Bug#: 144946
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description:   Opened: 2006-08-24 02:13 0000

------- Comment #1 From Sune Kloppenborg Jeppesen 2006-08-24 02:13:09 0000 -------
Summary
Name: Multiple problems in Wireshark (Ethereal®) versions 0.7.9 to 0.99.2
Docid: wnpa-sec-2006-02
Date: July 17, 2006
Versions affected: 0.7.9 up to and including 0.99.2 
Details
Description
 Wireshark 0.99.3 fixes the following vulnerabilities: 
 The SCSI dissector could crash.   Versions affected: 0.99.2. 
 If Wireshark was compiled with ESP decryption support, the IPsec ESP
preference parser was susceptible to off-by-one errors.   Versions affected:
0.99.2. 
 The DHCP dissector (and possibly others) in the Windows version of Wireshark
could trigger a bug in Glib and crash.    Versions affected: 0.10.13 - 0.99.2. 
 If the SSCOP dissector has a port range configured and the SSCOP payload
protocol is Q.2931, a malformed packet could make the Q.2931 dissector use up
available memory. No port range is configured by default.   Versions affected:
0.7.9 - 0.99.2. 
Impact
 It may be possible to make Wireshark or Ethereal crash, use up available
memory, or run arbitrary code by injecting a purposefully malformed packet onto
the wire or by convincing someone to read a malformed packet trace file. 
Resolution
 Upgrade to Wireshark 0.99.3.
 If you are running Wireshark 0.99.2 or Ethereal 0.99.0 or earlier and cannot
upgrade, you can work around each of the problems listed above by doing the
following: 
Disable the SCSI and Q.2931 dissectors. If you're running Wireshark under
Windows, disable the DHCP dissector. 
  Select Analyze→Enabled Protocols... from the menu. 
  Make sure "SCSI", "Q.2931", and "BOOTP/DHCP" (if needed) are un-checked. 
  Click "Save", then click "OK". 
If your copy of Wireshark has ESP decryption compiled in, make sure it's
disabled. 
  Select Edit→Preferences, then Protocols→ESP from the menu. 
  Make sure "Attempt to detect/decode encrypted ESP payloads" is un-checked.
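
As an added example (not part of the advisory or of the Gentoo bug), the affected ranges and preconditions listed above can be turned into a small triage check for an installed version. The function and condition names are hypothetical; versions are compared numerically because a plain string comparison would order 0.10.13 before 0.7.9.

```python
import re

# Affected ranges and preconditions transcribed from wnpa-sec-2006-02 as quoted above.
# Tuple layout: (issue, first affected, last affected, precondition or None, workaround)
ISSUES = [
    ("SCSI dissector crash", "0.99.2", "0.99.2", None,
     'un-check "SCSI" in Enabled Protocols'),
    ("ESP preference parser off-by-one", "0.99.2", "0.99.2", "esp_decryption_compiled",
     'un-check "Attempt to detect/decode encrypted ESP payloads"'),
    ("DHCP dissector Glib crash", "0.10.13", "0.99.2", "windows",
     'un-check "BOOTP/DHCP" in Enabled Protocols'),
    ("Q.2931 memory exhaustion via SSCOP", "0.7.9", "0.99.2", "sscop_port_range_set",
     'un-check "Q.2931" in Enabled Protocols'),
]

def parse_version(text):
    """Turn '0.99.3a' into (0, 99, 3); a trailing letter suffix is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)[a-z]?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def triage(version, **conditions):
    """Return [(issue, workaround)] for the issues that apply to this install.

    Hypothetical condition names: esp_decryption_compiled, windows,
    sscop_port_range_set. A condition that is not passed is treated as
    unknown and counted as present, so the result errs toward exposure.
    """
    v = parse_version(version)
    hits = []
    for name, first, last, needs, workaround in ISSUES:
        # Integer tuples compare field by field: (0, 10, 13) > (0, 7, 9).
        if not parse_version(first) <= v <= parse_version(last):
            continue
        if needs is not None and conditions.get(needs, True) is False:
            continue
        hits.append((name, workaround))
    return hits

if __name__ == "__main__":
    # Constructed input: a 0.99.2 Linux build without ESP decryption, default SSCOP prefs.
    for issue, fix in triage("0.99.2", windows=False, esp_decryption_compiled=False,
                             sscop_port_range_set=False):
        print(f"{issue}: {fix}")
```
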

------- Comment #2 From Sune Kloppenborg Jeppesen 2006-08-24 02:14:03 0000 -------
netmon please advise and patch as necessary.

------- Comment #3 From Daniel Black 2006-08-24 04:32:42 0000 -------
wireshark-0.99.3 added for security happiness.

------- Comment #4 From Markus Rothe 2006-08-24 05:59:56 0000 -------
ppc64 stable

------- Comment #5 From Christian Faulhammer 2006-08-24 06:02:28 0000 -------
    1) please give version number in summary (at least you have category :)
    2) emerges fine
    3) passes collision test
    4) works

    Portage 2.1-r2 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4,
2.6.17-gentoo-r4 i686)
    =================================================================
    System uname: 2.6.17-gentoo-r4 i686 AMD Athlon(tm) XP 2500+
    Gentoo Base System version 1.12.4
    app-admin/eselect-compiler: [Not Present]
    dev-lang/python:     2.4.3-r1
    dev-python/pycrypto: 2.0.1-r5
    dev-util/ccache:     [Not Present]
    dev-util/confcache:  [Not Present]
    sys-apps/sandbox:    1.2.17
    sys-devel/autoconf:  2.13, 2.59-r7
    sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
    sys-devel/binutils:  2.16.1-r3
    sys-devel/gcc-config: 1.3.13-r3
    sys-devel/libtool:   1.5.22
    virtual/os-headers:  2.6.11-r2
    ACCEPT_KEYWORDS="x86"
    AUTOCLEAN="yes"
    CBUILD="i686-pc-linux-gnu"
    CFLAGS="-O2"
    CHOST="i686-pc-linux-gnu"
    CONFIG_PROTECT="/etc /usr/share/X11/xkb"
    CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash
/etc/terminfo"
    CXXFLAGS="-O2"
    DISTDIR="/usr/portage/distfiles"
    FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer
parallel-fetch sandbox sfperms strict test"
    GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
    LANG="de_DE@euro"
    LC_ALL="de_DE@euro"
    LINGUAS="de"
    MAKEOPTS="-j2"
    PKGDIR="/usr/portage/packages"
    PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times
--compress --force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/usr/local/portage"
    SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
    USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile
avi bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2
cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags
dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs
emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox foomaticdb
fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn
imagemagick imap imlib ipv6 isdnlog java javascript jikes jpeg jpeg2k ldap leim
libg++ libwww lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng
mono motif mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl
nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf pdflib perl plotutils pmu
png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection
reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd
tetex theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd
videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib
elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_de
userland_GNU video_cards_radeon video_cards_vesa video_cards_fbdev"
    Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #6 From Tobias Scherbaum 2006-08-24 09:45:29 0000 -------
ppc stable

------- Comment #7 From Sune Kloppenborg Jeppesen 2006-08-24 10:13:29 0000 -------
SCSI dissector - CVE-2006-4330

ESP decryption - CVE-2006-4331

DHCP dissector - CVE-2006-4332

SSCOP dissector - CVE-2006-4333

------- Comment #8 From Carsten Lohrke 2006-08-24 13:28:11 0000 -------
*** Bug 145005 has been marked as a duplicate of this bug. ***

------- Comment #9 From Markus Meier 2006-08-24 13:57:39 0000 -------
compiles on x86 with USE="gtk ipv6 ssl"
passes collision-test
seems to work fine

emerge --info
Portage 2.1-r2 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17.6
i686)
=================================================================
System uname: 2.6.17.6 i686 AMD Athlon(TM) XP1800+
Gentoo Base System version 1.12.4
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.3.5-r2, 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo
/etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages
metadata-transfer parallel-fetch sandbox sfperms strict test userpriv
usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal /usr/local/portage/testing"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac acpi alsa apache2 apm avi bash-completion
berkdb bitmap-fonts bzip2 cdr cli crypt css cups dbus divx4linux dlloader dri
dts dvd dvdr dvdread emboss exif ffmpeg firefox font-server foomaticdb fortran
gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal imlib ipv6 isdnlog
java jpeg kde kdeenablefinal libclamav libg++ libwww logitech-mouse mad mikmod
mmx mmxext mono mozcalendar mozdevelop mozsvg mp3 mpeg ncurses network nls nptl
nvidia oav ogg opengl oss pam pcre pdflib perl png pppd python qt qt3 qt4
quicktime readline reflection samba sdl seamonkey session spell spl ssl tcltk
tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb vcd
vorbis win32codecs xine xinerama xml xorg xorg-x11 xprint xv xvg xvid zlib
elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_en
linguas_de linguas_en_GB userland_GNU video_cards_nv video_cards_none"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS,
PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #10 From Jason Wever (RETIRED) 2006-08-24 20:03:39 0000 -------
SPARC stable

------- Comment #11 From Andrej Kacian (RETIRED) 2006-08-25 03:04:55 0000 -------
x86 done

------- Comment #12 From Olivier Crete 2006-08-25 06:53:26 0000 -------
amd64 stable

------- Comment #13 From Bryan Østergaard (RETIRED) 2006-08-25 08:34:41 0000 -------
Alpha stable.

------- Comment #14 From Daniel Black 2006-08-25 16:59:55 0000 -------
sorry hppa folk - seem to have accidentally dropped you.

http://www.wireshark.org/security/wnpa-sec-2006-02.html

wrt to B2 - if this is due to arbitrary code execution (due to ESP
vulnerability) it is more likely a B0 as the injection of data over a network
doesn't require social engineering for the exploit, it just requires the user
to be running wireshark in capture mode (typically as root).

Hopefully the warnings in pkg_postinst have made some people take precautions.

FYI 0.99.3 is the same as 0.99.3a in content on wireshark's website. I just
happened to fix their release before they did.

------- Comment #15 From Raphael Marichez 2006-08-26 07:54:13 0000 -------
Sune are you sure about your CVE ids? 
("ERROR: Couldn't find 'CVE-2006-4330'")

btw the DHCP crash is for windows versions only.

(In reply to comment #6)
> SCSI dissector - CVE-2006-4330
> 
> ESP decryption - CVE-2006-4331
> 
> DHCP dissector - CVE-2006-4332
> 
> SSCOP dissector - CVE-2006-4333
> 

------- Comment #16 From Jeroen Roovers 2006-08-27 10:52:35 0000 -------
HPPA done (by killerfox).

------- Comment #17 From Jeroen Roovers 2006-08-27 12:15:27 0000 -------
Really done

------- Comment #18 From Bryan Østergaard (RETIRED) 2006-08-29 12:09:11 0000 -------
ia64 stable.

------- Comment #19 From Raphael Marichez 2006-08-31 10:05:59 0000 -------
GLSA 200608-26 sent but does not appear on some gentoo-announce recipients...

------- Comment #20 From Sune Kloppenborg Jeppesen 2006-09-05 06:47:40 0000 -------
Falco, same as the other one. I think we should close or resend.

------- Comment #21 From Raphael Marichez 2006-09-07 12:02:28 0000 -------
i'll send them separately this time.

GLSA-200608-26 resent to gentoo-announce@gentoo.org

------- Comment #22 From Raphael Marichez 2006-09-07 12:13:51 0000 -------
and closing
