Bug 199958

Summary: net-analyzer/wireshark < 0.99.7 Multiple vulnerabilities (CVE-2007-{6111,6112,6113,6114,6115,6116,6117,6118,6119,6120,6121,6438,6439,6441,6450,6451})
Product: Gentoo Security
Reporter: Lars Hartmann <lars>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: netmon
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/27777/
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 202866
Bug Blocks:

Description Lars Hartmann 2007-11-22 09:44:30 UTC
Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerabilities are caused by various errors (e.g. large loops with extreme memory consumption, endless loops, crashes, and buffer overflows) within the following:
* SSL, ANSI MAP, Firebird/Interbase, NCP, HTTP, MEGACO, DCP ETSI, PPP, and Bluetooth SDP dissectors
* when processing a malformed MP3 or iSeries (OS/400) Communication trace file
* when processing a malformed DNP or RPC Portmap packet

These can be exploited to crash Wireshark or consume large amounts of system resources by e.g. parsing a specially crafted packet that is either captured off the wire or loaded via a capture file.

The vulnerabilities are reported in various versions from 0.8.16 through 0.99.6. Other versions may also be affected.

Solution:
Update to version 0.99.7.

Provided and/or discovered by:
Stefan Esser (SSL dissector)
Beyond Security (DNP packet)
Fabiodds (iSeries (OS/400) Communication trace file)
Peter Leeming (ANSI MAP)
Steve (Firebird/Interbase)
ainsley (RPC Portmap)

Original Advisory:
http://www.wireshark.org/security/wnpa-sec-2007-03.html

Reproducible: Always
Comment 1 Lars Hartmann 2007-11-24 17:17:26 UTC
maintainers - please provide an updated ebuild
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-11-25 15:08:29 UTC
Upgrading to B2 because it might be possible to execute code according to the CVE entries:

CVE-2007-6111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6111):
  Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) allow
  remote attackers to cause a denial of service (crash) via (1) a crafted MP3
  file or (2) unspecified vectors to the NCP dissector.

CVE-2007-6112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6112):
  Buffer overflow in the PPP dissector Wireshark (formerly Ethereal) 0.99.6
  allows remote attackers to cause a denial of service (crash) and possibly
  execute arbitrary code via unknown vectors.

CVE-2007-6113 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6113):
  Wireshark (formerly Ethereal) 0.10.12 to 0.99.6 allows remote attackers to
  cause a denial of service (long loop) via a malformed DNP packet.

CVE-2007-6114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6114):
  Multiple buffer overflows in Wireshark (formerly Ethereal) 0.99.0 through
  0.99.6 allow remote attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via (1) the SSL dissector or (2) the iSeries
  (OS/400) Communication trace file parser.

CVE-2007-6115 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6115):
  Buffer overflow in the ANSI MAP dissector for Wireshark (formerly Ethereal)
  0.99.5 to 0.99.6, when running on unspecified platforms, allows remote
  attackers to cause a denial of service and possibly execute arbitrary code
  via unknown vectors.

CVE-2007-6116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6116):
  The Firebird/Interbase dissector in Wireshark (formerly Ethereal) 0.99.6
  allows remote attackers to cause a denial of service (infinite loop or crash)
  via unknown vectors.

CVE-2007-6117 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6117):
  Unspecified vulnerability in the HTTP dissector for Wireshark (formerly
  Ethereal) 0.10.14 to 0.99.6 has unknown impact and remote attack vectors
  related to chunked messages.

CVE-2007-6118 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6118):
  The MEGACO dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 allows
  remote attackers to cause a denial of service (long loop and resource
  consumption) via unknown vectors.

CVE-2007-6119 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6119):
  The DCP ETSI dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote
  attackers to cause a denial of service (long loop and resource consumption)
  via unknown vectors.

CVE-2007-6120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6120):
  The Bluetooth SDP dissector Wireshark (formerly Ethereal) 0.99.2 to 0.99.6
  allows remote attackers to cause a denial of service (infinite loop) via
  unknown vectors.

CVE-2007-6121 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6121):
  Wireshark (formerly Ethereal) 0.8.16 to 0.99.6 allows remote attackers to
  cause a denial of service (crash) via a malformed RPC Portmap packet.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2007-11-25 19:59:45 UTC
Lars, there is no official release yet. I've prepared an ebuild for the pre-release in my overlay: http://overlays.gentoo.org/dev/pva/browser/net-analyzer/wireshark
so if you wish to test, please do it. I'm interested in reports.

On the other hand, this package is known to have new vulnerabilities every time a new release is out. After reading this mail http://www.wireshark.org/lists/wireshark-dev/200711/msg00055.html
I've got a feeling that it will be ready very soon, and so I think it's not necessary to bump the pre-release in our tree. We'll bump the new version as soon as upstream considers it ready...
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-11-27 01:19:53 UTC
Upgrading again since these flaws might allow root compromise.

Peter, please have a look at the new packaging options described in section "3. Privileges" here:
  http://anonsvn.wireshark.org/wireshark/trunk/doc/README.packaging

It allows installing some components of Wireshark (TShark and dumpcap) setuid root, so the dissector part of Wireshark is not run with root privileges. Upstream encourages packagers to enable this feature, but to make the files only executable by a certain Unix group.

Would that be an option we could introduce with the new wireshark release's ebuild?
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-11-28 10:18:39 UTC
Release delayed until Dec. 5/6.

http://www.wireshark.org/lists/wireshark-dev/200711/msg00418.html
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2007-12-13 10:44:01 UTC
I've updated ebuild in my overlay to _pre2.
http://overlays.gentoo.org/dev/pva/browser/net-analyzer/wireshark
Everybody is welcome to test it.

Robert, it contains improvements you mentioned.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-12-18 23:40:10 UTC
Wireshark 0.99.7 was finally released.

Peter, thanks for taking note of the new setuid feature. However, it is important that you do not install that file the way Wireshark leaves it (setuid root), because that way every user on the system can execute it and sniff packets, which usually is a huge security leak.

In order to use the setuid feature, the best way to go is to set the setuid files o-x, but g+x, and change the group to "wireshark" -- that group then contains all users trusted to sniff packets. Or use another net analyzer group if available.
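An added example, not code from this bug or from Gentoo's ebuild, that audits the permission scheme Robert describes above (setuid root, o-x, g+x, a trusted group): it assumes the capture helper lives at /usr/bin/dumpcap and the trusted group is named "wireshark", and it uses GNU stat with numeric ids so the check does not depend on name lookups.

```shell
#!/bin/sh
# Added example (not from the bug report or Gentoo's ebuild): audit a
# privileged capture helper for the scheme in Comment 7: setuid root,
# no execute bit for "other", executable by a trusted group only.
# Path /usr/bin/dumpcap and group "wireshark" are assumptions.

# check_capture_helper FILE UID GID
# Returns 0 if FILE is setuid, owned by UID:GID, group-executable and not
# executable by "other"; otherwise prints the first problem and returns 1.
check_capture_helper() {
    file=$1 want_uid=$2 want_gid=$3
    [ -f "$file" ] || { echo "$file: not a regular file"; return 1; }
    mode=$(stat -c '%a' "$file")
    # stat prints only 3 digits when no special bits are set; pad to 4
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done
    special=$(printf '%s' "$mode" | cut -c1)
    grp=$(printf '%s' "$mode" | cut -c3)
    oth=$(printf '%s' "$mode" | cut -c4)
    case $special in
        4|6) ;;  # setuid set (6 = setuid + setgid)
        *) echo "$file: setuid bit not set (mode $mode)"; return 1 ;;
    esac
    case $grp in
        1|3|5|7) ;;  # group execute: the trusted group can run it
        *) echo "$file: not executable by group (mode $mode)"; return 1 ;;
    esac
    case $oth in
        0|2|4|6) ;;  # no execute for "other": arbitrary users cannot sniff
        *) echo "$file: world-executable setuid binary (mode $mode)"; return 1 ;;
    esac
    [ "$(stat -c '%u' "$file")" = "$want_uid" ] ||
        { echo "$file: owner is not uid $want_uid"; return 1; }
    [ "$(stat -c '%g' "$file")" = "$want_gid" ] ||
        { echo "$file: group is not gid $want_gid"; return 1; }
    echo "$file: ok (mode $mode, owner $want_uid:$want_gid)"
}

# Real-system usage (assumed path and group): root is uid 0 and the
# trusted group's gid is looked up from the group database.
# check_capture_helper /usr/bin/dumpcap 0 "$(getent group wireshark | cut -d: -f3)"
```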
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2007-12-20 14:19:43 UTC
Robert, thank you again. Of course it's better to allow only trusted users to sniff the traffic. The new version with some cleanups and your suggestions is in portage.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-12-20 17:48:59 UTC
Seems you forgot to add a file. Not ready for stable testing :-)
Comment 10 Peter Volkov (RETIRED) gentoo-dev 2007-12-20 18:06:13 UTC
I was 5 seconds earlier. The bug 202866 is fixed :)
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 21:52:49 UTC
Additional issues already covered by 0.99.7

CVE-2007-6451
    Unspecified vulnerability in the CIP dissector in Wireshark
    (formerly Ethereal) 0.9.14 to 0.99.6 allows remote attackers
    to cause a denial of service (crash) via unknown vectors
    that trigger allocation of large amounts of memory.

CVE-2007-6450
    The RPL dissector in Wireshark (formerly Ethereal) 0.9.8 to
    0.99.6 allows remote attackers to cause a denial of service
    (infinite loop) via unknown vectors.

CVE-2007-6441
    The WiMAX dissector in Wireshark (formerly Ethereal) 0.99.6
    allows remote attackers to cause a denial of service (crash)
    via unknown vectors related to "unaligned access on some
    platforms."

CVE-2007-6439
    Wireshark (formerly Ethereal) 0.99.6 allows remote attackers
    to cause a denial of service (infinite or large loop) via
    the (1) IPv6 or (2) USB dissector, which can trigger
    resource consumption or a crash. NOTE: this identifier
    originally included Firebird/Interbase, but it is already
    covered by CVE-2007-6116. The DCP ETSI issue is already
    covered by CVE-2007-6119.

CVE-2007-6438
    Unspecified vulnerability in the SMB dissector in Wireshark
    (formerly Ethereal) 0.99.6 allows remote attackers to cause
    a denial of service via unknown vectors. NOTE: this
    identifier originally included MP3 and NCP, but those issues
    are already covered by CVE-2007-6111.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 22:48:58 UTC
Peter, your new ebuild looks fine. Thanks a lot for the fast reactions.

Arches, please test and mark stable net-analyzer/wireshark-0.99.7.
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 13 Brent Baude (RETIRED) gentoo-dev 2007-12-23 04:38:34 UTC
ppc and ppc64 done
Comment 14 Markus Meier gentoo-dev 2007-12-23 14:07:17 UTC
x86 stable
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-24 01:58:19 UTC
Stable for HPPA.
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2007-12-24 12:10:52 UTC
alpha/ia64/sparc stable
Comment 17 Peter Weller (RETIRED) gentoo-dev 2007-12-26 10:58:20 UTC
amd64 done
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2007-12-26 11:44:34 UTC
GLSA request filed.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2007-12-30 17:39:51 UTC
GLSA 200712-23, thank you.