Bug 11214 - wireshark new security issues fixed in 1.8.10 and 1.10.2
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/566977/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64...
Keywords: validated_update
 
Reported: 2013-09-11 12:38 CEST by Oden Eriksson
Modified: 2013-09-19 21:21 CEST

Source RPM: wireshark


Attachments
Upstream patch for CVE-2013-5719 for 1.8.9 that needs rediffed for 1.6.16 (4.58 KB, patch)
2013-09-11 18:45 CEST, David Walser
Upstream patch for CVE-2013-5722 for 1.8.9 that needs rediffed for 1.6.16 (3.48 KB, patch)
2013-09-11 18:45 CEST, David Walser

Description Oden Eriksson 2013-09-11 12:38:00 CEST
http://www.openwall.com/lists/oss-security/2013/09/11/1

"https://www.wireshark.org/security/wnpa-sec-2013-54.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8827
http://anonsvn.wireshark.org/viewvc?view=revision&revision=51130
crash; incorrectly maintained free list
CVE-2013-5717


https://www.wireshark.org/security/wnpa-sec-2013-55.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9005 Access Denied
crash
CVE-2013-5718


https://www.wireshark.org/security/wnpa-sec-2013-56.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9020
http://anonsvn.wireshark.org/viewvc?view=revision&revision=51196
loop
CVE-2013-5719


https://www.wireshark.org/security/wnpa-sec-2013-57.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9019 Access Denied
buffer overflow
CVE-2013-5720


https://www.wireshark.org/security/wnpa-sec-2013-58.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9079
http://anonsvn.wireshark.org/viewvc?view=revision&revision=51603
crash; erroneous entry into a loop
CVE-2013-5721


https://www.wireshark.org/security/wnpa-sec-2013-59.html
crash
CVE-2013-5722


https://www.wireshark.org/security/wnpa-sec-2013-60.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8742
http://anonsvn.wireshark.org/viewvc?view=revision&revision=49697

We don't understand why
https://www.wireshark.org/security/wnpa-sec-2013-60.html has different
affected versions than
https://www.wireshark.org/security/wnpa-sec-2013-51.html (they are
both about bug 8742). Thus, we don't know whether new CVE IDs are
needed."


Comment 1 David Walser 2013-09-11 16:58:14 CEST
The new wireshark versions have been released on September 10:
http://www.wireshark.org/news/20130910.html

The 1.8.10 update for Mageia 3 fixes 6 security issues:
http://www.wireshark.org/docs/relnotes/wireshark-1.8.10.html

Oden has uploaded updated packages for Mageia 3 and Cauldron.

We haven't backported any fixes to Mageia 2 yet.

Packages currently in updates_testing:
wireshark-1.8.10-1.mga3
libwireshark2-1.8.10-1.mga3
libwireshark-devel-1.8.10-1.mga3
wireshark-tools-1.8.10-1.mga3
tshark-1.8.10-1.mga3
rawshark-1.8.10-1.mga3
dumpcap-1.8.10-1.mga3

from wireshark-1.8.10-1.mga3.src.rpm
Comment 2 David Walser 2013-09-11 18:39:47 CEST
The Mageia 2 version does not look vulnerable to wnpa-sec-2013-55 (affected code not present).

It does look vulnerable to wnpa-sec-2013-56, and there is a PoC on the upstream bug which can confirm that. Backporting the fix is non-obvious because of some subtle changes in the code. Maybe Oden can take a stab at it?
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9020

The fix for wnpa-sec-2013-57 applies without modification, so I've committed that as wireshark-1.8.9-CVE-2013-5720.patch.

The fix for wnpa-sec-2013-58 needed to be re-diffed because of whitespace changes, but otherwise is the same, so I've committed it as wireshark-1.8.9-CVE-2013-5721.patch.

The fix for wnpa-sec-2013-59 still needs to be re-diffed because of changes in the code.

The fix for wnpa-sec-2013-60 needed to be re-diffed because of a named constant name change in netmon.c and whitespace changes in filesystem.c, but otherwise was the same, so I've committed it as wireshark-1.8.9-wpna-sec-2013-60.patch. I don't understand why this didn't get a CVE.

I've left placeholders in the spec for the two missing fixes.
Comment 3 David Walser 2013-09-11 18:44:08 CEST
Hmm, I should have called the patches for wnpa-sec-2013-58 and wnpa-sec-2013-60 1.6.16 instead of 1.8.9 since I rediffed them. Oh well, that can be fixed later.
Comment 4 David Walser 2013-09-11 18:45:03 CEST
Created attachment 4346 [details]
Upstream patch for CVE-2013-5719 for 1.8.9 that needs rediffed for 1.6.16
Comment 5 David Walser 2013-09-11 18:45:44 CEST
Created attachment 4347 [details]
Upstream patch for CVE-2013-5722 for 1.8.9 that needs rediffed for 1.6.16
Comment 6 Oden Eriksson 2013-09-12 07:41:58 CEST
Bumping to 1.8.10 for mga2 isn't an option? Would probably be quite painless...
Comment 7 David Walser 2013-09-12 12:40:33 CEST
As long as all the dependencies are there, I suppose we could do that.
Comment 8 Oden Eriksson 2013-09-13 11:35:38 CEST
wireshark-1.8.10-1.mga2 has been submitted.
Comment 9 David Walser 2013-09-13 14:05:07 CEST
Advisory (Mageia 2):
========================

Updated wireshark packages fix security vulnerabilities:

The ASSA R3 dissector could go into an infinite loop (CVE-2013-5719).

The RTPS dissector could overflow a buffer (CVE-2013-5720).

The MQ dissector could crash (CVE-2013-5721).

The LDAP dissector could crash (CVE-2013-5722).

The Netmon file parser could crash (wnpa-sec-2013-60).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5722
http://www.wireshark.org/security/wnpa-sec-2013-55.html
http://www.wireshark.org/security/wnpa-sec-2013-56.html
http://www.wireshark.org/security/wnpa-sec-2013-57.html
http://www.wireshark.org/security/wnpa-sec-2013-58.html
http://www.wireshark.org/security/wnpa-sec-2013-59.html
http://www.wireshark.org/security/wnpa-sec-2013-60.html
http://www.wireshark.org/docs/relnotes/wireshark-1.8.10.html
http://www.wireshark.org/news/20130910.html
http://www.openwall.com/lists/oss-security/2013/09/11/1
========================

Updated packages in core/updates_testing:
========================
wireshark-1.8.10-1.mga2
libwireshark2-1.8.10-1.mga2
libwireshark-devel-1.8.10-1.mga2
wireshark-tools-1.8.10-1.mga2
tshark-1.8.10-1.mga2
rawshark-1.8.10-1.mga2
dumpcap-1.8.10-1.mga2

from wireshark-1.8.10-1.mga2.src.rpm

Advisory (Mageia 3):
========================

Updated wireshark packages fix security vulnerabilities:

The NBAP dissector could crash (CVE-2013-5718).

The ASSA R3 dissector could go into an infinite loop (CVE-2013-5719).

The RTPS dissector could overflow a buffer (CVE-2013-5720).

The MQ dissector could crash (CVE-2013-5721).

The LDAP dissector could crash (CVE-2013-5722).

The Netmon file parser could crash (wnpa-sec-2013-60).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5722
http://www.wireshark.org/security/wnpa-sec-2013-55.html
http://www.wireshark.org/security/wnpa-sec-2013-56.html
http://www.wireshark.org/security/wnpa-sec-2013-57.html
http://www.wireshark.org/security/wnpa-sec-2013-58.html
http://www.wireshark.org/security/wnpa-sec-2013-59.html
http://www.wireshark.org/security/wnpa-sec-2013-60.html
http://www.wireshark.org/docs/relnotes/wireshark-1.8.10.html
http://www.wireshark.org/news/20130910.html
http://www.openwall.com/lists/oss-security/2013/09/11/1
========================

Updated packages in core/updates_testing:
========================
wireshark-1.8.10-1.mga3
libwireshark2-1.8.10-1.mga3
libwireshark-devel-1.8.10-1.mga3
wireshark-tools-1.8.10-1.mga3
tshark-1.8.10-1.mga3
rawshark-1.8.10-1.mga3
dumpcap-1.8.10-1.mga3

from wireshark-1.8.10-1.mga3.src.rpm
Comment 10 Dave Hodgins 2013-09-13 22:56:15 CEST
Advisories 11214.mga2.adv and 11214.mga3.adv committed to svn.
Comment 11 Dave Hodgins 2013-09-13 23:27:40 CEST
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9019 is closed to the
public, so the poc for wnpa-sec-2013-57 is not available.
wnpa-sec-2013-59 does not have a link to a wireshark bug report, so no poc
available.

For the other four, poc files are available.

I'll be testing shortly.
Comment 12 Dave Hodgins 2013-09-14 00:20:28 CEST
Testing complete.

Before updating
Wireshark bug  i2       x2       i3       x3
9005 wireshark ok       ok       segfault segfault
9020 wireshark loop     loop     loop     loop
9079 tshark    ok       ok       ok       ok
8742 tshark    pcap file cut short in the middle of a packet or other data

After updating
Wireshark bug  i2       x2       i3       x3
9005 wireshark ok       ok       ok       ok
9020 wireshark ok       ok       ok       ok
9079 tshark    ok       ok       ok       ok
8742 tshark    pcap file cut short in the middle of a packet or other data

So out of the 4 bugs with a poc, only two could be replicated, and both are
fixed.

Someone from the sysadmin team please push 11214.mga2.adv and 11214.mga3.adv to updates.
Comment 13 Oden Eriksson 2013-09-16 08:44:56 CEST
======================================================
Name: CVE-2013-5717
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5717
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130911
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=51130
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8827
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-54.html

The Bluetooth HCI ACL dissector in Wireshark 1.10.x before 1.10.2 does
not properly maintain a certain free list, which allows remote
attackers to cause a denial of service (application crash) via a
crafted packet that is not properly handled by the wmem_block_alloc
function in epan/wmem/wmem_allocator_block.c.



======================================================
Name: CVE-2013-5718
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5718
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130911
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=51195
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9005
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-55.html

The dissect_nbap_T_dCH_ID function in epan/dissectors/packet-nbap.c in
the NBAP dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before
1.10.2 does not restrict the dch_id value, which allows remote
attackers to cause a denial of service (application crash) via a
crafted packet.



======================================================
Name: CVE-2013-5719
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5719
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130911
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=51196
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9020
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-56.html

epan/dissectors/packet-assa_r3.c in the ASSA R3 dissector in Wireshark
1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers
to cause a denial of service (infinite loop) via a crafted packet.



======================================================
Name: CVE-2013-5720
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5720
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130911
Category: 
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9019
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-57.html

Buffer overflow in the RTPS dissector in Wireshark 1.8.x before 1.8.10
and 1.10.x before 1.10.2 allows remote attackers to cause a denial of
service (application crash) via a crafted packet.



======================================================
Name: CVE-2013-5721
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5721
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130911
Category: 
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=51603
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9079
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-58.html

The dissect_mq_rr function in epan/dissectors/packet-mq.c in the MQ
dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2
does not properly determine when to enter a certain loop, which allows
remote attackers to cause a denial of service (application crash) via
a crafted packet.



======================================================
Name: CVE-2013-5722
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5722
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130911
Category: 
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-59.html

Unspecified vulnerability in the LDAP dissector in Wireshark 1.8.x
before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to
cause a denial of service (application crash) via a crafted packet.
Comment 14 Thomas Backlund 2013-09-19 11:52:40 CEST
Mga2 update pushed:
http://advisories.mageia.org/MGASA-2013-0281.html

Mga3 update pushed:
http://advisories.mageia.org/MGASA-2013-0282.html
Comment 15 David Walser 2013-09-19 21:21:27 CEST
LWN reference for two vulnerabilities in our advisory, not in Debian's:
http://lwn.net/Vulnerabilities/567512/
