<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "http://bugs.gentoo.org/bugzilla.dtd">

<bugzilla version="2.22.7"
          urlbase="http://bugs.gentoo.org/"
          maintainer="bugzilla@gentoo.org"
>

    <bug>
          <bug_id>199958</bug_id>
          
          <creation_ts>2007-11-22 09:44 0000</creation_ts>
          <short_desc>net-analyzer/wireshark &lt; 0.99.7 Multiple vulnerabilities (CVE-2007-{6111,6112,6113,6114,6115,6116,6117,6118,6119,6120,6121,6438,6439,6441,6450,6451})</short_desc>
          <delta_ts>2007-12-30 17:39:51 0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Gentoo Security</product>
          <component>Vulnerabilities</component>
          <version>unspecified</version>
          <rep_platform>All</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          <bug_file_loc>http://secunia.com/advisories/27777/</bug_file_loc>
          <status_whiteboard>B1 [glsa]</status_whiteboard>
          
          <priority>P2</priority>
          <bug_severity>major</bug_severity>
          <target_milestone>---</target_milestone>
          <dependson>202866</dependson>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter>lars@chaotika.org</reporter>
          <assigned_to>security@gentoo.org</assigned_to>
          <cc>netmon@gentoo.org</cc>

      

      
          <long_desc isprivate="0">
            <who>lars@chaotika.org</who>
            <bug_when>2007-11-22 09:44:30 0000</bug_when>
            <thetext>Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerabilities are caused due to various errors (e.g. large loops with extreme memory consumption, endless loops, crashes, and buffer overflows) within the following:
* SSL, ANSI MAP, Firebird/Interbase, NCP, HTTP, MEGACO, DCP ETSI, PPP, and Bluetooth SDP dissectors
* when processing a malformed MP3 or iSeries (OS/400) Communication trace file
* when processing a malformed DNP or RPC Portmap packet

These can be exploited to crash Wireshark or consume large amounts of system resources by e.g. parsing a specially crafted packet that is either captured off the wire or loaded via a capture file.

The vulnerabilities are reported in various versions from 0.8.16 through 0.99.6. Other versions may also be affected.

Solution:
Update to version 0.99.7.

Provided and/or discovered by:
Stefan Esser (SSL dissector)
Beyond Security (DNP packet)
Fabiodds (iSeries (OS/400) Communication trace file)
Peter Leeming (ANSI MAP)
Steve (Firebird/Interbase)
ainsley (RPC Portmap)

Original Advisory:
http://www.wireshark.org/security/wnpa-sec-2007-03.html

Reproducible: Always</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>lars@chaotika.org</who>
            <bug_when>2007-11-24 17:17:26 0000</bug_when>
            <thetext>maintainers - please provide an updated ebuild</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rbu@gentoo.org</who>
            <bug_when>2007-11-25 15:08:29 0000</bug_when>
            <thetext>Upgrading to B2 because it might be possible to execute code according to the CVE entries:

CVE-2007-6111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6111):
  Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) allow
  remote attackers to cause a denial of service (crash) via (1) a crafted MP3
  file or (2) unspecified vectors to the NCP dissector.

CVE-2007-6112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6112):
  Buffer overflow in the PPP dissector Wireshark (formerly Ethereal) 0.99.6
  allows remote attackers to cause a denial of service (crash) and possibly
  execute arbitrary code via unknown vectors.

CVE-2007-6113 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6113):
  Wireshark (formerly Ethereal) 0.10.12 to 0.99.6 allows remote attackers to
  cause a denial of service (long loop) via a malformed DNP packet.

CVE-2007-6114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6114):
  Multiple buffer overflows in Wireshark (formerly Ethereal) 0.99.0 through
  0.99.6 allow remote attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via (1) the SSL dissector or (2) the iSeries
  (OS/400) Communication trace file parser.

CVE-2007-6115 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6115):
  Buffer overflow in the ANSI MAP dissector for Wireshark (formerly Ethereal)
  0.99.5 to 0.99.6, when running on unspecified platforms, allows remote
  attackers to cause a denial of service and possibly execute arbitrary code
  via unknown vectors.

CVE-2007-6116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6116):
  The Firebird/Interbase dissector in Wireshark (formerly Ethereal) 0.99.6
  allows remote attackers to cause a denial of service (infinite loop or crash)
  via unknown vectors.

CVE-2007-6117 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6117):
  Unspecified vulnerability in the HTTP dissector for Wireshark (formerly
  Ethereal) 0.10.14 to 0.99.6 has unknown impact and remote attack vectors
  related to chunked messages.

CVE-2007-6118 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6118):
  The MEGACO dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 allows
  remote attackers to cause a denial of service (long loop and resource
  consumption) via unknown vectors.

CVE-2007-6119 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6119):
  The DCP ETSI dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote
  attackers to cause a denial of service (long loop and resource consumption)
  via unknown vectors.

CVE-2007-6120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6120):
  The Bluetooth SDP dissector Wireshark (formerly Ethereal) 0.99.2 to 0.99.6
  allows remote attackers to cause a denial of service (infinite loop) via
  unknown vectors.

CVE-2007-6121 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6121):
  Wireshark (formerly Ethereal) 0.8.16 to 0.99.6 allows remote attackers to
  cause a denial of service (crash) via a malformed RPC Portmap packet.
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>pva@gentoo.org</who>
            <bug_when>2007-11-25 19:59:45 0000</bug_when>
<thetext>Lars, there is no official release yet. I&apos;ve prepared an ebuild for the pre-release in my overlay: http://overlays.gentoo.org/dev/pva/browser/net-analyzer/wireshark
so if you wish to test, please do it. I&apos;m interested in reports.

On the other hand, this package is known to have new vulnerabilities every time a new release is out. After reading this mail http://www.wireshark.org/lists/wireshark-dev/200711/msg00055.html
I&apos;ve got a feeling that it will be ready very soon, and so I think it&apos;s not necessary to bump the pre-release in our tree. We&apos;ll bump the new version as soon as upstream considers it ready...</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rbu@gentoo.org</who>
            <bug_when>2007-11-27 01:19:53 0000</bug_when>
            <thetext>Upgrading again since these flaws might allow root compromise.

Peter, please have a look at the new packaging options described in section &quot;3. Privileges&quot; here:
  http://anonsvn.wireshark.org/wireshark/trunk/doc/README.packaging

It allows installing some components of wireshark (TShark and dumpcap) setuid root, so that the dissector part of wireshark is not run with root privileges. Upstream encourages packagers to enable this feature, but to make the files executable only by a certain unix group.

Would that be an option we could introduce with the new wireshark release&apos;s ebuild?</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rbu@gentoo.org</who>
            <bug_when>2007-11-28 10:18:39 0000</bug_when>
            <thetext>Release delayed until Dec. 5/6.

http://www.wireshark.org/lists/wireshark-dev/200711/msg00418.html</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>pva@gentoo.org</who>
            <bug_when>2007-12-13 10:44:01 0000</bug_when>
<thetext>I&apos;ve updated the ebuild in my overlay to _pre2.
http://overlays.gentoo.org/dev/pva/browser/net-analyzer/wireshark
Everybody is welcome to test it.

Robert, it contains improvements you mentioned.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rbu@gentoo.org</who>
            <bug_when>2007-12-18 23:40:10 0000</bug_when>
            <thetext>Wireshark 0.99.7 was finally released.

Peter, thanks for taking note of the new setuid feature. However, it is important that you do not install that file the way wireshark leaves it (setuid root), because that way every user on the system can execute it and sniff packets, which usually is a huge security leak.

In order to use the setuid feature, the best way to go is to set the setuid files o-x, but g+x, and change the group to &quot;wireshark&quot; -- that group then contains all users trusted to sniff packets. Or use another net analyzer group if available.</thetext>
          </long_desc>
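The permission layout recommended in the two comments above (setuid root, executable by a dedicated group only, no execute bit for other), as an added shell example that is not part of this bug report or of the Wireshark project's own packaging. The group name &quot;wireshark&quot;, the install path and the stand-in &quot;dumpcap&quot; file created for the demo are assumptions; on a real system the binary must already be owned by root, and the script only changes the group and the mode bits.

```shell
#!/bin/sh
# Added example, not code from this bug or from the Wireshark project.
# It applies the layout recommended in the comments above for a setuid
# capture helper: owner root, group "wireshark", mode 4750 (rwsr-x---),
# so only members of that group can run it and sniff. The group name,
# the install path and the sample "dumpcap" file used in the demo below
# are assumptions.

# restrict_capture_binary FILE GROUP
# Set GROUP and mode 4750 on FILE. chgrp rather than chown is used so the
# function can be exercised on a file the caller owns; on a real install
# FILE must already be owned by root for the setuid bit to mean anything.
restrict_capture_binary() {
    file=$1
    group=$2
    if [ ! -f "$file" ]; then
        echo "restrict_capture_binary: no such file: $file"
        return 1
    fi
    chgrp "$group" "$file" || return 1
    chmod 4750 "$file" || return 1
}

# capture_mode FILE
# Print the ten-character symbolic mode of FILE, e.g. -rwsr-x---.
capture_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_restricted FILE
# Succeed only if FILE is setuid, executable by its group, and carries no
# permission bits for "other". This is the state that keeps arbitrary
# local users from running the capture helper.
check_restricted() {
    mode=$(capture_mode "$1")
    case "$mode" in
        -rws??x---) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_world_runnable FILE
# Succeed if FILE is setuid and executable by "other", i.e. the state the
# comment above warns about: every user on the system can run it.
check_world_runnable() {
    mode=$(capture_mode "$1")
    case "$mode" in
        -rws?????x) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demo on a temporary stand-in for dumpcap (a constructed shell script,
# not the real binary), using the caller's own primary group in place
# of "wireshark" so it runs without root.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho capture\n' > "$demo_dir/dumpcap"
chmod 4755 "$demo_dir/dumpcap"
echo "world-runnable setuid file:   $(capture_mode "$demo_dir/dumpcap")"
restrict_capture_binary "$demo_dir/dumpcap" "$(id -g)"
echo "after group restriction:      $(capture_mode "$demo_dir/dumpcap")"
rm -rf "$demo_dir"
```

On a production install the same call would be `restrict_capture_binary /usr/bin/dumpcap wireshark` run as root after the group has been created; the two check functions are the verification a packager or auditor can run afterwards to confirm the helper is neither world-executable nor missing its group execute bit.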
          <long_desc isprivate="0">
            <who>pva@gentoo.org</who>
            <bug_when>2007-12-20 14:19:43 0000</bug_when>
<thetext>Robert, thank you again. Of course it&apos;s better to allow only trusted users to sniff the traffic. The new version with some cleanups and your suggestions is in portage.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rbu@gentoo.org</who>
            <bug_when>2007-12-20 17:48:59 0000</bug_when>
<thetext>Seems you forgot to add a file. Not ready for stable testing :-)</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>pva@gentoo.org</who>
            <bug_when>2007-12-20 18:06:13 0000</bug_when>
            <thetext>I was 5 seconds earlier. The bug 202866 is fixed :)</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rbu@gentoo.org</who>
            <bug_when>2007-12-22 21:52:49 0000</bug_when>
            <thetext>Additional issues already covered by 0.99.7

CVE-2007-6451
    Unspecified vulnerability in the CIP dissector in Wireshark
    (formerly Ethereal) 0.9.14 to 0.99.6 allows remote attackers
    to cause a denial of service (crash) via unknown vectors
    that trigger allocation of large amounts of memory.

CVE-2007-6450
    The RPL dissector in Wireshark (formerly Ethereal) 0.9.8 to
    0.99.6 allows remote attackers to cause a denial of service
    (infinite loop) via unknown vectors.

CVE-2007-6441
    The WiMAX dissector in Wireshark (formerly Ethereal) 0.99.6
    allows remote attackers to cause a denial of service (crash)
    via unknown vectors related to &quot;unaligned access on some
    platforms.&quot;

CVE-2007-6439
    Wireshark (formerly Ethereal) 0.99.6 allows remote attackers
    to cause a denial of service (infinite or large loop) via
    the (1) IPv6 or (2) USB dissector, which can trigger
    resource consumption or a crash. NOTE: this identifier
    originally included Firebird/Interbase, but it is already
    covered by CVE-2007-6116. The DCP ETSI issue is already
    covered by CVE-2007-6119.

CVE-2007-6438
    Unspecified vulnerability in the SMB dissector in Wireshark
    (formerly Ethereal) 0.99.6 allows remote attackers to cause
    a denial of service via unknown vectors. NOTE: this
    identifier originally included MP3 and NCP, but those issues
    are already covered by CVE-2007-6111.
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rbu@gentoo.org</who>
            <bug_when>2007-12-22 22:48:58 0000</bug_when>
            <thetext>Peter, your new ebuild looks fine. Thanks a lot for the fast reactions.

Arches, please test and mark stable net-analyzer/wireshark-0.99.7.
Target keywords : &quot;alpha amd64 hppa ia64 ppc ppc64 sparc x86&quot;
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>ranger@gentoo.org</who>
            <bug_when>2007-12-23 04:38:34 0000</bug_when>
            <thetext>ppc and ppc64 done</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>maekke@gentoo.org</who>
            <bug_when>2007-12-23 14:07:17 0000</bug_when>
            <thetext>x86 stable</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jer@gentoo.org</who>
            <bug_when>2007-12-24 01:58:19 0000</bug_when>
            <thetext>Stable for HPPA.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>armin76@gentoo.org</who>
            <bug_when>2007-12-24 12:10:52 0000</bug_when>
            <thetext>alpha/ia64/sparc stable</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>welp@gentoo.org</who>
            <bug_when>2007-12-26 10:58:20 0000</bug_when>
            <thetext>amd64 done</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>keytoaster@gentoo.org</who>
            <bug_when>2007-12-26 11:44:34 0000</bug_when>
            <thetext>GLSA request filed.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rbu@gentoo.org</who>
            <bug_when>2007-12-30 17:39:51 0000</bug_when>
            <thetext>GLSA 200712-23, thank you.</thetext>
          </long_desc>
      
    </bug>

</bugzilla>