| Summary: | wireshark new security issue CVE-2024-2955 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, mageia, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | wireshark-4.0.12-1.mga9.src.rpm | CVE: | CVE-2024-2955 |
| Status comment: | | | |

Description
Nicolas Salguero
2024-04-22 10:32:34 CEST

Nicolas Salguero
2024-04-22 10:33:00 CEST
Whiteboard: (none) => MGA9TOO

Suggested advisory:
========================

The updated packages fix a security vulnerability:

T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0.13 allows denial of service via packet injection or crafted capture file. (CVE-2024-2955)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZD2MNS6EW2K2SSMN4YBGPZCC47KBDNEE/
========================

Updated packages in core/updates_testing:
========================

```
dumpcap-4.0.14-1.mga9
lib(64)wireshark16-4.0.14-1.mga9
lib(64)wireshark-devel-4.0.14-1.mga9
lib(64)wiretap13-4.0.14-1.mga9
lib(64)wsutil14-4.0.14-1.mga9
rawshark-4.0.14-1.mga9
tshark-4.0.14-1.mga9
wireshark-4.0.14-1.mga9
wireshark-tools-4.0.14-1.mga9

from SRPM:
wireshark-4.0.14-1.mga9.src.rpm
```

Whiteboard: MGA9TOO => (none)

PC LX
2024-04-22 14:01:41 CEST
CC: (none) => mageia

katnatek
2024-04-22 20:55:09 CEST
Keywords: (none) => advisory

Mageia9, x64

Followed the CVE trail to
https://gitlab.com/wireshark/wireshark/-/issues/19695
https://www.wireshark.org/download/automated/captures/fuzz-2024-03-07-7208.pcap.gz

Tried this command but left out the logging parameter because tshark did not recognise it - probably something introduced for the fuzzing/asan framework.

```
$ tshark -2 -nVxr fuzz-2024-03-07-7208.pcap.gz
```

That generated a lot of output including "malformed packet exception" messages. This was before updating.

No problem installing with qarepo, drakrpm-update.

Tried the PoC but was unable to draw any conclusions from the output - at least one malformed packet exception.

Referred to earlier bugs for testing, all based on https://wiki.mageia.org/en/QA_procedure:Wireshark.

```
$ wireshark -n lcl1.cap
```

generated the wireshark frame/capture analysis interface.

```
$ wireshark -i enp0s20f0u1 -w qa.cap --autostop duration:60
 ** (wireshark:521126) 11:23:30.531431 [Capture MESSAGE] -- Capture Start ...
 ** (wireshark:521126) 11:23:30.556875 [Capture MESSAGE] -- Capture started
 ** (wireshark:521126) 11:23:30.556918 [Capture MESSAGE] -- File: "qa.cap"
 ** (wireshark:521126) 11:24:30.689064 [Capture MESSAGE] -- Capture stopped.
$ ll
-rw------- 1 lcl lcl 19144 Apr 25 11:24 qa.cap
$ wireshark qa.cap
```

102 packets displayed, protocols STP, ARP and TCP. Several keep-alive packets and NOTIFY from the router and ARP conversations along the lines of "Who has <yildun>?" "Tell <canopus>" and "<yildun> is at <MAC address>".

```
$ tshark -nr qa.cap
```

dumps the same information to the terminal.

```
$ editcap -r qa.cap wiresharktest40 1-40
```

No terminal output.

```
$ ll wiresharktest40
-rw-r--r-- 1 lcl lcl 4088 Apr 25 11:46 wiresharktest40
$ mergecap -V -w merged qa.cap wiresharktest40
mergecap: qa.cap is type Wireshark/... - pcapng.
mergecap: wiresharktest40 is type Wireshark/... - pcapng.
mergecap: selected frame_type Ethernet (ether)
mergecap: ready to merge records
Record: 1
[...]
Record: 142
mergecap: merging complete
$ ll merged
-rw-r--r-- 1 lcl lcl 22816 Apr 25 12:23 merged
$ randpkt -b 500 -t dns wireshark_dns.pcap
```

This accumulated 1000 packets. Wireshark showed that they were all exchanges between two addresses which I did not recognise but which I guess are the DNS servers.

```
$ dftest ip
```

failed for lack of the dftest command.
Otherwise all looks good.

CC: (none) => tarazed25

Tried the asan/fuzzing PoC file with tshark. Copious output but I had not recorded the previous test output so cannot compare them. Malformed packet exceptions were raised again.
Giving this an OK for 64 bits.

Whiteboard: (none) => MGA9-64-OK

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0149.html

Status: ASSIGNED => RESOLVED