Bug 629370 (CVE-2017-13765, CVE-2017-13766, CVE-2017-13767)

Summary: <net-analyzer/wireshark-2.4.2: multiple vulnerabilities
Product: Gentoo Security
Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: netmon
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=635686
Whiteboard: B3 [noglsa cve]
Package list:
=net-analyzer/wireshark-2.4.3-r1 =media-libs/spandsp-0.0.6_pre12-r1
Runtime testing required: ---
Bug Depends on: 635686    
Bug Blocks: 625474, 634872, 635546    

Description Aleksandr Wagner (Kivak) 2017-08-30 12:03:00 UTC
CVE-2017-13765 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13765):

In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the IrCOMM dissector has a buffer over-read and application crash. This was addressed in plugins/irda/packet-ircomm.c by adding length validation. 

References:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13929
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=94666d4357096fc45e3bcad3d9414a14f0831bc8
https://www.wireshark.org/security/wnpa-sec-2017-41.html

CVE-2017-13766 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13766):

In Wireshark 2.4.0 and 2.2.0 to 2.2.8, the Profinet I/O dissector could crash with an out-of-bounds write. This was addressed in plugins/profinet/packet-dcerpc-pn-io.c by adding string validation. 

References:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13847
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2096bc1e5078732543e0a3ee115a2ce520a72bbc
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=af7b093ca528516c14247acb545046199d30843e
https://www.wireshark.org/security/wnpa-sec-2017-39.html

CVE-2017-13767 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13767):

In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the MSDP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-msdp.c by adding length validation. 

References:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13933
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6f18ace2a2683418a9368a8dfd92da6bd8213e15
https://www.wireshark.org/security/wnpa-sec-2017-38.html
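Two of the three CVEs above are fixed upstream by "adding length validation": an unchecked length field lets a crafted packet either stop the dissector's cursor from advancing (the MSDP infinite loop, CVE-2017-13767) or push it past the end of the captured data (the IrCOMM over-read, CVE-2017-13765). The following is an added illustration of that bug class and its fix, written for this page; it is not Wireshark code and the TLV layout, function names and sample packets are all constructed for the example. The Profinet out-of-bounds write (missing string validation) is a different check and is not modelled here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed TLV layout, used only in this example (not any real protocol):
 *   byte 0         : type
 *   byte 1         : length of the whole entry, header included
 *   bytes 2..len-1 : payload
 * A well-formed entry is therefore at least TLV_HDR_LEN bytes long. */
#define TLV_HDR_LEN 2

enum tlv_status {
    TLV_OK = 0,
    TLV_ERR_NO_PROGRESS = 1, /* length would not move the cursor: infinite loop */
    TLV_ERR_TRUNCATED = 2    /* length runs past the end of the buffer: over-read */
};

/* What an unvalidated dissector computes as the next cursor position.
 * With len == 0 the cursor never moves (the CVE-2017-13767 class); with
 * len larger than what is left it points past the buffer (the
 * CVE-2017-13765 class). Kept only to contrast with walk_tlvs(). */
size_t next_offset_unchecked(size_t offset, uint8_t len)
{
    return offset + len;
}

/* Hardened walk: every length field is validated before it is trusted.
 * Returns a status; *entries receives the number of entries parsed. */
enum tlv_status walk_tlvs(const uint8_t *buf, size_t buflen, size_t *entries)
{
    size_t offset = 0;
    *entries = 0;

    while (offset < buflen) {
        size_t remaining = buflen - offset;

        /* Need the full header before reading the length byte. */
        if (remaining < TLV_HDR_LEN)
            return TLV_ERR_TRUNCATED;

        uint8_t len = buf[offset + 1];

        /* Check 1: the entry must cover at least its own header, or
         * offset += len would stall (len == 0) or step back into the header. */
        if (len < TLV_HDR_LEN)
            return TLV_ERR_NO_PROGRESS;

        /* Check 2: the entry must fit inside the bytes that are actually left. */
        if (len > remaining)
            return TLV_ERR_TRUNCATED;

        /* buf[offset + 2 .. offset + len - 1] is now safe to dissect. */
        (*entries)++;
        offset += len;
    }
    return TLV_OK;
}

/* Small wrappers so callers can ask for status and count separately. */
enum tlv_status tlv_status_of(const uint8_t *buf, size_t buflen)
{
    size_t n;
    return walk_tlvs(buf, buflen, &n);
}

size_t tlv_entries_of(const uint8_t *buf, size_t buflen)
{
    size_t n;
    walk_tlvs(buf, buflen, &n);
    return n;
}

/* Constructed sample packets. */
const uint8_t pkt_good[]     = { 0x01, 0x04, 0xAA, 0xBB, 0x02, 0x02 };       /* two entries */
const uint8_t pkt_zero_len[] = { 0x01, 0x04, 0xAA, 0xBB, 0x02, 0x00, 0xFF }; /* 2nd entry len 0 */
const uint8_t pkt_overlong[] = { 0x01, 0x10, 0xAA };                         /* claims 16 bytes, 3 present */

int main(void)
{
    printf("good:      status %d, entries %zu\n",
           tlv_status_of(pkt_good, sizeof pkt_good), tlv_entries_of(pkt_good, sizeof pkt_good));
    printf("zero_len:  status %d, entries %zu\n",
           tlv_status_of(pkt_zero_len, sizeof pkt_zero_len), tlv_entries_of(pkt_zero_len, sizeof pkt_zero_len));
    printf("overlong:  status %d, entries %zu\n",
           tlv_status_of(pkt_overlong, sizeof pkt_overlong), tlv_entries_of(pkt_overlong, sizeof pkt_overlong));
    printf("unchecked next offset for len 0 at offset 4: %zu\n", next_offset_unchecked(4, 0));
    return 0;
}
```

The two checks are the whole fix: the first guarantees the loop makes progress on every iteration, the second guarantees every read stays inside the captured bytes. A dissector that only has one of them is still exploitable by the other packet.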
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2017-09-12 00:30:28 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

net-analyzer/wireshark-2.4.1-r3 - In tree.
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-26 01:31:45 UTC
2.2.x is still vulnerable.  Latest upstream is 2.2.10.  Please bump that branch or let us know if you intend to drop 2.2.x in favor of the latest stable versions in the 2.4.x branch.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2017-10-27 01:33:49 UTC
(In reply to Aaron Bauman from comment #2)
> 2.2.x is still vulnerable.  Latest upstream is 2.2.10.  Please bump that
> branch or let us know if you intend to drop 2.2.x in favor of the latest
> stable versions in the 2.4.x branch.

Help yourselves.

Keywords for net-analyzer/wireshark:
         | a a a h i p p x a m m n r s s s | e u s          | r
         | l m r p a p p 8 r i 6 i i 3 h p | a n l          | e
         | p d m p 6 c c 6 m p 8 o s 9   a | p u o          | p
         | h 6   a 4   6   6 s k s c 0   r | i s t          | o
         | a 4         4   4     2 v     c |   e            |
         |                                 |   d            |
---------+---------------------------------+----------------+-------
2.2.7    | + + + + + + + + o o o o o o o + | 6 o 0/2.2.7    | gentoo
---------+---------------------------------+----------------+-------
[I]2.4.2 | o + ~ + o ~ ~ + ~ o o o o o o o | 6 o 0/2.4.2    | gentoo
---------+---------------------------------+----------------+-------
99999999 | o o o o o o o o o o o o o o o o | 6 o 0/99999999 | gentoo
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-27 16:10:13 UTC
(In reply to Jeroen Roovers from comment #1 from bug 635546)
> Bug #625474	net-analyzer/wireshark: Multiple Vulnerabilities
> Bug #629370	net-analyzer/wireshark: multiple vulnerabilities
> Bug #629454	net-analyzer/wireshark: Modbus dissector crash (wnpa-sec-2017-40)
> Bug #634872	net-analyzer/wireshark: Multiple vulnerabilities
> (Bug #635546	net-analyzer/wireshark: Multiple vulnerabilities)
> 
> It's so confusing without versions, isn't it? Now of which of these is this
> bug report a duplicate?

Now the only version needed is wireshark 2.2.10, with that you'll be able to close all other reports, if you don't want to bump that version you can stabilize 2.4.x.

Thank you
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2017-10-28 13:17:09 UTC
(In reply to Christopher Díaz from comment #4)
> Now the only version needed is wireshark 2.2.10, with that you'll be able to
> close all other reports, if you don't want to bump that version you can
> stabilize 2.4.x.

We don't "need" 2.2.x at all. The 2.4 branch was promoted to stable in July.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-28 13:23:11 UTC
(In reply to Jeroen Roovers from comment #5)
> (In reply to Christopher Díaz from comment #4)
> > Now the only version needed is wireshark 2.2.10, with that you'll be able to
> > close all other reports, if you don't want to bump that version you can
> > stabilize 2.4.x.
> 
> We don't "need" 2.2.x at all. The 2.4 branch was promoted to stable in July.

I think that is quite obvious to all of us.  The problem is, we don't just drop maintainer owned packages because we feel like it.  So if you don't mind dropping 2.2.x then we can move forward.  If you want me to do it then so be it.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-10-28 13:33:07 UTC
(In reply to Aaron Bauman from comment #6)
> The problem is, we don't just
> drop maintainer owned packages because we feel like it.  So if you don't
> mind dropping 2.2.x then we can move forward.  If you want me to do it then
> so be it.

Why don't you stabilise 2.4.2?
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-28 14:08:45 UTC
@arches, please stabilize.

2.2.x branch will be dropped when we move to cleanup.
Comment 9 Stabilization helper bot gentoo-dev 2017-10-28 15:01:00 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad net-analyzer/wireshark/wireshark-2.4.2.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-libs/spandsp']
> dependency.bad net-analyzer/wireshark/wireshark-2.4.2.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-libs/spandsp']
Comment 10 Sergei Trofimovich gentoo-dev 2017-11-12 18:34:36 UTC
ppc64 stable
Comment 11 Sergei Trofimovich gentoo-dev 2017-11-18 20:57:05 UTC
ppc stable
Comment 12 Markus Meier gentoo-dev 2017-11-19 15:08:59 UTC
arm stable, all arches done.
Comment 13 Stabilization helper bot gentoo-dev 2017-11-19 18:01:02 UTC
An automated check of this bug failed - repoman reported dependency errors (7 lines truncated): 

> dependency.bad net-analyzer/wireshark/wireshark-2.4.2.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['app-arch/snappy']
> dependency.bad net-analyzer/wireshark/wireshark-2.4.2.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['app-arch/snappy']
> dependency.bad net-analyzer/wireshark/wireshark-2.4.2.ebuild: DEPEND: ia64(default/linux/ia64/13.0/desktop) ['app-arch/snappy']
Comment 14 Sergei Trofimovich gentoo-dev 2017-11-19 20:46:15 UTC
ia64 stable
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-03-25 18:45:48 UTC
2.2.x has been dekeyworded for all arches except alpha.  Cleanup of that version will be tracked in a newer bug.