Bug 575780 (CVE-2016-2522, CVE-2016-2523, CVE-2016-2524, CVE-2016-2525, CVE-2016-2526, CVE-2016-2527, CVE-2016-2528, CVE-2016-2529, CVE-2016-2530, CVE-2016-2531, CVE-2016-2532)

Summary: <net-analyzer/wireshark-2.0.2: Multiple Vulnerabilities (CVE-2016-{2521,2522,2523,2524,2525,2526,2527,2528,2529,2530,2531,2532})
Product: Gentoo Security
Reporter: Frank Krömmelbein <kroemmelbein>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: netmon
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 570564    

Description Frank Krömmelbein 2016-02-26 23:00:15 UTC
https://www.wireshark.org/docs/relnotes/wireshark-2.0.2.html

The following vulnerabilities have been fixed:

wnpa-sec-2016-01
DLL hijacking vulnerability. CVE-2016-2521

wnpa-sec-2016-02
ASN.1 BER dissector crash. (Bug 11828) CVE-2016-2522

wnpa-sec-2016-03
DNP dissector infinite loop. (Bug 11938) CVE-2016-2523

wnpa-sec-2016-04
X.509AF dissector crash. (Bug 12002) CVE-2016-2524

wnpa-sec-2016-05
HTTP/2 dissector crash. (Bug 12077) CVE-2016-2525

wnpa-sec-2016-06
HiQnet dissector crash. (Bug 11983) CVE-2016-2526

wnpa-sec-2016-07
3GPP TS 32.423 Trace file parser crash. (Bug 11982) CVE-2016-2527

wnpa-sec-2016-08
LBMC dissector crash. (Bug 11984) CVE-2016-2528

wnpa-sec-2016-09
iSeries file parser crash. (Bug 11985) CVE-2016-2529

wnpa-sec-2016-10
RSL dissector crash. (Bug 11829) CVE-2016-2530 CVE-2016-2531

wnpa-sec-2016-11
LLRP dissector crash. (Bug 12048) CVE-2016-2532

wnpa-sec-2016-12
Ixia IxVeriWave file parser crash. (Bug 11795)

wnpa-sec-2016-13
IEEE 802.11 dissector crash. (Bug 11818)

wnpa-sec-2016-14
GSM A-bis OML dissector crash. (Bug 11825)

wnpa-sec-2016-15
ASN.1 BER dissector crash. (Bug 12106)

wnpa-sec-2016-16
SPICE dissector large loop. (Bug 12151)

wnpa-sec-2016-17
NFS dissector crash.

wnpa-sec-2016-18
ASN.1 BER dissector crash. (Bug 11822)
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-27 07:28:53 UTC
Arch teams, please test and mark stable:
=net-analyzer/wireshark-2.0.2
Targeted stable KEYWORDS : alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-27 12:07:23 UTC
Stable for PPC64.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-27 13:35:47 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2016-03-02 14:00:36 UTC
amd64 stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-03-15 10:23:24 UTC
CVE-2016-2532 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2532):
  The dissect_llrp_parameters function in epan/dissectors/packet-llrp.c in the
  LLRP dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2
  does not limit the recursion depth, which allows remote attackers to cause a
  denial of service (memory consumption or application crash) via a crafted
  packet.

CVE-2016-2531 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2531):
  Off-by-one error in epan/dissectors/packet-rsl.c in the RSL dissector in
  Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2 allows remote
  attackers to cause a denial of service (out-of-bounds read and application
  crash) via a crafted packet that triggers a 0xff tag value, a different
  vulnerability than CVE-2016-2530.

CVE-2016-2530 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2530):
  The dissct_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c in the
  RSL dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2
  mishandles the case of an unrecognized TLV type, which allows remote
  attackers to cause a denial of service (out-of-bounds read and application
  crash) via a crafted packet, a different vulnerability than CVE-2016-2531.

CVE-2016-2529 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2529):
  The iseries_check_file_type function in wiretap/iseries.c in the iSeries
  file parser in Wireshark 2.0.x before 2.0.2 does not consider that a line
  may lack the "OBJECT PROTOCOL" substring, which allows remote attackers to
  cause a denial of service (out-of-bounds read and application crash) via a
  crafted file.

CVE-2016-2528 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2528):
  The dissect_nhdr_extopt function in epan/dissectors/packet-lbmc.c in the
  LBMC dissector in Wireshark 2.0.x before 2.0.2 does not validate length
  values, which allows remote attackers to cause a denial of service
  (stack-based buffer overflow and application crash) via a crafted packet.

CVE-2016-2527 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2527):
  wiretap/nettrace_3gpp_32_423.c in the 3GPP TS 32.423 Trace file parser in
  Wireshark 2.0.x before 2.0.2 does not ensure that a '\0' character is
  present at the end of certain strings, which allows remote attackers to
  cause a denial of service (stack-based buffer overflow and application
  crash) via a crafted file.

CVE-2016-2526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2526):
  epan/dissectors/packet-hiqnet.c in the HiQnet dissector in Wireshark 2.0.x
  before 2.0.2 does not validate the data type, which allows remote attackers
  to cause a denial of service (out-of-bounds read and application crash) via
  a crafted packet.

CVE-2016-2525 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2525):
  epan/dissectors/packet-http2.c in the HTTP/2 dissector in Wireshark 2.0.x
  before 2.0.2 does not limit the amount of header data, which allows remote
  attackers to cause a denial of service (memory consumption or application
  crash) via a crafted packet.

CVE-2016-2524 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2524):
  epan/dissectors/packet-x509af.c in the X.509AF dissector in Wireshark 2.0.x
  before 2.0.2 mishandles the algorithm ID, which allows remote attackers to
  cause a denial of service (application crash) via a crafted packet.

CVE-2016-2523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2523):
  The dnp3_al_process_object function in epan/dissectors/packet-dnp.c in the
  DNP3 dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2
  allows remote attackers to cause a denial of service (infinite loop) via a
  crafted packet.

CVE-2016-2522 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2522):
  The dissect_ber_constrained_bitstring function in
  epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 2.0.x
  before 2.0.2 does not verify that a certain length is nonzero, which allows
  remote attackers to cause a denial of service (out-of-bounds read and
  application crash) via a crafted packet.

CVE-2016-2521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2521):
  Untrusted search path vulnerability in the WiresharkApplication class in
  ui/qt/wireshark_application.cpp in Wireshark 1.12.x before 1.12.10 and 2.0.x
  before 2.0.2 on Windows allows local users to gain privileges via a Trojan
  horse riched20.dll.dll file in the current working directory, related to use
  of QLibrary.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-15 10:25:30 UTC
GLSA request filed.
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-15 16:43:40 UTC
x86 stable
Comment 8 Tobias Klausmann gentoo-dev 2016-03-16 09:25:26 UTC
Stable on alpha.
Comment 9 Agostino Sarubbo gentoo-dev 2016-03-16 12:08:07 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-03-19 11:40:09 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-03-20 12:03:49 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-24 07:06:53 UTC
Added to existing GLSA.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-04-26 21:27:48 UTC
This issue was resolved and addressed in
 GLSA 201604-05 at https://security.gentoo.org/glsa/201604-05
by GLSA coordinator Kristian Fiskerstrand (K_F).