Bug 6033 - new wireshark release 1.4.14 fixes security issues
: new wireshark release 1.4.14 fixes security issues
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 1
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
:
: MGA1-32-OK MGA1-64-OK
: validated_update
: 6543 6861
:
  Show dependency treegraph
 
Reported: 2012-05-23 04:44 CEST by David Walser
Modified: 2012-09-12 23:02 CEST (History)
8 users (show)

See Also:
Source RPM: wireshark-1.4.12-1.mga1.src.rpm
CVE:
Status comment:


Attachments
pcap test files (4.66 KB, application/octet-stream)
2012-06-23 01:34 CEST, Dave Hodgins
Details

Description David Walser 2012-05-23 04:44:08 CEST
Mageia 1, Mageia 2, and Cauldron are all affected.

See:
http://www.wireshark.org/docs/relnotes/wireshark-1.6.8.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.13.html
Comment 1 Sander Lepik 2012-05-23 08:28:56 CEST
There should be one bug for mga1 and one for mga2 too, this way it's easier to track.
Comment 2 David Walser 2012-05-23 14:14:55 CEST
Here is a Mandriva advisory for this wireshark update:
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:080
Comment 3 Florian Hubold 2012-06-05 17:18:08 CEST
*** Bug 5904 has been marked as a duplicate of this bug. ***
Comment 4 David Walser 2012-06-16 19:53:39 CEST
Update for Mageia 1 built by Florian.  Cauldron and Mageia 2 pending.

wireshark-1.4.13-1.mga1
libwireshark0-1.4.13-1.mga1
libwireshark-devel-1.4.13-1.mga1
wireshark-tools-1.4.13-1.mga1
tshark-1.4.13-1.mga1
rawshark-1.4.13-1.mga1
dumpcap-1.4.13-1.mga1

from wireshark-1.4.13-1.mga1.src.rpm
Comment 5 David Walser 2012-06-21 22:48:44 CEST
Update for Mageia 2 built by Florian.  Cauldron pending.

wireshark-1.6.8-1.mga2
libwireshark1-1.6.8-1.mga2
libwireshark-devel-1.6.8-1.mga2
wireshark-tools-1.6.8-1.mga2
tshark-1.6.8-1.mga2
rawshark-1.6.8-1.mga2
dumpcap-1.6.8-1.mga2

from wireshark-1.6.8-1.mga2.src.rpm
Comment 6 David Walser 2012-06-22 02:46:07 CEST
(In reply to comment #5)
> Cauldron pending.

Looks like it choked on the updated lua in Cauldron.

We might as well move to 1.8.0 for Cauldron:
http://www.wireshark.org/news/20120621.html
http://www.wireshark.org/docs/relnotes/wireshark-1.8.0.html
Comment 7 Florian Hubold 2012-06-22 19:34:46 CEST
So i think we can start the validation, i'll update cauldron later today to 1.8.0 as this seems the only one which support lua >= 5.1 and we already have 5.2 in mga2.


There is now wireshark-1.4.13-1.mga1 in core/updates_testing to validate (packages as listed above in by Luigi)
-------------------------------------------------------


Suggested advisory:
-------------------
This update addresses the following CVEs:

o Infinite and large loops in ANSI MAP, BACapp, Bluetooth HCI, IEEE 802.3,
    LTP, and R3 dissectors have been fixed. Discovered by Laurent Butti
    (http://www.wireshark.org/security/wnpa-sec-2012-08.html [CVE-2012-2392])
  o The DIAMETER dissector could try to allocate memory improperly and crash
    (http://www.wireshark.org/security/wnpa-sec-2012-09.html [CVE-2012-2393])
  o Wireshark could crash on SPARC processors due to misaligned memory.
    Discovered by Klaus Heckelmann
    (http://www.wireshark.org/security/wnpa-sec-2012-10.html [CVE-2012-2394])


Other fixes in this release:
  o fixes 4 various other bugs (not security-related)

-------------------------------------------------------
Steps to reproduce:

- install/update to update candidate
- POC should be available via the wnpa-sec links listed in advisory, which usually link to relevant bug reports which have POCs
Comment 8 Dave Hodgins 2012-06-23 01:13:48 CEST
Testing Mageia 1 i586.
Comment 9 Dave Hodgins 2012-06-23 01:32:41 CEST
Testing Core Updates version

Testing wnpa-sec-2012-09
wireshark fuzz-2012-04-18-27798.pcap
Segmentation fault

Testing wnpa-sec-2012-08
wireshark 80211-loop.pcap
No problems noticed.

wireshark 802.3.pcap
No problems noticed.

wireshark ansimap.pcap
No problems noticed.  Does display message about malformed packet.

wireshark asf.pcap
No problems noticed.

wireshark bacapp.pcap
No problems noticed.

wireshark hcievt.pcap
No problems noticed.

wireshark ltp.pcap
No problems noticed.  Does display message about malformed packet.

wireshark r3.pcap
No problems noticed.

After installing the updates testing version, all test results
are identical, including the segfault.

I'll attach a compressed file with all of the test pcap files.
Comment 10 Dave Hodgins 2012-06-23 01:34:05 CEST
Created attachment 2488 [details]
pcap test files
Comment 11 Dave Hodgins 2012-06-23 01:39:39 CEST
Note that wnpa-sec-2012-10 requires a SPARC or Itanium processor,
so not testing that one.

Just to be clear, wireshark-1.4.13-1.mga1.src.rpm does not pass
testing, as the segfault still happens with
fuzz-2012-04-18-27798.pcap.
Comment 12 Dave Hodgins 2012-06-23 02:40:18 CEST
Testing complete on i586 Mageia 2 for
wireshark-1.6.8-1.mga2.src.rpm

wireshark works with fuzz-2012-04-18-27798.pcap before and
after the update.

With all of the other pcap files, it goes into a loop requiring
wireshark to be killed before the update, and works ok after the
update.
Comment 13 David Walser 2012-06-23 02:44:19 CEST
(In reply to comment #12)
> Testing complete on i586 Mageia 2 for
> wireshark-1.6.8-1.mga2.src.rpm

Mageia 2 got moved to Bug 6543.
Comment 14 Dave Hodgins 2012-06-23 04:45:46 CEST
(In reply to comment #13)
> (In reply to comment #12)
> > Testing complete on i586 Mageia 2 for
> > wireshark-1.6.8-1.mga2.src.rpm
> 
> Mageia 2 got moved to Bug 6543.

Ah. Thanks.  I've now updated that bug, and removed the mga2-32-OK
whiteboard entry from this one.
Comment 15 Florian Hubold 2012-06-24 18:54:23 CEST
(In reply to comment #11)
> 
> Just to be clear, wireshark-1.4.13-1.mga1.src.rpm does not pass
> testing, as the segfault still happens with
> fuzz-2012-04-18-27798.pcap.

Reproduced, created a backtrace and reported upstream: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7399

So we should suspend validation until next wireshark version is out or a patch is availabe for 1.4 version branch.
Comment 16 claire robinson 2012-06-26 18:26:08 CEST
Assigning Florian until the patch is available.

Please reassign to QA when ready.

Thanks!
Comment 17 Florian Hubold 2012-06-26 18:47:17 CEST
Sorry, forgot to take it back :/
Comment 18 David Walser 2012-08-01 21:32:39 CEST
OpenSuSE has a Wireshark 1.4.14, and released an advisory for it today:
http://lists.opensuse.org/opensuse-updates/2012-08/msg00000.html

It fixes CVE-2012-4048 and CVE-2012-4049.
Comment 19 Florian Hubold 2012-08-01 22:52:41 CEST
Above mentioned bug is still in 1.4 branch: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7399
But will take a look at 1.4.14 (if i find some time :/ )
Comment 20 David Walser 2012-08-01 23:26:49 CEST
(In reply to comment #19)
> Above mentioned bug is still in 1.4 branch:
> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7399
> But will take a look at 1.4.14 (if i find some time :/ )

Bummer.  Well if you get it packaged, we shouldn't let that bug hold up the update next time, since it does fix other issues.
Comment 21 David Walser 2012-08-06 16:14:01 CEST
Mandriva has issued an advisory for this today (August 6):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:125
Comment 22 David Walser 2012-08-09 20:29:15 CEST
Updated package uploaded for Mageia 1.

Note to QA: if any of the reproducers still work, we'll just remove it from the advisory.

Advisory:
========================

Updated wireshark packages fix security vulnerabilities:

Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 allows remote
attackers to cause a denial of service (infinite loop) via vectors
related to the (1) ANSI MAP, (2) ASF, (3) IEEE 802.11, (4) IEEE 802.3,
and (5) LTP dissectors (CVE-2012-2392).

epan/dissectors/packet-diameter.c in the DIAMETER dissector in Wireshark
1.4.x before 1.4.13 and 1.6.x before 1.6.8 does not properly construct
certain array data structures, which allows remote attackers to cause a
denial of service (application crash) via a crafted packet that triggers
incorrect memory allocation (CVE-2012-2393).

Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 on the SPARC and
Itanium platforms does not properly perform data alignment for a certain
structure member, which allows remote attackers to cause a denial of
service (application crash) via a (1) ICMP or (2) ICMPv6 Echo Request
packet (CVE-2012-2394).

The PPP dissector in Wireshark 1.4.x before 1.4.14, 1.6.x before 1.6.9,
and 1.8.x before 1.8.1 allows remote attackers to cause a denial of
service (invalid pointer dereference and application crash) via a
crafted packet, as demonstrated by a usbmon dump (CVE-2012-4048).

epan/dissectors/packet-nfs.c in the NFS dissector in Wireshark 1.4.x
before 1.4.14, 1.6.x before 1.6.9, and 1.8.x before 1.8.1 allows remote
attackers to cause a denial of service (loop and CPU consumption) via a
crafted packet (CVE-2012-4049).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4049
http://www.wireshark.org/security/wnpa-sec-2012-08.html
http://www.wireshark.org/security/wnpa-sec-2012-09.html
http://www.wireshark.org/security/wnpa-sec-2012-10.html
http://www.wireshark.org/security/wnpa-sec-2012-11.html
http://www.wireshark.org/security/wnpa-sec-2012-12.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.13.html
http://www.wireshark.org/news/20120522.html
http://www.wireshark.org/news/20120722.html
========================

Updated packages in core/updates_testing:
========================
wireshark-1.4.14-1.mga1
libwireshark0-1.4.14-1.mga1
libwireshark-devel-1.4.14-1.mga1
wireshark-tools-1.4.14-1.mga1
tshark-1.4.14-1.mga1
rawshark-1.4.14-1.mga1
dumpcap-1.4.14-1.mga1

from wireshark-1.4.14-1.mga1.src.rpm
Comment 23 Dave Hodgins 2012-08-10 05:51:55 CEST
fuzz-2012-04-18-27798.pcap from wnpa-sec-2012-09 still segfaults.

For CVE-2012-4048, testing using
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=15;filename=new.dump;att=1;bug=680056
from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680056

For CVE-2012-4049, testing using
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8362
from https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7221

Can't recreate either problem using wireshark 1.4.12 on Mageia 1 i586.

For the new.dump, wireshark doesn't recognize the format.

For the pcap file, it displays the echo requests. Cpu usage is normal.
Looks like it only affects Sun SPARC Solaris10.

No change after installing the update.

As expected, the other pcap files show the fixes.

So should be excluded from the adivsory.  Should CVE-2012-4048/9 be
included if I can't reproduce the problem prior to the update?

I'll test Mageia 1 x86-64 shortly.
Comment 24 Dave Hodgins 2012-08-10 06:07:06 CEST
Same results on x86-64.  Meant to write above

So wnpa-sec-2012-09 should be excluded from the advisory.

Before I validate, should CVE-2012-4048/9 be included?
Comment 25 David Walser 2012-08-10 14:34:12 CEST
Yes, they're included in Mandriva's advisory after all.

I'll update the advisory.

Advisory:
========================

Updated wireshark packages fix security vulnerabilities:

Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 allows remote
attackers to cause a denial of service (infinite loop) via vectors
related to the (1) ANSI MAP, (2) ASF, (3) IEEE 802.11, (4) IEEE 802.3,
and (5) LTP dissectors (CVE-2012-2392).

Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 on the SPARC and
Itanium platforms does not properly perform data alignment for a certain
structure member, which allows remote attackers to cause a denial of
service (application crash) via a (1) ICMP or (2) ICMPv6 Echo Request
packet (CVE-2012-2394).

The PPP dissector in Wireshark 1.4.x before 1.4.14, 1.6.x before 1.6.9,
and 1.8.x before 1.8.1 allows remote attackers to cause a denial of
service (invalid pointer dereference and application crash) via a
crafted packet, as demonstrated by a usbmon dump (CVE-2012-4048).

epan/dissectors/packet-nfs.c in the NFS dissector in Wireshark 1.4.x
before 1.4.14, 1.6.x before 1.6.9, and 1.8.x before 1.8.1 allows remote
attackers to cause a denial of service (loop and CPU consumption) via a
crafted packet (CVE-2012-4049).

Note: CVE-2012-2393 (denial of service flaw in the DIAMETER dissector)
is *NOT* fixed by this update, despite being listed as fixed in the
Wireshark 1.4.13 release notes.  See Wireshark bug 7399 for more.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4049
http://www.wireshark.org/security/wnpa-sec-2012-08.html
http://www.wireshark.org/security/wnpa-sec-2012-10.html
http://www.wireshark.org/security/wnpa-sec-2012-11.html
http://www.wireshark.org/security/wnpa-sec-2012-12.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.13.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7399
http://www.wireshark.org/news/20120522.html
http://www.wireshark.org/news/20120722.html
========================

Updated packages in core/updates_testing:
========================
wireshark-1.4.14-1.mga1
libwireshark0-1.4.14-1.mga1
libwireshark-devel-1.4.14-1.mga1
wireshark-tools-1.4.14-1.mga1
tshark-1.4.14-1.mga1
rawshark-1.4.14-1.mga1
dumpcap-1.4.14-1.mga1

from wireshark-1.4.14-1.mga1.src.rpm
Comment 26 Dave Hodgins 2012-08-11 21:56:55 CEST
Validating the update.

Could someone from the sysadmin team push the srpm
wireshark-1.4.14-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

See comment 25 for the Advisory.
Comment 27 Dave Hodgins 2012-08-11 21:58:21 CEST
Oops. Sorry, forgot to add the email address and keyword.

Could someone from the sysadmin team push the srpm
wireshark-1.4.14-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

See comment 25 for the Advisory.
Comment 28 Thomas Backlund 2012-08-12 19:46:28 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0206
Comment 29 Florian Hubold 2012-09-12 22:56:15 CEST
How do we proceed regarding https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7399#c4 ?
Comment 30 David Walser 2012-09-12 23:01:24 CEST
(In reply to comment #29)
> How do we proceed regarding
> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7399#c4 ?

Hopefully upstream will fix it.  In the meantime, please don't reopen this bug.  You can file a new bug for it if you wish.
Comment 31 David Walser 2012-09-12 23:02:55 CEST
(In reply to comment #30)
> (In reply to comment #29)
> > How do we proceed regarding
> > https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7399#c4 ?
> 
> Hopefully upstream will fix it.  In the meantime, please don't reopen this bug.
>  You can file a new bug for it if you wish.

Oh, I see it's WONTFIX.  Then either:

1) there's nothing we can do about it
2) we can update Mageia 1 to 1.6.x (which would actually be a good idea if 1.4.x is EOL and Mageia 1 is not)

Note You need to log in before you can comment on or make changes to this bug.