealed dozens of malformed packets.

$ dftest ip
Filter: "ip"
dfilter ptr = 0x031faee0


00000 CHECK_EXISTS      ip
00001 RETURN

$ capinfos wiresharktest
File name:           wiresharktest
File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
File timestamp precision:  nanoseconds (9)
Packet size limit:   file hdr: (not set)
Number of packets:   150
File size:           32 kB
Data size:           27 kB
Capture duration:    58.000001411 seconds
First packet time:   2018-01-12 11:52:05.864625863
...........................

At beginner's level this does seem to work.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Comment 3 Lewis Smith 2018-01-12 14:03:13 CET 
Thank you Len for an instant test! Validating, Advisory done.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2018-01-12 20:50:24 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0071.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED