Upstream has released new versions on June 7:
https://www.wireshark.org/news/20160607.html

CVE request:
http://openwall.com/lists/oss-security/2016/06/08/1

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated wireshark packages fix security vulnerabilities:

The wireshark package has been updated to version 2.0.4, which fixes several
security issues where a malformed packet trace could cause it to crash or go
into an infinite loop, and fixes several other bugs as well. See the release
notes for details.

References:
https://www.wireshark.org/security/wnpa-sec-2016-29.html
https://www.wireshark.org/security/wnpa-sec-2016-30.html
https://www.wireshark.org/security/wnpa-sec-2016-31.html
https://www.wireshark.org/security/wnpa-sec-2016-32.html
https://www.wireshark.org/security/wnpa-sec-2016-33.html
https://www.wireshark.org/security/wnpa-sec-2016-34.html
https://www.wireshark.org/security/wnpa-sec-2016-35.html
https://www.wireshark.org/security/wnpa-sec-2016-36.html
https://www.wireshark.org/security/wnpa-sec-2016-37.html
https://www.wireshark.org/docs/relnotes/wireshark-2.0.4.html
https://www.wireshark.org/news/20160607.html
========================

Updated packages in core/updates_testing:
========================
wireshark-2.0.4-1.mga5
libwireshark6-2.0.4-1.mga5
libwiretap5-2.0.4-1.mga5
libwsutil6-2.0.4-1.mga5
libwireshark-devel-2.0.4-1.mga5
wireshark-tools-2.0.4-1.mga5
tshark-2.0.4-1.mga5
rawshark-2.0.4-1.mga5
dumpcap-2.0.4-1.mga5

from wireshark-2.0.4-1.mga5.src.rpm
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Wireshark
Whiteboard: (none) => has_procedure
Testing this on x86_64 using the documented procedure.
CC: (none) => tarazed25
Installed the wireshark suite before updating.

$ sudo usermod -a -G wireshark lcl
$ cat /etc/group | grep lcl
lcl:x:1000:
vboxusers:x:416:lcl
wireshark:x:407:lcl

Ran wiresharktest to verify that it was installed and working.
Updated the packages.

$ wireshark -n wiresharktest
wiresharktest does not exist
"Welcome to Wireshark" window opens and Open Capture File window.

$ tshark -nr wiresharktest
tshark: The file "wiresharktest" doesn't exist.

So where are the test files? Thinking that they might come with the development package I ran updatedb and "locate wiresharktest" but came up empty.
Missed the initial root mode instruction but running as root does not help. The capture interface expects the user to open an existing file. Have no clue about using the interfaces. Looks like the procedure is not much use without a lot of prior knowledge.
Virtually everything was greyed out under root, so reverted to user mode and tried start capture. No packets captured. Need to apply filters, I suspect. Back to the fine manual. This is going to take months.
urpmf shows no results for wiresharktest

Len, not sure where that file is from? There are usually some pcap files etc. attached to the upstream bug reports which are useful for testing this with.
/usr/share/doc/wireshark/README.urpmi explains what is needed for wireshark to capture packets. I guess I should stop posting links to that Wiki procedure as it doesn't make sense. A basic packet capture and analysis is a good test, as is following the procedures on the upstream bugs to test the PoCs for the security fixes (when they are available), which usually involve using the tshark command.
@ Claire. The implication is that the test file needs to be generated, which as I said, requires some familiarity with the field. Shall follow your advice and look upstream. @ David. Shall follow your guidelines - later (probably much later).
CVEs:
http://openwall.com/lists/oss-security/2016/06/09/4

Advisory:
========================

Updated wireshark packages fix security vulnerabilities:

The SPOOLS dissector could go into an infinite loop (CVE-2016-5350).

The IEEE 802.11 dissector could crash (CVE-2016-5351).

The IEEE 802.11 dissector could crash (CVE-2016-5352).

The UMTS FP dissector could crash (CVE-2016-5353).

Some USB dissectors could crash (CVE-2016-5354).

The Toshiba file parser could crash (CVE-2016-5355).

The CoSine file parser could crash (CVE-2016-5356).

The NetScreen file parser could crash (CVE-2016-5357).

The Ethernet dissector could crash (CVE-2016-5358).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5350
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5351
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5352
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5353
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5354
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5355
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5356
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5357
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5358
https://www.wireshark.org/security/wnpa-sec-2016-29.html
https://www.wireshark.org/security/wnpa-sec-2016-30.html
https://www.wireshark.org/security/wnpa-sec-2016-31.html
https://www.wireshark.org/security/wnpa-sec-2016-32.html
https://www.wireshark.org/security/wnpa-sec-2016-33.html
https://www.wireshark.org/security/wnpa-sec-2016-34.html
https://www.wireshark.org/security/wnpa-sec-2016-35.html
https://www.wireshark.org/security/wnpa-sec-2016-36.html
https://www.wireshark.org/security/wnpa-sec-2016-37.html
https://www.wireshark.org/docs/relnotes/wireshark-2.0.4.html
https://www.wireshark.org/news/20160607.html
http://openwall.com/lists/oss-security/2016/06/09/4
Acquired the PoC files after the update so this is not a full test. Shall test in i586 vm later to demonstrate crashes.

There are PoC test files for some of the CVEs; none of them crash. tshark handles them cleanly, attempting to analyze them where possible. This is lengthy; apologies for that. More later after exercising the wireshark interface.

Using:
$ tshark -r pocfile

Toshiba:
tshark -> summary, wireshark reads it OK
tshark displays the contents as a whole load of A's (0x41)

CoSine:
tshark thinks the file damaged or corrupt
The file "S_85i4546lx3_Wireshark_cosine_PoC.pcap" appears to be damaged or corrupt.
wireshark agrees

$ tshark -r signal_sigsegv_7fffee584e50_1949_e9b9a0aed9b5628c7827dcdd6fc6e98c10dc86e636c46096.pcap
  1   0.000000            host -> 1.8.0        USB 57 GET DESCRIPTOR Request CONFIGURATION
  2 -1170749184.022102   1.8.0 -> host         USB 87 GET DESCRIPTOR Response CONFIGURATION
  3 -1153971929.935896    host -> 1.8.2        USB 79 URB_BULK out
  4 -3578.933001         1.8.1 -> host         USB 61 URB_BULK in
  5 -1153023976.931754    host -> 1.8.2        USBMS 79 SCSI: Mode Sense(6) LUN: 0x00
tshark: The file "signal_sigsegv_7fffee584e50_1949_e9b9a0aed9b5628c7827dcdd6fc6e98c10dc86e636c46096.pcap" appears to be damaged or corrupt.
(pcap: File has 2097151-byte packet, bigger than maximum of 262144)

$ tshark -r signal_sigsegv_7fffee584e50_7225_fe76f498b697a96413052bb16aa15270765478876532870b.pcap
  1   0.000000            host -> 1.8.0        USB 2483027768 GET DESCRIPTOR Request CONFIGURATION
  2  -0.010767           1.8.0 -> host         USB 87 GET DESCRIPTOR Response CONFIGURATION
  3 -13121241.935896      host -> 1.66.2       USBMS 79 SCSI: Inquiry LUN: 0x00
  4   5.066999           1.8.1 -> host         USB 61 URB_BULK in
  5   5.067156            host -> 1.8.2        USBMS 79 SCSI Command: 0x43 LUN:0x00
tshark: The file "signal_sigsegv_7fffee584e50_7225_fe76f498b697a96413052bb16aa15270765478876532870b.pcap" appears to have been cut short in the middle of a packet.
CVE ...5357 : netscreen test

$ tshark -r S_xtci0ba8xi_Wireshark_netscreen_PoC.pcap
tshark: The file "S_xtci0ba8xi_Wireshark_netscreen_PoC.pcap" appears to be damaged or corrupt.
(netscreen: File has 262176-byte packet, bigger than maximum of 262144)

CVE ...5352 : dissector crash tests

$ tshark -nVxr asan_heap-oob_4557e4_1285_21aa34231f73e6640365f97a56edb8a3.cap
Frame 1: 69 bytes on wire (552 bits), 69 bytes captured (552 bits)
    Encapsulation type: IEEE 802.11 Wireless LAN (20)
    Arrival Time: Nov 15, 2007 16:33:31.754819000 GMT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1195144411.754819000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 69 bytes (552 bits)
    Capture Length: 69 bytes (552 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: wlan:llc:eapol]
IEEE 802.11 Data, Flags: .......T
    Type/Subtype: Data (0x0020)
    Frame Control Field: 0x0801
        .... ..00 = Version: 0
        .... 10.. = Type: Data frame (2)
        0000 .... = Subtype: 0
        Flags: 0x01
            .... ..01 = DS status: Frame from STA to DS via an AP (To DS: 1 From DS: 0) (0x01)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    .000 0000 0010 1100 = Duration: 44 microseconds
    Receiver address: 00:1b:11:60:82:f9
    Destination address: 00:1b:11:60:82:f9
    Transmitter address: 00:1a:4f:9f:7e:a4
    Source address: 00:1a:4f:9f:7e:a4
    BSS Id: 00:1b:11:60:82:f9
    STA address: 00:1a:4f:9f:7e:a4
    .... .... .... 0000 = Fragment number: 0
    0100 0100 1100 .... = Sequence number: 1100
Logical-Link Control
    DSAP: SNAP (0xaa)
        1010 101. = SAP: SNAP
        .... ...0 = IG Bit: Individual
    SSAP: SNAP (0xaa)
        1010 101. = SAP: SNAP
        .... ...0 = CR Bit: Command
    Control field: U, func=UI (0x03)
        000. 00.. = Command: Unnumbered Information (0x00)
        .... ..11 = Frame type: Unnumbered frame (0x03)
    Organization Code: Encapsulated Ethernet (0x000000)
    Type: 802.1X Authentication (0x888e)
802.1X Authentication
    Version: Unknown (142)
    Type: Key (3)
    Length: 0
[Malformed Packet: EAPOL]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]

0000  08 01 2c 00 00 1b 11 60 82 f9 00 1a 4f 9f 7e a4   ..,....`....O.~.
0010  00 1b 11 60 82 f9 c0 44 aa aa 03 00 00 00 88 8e   ...`...D........
0020  8e 03 00 00 02 0f fe ff ff 1f 0b 00 84 db 00 00   ................
0030  ff 47 83 74 00 3c 69 ff 00 00 46 00 00 00 46 00   .G.t.<i...F...F.
0040  65 10 4c 4e 00                                    e.LN.

$ tshark -r asan_heap-oob_4557e4_4089_48b71f6d4c1deccaae1d67a233556e69931a551c78d36c34.cap
  1   0.000000 00:1a:4f:9f:7e:a4 -> 00:1b:11:60:82:f9 EAPOL 70 Key[Malformed Packet]

$ tshark -r asan_heap-oob_4557e4_8959_8ea8c4ad7befadb0a4b0e38e06c5695535f5e0d265888e41.cap
  1   0.000000 00:1a:4f:9f:7e:a4 -> 00:1b:11:60:82:f9 EAPOL 69 Key[Malformed Packet]
The two signal_segv* files are associated with CVE-2016-5354.
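The PoC checks above are done by hand: run tshark -r on each file and watch whether the parser finishes, hangs (the infinite-loop class of bug in the advisory) or dies with a signal (the crash class). The harness below scripts that classification. It is an added example written for this page, not code from the bug report, from Mageia QA or from the Wireshark project. It assumes tshark is on PATH and that the coreutils timeout command is available; the TRIAGE_TIMEOUT variable, the function names and the ./poc-files directory are hypothetical.

```sh
#!/bin/sh
# Added example (not from the bug report): classify how a parser run ends.
# Exit status 0   -> handled cleanly (tshark may still report "damaged or corrupt",
#                    which is the intended behaviour for a malformed trace)
# Exit status 124 -> timeout elapsed, candidate infinite loop
# Exit status >128 -> killed by a signal, candidate crash (139 = SIGSEGV)
# Anything else   -> tshark's own error exit, reported as-is

TRIAGE_TIMEOUT="${TRIAGE_TIMEOUT:-30}"   # seconds before a run counts as hung (hypothetical knob)

# triage_run CMD [ARGS...]: run CMD under a timeout and print one word:
#   ok | timeout | crash:<signal number> | error:<exit status>
# The command is an argument, so the harness can be exercised with plain shell
# commands as well as with "tshark -r FILE".
triage_run() {
    rc=0
    if timeout "$TRIAGE_TIMEOUT" "$@" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?           # status of the if-condition survives into the else branch
    fi
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -eq 124 ]; then
        echo timeout
    elif [ "$rc" -gt 128 ]; then
        echo "crash:$((rc - 128))"
    else
        echo "error:$rc"
    fi
}

# triage_dir DIR: run "tshark -r FILE" on every capture in DIR, one line per file,
# verdict first so the output can be sorted or grepped for "crash"/"timeout".
triage_dir() {
    dir="$1"
    for f in "$dir"/*.pcap "$dir"/*.cap "$dir"/*.pcapng; do
        [ -e "$f" ] || continue
        printf '%s\t%s\n' "$(triage_run tshark -r "$f")" "$f"
    done
}

# Usage (hypothetical directory holding the PoC files from the upstream bugs):
#   triage_dir ./poc-files
```

Run it once against the pre-update packages and once after the update: a file that moves from crash or timeout to ok is the fix being verified, while a file that was already ok before (as with the PoCs checked above) shows nothing either way, which is why the comment above notes that checking them only after updating is not a full test.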
Invoked the wireshark interface and followed the wiki link. Skimmed through the tutorial then started an ethernet (default) capture and stopped that at 392 packets. Captured the data to a local file.

$ ls -l ethernettestonvega.pcapng
-rw-r--r-- 1 lcl wireshark 273744 Jun 10 10:07 ethernettestonvega.pcapng

The Go menu item allowed selection of first, last, next and previous frames. For each packet there is a timestamp, source, destination, protocol, number of bytes, and some technical information. In this case the sources and destinations appeared to be mostly LAN addresses or MAC addresses. Some of the network addresses appeared to be external, e.g.

328:timestamp:104.25.11.6:192.168.1.3:TLSv1.2:1377 bytes:Application data

$ dig 104.25.11.6

; <<>> DiG 9.10.3-P4 <<>> 104.25.11.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23923
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;104.25.11.6.			IN	A

;; ANSWER SECTION:
104.25.11.6.		0	IN	A	104.25.11.6

;; Query time: 3 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jun 10 10:11:38 BST 2016
;; MSG SIZE  rcvd: 56

$ nslookup 104.25.11.6
Server:		192.168.1.1
Address:	192.168.1.1#53

** server can't find 6.11.25.104.in-addr.arpa: NXDOMAIN

Protocols covered NFS, TCP and STP among others.

Under View there is a name resolution option -> network resolution. For the capture file there are no host name entries but 6015 services are listed along with port numbers, such as:

limnerpressure 8191/tcp
spytechphone 8192/tcp
spytechphone 8192/udp
tcpmux 1/tcp
tcpmux 1/udp
compressnet 3/tcp
compressnet 3/udp

This is a complex and powerful tool, but this is as far as I can take it with my very limited understanding of networking. The overall impression is that wireshark is OK.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: wireshark libwireshark6 libwiretap5 libwsutil6 wireshark-tools tshark

Assign wilcal to the wireshark group, restart wilcal.

default install of wireshark libwireshark6 libwiretap5 libwsutil6 wireshark-tools tshark:

[root@localhost wilcal]# urpmi wireshark
Package wireshark-2.0.3-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libwireshark6
Package libwireshark6-2.0.3-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libwiretap5
Package libwiretap5-2.0.3-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libwsutil6
Package libwsutil6-2.0.3-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi wireshark-tools
Package wireshark-tools-2.0.3-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi tshark
Package tshark-2.0.3-1.mga5.i586 is already installed

Running wireshark I can capture and save to a file (ws1.pcapng) traffic on enp0s3.
Close wireshark. Reopen ws1.pcapng with wireshark and review the data.
wireshark tools like tshark work:

[wilcal@localhost Documents]$ tshark >> test01.txt
Capturing on 'enp0s3'
1758 ^Z
[2]+  Stopped                 tshark >> test01.txt

Filter: ip.src == 192.168.1.143 works ( this system )
Filter: not ip.addr == 192.168.1.15 works ( Yamaha receiver )

install wireshark libwireshark6 libwiretap5 libwsutil6 wireshark-tools & tshark from updates_testing

[root@localhost wilcal]# urpmi wireshark
Package wireshark-2.0.4-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libwireshark6
Package libwireshark6-2.0.4-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libwiretap5
Package libwiretap5-2.0.4-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libwsutil6
Package libwsutil6-2.0.4-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi wireshark-tools
Package wireshark-tools-2.0.4-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi tshark
Package tshark-2.0.4-1.mga5.i586 is already installed

Running wireshark I can capture and save to a file (ws2.pcapng) traffic on enp0s3.
Close wireshark. Reopen ws1.pcapng & ws2.pcapng with wireshark and review the data.

wireshark tools like tshark work:

[wilcal@localhost Documents]$ tshark >> test02.txt
Capturing on 'enp0s3'
1758 ^Z
[2]+  Stopped                 tshark >> test02.txt

Filter: ip.src == 192.168.1.143 works ( this system )
Filter: not ip.addr == 192.168.1.15 works ( Yamaha receiver )
CC: (none) => wilcal.int
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: wireshark lib64wireshark6 lib64wiretap5 lib64wsutil6 wireshark-tools tshark

Assign wilcal to the wireshark group, restart wilcal.

default install of wireshark lib64wireshark6 lib64wiretap5 lib64wsutil6 wireshark-tools tshark:

[root@localhost wilcal]# urpmi wireshark
Package wireshark-2.0.3-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wireshark6
Package lib64wireshark6-2.0.3-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wiretap5
Package lib64wiretap5-2.0.3-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wsutil6
Package lib64wsutil6-2.0.3-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi wireshark-tools
Package wireshark-tools-2.0.3-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi tshark
Package tshark-2.0.3-1.mga5.x86_64 is already installed

Running wireshark I can capture and save to a file (ws1.pcapng) traffic on enp0s3.
Close wireshark. Reopen ws1.pcapng with wireshark and review the data.
wireshark tools like tshark work:

[wilcal@localhost Documents]$ tshark >> test01.txt
Capturing on 'enp0s3'
1758 ^Z
[2]+  Stopped                 tshark >> test01.txt

Filter: ip.src == 192.168.1.141 works ( this system )
Filter: not ip.addr == 192.168.1.15 works ( Yamaha receiver )

install wireshark lib64wireshark6 lib64wiretap5 lib64wsutil6 wireshark-tools & tshark from updates_testing

[root@localhost wilcal]# urpmi wireshark
Package wireshark-2.0.4-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wireshark6
Package lib64wireshark6-2.0.4-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wiretap5
Package lib64wiretap5-2.0.4-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wsutil6
Package lib64wsutil6-2.0.4-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi wireshark-tools
Package wireshark-tools-2.0.4-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi tshark
Package tshark-2.0.4-1.mga5.x86_64 is already installed

Running wireshark I can capture and save to a file (ws2.pcapng) traffic on enp0s3.
Close wireshark. Reopen ws1.pcapng & ws2.pcapng with wireshark and review the data.

wireshark tools like tshark work:

[wilcal@localhost Documents]$ tshark >> test02.txt
Capturing on 'enp0s3'
1758 ^Z
[2]+  Stopped                 tshark >> test02.txt

Filter: ip.src == 192.168.1.141 works ( this system )
Filter: not ip.addr == 192.168.1.15 works ( Yamaha receiver )
This update works fine.

Testing complete for MGA5, 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push to updates? Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
advisory added
CC: (none) => tmb
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0223.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/691100/