Description of problem:

CVE-2011-4100
The csnStreamDissector function in epan/dissectors/packet-csn1.c in the CSN.1 dissector in Wireshark 1.6.x before 1.6.3 does not initialize a certain variable, which allows remote attackers to cause a denial of service (application crash) via a malformed packet.

CVE-2011-4101
The dissect_infiniband_common function in epan/dissectors/packet-infiniband.c in the Infiniband dissector in Wireshark 1.4.0 through 1.4.9 and 1.6.x before 1.6.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed packet.

CVE-2011-4102
Heap-based buffer overflow in the erf_read_header function in wiretap/erf.c in the ERF file parser in Wireshark 1.4.0 through 1.4.9 and 1.6.x before 1.6.3 allows remote attackers to cause a denial of service (application crash) via a malformed file.
The mga1 version of wireshark is susceptible to CVE-2011-4102, already patched and waiting for review; for Cauldron we should be safe, as we already have wireshark 1.6.3.
Status: NEW => ASSIGNED
There is now wireshark-1.4.6-2.3.mga1 in core/updates_testing to validate

-------------------------------------------------------
Suggested advisory:
-------------------
This update addresses the following CVEs:

- CVE-2011-4102
Heap-based buffer overflow in the erf_read_header function in wiretap/erf.c in the ERF file parser in Wireshark 1.4.0 through 1.4.9 and 1.6.x before 1.6.3 allows remote attackers to cause a denial of service (application crash) via a malformed capture file.
http://www.wireshark.org/security/wnpa-sec-2011-19.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6479
-------------------------------------------------------
Steps to reproduce:
- install/update to update candidate
- there is a POC capture file available from:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6479#c0

The unpatched wireshark version crashes with a segfault; the patched version should not segfault but should instead output an error message like: "erf: File has 0 byte packet"
Assignee: doktor5000 => qa-bugs
(In reply to comment #2)
> There is now wireshark-1.4.6-2.3.mga1 in core/updates_testing to validate
> -------------------------------------------------------
[...]
> The unpatched wireshark version crashes with a segfault, the patched version
> should not segfault, but output an error message like: "erf: File has 0 byte
> packet"

Or not. The patch seems not fully effective; already contacted upstream and the author of the fix.
Assignee: qa-bugs => doktor5000
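An added illustration, not code from Wireshark or from this update: a minimal reader for the ERF base record header that shows the kind of length check the expected error message in comment 2 implies, beside the unchecked arithmetic that a record length smaller than the header turns into a near-4 GiB payload size. The field layout follows the Endace ERF base header (16 bytes: timestamp, type, flags, rlen, lctr, wlen); the function names, status codes, error wording and the hand-assembled sample records are this example's own assumptions, and it leaves out the ERF extension headers and per-type subheaders that wiretap's real erf_read_header also parses.

```c
/*
 * Added example (not wiretap/erf.c): validating the ERF record length before
 * deriving a payload size from it.
 *
 * ERF base record header, 16 bytes:
 *   0..7   ts     64-bit timestamp (little-endian; not interpreted here)
 *   8      type   record type (0x80 bit = extension headers follow; not handled)
 *   9      flags
 *   10..11 rlen   record length INCLUDING this header, big-endian
 *   12..13 lctr   loss counter / colour, big-endian
 *   14..15 wlen   wire length, big-endian
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ERF_HEADER_LEN 16u

enum erf_status { ERF_OK = 0, ERF_SHORT_HEADER, ERF_BAD_RLEN, ERF_TRUNCATED };

typedef struct {
    uint8_t  type, flags;
    uint16_t rlen, lctr, wlen;
    const uint8_t *payload;
    size_t payload_len;
} erf_record_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Unchecked arithmetic: rlen minus the header with no range check. An rlen
 * below 16 wraps the unsigned subtraction to a value just under 4 GiB, which
 * is what a caller would then try to allocate and read the record into. */
uint32_t erf_payload_len_unchecked(const uint8_t *buf)
{
    return (uint32_t)be16(buf + 10) - ERF_HEADER_LEN;
}

/* Checked reader: rejects rlen values that cannot cover the header, and
 * records whose claimed payload does not fit in the bytes actually present. */
enum erf_status erf_read_record(const uint8_t *buf, size_t len, erf_record_t *rec,
                                char *err, size_t errlen)
{
    if (len < ERF_HEADER_LEN) {
        snprintf(err, errlen, "erf: truncated record header (%zu bytes)", len);
        return ERF_SHORT_HEADER;
    }
    rec->type  = buf[8];
    rec->flags = buf[9];
    rec->rlen  = be16(buf + 10);
    rec->lctr  = be16(buf + 12);
    rec->wlen  = be16(buf + 14);

    /* The check the thread's expected message points at: rlen must at least
     * cover the header, otherwise the subtraction below would underflow. */
    if (rec->rlen < ERF_HEADER_LEN) {
        snprintf(err, errlen, "erf: File has %u byte packet, smaller than the %u byte record header",
                 (unsigned)rec->rlen, ERF_HEADER_LEN);
        return ERF_BAD_RLEN;
    }
    rec->payload_len = rec->rlen - ERF_HEADER_LEN;      /* cannot underflow now */
    if (rec->payload_len > len - ERF_HEADER_LEN) {
        snprintf(err, errlen, "erf: record claims %zu payload bytes but only %zu remain",
                 rec->payload_len, len - ERF_HEADER_LEN);
        return ERF_TRUNCATED;
    }
    rec->payload = buf + ERF_HEADER_LEN;
    return ERF_OK;
}

/* Constructed sample records (hand-assembled bytes, not from any real capture). */
/* Well-formed: type 2 (Ethernet), rlen 20 = 16 header + 4 payload, wlen 4. */
const uint8_t ERF_GOOD[] = {
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,   /* ts */
    0x02, 0x00,                                /* type, flags */
    0x00,0x14,                                 /* rlen = 20 */
    0x00,0x00,                                 /* lctr */
    0x00,0x04,                                 /* wlen = 4 */
    0xde,0xad,0xbe,0xef };                     /* payload */
/* Malformed: rlen = 0, shorter than the header itself. */
const uint8_t ERF_ZERO_RLEN[] = {
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, 0x02,0x00, 0x00,0x00, 0x00,0x00, 0x00,0x00 };
/* Malformed: rlen = 100 but only 4 payload bytes follow (file cut short). */
const uint8_t ERF_TRUNC[] = {
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, 0x02,0x00, 0x00,0x64, 0x00,0x00, 0x00,0x54,
    0xaa,0xbb,0xcc,0xdd };

int main(void)
{
    struct { const char *name; const uint8_t *buf; size_t len; } samples[] = {
        { "good",      ERF_GOOD,      sizeof ERF_GOOD },
        { "rlen=0",    ERF_ZERO_RLEN, sizeof ERF_ZERO_RLEN },
        { "truncated", ERF_TRUNC,     sizeof ERF_TRUNC },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        erf_record_t rec; char err[128] = "";
        enum erf_status st = erf_read_record(samples[i].buf, samples[i].len, &rec, err, sizeof err);
        printf("%-10s unchecked payload_len=%u  checked: %s\n", samples[i].name,
               (unsigned)erf_payload_len_unchecked(samples[i].buf),
               st == ERF_OK ? "ok" : err);
    }
    return 0;
}
```

Running the stand-alone program prints the wrapped size (4294967280) for the rlen=0 record next to the checked reader's rejection of it; the same order of checks (header present, rlen covers header, payload fits what remains) is what a capture-file reader needs before it allocates or copies anything based on a length taken from the file.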
To fix CVE-2011-4102, which needs backporting of patches all over wireshark, and due to other outstanding security issues, we have switched directly to wireshark-1.4.10, the latest release in the 1.4 branch, which is a bugfix/security-fix-only branch. New advisory as follows:

There is now wireshark-1.4.10-1.mga1 in core/updates_testing to validate

-------------------------------------------------------
Suggested advisory:
-------------------
This update addresses the following CVEs:

CVE-2011-4101
The dissect_infiniband_common function in epan/dissectors/packet-infiniband.c in the Infiniband dissector in Wireshark 1.4.0 through 1.4.9 and 1.6.x before 1.6.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed packet.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6476

CVE-2011-4102
Heap-based buffer overflow in the erf_read_header function in wiretap/erf.c in the ERF file parser in Wireshark 1.4.0 through 1.4.9 and 1.6.x before 1.6.3 allows remote attackers to cause a denial of service (application crash) via a malformed file.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6479

CVE-2011-1957
The dissect_dcm_main function in epan/dissectors/packet-dcm.c in the DICOM dissector in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (infinite loop) via an invalid PDU length.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5876

CVE-2011-1958
Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Diameter dictionary file.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5837

CVE-2011-1959
The snoop_read function in wiretap/snoop.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 does not properly handle certain virtualizable buffers, which allows remote attackers to cause a denial of service (application crash) via a large length value in a snoop file that triggers a stack-based buffer over-read.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5912

CVE-2011-2174
Double free vulnerability in the tvb_uncompress function in epan/tvbuff.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (application crash) via a packet with malformed data that uses zlib compression.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5908

CVE-2011-2175
Integer underflow in the visual_read function in wiretap/visual.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (application crash) via a malformed Visual Networks file that triggers a heap-based buffer over-read.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5934

CVE-2011-2597
The Lucent/Ascend file parser in Wireshark 1.2.x before 1.2.18, 1.4.x through 1.4.7, and 1.6.0 allows remote attackers to cause a denial of service (infinite loop) via malformed packets.

CVE-2011-2698
Off-by-one error in the elem_cell_id_aux function in epan/dissectors/packet-ansi_a.c in the ANSI MAP dissector in Wireshark 1.4.x before 1.4.8 and 1.6.x before 1.6.1 allows remote attackers to cause a denial of service (infinite loop) via an invalid packet.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6044

Other fixes in this release:
71 various other bugs (not security-related), which can be seen here:
http://www.wireshark.org/docs/relnotes/wireshark-1.4.7.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.8.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.9.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.10.html
-------------------------------------------------------
Steps to reproduce:
- install/update to update candidate
- visit the linked bug reports for the POCs and check that they are not effective any more
Testing complete on i586 for the srpm wireshark-1.4.10-1.mga1.src.rpm

The fuzz files require wireshark to be killed. All the others except wiresharkcrash.pcap crash the current version of wireshark. With the updates_testing version installed, none of them crash wireshark.
CC: (none) => davidwhodgins
Created attachment 1101 [details]
poc 1

Contains the following files for testing:

-rw-r--r-- 1 dave dave 1539603 Apr 30  2011 fuzz-2011-04-30-7272.pcap
-rw-r--r-- 1 dave dave    1030 Jun 20 13:27 fuzz-2011-06-20-22762.pcap
-rw-rw-r-- 1 dave dave   74912 Nov 22 15:22 sun.crash.snoop
-rw-rw-r-- 1 dave dave    8800 Nov 22 15:22 testme_fortinet.pcap
-rw-rw-r-- 1 dave dave   74883 Nov 22 15:23 visual-networks-crash.vis
-rw-rw-r-- 1 dave dave    5974 Nov 22 15:20 wiresharkcrash.pcap
Created attachment 1102 [details]
poc 2 - crash.erf
Created attachment 1103 [details]
poc 3 - example-linkpackets.erf
Could somebody please test this for x86_64 so we can validate this?
Testing complete on x86_64

Thanks for supplying the test files, Dave.

Could someone from sysadmin please push wireshark-1.4.10-1.mga1.src.rpm from Updates_Testing to Updates, as per comment 4.

Advisory
--------
This update addresses the following CVEs:

CVE-2011-4101
The dissect_infiniband_common function in epan/dissectors/packet-infiniband.c in the Infiniband dissector in Wireshark 1.4.0 through 1.4.9 and 1.6.x before 1.6.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed packet.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6476

CVE-2011-4102
Heap-based buffer overflow in the erf_read_header function in wiretap/erf.c in the ERF file parser in Wireshark 1.4.0 through 1.4.9 and 1.6.x before 1.6.3 allows remote attackers to cause a denial of service (application crash) via a malformed file.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6479

CVE-2011-1957
The dissect_dcm_main function in epan/dissectors/packet-dcm.c in the DICOM dissector in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (infinite loop) via an invalid PDU length.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5876

CVE-2011-1958
Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Diameter dictionary file.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5837

CVE-2011-1959
The snoop_read function in wiretap/snoop.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 does not properly handle certain virtualizable buffers, which allows remote attackers to cause a denial of service (application crash) via a large length value in a snoop file that triggers a stack-based buffer over-read.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5912

CVE-2011-2174
Double free vulnerability in the tvb_uncompress function in epan/tvbuff.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (application crash) via a packet with malformed data that uses zlib compression.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5908

CVE-2011-2175
Integer underflow in the visual_read function in wiretap/visual.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (application crash) via a malformed Visual Networks file that triggers a heap-based buffer over-read.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5934

CVE-2011-2597
The Lucent/Ascend file parser in Wireshark 1.2.x before 1.2.18, 1.4.x through 1.4.7, and 1.6.0 allows remote attackers to cause a denial of service (infinite loop) via malformed packets.

CVE-2011-2698
Off-by-one error in the elem_cell_id_aux function in epan/dissectors/packet-ansi_a.c in the ANSI MAP dissector in Wireshark 1.4.x before 1.4.8 and 1.6.x before 1.6.1 allows remote attackers to cause a denial of service (infinite loop) via an invalid packet.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6044

Other fixes in this release:
71 various other bugs (not security-related), which can be seen here:
http://www.wireshark.org/docs/relnotes/wireshark-1.4.7.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.8.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.9.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.10.html
Keywords: (none) => validated_update
CC: (none) => derekjenn, sysadmin-bugs
Update pushed.
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED