http://www.openwall.com/lists/oss-security/2013/09/11/1

"https://www.wireshark.org/security/wnpa-sec-2013-54.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8827
http://anonsvn.wireshark.org/viewvc?view=revision&revision=51130
crash; incorrectly maintained free list
CVE-2013-5717

https://www.wireshark.org/security/wnpa-sec-2013-55.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9005
Access Denied
crash
CVE-2013-5718

https://www.wireshark.org/security/wnpa-sec-2013-56.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9020
http://anonsvn.wireshark.org/viewvc?view=revision&revision=51196
loop
CVE-2013-5719

https://www.wireshark.org/security/wnpa-sec-2013-57.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9019
Access Denied
buffer overflow
CVE-2013-5720

https://www.wireshark.org/security/wnpa-sec-2013-58.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9079
http://anonsvn.wireshark.org/viewvc?view=revision&revision=51603
crash; erroneous entry into a loop
CVE-2013-5721

https://www.wireshark.org/security/wnpa-sec-2013-59.html
crash
CVE-2013-5722

https://www.wireshark.org/security/wnpa-sec-2013-60.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8742
http://anonsvn.wireshark.org/viewvc?view=revision&revision=49697

We don't understand why https://www.wireshark.org/security/wnpa-sec-2013-60.html has different affected versions than https://www.wireshark.org/security/wnpa-sec-2013-51.html (they are both about bug 8742). Thus, we don't know whether new CVE IDs are needed."
The new wireshark versions have been released on September 10:
http://www.wireshark.org/news/20130910.html

The 1.8.10 update for Mageia 3 fixes 6 security issues:
http://www.wireshark.org/docs/relnotes/wireshark-1.8.10.html

Oden has uploaded updated packages for Mageia 3 and Cauldron. We haven't backported any fixes to Mageia 2 yet.

Packages currently in updates_testing:
wireshark-1.8.10-1.mga3
libwireshark2-1.8.10-1.mga3
libwireshark-devel-1.8.10-1.mga3
wireshark-tools-1.8.10-1.mga3
tshark-1.8.10-1.mga3
rawshark-1.8.10-1.mga3
dumpcap-1.8.10-1.mga3

from wireshark-1.8.10-1.mga3.src.rpm

Version: 2 => 3
Summary: multiple vulnerabilities in wireshark => wireshark new security issues fixed in 1.8.10 and 1.10.2
The Mageia 2 version does not look vulnerable to wnpa-sec-2013-55 (affected code not present).

It does look vulnerable to wnpa-sec-2013-56, and there is a PoC on the upstream bug which can confirm that. Backporting the fix is non-obvious because of some subtle changes in the code. Maybe Oden can take a stab at it?
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9020

The fix for wnpa-sec-2013-57 applies without modification, so I've committed that as wireshark-1.8.9-CVE-2013-5720.patch.

The fix for wnpa-sec-2013-58 needed re-diffed because of whitespace changes, but otherwise is the same, so I've committed it as wireshark-1.8.9-CVE-2013-5721.patch.

The fix for wnpa-sec-2013-59 still needs re-diffed because of changes in the code.

The fix for wnpa-sec-2013-60 needed re-diffed because of a named constant name change in netmon.c and whitespace changes in filesystem.c, but otherwise was the same, so I've committed it as wireshark-1.8.9-wpna-sec-2013-60.patch. I don't understand why this didn't get a CVE.

I've left placeholders in the spec for the two missing fixes.
CC: (none) => luigiwalser
Hmm, I should have called the patches for wnpa-sec-2013-58 and wnpa-sec-2013-60 1.6.16 instead of 1.8.9 since I rediffed them. Oh well, that can be fixed later.
Created attachment 4346
Upstream patch for CVE-2013-5719 for 1.8.9 that needs rediffed for 1.6.16

Created attachment 4347
Upstream patch for CVE-2013-5722 for 1.8.9 that needs rediffed for 1.6.16
Bumping to 1.8.10 for mga2 isn't an option? Would probably be quite painless...
As long as all the dependencies are there, I suppose we could do that.
wireshark-1.8.10-1.mga2 has been submitted.
Advisory (Mageia 2):
========================

Updated wireshark packages fix security vulnerabilities:

The ASSA R3 dissector could go into an infinite loop (CVE-2013-5719).

The RTPS dissector could overflow a buffer (CVE-2013-5720).

The MQ dissector could crash (CVE-2013-5721).

The LDAP dissector could crash (CVE-2013-5722).

The Netmon file parser could crash (wnpa-sec-2013-60).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5722
http://www.wireshark.org/security/wnpa-sec-2013-55.html
http://www.wireshark.org/security/wnpa-sec-2013-56.html
http://www.wireshark.org/security/wnpa-sec-2013-57.html
http://www.wireshark.org/security/wnpa-sec-2013-58.html
http://www.wireshark.org/security/wnpa-sec-2013-59.html
http://www.wireshark.org/security/wnpa-sec-2013-60.html
http://www.wireshark.org/docs/relnotes/wireshark-1.8.10.html
http://www.wireshark.org/news/20130910.html
http://www.openwall.com/lists/oss-security/2013/09/11/1
========================

Updated packages in core/updates_testing:
========================
wireshark-1.8.10-1.mga2
libwireshark2-1.8.10-1.mga2
libwireshark-devel-1.8.10-1.mga2
wireshark-tools-1.8.10-1.mga2
tshark-1.8.10-1.mga2
rawshark-1.8.10-1.mga2
dumpcap-1.8.10-1.mga2

from wireshark-1.8.10-1.mga2.src.rpm

Advisory (Mageia 3):
========================

Updated wireshark packages fix security vulnerabilities:

The NBAP dissector could crash (CVE-2013-5718).

The ASSA R3 dissector could go into an infinite loop (CVE-2013-5719).

The RTPS dissector could overflow a buffer (CVE-2013-5720).

The MQ dissector could crash (CVE-2013-5721).

The LDAP dissector could crash (CVE-2013-5722).

The Netmon file parser could crash (wnpa-sec-2013-60).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5722
http://www.wireshark.org/security/wnpa-sec-2013-55.html
http://www.wireshark.org/security/wnpa-sec-2013-56.html
http://www.wireshark.org/security/wnpa-sec-2013-57.html
http://www.wireshark.org/security/wnpa-sec-2013-58.html
http://www.wireshark.org/security/wnpa-sec-2013-59.html
http://www.wireshark.org/security/wnpa-sec-2013-60.html
http://www.wireshark.org/docs/relnotes/wireshark-1.8.10.html
http://www.wireshark.org/news/20130910.html
http://www.openwall.com/lists/oss-security/2013/09/11/1
========================

Updated packages in core/updates_testing:
========================
wireshark-1.8.10-1.mga3
libwireshark2-1.8.10-1.mga3
libwireshark-devel-1.8.10-1.mga3
wireshark-tools-1.8.10-1.mga3
tshark-1.8.10-1.mga3
rawshark-1.8.10-1.mga3
dumpcap-1.8.10-1.mga3

from wireshark-1.8.10-1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA2TOO
Advisories 11214.mga2.adv and 11214.mga3.adv committed to svn.
CC: (none) => davidwhodgins
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9019 is closed to the public, so the poc for wnpa-sec-2013-57 is not available. wnpa-sec-2013-59 does not have a link to a wireshark bug report, so no poc available. For the other four, poc files are available. I'll be testing shortly.
Testing complete.

Before updating
Wireshark bug     i2    x2    i3        x3
9005 wireshark    ok    ok    segfault  segfault
9020 wireshark    loop  loop  loop      loop
9079 tshark       ok    ok    ok        ok
8742 tshark       pcap file cut short in the middle of a packet or other data

After updating
Wireshark bug     i2    x2    i3        x3
9005 wireshark    ok    ok    ok        ok
9020 wireshark    ok    ok    ok        ok
9079 tshark       ok    ok    ok        ok
8742 tshark       pcap file cut short in the middle of a packet or other data

So out of the 4 bugs with a poc, only two could be replicated, and both are fixed.

Someone from the sysadmin team please push 11214.mga2.adv and 11214.mga3.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs
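A before/after matrix like the one in the testing comment above can be produced mechanically. The following is an added example, not part of the original bug report: a small POSIX shell harness that runs a capture-reading command under a time limit and reports ok, segfault or loop from its exit status. The names `classify_run`, `check_poc` and `POC_TIMEOUT` are chosen here, and GNU coreutils `timeout` is assumed to be installed.

```shell
#!/bin/sh
# Added example: classify how a capture-reading command ends, using the
# outcome labels from the QA table (ok / segfault / loop).
# Assumption: GNU coreutils `timeout` is available.

POC_TIMEOUT=${POC_TIMEOUT:-10}   # seconds before a run is counted as a loop

classify_run() {
    # usage: classify_run <command> [args...]
    rc=0
    # Send TERM at the limit, then KILL 2 seconds later if still running.
    timeout -k 2 "$POC_TIMEOUT" "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)       echo ok ;;
        124|137) echo loop ;;          # stopped by timeout (TERM, then KILL)
        139)     echo segfault ;;      # 128 + SIGSEGV (11)
        134)     echo abort ;;         # 128 + SIGABRT (6), e.g. failed assertion
        *)       echo "error($rc)" ;;  # tool reported a problem and exited
    esac
}

check_poc() {
    # usage: check_poc <bug-id> <command> [args...]
    # Prints one table row: "<bug-id> <tool> <outcome>".
    bug=$1; shift
    printf '%s %s %s\n' "$bug" "$1" "$(classify_run "$@")"
}

# Example invocation (the file name is a placeholder, not from the report):
#   check_poc 9020 tshark -r poc-9020.pcap
```

Run it once with the old packages installed and once after updating; a row that changes from segfault or loop to ok confirms the fix, while an unchanged error row means the PoC did not reproduce on that build.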
======================================================
Name: CVE-2013-5717
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5717
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130911
Category:
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=51130
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8827
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-54.html

The Bluetooth HCI ACL dissector in Wireshark 1.10.x before 1.10.2 does not properly maintain a certain free list, which allows remote attackers to cause a denial of service (application crash) via a crafted packet that is not properly handled by the wmem_block_alloc function in epan/wmem/wmem_allocator_block.c.

======================================================
Name: CVE-2013-5718
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5718
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130911
Category:
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=51195
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9005
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-55.html

The dissect_nbap_T_dCH_ID function in epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 does not restrict the dch_id value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

======================================================
Name: CVE-2013-5719
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5719
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130911
Category:
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=51196
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9020
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-56.html

epan/dissectors/packet-assa_r3.c in the ASSA R3 dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.

======================================================
Name: CVE-2013-5720
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5720
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130911
Category:
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9019
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-57.html

Buffer overflow in the RTPS dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet.

======================================================
Name: CVE-2013-5721
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5721
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130911
Category:
Reference: CONFIRM:http://anonsvn.wireshark.org/viewvc?view=revision&revision=51603
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9079
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-58.html

The dissect_mq_rr function in epan/dissectors/packet-mq.c in the MQ dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 does not properly determine when to enter a certain loop, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

======================================================
Name: CVE-2013-5722
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5722
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130911
Category:
Reference: CONFIRM:https://www.wireshark.org/security/wnpa-sec-2013-59.html

Unspecified vulnerability in the LDAP dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet.
URL: http://www.openwall.com/lists/oss-security/2013/09/11/1 => http://lwn.net/Vulnerabilities/566977/
Mga2 update pushed:
http://advisories.mageia.org/MGASA-2013-0281.html

Mga3 update pushed:
http://advisories.mageia.org/MGASA-2013-0282.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
LWN reference for two vulnerabilities in our advisory, not in Debian's: http://lwn.net/Vulnerabilities/567512/