Bug 10471 - wireshark new releases 1.6.16 and 1.8.8 fix security issues
: wireshark new releases 1.6.16 and 1.8.8 fix security issues
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/554059/
: MGA2TOO mga2-32-ok mga2-64-ok mga3-32...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-06-10 09:43 CEST by Oden Eriksson
Modified: 2014-05-08 18:05 CEST (History)
4 users (show)

See Also:
Source RPM: wireshark
CVE:
Status comment:


Attachments

Description Oden Eriksson 2013-06-10 09:43:27 CEST
======================================================
Name: CVE-2013-4074
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4074
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-capwap.c?r1=43716&r2=43715&pathrev=43716
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=43716
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.6.16.html
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-32.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8725

The dissect_capwap_data function in epan/dissectors/packet-capwap.c in
the CAPWAP dissector in Wireshark 1.6.x before 1.6.16 and 1.8.x before
1.8.8 incorrectly uses a -1 data value to represent an error
condition, which allows remote attackers to cause a denial of service
(application crash) via a crafted packet.



======================================================
Name: CVE-2013-4075
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4075
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-gmr1_bcch.c?r1=44674&r2=44673&pathrev=44674
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=44674
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-33.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7664
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8726

epan/dissectors/packet-gmr1_bcch.c in the GMR-1 BCCH dissector in
Wireshark 1.8.x before 1.8.8 does not properly initialize memory,
which allows remote attackers to cause a denial of service
(application crash) via a crafted packet.



======================================================
Name: CVE-2013-4076
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4076
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ppp.c?r1=46128&r2=46127&pathrev=46128
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=46128
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-34.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7880
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8727

Buffer overflow in the dissect_iphc_crtp_fh function in
epan/dissectors/packet-ppp.c in the PPP dissector in Wireshark 1.8.x
before 1.8.8 allows remote attackers to cause a denial of service
(application crash) via a crafted packet.



======================================================
Name: CVE-2013-4077
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4077
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49418
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-35.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8697

Array index error in the NBAP dissector in Wireshark 1.8.x before
1.8.8 allows remote attackers to cause a denial of service
(application crash) via a crafted packet, related to nbap.cnf and
packet-nbap.c.



======================================================
Name: CVE-2013-4078
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4078
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=45566
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=46158
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-36.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7862
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8729

epan/dissectors/packet-rdp.c in the RDP dissector in Wireshark 1.8.x
before 1.8.8 does not validate return values during checks for data
availability, which allows remote attackers to cause a denial of
service (application crash) via a crafted packet.



======================================================
Name: CVE-2013-4079
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4079
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-gsm_cbch.c?r1=49686&r2=49685&pathrev=49686
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49686
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-37.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8730

The dissect_schedule_message function in
epan/dissectors/packet-gsm_cbch.c in the GSM CBCH dissector in
Wireshark 1.8.x before 1.8.8 allows remote attackers to cause a denial
of service (infinite loop and application hang) via a crafted packet.



======================================================
Name: CVE-2013-4080
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4080
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-assa_r3.c?r1=49744&r2=49743&pathrev=49744
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49744
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-38.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8764

The dissect_r3_upstreamcommand_queryconfig function in
epan/dissectors/packet-assa_r3.c in the Assa Abloy R3 dissector in
Wireshark 1.8.x before 1.8.8 does not properly handle a zero-length
item, which allows remote attackers to cause a denial of service
(infinite loop, and CPU and memory consumption) via a crafted packet.



======================================================
Name: CVE-2013-4081
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4081
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-http.c?r1=49623&r2=49622&pathrev=49623
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49623
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.6.16.html
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-39.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8733

The http_payload_subdissector function in
epan/dissectors/packet-http.c in the HTTP dissector in Wireshark 1.6.x
before 1.6.16 and 1.8.x before 1.8.8 does not properly determine when
to use a recursive approach, which allows remote attackers to cause a
denial of service (stack consumption) via a crafted packet.



======================================================
Name: CVE-2013-4082
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4082
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/wiretap/vwr.c?r1=49739&r2=49738&pathrev=49739
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49739
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-40.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8760

The vwr_read function in wiretap/vwr.c in Ixia IxVeriWave file parser
in Wireshark 1.8.x before 1.8.8 does not validate the relationship
between a record length and a trailer length, which allows remote
attackers to cause a denial of service (heap-based buffer overflow and
application crash) via a crafted packet.



======================================================
Name: CVE-2013-4083
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4083
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130609
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-dcp-etsi.c?r1=49802&r2=49801&pathrev=49802
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49802
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.6.16.html
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2013-41.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8717

The dissect_pft function in epan/dissectors/packet-dcp-etsi.c in the
DCP ETSI dissector in Wireshark 1.6.x before 1.6.16, 1.8.x before
1.8.8, and 1.10.0 does not validate a certain fragment length value,
which allows remote attackers to cause a denial of service
(application crash) via a crafted packet.



Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-06-10 14:46:08 CEST
New versions has been uploaded for all.
Comment 2 David Walser 2013-06-11 18:41:50 CEST
Packages built:
wireshark-1.6.16-1.mga2
libwireshark1-1.6.16-1.mga2
libwireshark-devel-1.6.16-1.mga2
wireshark-tools-1.6.16-1.mga2
tshark-1.6.16-1.mga2
rawshark-1.6.16-1.mga2
dumpcap-1.6.16-1.mga2
wireshark-1.8.8-1.mga3
libwireshark2-1.8.8-1.mga3
libwireshark-devel-1.8.8-1.mga3
wireshark-tools-1.8.8-1.mga3
tshark-1.8.8-1.mga3
rawshark-1.8.8-1.mga3
dumpcap-1.8.8-1.mga3

from SRPMS:
wireshark-1.6.16-1.mga2.src.rpm
wireshark-1.8.8-1.mga3.src.rpm
Comment 3 David Walser 2013-06-11 18:44:03 CEST
Upstream announcement from June 7:
http://www.wireshark.org/news/20130607.html

This hasn't yet been fixed in Cauldron, so waiting on that before pushing to QA.
Comment 4 David Walser 2013-06-12 14:21:29 CEST
Mandriva has issued an advisory for this today (June 12):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:172/
Comment 5 David Walser 2013-06-16 17:58:57 CEST
Updated packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Assigning to QA.

Advisory (Mageia 2):
========================

Updated wireshark packages fix security vulnerabilities:

The CAPWAP dissector could crash (CVE-2013-4074).

The HTTP dissector could overrun the stack (CVE-2013-4081).

The DCP ETSI dissector could crash (CVE-2013-4083).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4074
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4083
http://www.wireshark.org/security/wnpa-sec-2013-32.html
http://www.wireshark.org/security/wnpa-sec-2013-39.html
http://www.wireshark.org/security/wnpa-sec-2013-41.html
http://www.wireshark.org/docs/relnotes/wireshark-1.6.16.html
http://www.wireshark.org/news/20130607.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:172/
========================

Updated packages in core/updates_testing:
========================
wireshark-1.6.16-1.mga2
libwireshark1-1.6.16-1.mga2
libwireshark-devel-1.6.16-1.mga2
wireshark-tools-1.6.16-1.mga2
tshark-1.6.16-1.mga2
rawshark-1.6.16-1.mga2
dumpcap-1.6.16-1.mga2

from wireshark-1.6.16-1.mga2.src.rpm


Advisory (Mageia 3):
========================

Updated wireshark packages fix security vulnerability:

The CAPWAP dissector could crash (CVE-2013-4074).

The GMR-1 BCCH dissector could crash (CVE-2013-4075).

The PPP dissector could crash (CVE-2013-4076).

The NBAP dissector could crash (CVE-2013-4077).

The RDP dissector could crash (CVE-2013-4078).

The GSM CBCH dissector could crash (CVE-2013-4079).

The Assa Abloy R3 dissector could consume excessive memory and CPU
(CVE-2013-4080).

The HTTP dissector could overrun the stack (CVE-2013-4081).

The Ixia IxVeriWave file parser could overflow the heap (CVE-2013-4082).

The DCP ETSI dissector could crash (CVE-2013-4083).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4074
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4083
http://www.wireshark.org/security/wnpa-sec-2013-32.html
http://www.wireshark.org/security/wnpa-sec-2013-33.html
http://www.wireshark.org/security/wnpa-sec-2013-34.html
http://www.wireshark.org/security/wnpa-sec-2013-35.html
http://www.wireshark.org/security/wnpa-sec-2013-36.html
http://www.wireshark.org/security/wnpa-sec-2013-37.html
http://www.wireshark.org/security/wnpa-sec-2013-38.html
http://www.wireshark.org/security/wnpa-sec-2013-39.html
http://www.wireshark.org/security/wnpa-sec-2013-40.html
http://www.wireshark.org/security/wnpa-sec-2013-41.html
http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html
http://www.wireshark.org/news/20130607.html
========================

Updated packages in core/updates_testing:
========================
wireshark-1.8.8-1.mga3
libwireshark2-1.8.8-1.mga3
libwireshark-devel-1.8.8-1.mga3
wireshark-tools-1.8.8-1.mga3
tshark-1.8.8-1.mga3
rawshark-1.8.8-1.mga3
dumpcap-1.8.8-1.mga3

from wireshark-1.8.8-1.mga3.src.rpm
Comment 6 David Walser 2013-06-18 18:48:29 CEST
Debian has issued an advisory for this on June 17:
http://www.debian.org/security/2013/dsa-2709

from http://lwn.net/Vulnerabilities/555217/
Comment 7 Manuel Hiebel 2013-06-20 22:27:45 CEST
update is ok here
Comment 8 Rémi Verschelde 2013-06-23 14:26:45 CEST
Testing complete on mga3 i586, following https://wiki.mageia.org/en/QA_procedure:Wireshark
Comment 9 Rémi Verschelde 2013-06-23 14:47:41 CEST
Testing complete on mga2 i586 (VM).
Comment 10 martyn vidler 2013-06-23 19:49:05 CEST
Tested MGA3 64

Completed test as https://wiki.mageia.org/en/QA_procedure:Wireshark
Comment 11 Rémi Verschelde 2013-06-23 19:57:17 CEST
Validating the update candidate then.

--

Please push this update from Mageia 2 and Mageia 3. The advisory and list of RPMs/SRPM is in comment 5.
Comment 12 Manuel Hiebel 2013-06-23 22:20:46 CEST
(btw we keep bugs assigned to the qa)
Comment 13 claire robinson 2013-06-26 09:34:54 CEST
Advisories uploaded

Note You need to log in before you can comment on or make changes to this bug.