Bug 12962 - wireshark new releases 1.8.13 and 1.10.6 fix security issues
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/590188/
Whiteboard: MGA3TOO has_procedure advisory MGA4-6...
Keywords: validated_update

Reported: 2014-03-08 06:58 CET by David Walser
Modified: 2014-03-10 18:04 CET

See Also:
Source RPM: wireshark-1.10.5-1.mga4.src.rpm
CVE:


Attachments

Description David Walser 2014-03-08 06:58:25 CET
Upstream has issued new versions on March 7:
http://www.wireshark.org/news/20140307.html

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory (Mageia 3):
========================

Updated wireshark packages fix security vulnerabilities:

The NFS dissector could crash (CVE-2014-2281).

The RLC dissector could crash (CVE-2014-2283).

The MPEG file parser could overflow a buffer (CVE-2014-2299).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2299
https://www.wireshark.org/security/wnpa-sec-2014-01.html
https://www.wireshark.org/security/wnpa-sec-2014-03.html
https://www.wireshark.org/security/wnpa-sec-2014-04.html
http://www.wireshark.org/docs/relnotes/wireshark-1.8.13.html
http://www.wireshark.org/news/20140307.html
========================

Updated packages in core/updates_testing:
========================
wireshark-1.8.13-1.mga3
libwireshark2-1.8.13-1.mga3
libwireshark-devel-1.8.13-1.mga3
wireshark-tools-1.8.13-1.mga3
tshark-1.8.13-1.mga3
rawshark-1.8.13-1.mga3
dumpcap-1.8.13-1.mga3

from wireshark-1.8.13-1.mga3.src.rpm


Advisory (Mageia 4):
========================

Updated wireshark packages fix security vulnerabilities:

The NFS dissector could crash (CVE-2014-2281).

The M3UA dissector could crash (CVE-2014-2282).

The RLC dissector could crash (CVE-2014-2283).

The MPEG file parser could overflow a buffer (CVE-2014-2299).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2282
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2299
https://www.wireshark.org/security/wnpa-sec-2014-01.html
https://www.wireshark.org/security/wnpa-sec-2014-02.html
https://www.wireshark.org/security/wnpa-sec-2014-03.html
https://www.wireshark.org/security/wnpa-sec-2014-04.html
http://www.wireshark.org/docs/relnotes/wireshark-1.10.6.html
http://www.wireshark.org/news/20140307.html
========================

Updated packages in core/updates_testing:
========================
wireshark-1.10.6-1.mga4
libwireshark3-1.10.6-1.mga4
libwiretap3-1.10.6-1.mga4
libwsutil3-1.10.6-1.mga4
libwireshark-devel-1.10.6-1.mga4
wireshark-tools-1.10.6-1.mga4
tshark-1.10.6-1.mga4
rawshark-1.10.6-1.mga4
dumpcap-1.10.6-1.mga4

from wireshark-1.10.6-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 2 Marc Lattemann 2014-03-08 13:57:29 CET
testing on MGA4 64bit:

after activating the update_testing repos and running urpmi wireshark,
the dependencies dumpcap, lib64wireshark3, lib64wiretap3 and lib64wsutil3 will not be updated...

e.g.
[root@localhost marc]# rpm -qa | grep wireshark
wireshark-1.10.6-1.mga4
lib64wireshark3-1.10.5-1.mga4
[root@localhost marc]#

The sample files for CVE-2014-2281 and CVE-2014-2299 are causing a segmentation fault until the dependencies are updated manually as well... A new installation of wireshark (with all dependencies) from the update_testing repos fixed both bugs.

Did I make a mistake here?


Furthermore I don't know how to get CVE-2014-2283 to work. I never got the same messages as in the linked bug report... (same result before and after the update). But I think that I'm doing something wrong, since I can't get tshark/dumpcap running without being root
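The "sample file segfaults before the update, reads cleanly after it" check done by hand above can be made repeatable. What follows is an added example, not part of the bug report, of Mageia's QA tooling or of Wireshark: it drives a capture reader the way tshark is driven (tshark -r FILE -V reads a file and forces a full dissection of every packet) and classifies each run from the exit status, where 128 plus the signal number (139 for SIGSEGV) means the reader was killed, which is what a crashing dissector looks like from the outside. The readers fake_crasher and fake_clean and the file names are constructed stand-ins so the script runs on a machine without tshark or the CVE sample files; with tshark installed, pass tshark as the reader and the real samples.

```shell
#!/bin/sh
# Added example (not from the bug report or from Wireshark): run a capture
# reader over sample files and classify each run by its exit status.

# classify_exit STATUS
#   0             -> ok     (reader finished)
#   128 + N       -> crash  (killed by signal N; 139 = SIGSEGV, 134 = SIGABRT)
#   anything else -> error  (reader exited with an error, e.g. unreadable file)
classify_exit() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -ge 128 ]; then
        echo "crash(signal $(( $1 - 128 )))"
    else
        echo "error($1)"
    fi
}

# check_capture READER FILE
#   Runs "READER -r FILE -V" (tshark's read-file and full-dissection flags)
#   with the reader's output discarded, prints "FILE: verdict", and
#   returns 0 only when the reader finished cleanly.
check_capture() {
    reader=$1
    file=$2
    if "$reader" -r "$file" -V >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    echo "$file: $(classify_exit "$status")"
    [ "$status" -eq 0 ]
}

# check_all READER FILE...
#   Checks every FILE and returns the number of files that did not read
#   cleanly, so 0 means the update fixed every sample.
check_all() {
    rdr=$1
    shift
    failed=0
    for f in "$@"; do
        check_capture "$rdr" "$f" || failed=$((failed + 1))
    done
    return "$failed"
}

# Constructed stand-ins (example only) so the harness runs without tshark:
# fake_crasher spawns a child shell that kills itself with SIGSEGV, as a
# vulnerable dissector would on a crafted file; fake_clean reads cleanly.
# Both ignore the -r/-V arguments.
fake_crasher() { sh -c 'kill -SEGV $$'; }
fake_clean()   { sh -c 'exit 0'; }

# Stand-alone demo with constructed file names (the files need not exist
# for the stand-ins). With tshark installed, replace fake_* by tshark and
# use the real sample files: check_all tshark nfs-sample.pcap mpeg-sample.mpg
check_all fake_crasher nfs-sample.pcap mpeg-sample.mpg || echo "before update: $? sample(s) crash the reader"
check_all fake_clean   nfs-sample.pcap mpeg-sample.mpg && echo "after update: all samples read cleanly"
```

Run it once against the old packages and once after the update; the return value of check_all is the count of samples still crashing, so the update is confirmed when it drops to 0 for every CVE sample, and a sample that never crashed in the first place (as with CVE-2014-2283 above) shows up as "ok" in both runs rather than as a fix.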
Comment 3 Thomas Backlund 2014-03-08 14:05:58 CET
(In reply to Marc Lattemann from comment #2)
> testing on MGA4 64bit:
> 
> after activating of update_testing repos and run urpmi wireshark, 
> the dependencies dumpcap, lib64wireshark3, lib64wiretap3 and lib64wsutil3
> will not be updated...
> 
> e.g.
> [root@localhost marc]# rpm -qa | grep wireshark
> wireshark-1.10.6-1.mga4
> lib64wireshark3-1.10.5-1.mga4
> [root@localhost marc]#
> 
> The sample files for CVE-2014-2281 and CVE-2014-2299 are causing a
> segmentation fault until the dependencies are updated manually as well...
> A new installation of wireshark (with all dependencies) from the
> update_testing repos fixed both bugs.
> 
> Did I make a mistake here?
>

Nope, when using the updates_testing packages you usually need to manually select the deps, as you don't have it as an "update" repo.

When it ends up in updates, urpmi and the update applet will update all the packages ...

This is actually something I think we should improve in packaging, as it will be needed to be able to cherry-pick backports.
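Until updates_testing is treated like an update repo, the tester has to confirm by hand that the sub-packages really moved together, which is what the rpm -qa listing above was doing. The following is an added example, not part of the bug report or of Mageia's tooling: it reads rpm -qa style lines, keeps the wireshark family (the sub-package names listed in the advisory; lib64* on x86_64, lib* on i586) and fails when more than one version-release is installed. The PARTIAL and COMPLETE listings are constructed sample data shaped like the output in comment 2, and the script assumes rpm -qa's default name-version-release format without an architecture suffix.

```shell
#!/bin/sh
# Added example (not from the bug report or from Mageia's tooling): check
# that every installed package from one source RPM carries the same
# version-release, so a partial update such as wireshark-1.10.6 beside
# lib64wireshark3-1.10.5 is caught before the fix is tested.

# Name prefixes of the wireshark sub-packages listed in the advisory.
# On x86_64 the library packages are lib64*, on i586 they are lib*;
# the pattern covers both.
WS_FAMILY='^(lib(64)?(wireshark|wiretap|wsutil)[0-9]*|wireshark|tshark|rawshark|dumpcap)-'

# family_versions PATTERN
#   Reads "rpm -qa"-style lines (name-version-release) on stdin, keeps
#   those whose name matches PATTERN and prints the distinct
#   version-release strings, one per line. Assumes rpm -qa's default
#   output without an architecture suffix, as in the listing above.
family_versions() {
    grep -E -- "$1" | sed -E 's/^.*-([^-]+-[^-]+)$/\1/' | sort -u
}

# check_family PATTERN
#   Returns 0 when all matching packages share one version-release,
#   1 when they do not (listing the versions found on stderr),
#   2 when no installed package matches.
check_family() {
    versions=$(family_versions "$1")
    if [ -z "$versions" ]; then
        echo "no installed package matches $1" >&2
        return 2
    fi
    set -- $versions   # one version-release per positional argument
    if [ "$#" -eq 1 ]; then
        echo "ok: all packages are at $1"
        return 0
    fi
    echo "MISMATCH: packages at $# different version-releases:" >&2
    printf '  %s\n' "$@" >&2
    return 1
}

# Constructed samples in the shape of comment 2's "rpm -qa" output
# (example data, not taken from a real system). PARTIAL is the state
# after "urpmi wireshark" alone; COMPLETE is the state after the
# dependencies were selected by hand as well.
PARTIAL='wireshark-1.10.6-1.mga4
lib64wireshark3-1.10.5-1.mga4
lib64wiretap3-1.10.5-1.mga4
lib64wsutil3-1.10.5-1.mga4
dumpcap-1.10.5-1.mga4
example-other-1.0-1.mga4'
COMPLETE='wireshark-1.10.6-1.mga4
lib64wireshark3-1.10.6-1.mga4
lib64wiretap3-1.10.6-1.mga4
lib64wsutil3-1.10.6-1.mga4
dumpcap-1.10.6-1.mga4
tshark-1.10.6-1.mga4
example-other-1.0-1.mga4'

# Stand-alone demo on the constructed data.
printf '%s\n' "$PARTIAL"  | check_family "$WS_FAMILY" || echo "partial update detected (exit $?)"
printf '%s\n' "$COMPLETE" | check_family "$WS_FAMILY"
# On a real system:  rpm -qa | check_family "$WS_FAMILY"
```

A name pattern is enough for the wireshark family, whose sub-packages are all listed in the advisory; for a family whose names share nothing, query the source package directly instead (rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SOURCERPM}\n') and group on the second column.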
Comment 4 Marc Lattemann 2014-03-08 15:00:12 CET
(In reply to Thomas Backlund from comment #3)

> Nope, when using the updates_testing packages you usually need to manually
> select the deps, as you don't have it as an "update" repo.

Thanks for the info, Thomas


(In reply to Marc Lattemann from comment #2)

> Furthermore I don't know how to get CVE-2014-2283 to work. I never got the
> same messages as in the linked bug report... (same result before and after
> the update). But I think that I'm doing something wrong, since I can't get
> tshark/dumpcap running without being root

Ok - got it working as a normal user, however, I can't reproduce the bug. Since there is no regression after updating the packages and the update will fix the other bugs, I put the tested tag for mga4 64bit on the whiteboard. Please feel free to remove it if someone has a test procedure for CVE-2014-2283.
Comment 5 Marc Lattemann 2014-03-08 18:23:56 CET
same result on mga3 32bit:

CVE-2014-2281 and CVE-2014-2299 could be reproduced in the old version and are solved after the upgrade.
CVE-2014-2283 could not be reproduced, but basic wireshark functions were tested and no regression detected.
Comment 6 Marc Lattemann 2014-03-08 18:41:02 CET
tested successfully on MGA3 64bit
Comment 7 Marc Lattemann 2014-03-08 19:00:29 CET
tested successfully on MGA4 32bit

after the Advisory from Comment #0 is uploaded, the update can be validated and pushed to core_updates
Comment 8 claire robinson 2014-03-08 21:24:09 CET
Thanks Marc

Separate advisories uploaded for 3 & 4. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 9 Thomas Backlund 2014-03-08 22:47:34 CET
Mga3 update pushed:
http://advisories.mageia.org/MGASA-2014-0125.html

Mga4 update pushed:
http://advisories.mageia.org/MGASA-2014-0126.html
Comment 10 David Walser 2014-03-10 18:04:32 CET
LWN reference for CVE-2014-2282:
http://lwn.net/Vulnerabilities/590192/
