Bug 350551 (CVE-2010-4538) - <net-analyzer/wireshark-1.4.3: Multiple Vulnerabilities (CVE-2010-{4301,4538},CVE-2011-{0444,0445})
Status: RESOLVED FIXED
Alias: CVE-2010-4538
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://bugs.wireshark.org/bugzilla/s...
Whiteboard: A2 [glsa]
Reported: 2011-01-04 15:54 UTC by Stefan Behte (RETIRED)
Modified: 2011-10-09 20:01 UTC

Description Stefan Behte (RETIRED) gentoo-dev Security 2011-01-04 15:54:22 UTC
There's a buffer overflow in ENTTEC DMX Data RLE, leading to crashes and
potential code execution.

Fix available on $URL.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2011-01-04 15:55:44 UTC
Usually people run wireshark as root, though it is not recommended - thus rating as A0.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2011-01-04 16:14:09 UTC
(In reply to comment #1)
> Usually people run wireshark as root, though it is not recommended - thus
> rating as A0.

All of our ebuilds set up the wireshark group, which allows "unprivileged" sniffing to normal users, and write ewarn messages to inform users about that. We could extend the ewarn messages to inform users that running wireshark as root is neither recommended nor needed, and when a user does run it as root, it opens a "Confirm" dialog strongly warning against that use of the software.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2011-01-04 17:11:49 UTC
I wasn't sure about this issue, thus the ? in the whiteboard.
Wireshark itself already opens such a dialog, fixing whiteboard and severity.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-01-04 17:14:52 UTC
Per http://www.openwall.com/lists/oss-security/2011/01/03/8 this has been assigned CVE-2010-4538.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-13 06:37:22 UTC
There's another vulnerability being fixed in 1.4.3, a DoS, see http://www.wireshark.org/security/wnpa-sec-2011-02.html. It has been assigned CVE-2011-0445.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-01-14 08:16:53 UTC
CVE-2011-0444 is also applicable, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0444

Buffer overflow in the MAC-LTE dissector (epan/dissectors/packet-mac-lte.c) in Wireshark 1.2.0 through 1.2.13 and 1.4.0 through 1.4.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of RARs. 

MAC-LTE (CVE-2011-0444) and ENTTEC (CVE-2010-4538) appear to affect 1.2.x also.
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2011-01-21 17:44:33 UTC
(In reply to comment #2)
> We could extend the ewarn messages to inform users that running wireshark as
> root is neither recommended nor needed, and when a user does run it as root,
> it opens a "Confirm" dialog strongly warning against that use of the software.

I don't think we need to extend anything - all information is in place.

Also, please, don't forget to CC maintainers (me).
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2011-01-21 18:06:56 UTC
(In reply to comment #7)
> I don't think we need to extend anything - all information is in place.

Agreed.

> Also, please, don't forget to CC maintainers (me).

I guess this was not done because netmon includes you already, and I hesitated whether I should CC you myself at the time. :)
Comment 9 Peter Volkov (RETIRED) gentoo-dev 2011-01-22 10:22:13 UTC
(In reply to comment #8)
> > Also, please, don't forget to CC maintainers (me).
> 
> I guess this was not done because netmon includes you already, and I hesitated
> whether I should CC you myself at the time. :)

Please, don't hesitate next time :) This was already discussed on -dev mailing list and we have resolution to include everybody mentioned in metadata.xml (if there are no restrict attributes). I know that I'm part of netmon but there are packages I have more interest in and thus I've added myself into metadata.xml to make it explicit that I want to be CC'ed to bug reports. This makes my mail filters highlight this bug report.


New version is in the tree. Arch teams, please stabilize:
net-analyzer/wireshark-1.4.3
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-22 17:26:23 UTC
ppc/ppc64 stable

@pva: could you fix that:
BadInsIntoDir: version 1.4.3: ebuild uses insinto /usr/share/applications on line 203
Comment 11 Markos Chandras (RETIRED) gentoo-dev 2011-01-22 17:50:38 UTC
amd64 done
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2011-01-22 18:29:58 UTC
x86 stable
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2011-01-23 13:49:17 UTC
(In reply to comment #10)
> @pva: could you fix that:
> BadInsIntoDir: version 1.4.3: ebuild uses insinto /usr/share/applications on
> line 203

Fixed.

Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2011-01-24 03:24:47 UTC
Stable for HPPA.
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2011-01-29 13:04:29 UTC
alpha/ia64/sparc stable
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2011-01-29 16:58:10 UTC
Thanks, folks. Added to existing GLSA request.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2011-06-14 09:11:42 UTC
CVE-2011-0445 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0445):
  The ASN.1 BER dissector in Wireshark 1.4.0 through 1.4.2 allows remote
  attackers to cause a denial of service (assertion failure) via crafted
  packets, as demonstrated by fuzz-2010-12-30-28473.pcap.

CVE-2011-0444 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0444):
  Buffer overflow in the MAC-LTE dissector (epan/dissectors/packet-mac-lte.c)
  in Wireshark 1.2.0 through 1.2.13 and 1.4.0 through 1.4.2 allows remote
  attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a large number of RARs.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2011-06-25 12:22:04 UTC
CVE-2010-4301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4301):
  epan/dissectors/packet-zbee-zcl.c in the ZigBee ZCL dissector in Wireshark
  1.4.0 through 1.4.1 allows remote attackers to cause a denial of service
  (infinite loop) via a crafted ZCL packet, related to Discover Attributes.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 20:00:53 UTC
This issue was resolved and addressed in
 GLSA 201110-02 at http://security.gentoo.org/glsa/glsa-201110-02.xml
by GLSA coordinator Alex Legler (a3li).
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 20:01:53 UTC
This issue was resolved and addressed in
 GLSA 201110-02 at http://security.gentoo.org/glsa/glsa-201110-02.xml
by GLSA coordinator Alex Legler (a3li).