Upstream has issued new versions on March 7: http://www.wireshark.org/news/20140307.html Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory (Mageia 3): ======================== Updated wireshark packages fix security vulnerabilities: The NFS dissector could crash (CVE-2014-2281). The RLC dissector could crash (CVE-2014-2283). The MPEG file parser could overflow a buffer (CVE-2014-2299). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2281 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2283 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2299 https://www.wireshark.org/security/wnpa-sec-2014-01.html https://www.wireshark.org/security/wnpa-sec-2014-03.html https://www.wireshark.org/security/wnpa-sec-2014-04.html http://www.wireshark.org/docs/relnotes/wireshark-1.8.13.html http://www.wireshark.org/news/20140307.html ======================== Updated packages in core/updates_testing: ======================== wireshark-1.8.13-1.mga3 libwireshark2-1.8.13-1.mga3 libwireshark-devel-1.8.13-1.mga3 wireshark-tools-1.8.13-1.mga3 tshark-1.8.13-1.mga3 rawshark-1.8.13-1.mga3 dumpcap-1.8.13-1.mga3 from wireshark-1.8.13-1.mga3.src.rpm Advisory (Mageia 4): ======================== Updated wireshark packages fix security vulnerabilities: The NFS dissector could crash (CVE-2014-2281). The M3UA dissector could crash (CVE-2014-2282). The RLC dissector could crash (CVE-2014-2283). The MPEG file parser could overflow a buffer (CVE-2014-2299). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2281 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2281 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2283 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2299 https://www.wireshark.org/security/wnpa-sec-2014-01.html https://www.wireshark.org/security/wnpa-sec-2014-02.html https://www.wireshark.org/security/wnpa-sec-2014-03.html https://www.wireshark.org/security/wnpa-sec-2014-04.html http://www.wireshark.org/docs/relnotes/wireshark-1.10.6.html http://www.wireshark.org/news/20140307.html ======================== Updated packages in core/updates_testing: ======================== wireshark-1.10.6-1.mga4 libwireshark3-1.10.6-1.mga4 libwiretap3-1.10.6-1.mga4 libwsutil3-1.10.6-1.mga4 libwireshark-devel-1.10.6-1.mga4 wireshark-tools-1.10.6-1.mga4 tshark-1.10.6-1.mga4 rawshark-1.10.6-1.mga4 dumpcap-1.10.6-1.mga4 from wireshark-1.10.6-1.mga4.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
poc for CVE-2014-2281: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9672 poc for CVE-2014-2283: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9730 poc for CVE-2014-2299: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843
CC: (none) => marc.lattemann
testing on MGA4 64bit: after activating of update_testing repos and run urpmi wireshark, the dependencies dumpcap, lib64wireshark3, ib64wiretap3 and lib64wsutil3 will not be updated... e.g. [root@localhost marc]# rpm -qa | grep wireshark wireshark-1.10.6-1.mga4 lib64wireshark3-1.10.5-1.mga4 [root@localhost marc]# sample file for CVE-2014-2281 and CVE-2014-2299 are causing segmentation fault until dependencies are updated manually as well... After new installation of wireshark (with all dependencies) from update_testing repos) fixed both bugs. Did I made a mistake here? Furthermore I don't know how to get CVE-2014-2283 to work. Never got same messages like in the linked bugreport... (same result prior and after update). But I think that I'm doing something wrong, since I don't get tshark/dumpcap running without being root
Whiteboard: MGA3TOO => MGA3TOO has_procedure feedback
(In reply to Marc Lattemann from comment #2) > testing on MGA4 64bit: > > after activating of update_testing repos and run urpmi wireshark, > the dependencies dumpcap, lib64wireshark3, ib64wiretap3 and lib64wsutil3 > will not be updated... > > e.g. > [root@localhost marc]# rpm -qa | grep wireshark > wireshark-1.10.6-1.mga4 > lib64wireshark3-1.10.5-1.mga4 > [root@localhost marc]# > > sample file for CVE-2014-2281 and CVE-2014-2299 are causing segmentation > fault until dependencies are updated manually as well... After new > installation of wireshark (with all dependencies) from update_testing repos) > fixed both bugs. > > Did I made a mistake here? > Nope, when using the updates_testing packages you usually need to manually select the deps as you dont have it as an "update" repo. when it ends up in updates, urpmi and update applet will update all the packages ... This is actually something I think we should improve in packaging, as it will be needed to be able to do cherrypicking of backports
CC: (none) => tmbWhiteboard: MGA3TOO has_procedure feedback => MGA3TOO has_procedure
(In reply to Thomas Backlund from comment #3) > Nope, when using the updates_testing packages you usually need to manually > select the deps as you dont have it as an "update" repo. Thanks for the info, Thomas (In reply to Marc Lattemann from comment #2) > Furthermore I don't know how to get CVE-2014-2283 to work. Never got same > messages like in the linked bugreport... (same result prior and after > update). But I think that I'm doing something wrong, since I don't get > tshark/dumpcap running without being root Ok- got it working as usual user, however, can't reproduce bug. Since no regression after updating packages and update will fix other bugs, I put tested tag for mga4 64bit to whiteboard. Please feel free to remove since someone will test-procedure for CVE-2014-2283.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-OK
same result in mga3 32bit: CVE-2014-2281 and CVE-2014-2299 could be reproduced in old version and are solved after upgrade. CVE-2014-2283 could not be reproduced, but basic wireshark functions are tested and no regression detected.
Whiteboard: MGA3TOO has_procedure mga4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-32-OK
tested successfully on MGA3 64bit
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA3-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-32-OK MGA3-64-OK
tested successfully on MGA4 32bit after Advisory from Comment #0 is uploaded, update can be validated and pushed to core_udpates
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-32-OK MGA3-64-OK MGA4-32-OK
Thanks Marc Separate advisories uploaded for 3 & 4. Validating. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO has_procedure advisory MGA4-64-OK MGA3-32-OK MGA3-64-OK MGA4-32-OK
Mga3 update pushed: http://advisories.mageia.org/MGASA-2014-0125.html Mga4 update pushed: http://advisories.mageia.org/MGASA-2014-0126.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/590188/
LWN reference for CVE-2014-2282: http://lwn.net/Vulnerabilities/590192/