Bug 6543 - new wireshark release 1.6.8 fixes security issues
: new wireshark release 1.6.8 fixes security issues
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
:
: mga2-32-OK mga2-64-OK
: validated_update
:
: 6033
  Show dependency treegraph
 
Reported: 2012-06-22 19:38 CEST by Florian Hubold
Modified: 2012-06-27 18:42 CEST (History)
9 users (show)

See Also:
Source RPM: wireshark-1.6.8-1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description Florian Hubold 2012-06-22 19:38:53 CEST
+++ This bug was initially created as a clone of Bug #6033 +++

Mageia 2, and Cauldron are all affected.

See:
http://www.wireshark.org/docs/relnotes/wireshark-1.6.8.html

Update for Mageia 2 built,  Cauldron pending.

wireshark-1.6.8-1.mga2
libwireshark1-1.6.8-1.mga2
libwireshark-devel-1.6.8-1.mga2
wireshark-tools-1.6.8-1.mga2
tshark-1.6.8-1.mga2
rawshark-1.6.8-1.mga2
dumpcap-1.6.8-1.mga2

from wireshark-1.6.8-1.mga2.src.rpm
Comment 1 Florian Hubold 2012-06-22 19:39:05 CEST
There is now wireshark-1.6.8-1.mga2 in core/updates_testing to validate
(packages as listed above in by Luigi)
-------------------------------------------------------


Suggested advisory:
-------------------
This update addresses the following CVEs:

  o Infinite and large loops in ANSI MAP, BACapp, Bluetooth HCI, IEEE 802.3,
    LTP, and R3 dissectors have been fixed. Discovered by Laurent Butti
    (http://www.wireshark.org/security/wnpa-sec-2012-08.html [CVE-2012-2392])
  o The DIAMETER dissector could try to allocate memory improperly and crash
    (http://www.wireshark.org/security/wnpa-sec-2012-09.html [CVE-2012-2393])
  o Wireshark could crash on SPARC processors due to misaligned memory.
    Discovered by Klaus Heckelmann
    (http://www.wireshark.org/security/wnpa-sec-2012-10.html [CVE-2012-2394])

Other fixes in this release:
  o fixes 12 various other bugs (not security-related)

-------------------------------------------------------
Steps to reproduce:

- install/update to update candidate
- POC should be available via the wnpa-sec links listed in advisory, which
usually link to relevant bug reports which have POCs
Comment 2 Dave Hodgins 2012-06-23 04:44:34 CEST
Using the pcap files from attachment 2488 [details]

Testing complete on i586 Mageia 2 for
wireshark-1.6.8-1.mga2.src.rpm

wireshark works with fuzz-2012-04-18-27798.pcap before and
after the update.

With all of the other pcap files, it goes into a loop requiring
wireshark to be killed before the update, and works ok after the
update.
Comment 3 Derek Jennings 2012-06-23 23:38:31 CEST
Tested wireshark-1.6.8-1.mga2 on x86_64

Before the upgrade only fuzz-2012-04-18-27798.pcap worked. All the other pcap files lock up wireshark.

After the upgrade there is no difference. All the pcap files except fuzz cause wireshark to lock up.

When started from the command line I see this message when trying to open a pcap test file.

22:30:22          Warn Dissector bug, protocol LTP, in packet 1: More than 1000000 items in the tree -- possible infinite loop

$ wireshark -v
wireshark 1.6.8 (SVN Rev Unknown from unknown)

Copyright 1998-2012 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.10, with GLib 2.32.1, with libpcap (version
unknown), with libz 1.2.6, with POSIX capabilities (Linux), with libpcre
(version unknown), with SMI 0.4.8, without c-ares, without ADNS, with Lua 5.1,
without Python, without GnuTLS, with Gcrypt 1.5.0, with MIT Kerberos, with
GeoIP, with PortAudio V19-devel (built Jan  3 2012), with AirPcap.

Running on Linux 3.3.6-desktop-2.mga2, with libpcap version 1.2.1, with libz
1.2.6, Gcrypt 1.5.0, without AirPcap.

Built using gcc 4.6.3.

Any ideas why x86_64 should be behaving differently to i586?
Comment 4 Florian Hubold 2012-06-24 09:30:45 CEST
(In reply to comment #3)
> Tested wireshark-1.6.8-1.mga2 on x86_64
> 
> Before the upgrade only fuzz-2012-04-18-27798.pcap worked. All the other pcap
> files lock up wireshark.
> 
> After the upgrade there is no difference. All the pcap files except fuzz cause
> wireshark to lock up.
> 
> 
> Any ideas why x86_64 should be behaving differently to i586?

Tested on x86_64, all capture dumps can be loaded just fine without wireshark locking up, as Dave already mentioned. How did you do the upgrade to newer wireshark?
Comment 5 Derek Jennings 2012-06-24 19:09:45 CEST
Upgrading  wireshark does not pull in the latest version of lib64wireshark1

Once I upgraded lib64wireshark1  it would open the .pcap files OK

Validated for x86_64
Comment 6 Florian Hubold 2012-06-24 20:42:57 CEST
(In reply to comment #5)
> Upgrading  wireshark does not pull in the latest version of lib64wireshark1
> 
> Once I upgraded lib64wireshark1  it would open the .pcap files OK


Once again, how exactly did you perform the upgrade to newer wireshark?
Comment 7 Derek Jennings 2012-06-25 00:46:51 CEST
(In reply to comment #6)
> (In reply to comment #5)
> > Upgrading  wireshark does not pull in the latest version of lib64wireshark1
> > 
> > Once I upgraded lib64wireshark1  it would open the .pcap files OK
> 
> 
> Once again, how exactly did you perform the upgrade to newer wireshark?

urpmi wireshark
Comment 8 Dave Hodgins 2012-06-26 00:24:38 CEST
(In reply to comment #7)
> (In reply to comment #6)
> > (In reply to comment #5)
> > > Upgrading  wireshark does not pull in the latest version of lib64wireshark1
> > > 
> > > Once I upgraded lib64wireshark1  it would open the .pcap files OK
> > 
> > 
> > Once again, how exactly did you perform the upgrade to newer wireshark?
> 
> urpmi wireshark

The wireshark requires on the lib do not include the version, so the
existing installed version was enough to satisfy the requires.

If the update had been installed using mgaapplet, urpmi --auto-select,
or by using urpmi when wireshark had not previously been installed,
the updates testing version of the library would have been selected.

It would be better if wireshark required the same version of the library.
However, as this is not the standard way of installing updates, I don't
think it should block this update.

Florian, should the requires be changed, or go ahead and validate?  I'm
ok with either choice.
Comment 9 Florian Hubold 2012-06-26 18:48:04 CEST
(In reply to comment #8)

> Florian, should the requires be changed, or go ahead and validate?  I'm
> ok with either choice.

Well, yes and yes :D

As this update already took too long, it should be validated as-is, and i'll look into putting stricter requires for next update. FWIW, because of convenience reasons and to check dependencies, this is the same way i'm installing update candidates from local repos, so it should definitely be fixed ;)
Comment 10 claire robinson 2012-06-26 18:58:58 CEST
Thanks Florian.

Validating then.

advisory:
-------------------
This update addresses the following CVEs:

  o Infinite and large loops in ANSI MAP, BACapp, Bluetooth HCI, IEEE 802.3,
    LTP, and R3 dissectors have been fixed. Discovered by Laurent Butti
    (http://www.wireshark.org/security/wnpa-sec-2012-08.html [CVE-2012-2392])
  o The DIAMETER dissector could try to allocate memory improperly and crash
    (http://www.wireshark.org/security/wnpa-sec-2012-09.html [CVE-2012-2393])
  o Wireshark could crash on SPARC processors due to misaligned memory.
    Discovered by Klaus Heckelmann
    (http://www.wireshark.org/security/wnpa-sec-2012-10.html [CVE-2012-2394])

Other fixes in this release:
  o fixes 12 various other bugs (not security-related)

-------------------------------------------------------

SRPM: wireshark-1.6.8-1.mga2.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 11 Thomas Backlund 2012-06-27 18:42:50 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0134

Note You need to log in before you can comment on or make changes to this bug.