Upstream has released new versions on September 16: https://www.wireshark.org/news/20140916.html

Freeze push requested for Cauldron for 1.12.1.

Updated packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated wireshark packages fix security vulnerabilities:

RTP dissector crash (CVE-2014-6421, CVE-2014-6422).
MEGACO dissector infinite loop (CVE-2014-6423).
Netflow dissector crash (CVE-2014-6424).
RTSP dissector crash (CVE-2014-6427).
SES dissector crash (CVE-2014-6428).
Sniffer file parser crash (CVE-2014-6429, CVE-2014-6430, CVE-2014-6431, CVE-2014-6432).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6428
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6432
https://www.wireshark.org/security/wnpa-sec-2014-12.html
https://www.wireshark.org/security/wnpa-sec-2014-13.html
https://www.wireshark.org/security/wnpa-sec-2014-14.html
https://www.wireshark.org/security/wnpa-sec-2014-17.html
https://www.wireshark.org/security/wnpa-sec-2014-18.html
https://www.wireshark.org/security/wnpa-sec-2014-19.html
https://www.wireshark.org/docs/relnotes/wireshark-1.10.10.html
https://www.wireshark.org/news/20140916.html
========================

Updated packages in core/updates_testing:
========================

wireshark-1.10.10-1.mga3
libwireshark3-1.10.10-1.mga3
libwiretap3-1.10.10-1.mga3
libwsutil3-1.10.10-1.mga3
libwireshark-devel-1.10.10-1.mga3
wireshark-tools-1.10.10-1.mga3
tshark-1.10.10-1.mga3
rawshark-1.10.10-1.mga3
dumpcap-1.10.10-1.mga3

wireshark-1.10.10-1.mga4
libwireshark3-1.10.10-1.mga4
libwiretap3-1.10.10-1.mga4
libwsutil3-1.10.10-1.mga4
libwireshark-devel-1.10.10-1.mga4
wireshark-tools-1.10.10-1.mga4
tshark-1.10.10-1.mga4
rawshark-1.10.10-1.mga4
dumpcap-1.10.10-1.mga4

from SRPMS:
wireshark-1.10.10-1.mga3.src.rpm
wireshark-1.10.10-1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Wireshark
Whiteboard: (none) => MGA3TOO has_procedure
Tested wireshark 1.10.10-1.mga4 on MGA4 i586.

I have this message, only when starting as root, don't know if it's normal:

Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.

But all seems ok.
CC: (none) => patr_and
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK
We need to alter the procedure on the wiki. It used to be true that you would start wireshark as root but since mga2 or 3 you now add the wireshark group to your user.
There are some PoCs for this, normally are for wireshark actually. Check the wireshark links, they link to bug reports with pcap files.

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9920
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10333
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10370
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10381
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10454
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10461
Testing mga4 64

Before
------

$ wget http://www.wireshark.org/download/automated/captures/fuzz-2014-03-22-14025.pcap
$ tshark -nr fuzz-2014-03-22-14025.pcap
<snip>
 2412 131.343625000  10.0.131.10 -> 10.0.131.72  IPv4 214 Fragmented IP protocol (proto=UDP 17, off=624, ID=01b7)
 2413 131.362951000  10.0.131.72 -> 10.0.131.10  RTP 214 PT=ITU-T G.711 PCMA, SSRC=0xBD27F00E, Seq=432, Time=1208800
 2414 131.364119000  10.0.131.10 -> 10.0.131.72  RTP 214 PT=ITU-T G.711 PCMA, SSRC=0xDEAD0019, Seq=4536, Time=268505856
 2415 131.380550000  10.0.131.72 -> 10.0.131.10  RTP 214 PT=ITU-T G.711 PCMA, SSRC=0xBD27F00E, Seq=433, Time=1208960
 2416 131.383647000  10.0.131.10 -> 10.0.131.72  RTP 214 PT=ITU-T G.711 PCMA, SSRC=0xDEAD0019, Seq=4537, Time=268506016
Segmentation fault

$ wget http://www.wireshark.org/download/automated/captures/fuzz-2014-08-01-15014.pcap
$ tshark -nr fuzz-2014-08-01-15014.pcap
$ wireshark fuzz-2014-08-01-15014.pcap
No ill effects in tshark or wireshark.

$ wget https://www.wireshark.org/download/automated/captures/fuzz-2014-08-11-32641.pcap
$ tshark -nr fuzz-2014-08-11-32641.pcap
$ wireshark fuzz-2014-08-11-32641.pcap
No ill effects in tshark or wireshark.

$ wget https://www.wireshark.org/download/automated/captures/fuzz-2014-08-14-9469.pcap
$ wireshark fuzz-2014-08-14-9469.pcap
$ tshark -nr fuzz-2014-08-14-9469.pcap
No ill effects in tshark or wireshark.

$ wget https://www.wireshark.org/download/automated/captures/fuzz-2014-09-07-19671.pcap
$ tshark -nr fuzz-2014-09-07-19671.pcap
$ wireshark fuzz-2014-09-07-19671.pcap
No ill effects in tshark or wireshark.

$ wget -O ngsniffer_noklee.c https://bugs.wireshark.org/bugzilla/attachment.cgi?id=13049
$ gcc -g -DRANDOM ngsniffer_noklee.c
$ valgrind ./a.out
==22446== Memcheck, a memory error detector
==22446== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==22446== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==22446== Command: ./a.out
==22446==
==22446== Source and destination overlap in memcpy(0x51f7654, 0x51f7633, 71)
==22446==    at 0x4C2A693: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==22446==    by 0x400AB8: SnifferDecompress (ngsniffer_noklee.c:187)
==22446==    by 0x400C57: main (ngsniffer_noklee.c:250)
==22446==
==22446== Source and destination overlap in memcpy(0x51f6e62, 0x51f6e5f, 14)
==22446==    at 0x4C2A693: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==22446==    by 0x400B62: SnifferDecompress (ngsniffer_noklee.c:216)
==22446==    by 0x400C57: main (ngsniffer_noklee.c:250)
<ctrl-c>
Testing complete mga4 64

After
-----

Confirmed the segfault is now cleared and no regressions with the other testcases.

$ rm -f a.out
$ gcc -g -DRANDOM ngsniffer_noklee.c
$ valgrind ./a.out

With the last one valgrind showed similar output before and after, but no sign of the 'invalid write'.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10461
Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK mga4-64-ok
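A small harness for the testing procedure used above, added here as an example and not taken from the bug report or from the Mageia QA wiki: it runs a dissector command such as `tshark -nr` over each capture file and classifies the exit status, so a segfault like the one seen before the update with fuzz-2014-03-22-14025.pcap is flagged automatically instead of being spotted by eye. The function names are my own, and the command and capture paths are passed in by the caller.

```shell
#!/bin/sh
# Added example (not part of the bug report): classify how a dissector run ended.
# POSIX shells report death by signal as 128+signo, so 139 means SIGSEGV.
# classify_status STATUS -> prints "ok", "error" or "crash:SIGNAME"
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        signo=$((status - 128))
        case $signo in
            11) echo crash:SIGSEGV ;;
            6)  echo crash:SIGABRT ;;
            7)  echo crash:SIGBUS ;;
            *)  echo "crash:SIG$signo" ;;
        esac
    else
        # Non-zero but not a signal: unreadable file, bad option, etc.
        echo error
    fi
}

# run_capture_tests CMD FILE... -> runs CMD (e.g. "tshark -nr") on each file,
# prints "<file> <result>" per file, returns 1 if any run crashed, else 0.
run_capture_tests() {
    cmd=$1; shift
    failed=0
    for f in "$@"; do
        # Dissection output is discarded; only the exit status matters here.
        $cmd "$f" >/dev/null 2>&1
        result=$(classify_status $?)
        echo "$f $result"
        case $result in crash:*) failed=1 ;; esac
    done
    return $failed
}

# Typical use once the fuzz captures are downloaded (paths are assumptions):
# run_capture_tests "tshark -nr" fuzz-2014-03-22-14025.pcap fuzz-2014-08-01-15014.pcap
```

A non-zero return from run_capture_tests in the "Before" run and zero in the "After" run gives the same before/after evidence as the manual session above.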
Seems it just needed to be left to run for a while longer. With the updates still installed I do see the Invalid write after a couple of minutes run time.

<snip>
==31050== Invalid write of size 1
==31050==    at 0x400880: SnifferDecompress (ngsniffer_noklee.c:90)
==31050==    by 0x400C57: main (ngsniffer_noklee.c:250)
==31050==  Address 0x5205080 is 0 bytes after a block of size 65,536 alloc'd
==31050==    at 0x4C266ED: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31050==    by 0x400BD0: main (ngsniffer_noklee.c:241)

Same for mga3 64 too.

Should this be corrected in this update, perhaps a bad reference?
Testing complete mga3 64 (assuming the Invalid write is OK)

Same output as mga4 64.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK mga4-64-ok => MGA3TOO has_procedure mga3-64-ok MGA4-32-OK mga4-64-ok
Testing complete mga3 32

Confirmed the memory errors still exist here too. All else is Ok though.

$ valgrind ./a.out
==4427== Memcheck, a memory error detector
==4427== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==4427== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==4427== Command: ./a.out
==4427==
==4427== Source and destination overlap in memcpy(0x421f363, 0x421f288, 224)
==4427==    at 0x402AE41: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==4427==    by 0x80487B5: SnifferDecompress (ngsniffer_noklee.c:187)
==4427==    by 0x8048955: main (ngsniffer_noklee.c:250)
==4427==
==4427== Source and destination overlap in memcpy(0x421fa80, 0x421fa78, 15)
==4427==    at 0x402AE41: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==4427==    by 0x8048843: SnifferDecompress (ngsniffer_noklee.c:216)
==4427==    by 0x8048955: main (ngsniffer_noklee.c:250)
==4427==
==4427== Invalid write of size 1
==4427==    at 0x80485BE: SnifferDecompress (ngsniffer_noklee.c:90)
==4427==    by 0x8048955: main (ngsniffer_noklee.c:250)
==4427==  Address 0x4223058 is 0 bytes after a block of size 65,536 alloc'd
==4427==    at 0x4029344: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==4427==    by 0x80488AF: main (ngsniffer_noklee.c:241)
Whiteboard: MGA3TOO has_procedure mga3-64-ok MGA4-32-OK mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK mga4-64-ok
Confirmed these memory errors are expected as it's not actually using wireshark code from our package, so doesn't change with the update installed.

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0386.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/613194/