74443 – net-analyzer/ethereal: New release fix security issues

Bug 74443 - net-analyzer/ethereal: New release fix security issues

Summary: net-analyzer/ethereal: New release fix security issues

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://www.ethereal.com/appnotes/enpa...
Whiteboard:	A3 [glsa] jaervosz
Keywords:

Duplicates (1):	74466 (view as bug list)
Depends on:
Blocks:

Reported:	2004-12-14 21:37 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified:	2004-12-21 03:18 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-12-14 21:37:15 UTC

Ethereal 0.10.8 is scheduled to be released tomorrow (December 15).  It
will address the following issues:

  Matthew Bing discovered a bug in DICOM dissection that could make
  Ethereal crash.
  Versions affected: 0.10.4 - 0.10.7
  Revision fixed: 12504

  An invalid RTP timestamp could make Ethereal hang and create a large
  temporary file, possibly filling available disk space.
  Versions affected: 0.9.16 - 0.10.7
  Revision fixed: 12656

  The HTTP dissector could access previously-freed memory, causing
  a crash.
  Versions affected: 0.10.1 - 0.10.7
  Revision fixed: 12640 & 12668

  Brian Caswell discovered that an improperly formatted SMB packet
  could make Ethereal hang, maximizing CPU utilization.
  Versions affected: 0.9.0 - 0.10.7
  Revision fixed: 12706


Ethereal's SVN repository can be browsed online at

    http://anonsvn.ethereal.com/viewcvs/viewcvs.py/

Information on checking out the source code directly can be found at

    http://www.ethereal.com/development.html#source

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-12-14 21:41:48 UTC

eldad please be ready to bump when the update is released later today.

Comment 2 Eldad Zack (RETIRED) gentoo-dev

2004-12-14 23:44:14 UTC

I'm available, ping me at IRC as soon as 0.10.8 gets out.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-12-15 00:56:44 UTC

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-12-15 00:56:44 UTC

>  Matthew Bing discovered a bug in DICOM dissection that could make
>  Ethereal crash.
>  Versions affected: 0.10.4 - 0.10.7
>  Revision fixed: 12504

CAN-2004-1139

>  An invalid RTP timestamp could make Ethereal hang and create a large
>  temporary file, possibly filling available disk space.
>  Versions affected: 0.9.16 - 0.10.7
>  Revision fixed: 12656

CAN-2004-1140

>  The HTTP dissector could access previously-freed memory, causing
>  a crash.
>  Versions affected: 0.10.1 - 0.10.7
>  Revision fixed: 12640 & 12668

CAN-2004-1141

>  Brian Caswell discovered that an improperly formatted SMB packet
>  could make Ethereal hang, maximizing CPU utilization.<br>
>  Versions affected: 0.9.0 - 0.10.7
>  Revision fixed: 12706

CAN-2004-1142

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-12-15 04:01:05 UTC

Opening this is public now.

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-12-15 04:01:56 UTC

*** Bug 74466 has been marked as a duplicate of this bug. ***

Comment 7 Thierry Carrez (RETIRED) gentoo-dev

2004-12-15 05:04:37 UTC

Really opening it

Comment 8 Thierry Carrez (RETIRED) gentoo-dev

2004-12-15 07:40:18 UTC

Waiting for upstream release...

Comment 9 Eldad Zack (RETIRED) gentoo-dev

2004-12-15 14:57:47 UTC

released upstream.

testing now.

Comment 10 Eldad Zack (RETIRED) gentoo-dev

2004-12-15 15:14:25 UTC

x86 stable

Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-12-15 15:19:15 UTC

Thx Eldad.

Arches please mark stable.

Comment 12 Jason Wever (RETIRED) gentoo-dev

2004-12-15 18:18:39 UTC

Keep on sparc'in

Comment 13 Jochen Maes (RETIRED) gentoo-dev

2004-12-16 00:23:53 UTC

stable on ppc

Comment 14 Bryan Østergaard (RETIRED) gentoo-dev

2004-12-16 10:33:18 UTC

Alpha stable.

Comment 15 Eldad Zack (RETIRED) gentoo-dev

2004-12-17 14:58:10 UTC

we need pcc64 as well.

Comment 16 Eldad Zack (RETIRED) gentoo-dev

2004-12-17 15:07:45 UTC

mobile herd: kismet depends on various ethereal version. Since we are going to purge every version beside 0.10.8, please update your ebuilds...

Comment 17 Simon Stelling (RETIRED) gentoo-dev

2004-12-18 02:12:51 UTC

amd64 done

Comment 18 Henrik Brix Andersen 2004-12-18 03:03:46 UTC

ppc: please mark net-wireless/kismet-2004.10.1-r1 as 'ppc'.

sparc: please mark net-wireless/kismet-2004.10.1-r1 as '~sparc'.

Comment 19 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2004-12-18 03:30:43 UTC

ppc done.

Comment 20 Markus Rothe (RETIRED) gentoo-dev

2004-12-18 05:07:23 UTC

stable on ppc64

Comment 21 Jason Wever (RETIRED) gentoo-dev

2004-12-18 05:31:14 UTC

Masked on sparc because it is unknown if this application even works on SPARC and we do not have an effective way to test it.

Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-12-18 05:45:33 UTC

Thx Brix for noting the Kismet problem. This one is ready for GLSA.

Comment 23 Eldad Zack (RETIRED) gentoo-dev

2004-12-18 05:52:29 UTC

what about ia64?

Comment 24 Thierry Carrez (RETIRED) gentoo-dev

2004-12-18 06:02:24 UTC

ia64 is not a security-supported arch (see security policy at http://www.gentoo.org/security/en/vulnerability-policy.xml), so we cc them but they don't block GLSA release. GLSA goes out when all security-supported arches are ready.

Comment 25 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-12-19 06:42:30 UTC

GLSA 200412-15

Comment 26 Akinori Hattori gentoo-dev

2004-12-21 03:18:25 UTC

stable on ia64