Bug 10858 - wireshark new releases 1.8.9 and 1.10.1 fix security issues
: wireshark new releases 1.8.9 and 1.10.1 fix security issues
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/561318/
: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64...
: validated_update
: 10857
:
  Show dependency treegraph
 
Reported: 2013-07-27 17:28 CEST by David Walser
Modified: 2013-07-30 08:14 CEST (History)
5 users (show)

See Also:
Source RPM: wireshark-1.8.8-1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-07-27 17:28:53 CEST
Wireshark has released versions 1.8.9 and 1.10.1 on July 26:
http://www.wireshark.org/news/20130726.html

Updated packages uploaded for Mageia 3 and Cauldron.
Thanks to Jani for fixing the build on Cauldron.

Patched package uploaded for Mageia 2.

I had to backport the security patches from 1.8.9 myself, as 1.6.x is no longer supported upstream.  Please do check the PoCs in the upstream bugs, especially for CVE-2013-4932 as I had to rewrite the last part of it, as the code changed.

Advisory:
========================

Updated wireshark packages fix security vulnerabilities:

The Bluetooth SDP dissector could go into a large loop (CVE-2013-4927).

The DIS dissector could go into a large loop (CVE-2013-4929).

The DVB-CI dissector could crash (CVE-2013-4930).

The GSM RR dissector (and possibly others) could go into a large loop (CVE-2013-4931).

The GSM A Common dissector could crash (CVE-2013-4932).

The Netmon file parser could crash (CVE-2013-4933, CVE-2013-4934).

The ASN.1 PER dissector could crash (CVE-2013-4935).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4927
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4930
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4931
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4932
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4933
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4934
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4935
http://www.wireshark.org/security/wnpa-sec-2013-45.html
http://www.wireshark.org/security/wnpa-sec-2013-47.html
http://www.wireshark.org/security/wnpa-sec-2013-48.html
http://www.wireshark.org/security/wnpa-sec-2013-49.html
http://www.wireshark.org/security/wnpa-sec-2013-50.html
http://www.wireshark.org/security/wnpa-sec-2013-51.html
http://www.wireshark.org/security/wnpa-sec-2013-52.html
http://www.wireshark.org/docs/relnotes/wireshark-1.8.9.html
http://www.wireshark.org/news/20130726.html
========================

Updated packages in core/updates_testing:
========================
wireshark-1.6.16-1.1.mga2
libwireshark1-1.6.16-1.1.mga2
libwireshark-devel-1.6.16-1.1.mga2
wireshark-tools-1.6.16-1.1.mga2
tshark-1.6.16-1.1.mga2
rawshark-1.6.16-1.1.mga2
dumpcap-1.6.16-1.1.mga2
wireshark-1.8.9-1.mga3
libwireshark2-1.8.9-1.mga3
libwireshark-devel-1.8.9-1.mga3
wireshark-tools-1.8.9-1.mga3
tshark-1.8.9-1.mga3
rawshark-1.8.9-1.mga3
dumpcap-1.8.9-1.mga3

from SRPMS:
wireshark-1.6.16-1.1.mga2.src.rpm
wireshark-1.8.9-1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-07-27 17:29:53 CEST
Because of a licensing issue, wireshark on Mageia 3 needs to be built against gnutls >= 3.1.10, so this update needs to be pushed after or with the gnutls update in Bug 10857.
Comment 2 Dave Hodgins 2013-07-28 00:08:17 CEST
Advisory 10858.adv uploaded to svn
Comment 3 William Kenney 2013-07-28 17:33:41 CEST
MGA3-32-OK for me

in VirtualBox

default install wireshark-1.8.8-1.mga3.i586 from core release
[root@localhost wilcal]# urpmi wireshark
Package wireshark-1.8.8-1.mga3.i586 is already installed

Tested using eth0 accessing both WAN and LAN sites.
All successful and generate report

install wireshark-1.8.9-1.mga3.i586 from core updates_testing
Rerun testing with the same above tests. All successful
[root@localhost wilcal]# urpmi wireshark
Package wireshark-1.8.9-1.mga3.i586 is already installed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox version: virtualbox-4.2.16-1.mga3.x86_64
Comment 4 William Kenney 2013-07-28 17:34:01 CEST
MGA3-64-OK for me

in VirtualBox

default install wireshark-1.8.8-1.mga3.x86_64 from core release
[root@localhost wilcal]# urpmi wireshark
Package wireshark-1.8.8-1.mga3.x86_64 is already installed

Tested using eth0 accessing both WAN and LAN sites.
All successful and generate report

install wireshark-1.8.9-1.mga3.x86_64 from core updates_testing
Rerun testing with the same above tests. All successful
[root@localhost wilcal]# urpmi wireshark
Package wireshark-1.8.9-1.mga3.x86_64 is already installed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox version: virtualbox-4.2.16-1.mga3.x86_64
Comment 5 William Kenney 2013-07-28 17:34:20 CEST
MGA2-32-OK for me

in VirtualBox

default install wireshark-1.6.16-1.mga2.i586 from core release
[root@localhost wilcal]# urpmi wireshark
Package wireshark-1.6.16-1.mga2.i586 is already installed

Tested using eth0 accessing both WAN and LAN sites.
All successful and generate report

install wireshark-1.6.16-1.1.mga2.i586 from core updates_testing
Rerun testing with the same above tests. All successful
[root@localhost wilcal]# urpmi wireshark
Package wireshark-1.6.16-1.1.mga2.i586 is already installed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox version: virtualbox-4.2.16-1.mga3.x86_64
Comment 6 William Kenney 2013-07-28 17:34:38 CEST
MGA2-64-OK for me

in VirtualBox

default install wireshark-1.6.16-1.mga2.x86_64 from core release
[root@localhost wilcal]# urpmi wireshark
Package wireshark-1.6.16-1.mga2.x86_64 is already installed

Tested using eth0 accessing both WAN and LAN sites.
All successful and generate report

install wireshark-1.6.16-1.1.mga2.x86_64 from core updates_testing
Rerun testing with the same above tests. All successful
[root@localhost wilcal]# urpmi wireshark
Package wireshark-1.6.16-1.1.mga2.x86_64 is already installed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox version: virtualbox-4.2.16-1.mga3.x86_64
Comment 7 David Walser 2013-07-28 17:38:31 CEST
Thanks for testing.

Please do check out the PoCs for the security issues.  If you look at the wireshark 1.8.9 release notes page linked in the advisory reference, there are links to bug reports for all of the security issues, and they should all have a .pcap file attached to them that you can use to reproduce the issues (generally just by opening them).  They generally cause wireshark to crash or hang, but should not cause that to happen in the update candidates.
Comment 8 Dave Hodgins 2013-07-29 01:50:37 CEST
The qa wiki currently only describes how to test a new version
of wireshark, rather then a security update. For security updates,
we have to go to each of the wnpa-sec links, then the wireshark
bug link, download the capture file, and make note of whether it's
a tshark bug, or a wireshark bug, and if any special parameters or
actions are needed. If it's tshark, and doesn't say otherwise, test
with "tshark -nr $filename". If it's wireshark, and doesn't say
otherwise, test with "wireshark $filename". This testing has to
be done before installing the updated version, with notes taken as
to the results of each test.  Typically the result will either be
a crash, or high cpu usage, requiring the command to be killed
(use "killall tshark" or "killall wireshark", if needed).  Not all
tests will result in obvious problems.

After installing the updated version, confirm that there are no
more obvious problems, when repeating the tests.  In addition, the
update has to be tested for basic normal usage, as currently in
the wiki.

I'll update the wiki in the next day or two, and will start testing
the existing version, and the updates testing version shortly.

The below lists the cve, wireshark bug, link to the capture file
to be used for the test, the file name resulting from clicking on
the download of the capture, and the command to be used for the
test.

CVE-2013-4927 - Wireshark bug 8831
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=11032
/home/dave/ws/packet-btsdp.pcap
tshark -nr packet-btsdp.pcap

CVE-2013-4929 - Wireshark bug 8911
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=11164
/home/dave/ws/fuzz-2013-07-08-10651.pcap
tshark -nr fuzz-2013-07-08-10651.pcap

CVE-2013-4930 - Wireshark bug 8916
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=11172
/home/dave/ws/test.pcap
tshark -nr test.pcap

CVE-2013-4931 - Wireshark bug 8923
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=11188
/home/dave/ws/fuzz-2013-07-10-1226.pcap
tshark -nr fuzz-2013-07-10-1226.pcap

CVE-2013-4932 - Wireshark bug 8940
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=11212
/home/dave/ws/fuzz-2013-07-15-22842.pcap
tshark -nVxr fuzz-2013-07-15-22842.pcap

CVE-2013-4933 and
CVE-2013-4934 - Wireshark bug 8742X
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=10883
/home/dave/ws/7c51012f016f3e7d168fbf194fa1e932.cap
tshark -nr /home/dave/ws/7c51012f016f3e7d168fbf194fa1e932.cap

CVE-2013-4935 - Wireshark bug 8722
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=10853
/home/dave/ws/crash1.pcap
To reproduce the crash, open the file in Wireshark, select a
packet and decode as ULP.
Comment 9 Dave Hodgins 2013-07-29 02:28:29 CEST
Results before installing the updates testing version.

CVE-2013-4927 - Wireshark bug 8831
tshark -nr packet-btsdp.pcap
i2 no obvious problems
x2 no obvious problems
i3 no obvious problems
x3 no obvious problems

CVE-2013-4929 - Wireshark bug 8911
tshark -nr fuzz-2013-07-08-10651.pcap
Before updating
i2 100%cpu usage, requires killing or ctrl+c
x2 100%cpu usage, requires killing or ctrl+c
i3 100%cpu usage, requires killing or ctrl+c
x3 100%cpu usage, requires killing or ctrl+c

CVE-2013-4930 - Wireshark bug 8916
tshark -nr test.pcap
i2 no obvious problems
x2 no obvious problems
i3 GLib-ERROR **: gmem.c:165: failed to allocate 4294967295 bytes
x3 GLib-ERROR **: gmem.c:165: failed to allocate 4294967295 bytes

CVE-2013-4931 - Wireshark bug 8923
tshark -nr fuzz-2013-07-10-1226.pcap
i2 no obvious problems
x2 no obvious problems
i3 no obvious problems
x3 no obvious problems

CVE-2013-4932 - Wireshark bug 8940
tshark -nVxr fuzz-2013-07-15-22842.pcap
i2 no obvious problems
x2 segfault
i3 no obvious problems
x3 segfault

CVE-2013-4933 and
CVE-2013-4934 - Wireshark bug 8742X
tshark -nr 7c51012f016f3e7d168fbf194fa1e932.cap
i2 segfault
x2 Aborted
i3 Aborted
x3 Aborted

CVE-2013-4935 - Wireshark bug 8722
To reproduce the crash, open crash1.pcap in Wireshark, select a
packet and decode as ULP.
(Found decode under the analyze menu, and ULP under the transport
dropdown).
i2 no obvious problems
x2 no obvious problems
i3 no obvious problems
x3 no obvious problems

I'll install the updates testing version and test those shortly.
Comment 10 Dave Hodgins 2013-07-29 03:04:41 CEST
Results after installing the updates testing version.

CVE-2013-4927 - Wireshark bug 8831
tshark -nr packet-btsdp.pcap
i2 no obvious problems
x2 no obvious problems
i3 no obvious problems
x3 no obvious problems

CVE-2013-4929 - Wireshark bug 8911
tshark -nr fuzz-2013-07-08-10651.pcap
i2 no obvious problems
x2 no obvious problems
i3 no obvious problems
x3 no obvious problems

CVE-2013-4930 - Wireshark bug 8916
tshark -nr test.pcap
i2 no obvious problems
x2 no obvious problems
i3 no obvious problems
x3 no obvious problems

CVE-2013-4931 - Wireshark bug 8923
tshark -nr fuzz-2013-07-10-1226.pcap
i2 no obvious problems
x2 no obvious problems
i3 no obvious problems
x3 no obvious problems

CVE-2013-4932 - Wireshark bug 8940
tshark -nVxr fuzz-2013-07-15-22842.pcap
i2 no obvious problems
x2 no obvious problems
i3 no obvious problems
x3 no obvious problems

CVE-2013-4933 and
CVE-2013-4934 - Wireshark bug 8742X
tshark -nr 7c51012f016f3e7d168fbf194fa1e932.cap
i2 no obvious problems
x2 no obvious problems
i3 no obvious problems
x3 no obvious problems

CVE-2013-4935 - Wireshark bug 8722
To reproduce the crash, open crash1.pcap in Wireshark, select a
packet and decode as ULP.
(Found decode under the analyze menu, and ULP under the transport
dropdown).
i2 no obvious problems
x2 no obvious problems
i3 no obvious problems
x3 no obvious problems

As William has already tested normal usage, I'll skip those tests.

Validating the update will be held till bug 10857 has been validated.

It would be easier to install the updates testing versions, if both
wireshark and tshark had versioned requires on the libs they need.
Comment 11 Dave Hodgins 2013-07-29 03:19:12 CEST
bug 10857 has now been validated.

Could someone from the sysadmin team push 10858.adv to updates.
Comment 12 David Walser 2013-07-29 04:51:58 CEST
Have you tested the PoCs on the Mageia 2 update?
Comment 13 claire robinson 2013-07-29 08:11:38 CEST
Seems like it David. I think Dave's version shorthand is i2 = Mga2 i586, x2 = Mga2 x86_64, etc.

Feel free to confirm the tests yourself.
Comment 14 Thomas Backlund 2013-07-29 16:01:00 CEST
Update pushed;
http://advisories.mageia.org/MGASA-2013-0236.html
Comment 15 Oden Eriksson 2013-07-30 08:14:34 CEST
======================================================
Name: CVE-2013-4920
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4920
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=50083
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8826
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-42.html

The P1 dissector in Wireshark 1.10.x before 1.10.1 does not properly
initialize a global variable, which allows remote attackers to cause a
denial of service (application crash) via a crafted packet.



======================================================
Name: CVE-2013-4921
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4921
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ieee80211-radiotap.c?r1=50090&r2=50089&pathrev=50090
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=50090
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8830
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-43.html

Off-by-one error in the dissect_radiotap function in
epan/dissectors/packet-ieee80211-radiotap.c in the Radiotap dissector
in Wireshark 1.10.x before 1.10.1 allows remote attackers to cause a
denial of service (application crash) via a crafted packet.



======================================================
Name: CVE-2013-4922
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4922
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-dcom-sysact.c?r1=50094&r2=50093&pathrev=50094
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=50094
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8828
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-44.html

Double free vulnerability in the dissect_dcom_ActivationProperties
function in epan/dissectors/packet-dcom-sysact.c in the DCOM
ISystemActivator dissector in Wireshark 1.10.x before 1.10.1 allows
remote attackers to cause a denial of service (application crash) via
a crafted packet.



======================================================
Name: CVE-2013-4923
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4923
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-dcom-sysact.c?r1=50094&r2=50093&pathrev=50094
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=50094
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8828
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-44.html

Memory leak in the dissect_dcom_ActivationProperties function in
epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator
dissector in Wireshark 1.10.x before 1.10.1 allows remote attackers to
cause a denial of service (memory consumption) via crafted packets.



======================================================
Name: CVE-2013-4924
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4924
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-dcom-sysact.c?r1=50432&r2=50431&pathrev=50432
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=50432
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8828
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-44.html

epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator
dissector in Wireshark 1.10.x before 1.10.1 does not properly validate
certain index values, which allows remote attackers to cause a denial
of service (assertion failure and application exit) via a crafted
packet.



======================================================
Name: CVE-2013-4925
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4925
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-dcom-sysact.c?r1=50478&r2=50477&pathrev=50478
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=50478
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8828
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-44.html

Integer signedness error in epan/dissectors/packet-dcom-sysact.c in
the DCOM ISystemActivator dissector in Wireshark 1.10.x before 1.10.1
allows remote attackers to cause a denial of service (assertion
failure and daemon exit) via a crafted packet.



======================================================
Name: CVE-2013-4926
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4926
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-dcom-sysact.c?r1=50478&r2=50477&pathrev=50478
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=50478
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8828
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-44.html

epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator
dissector in Wireshark 1.10.x before 1.10.1 does not properly
determine whether there is remaining packet data to process, which
allows remote attackers to cause a denial of service (application
crash) via a crafted packet.



======================================================
Name: CVE-2013-4927
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4927
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-btsdp.c?r1=50134&r2=50133&pathrev=50134
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=50134
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.9.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8831
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-45.html

Integer signedness error in the get_type_length function in
epan/dissectors/packet-btsdp.c in the Bluetooth SDP dissector in
Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 allows remote
attackers to cause a denial of service (loop and CPU consumption) via
a crafted packet.



======================================================
Name: CVE-2013-4928
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4928
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-btobex.c?r1=50258&r2=50257&pathrev=50258
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=50258
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8875
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-46.html

Integer signedness error in the dissect_headers function in
epan/dissectors/packet-btobex.c in the Bluetooth OBEX dissector in
Wireshark 1.10.x before 1.10.1 allows remote attackers to cause a
denial of service (infinite loop) via a crafted packet.



======================================================
Name: CVE-2013-4929
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4929
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-dis-pdus.c?r1=50450&r2=50449&pathrev=50450
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=50450
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.9.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8911
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-47.html

The parseFields function in epan/dissectors/packet-dis-pdus.c in the
DIS dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1
does not terminate packet-data processing after finding zero remaining
bytes, which allows remote attackers to cause a denial of service
(loop) via a crafted packet.



======================================================
Name: CVE-2013-4930
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4930
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-dvbci.c?r1=50474&r2=50473&pathrev=50474
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=50474
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.9.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8916
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-48.html

The dissect_dvbci_tpdu_hdr function in epan/dissectors/packet-dvbci.c
in the DVB-CI dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x
before 1.10.1 does not validate a certain length value before
decrementing it, which allows remote attackers to cause a denial of
service (assertion failure and application exit) via a crafted packet.



======================================================
Name: CVE-2013-4931
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4931
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/proto.c?r1=50504&r2=50503&pathrev=50504
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=50504
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.9.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8923
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-49.html

epan/proto.c in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1
allows remote attackers to cause a denial of service (loop) via a
crafted packet that is not properly handled by the GSM RR dissector.



======================================================
Name: CVE-2013-4932
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4932
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-gsm_a_common.c?r1=50672&r2=50671&pathrev=50672
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=50672
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.9.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8940
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-50.html

Multiple array index errors in epan/dissectors/packet-gsm_a_common.c
in the GSM A Common dissector in Wireshark 1.8.x before 1.8.9 and
1.10.x before 1.10.1 allow remote attackers to cause a denial of
service (application crash) via a crafted packet.



======================================================
Name: CVE-2013-4933
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4933
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/wiretap/netmon.c?r1=49673&r2=49672&pathrev=49673
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49673
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.9.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8742
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-51.html

The netmon_open function in wiretap/netmon.c in the Netmon file parser
in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not
properly allocate memory, which allows remote attackers to cause a
denial of service (application crash) via a crafted packet-trace file.



======================================================
Name: CVE-2013-4934
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4934
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/wiretap/netmon.c?r1=49697&r2=49696&pathrev=49697
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49697
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.9.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8742
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-51.html

The netmon_open function in wiretap/netmon.c in the Netmon file parser
in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not
initialize certain structure members, which allows remote attackers to
cause a denial of service (application crash) via a crafted
packet-trace file.



======================================================
Name: CVE-2013-4935
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4935
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-per.c?r1=49985&r2=49984&pathrev=49985
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=49985
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.8.9.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8722
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-52.html

The dissect_per_length_determinant function in
epan/dissectors/packet-per.c in the ASN.1 PER dissector in Wireshark
1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not initialize a
length field in certain abnormal situations, which allows remote
attackers to cause a denial of service (application crash) via a
crafted packet.



======================================================
Name: CVE-2013-4936
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4936
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130726
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-smtp.c?r1=50472&r2=50471&pathrev=50472
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=50472
Reference: CONFIRM:http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8904
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-.html

The dissect_smtp function in epan/dissectors/packet-smtp.c in the
PROFINET Real-Time dissector in Wireshark 1.10.x before 1.10.1 does
not initialize certain structure members, which allows remote
attackers to cause a denial of service (NULL pointer dereference and
application crash) via a crafted packet.

Note You need to log in before you can comment on or make changes to this bug.