Bug 109348 - net-analyzer/ethereal: 0.10.13 fixes several vulnerabilities
Summary: net-analyzer/ethereal: 0.10.13 fixes several vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All
OS: Linux
Importance: High blocker
Assignee: Gentoo Security
URL: http://www.ethereal.com/distribution/...
Whiteboard: B0 [glsa] jaervosz
Reported: 2005-10-15 02:52 UTC by Thierry Carrez (RETIRED)
Modified: 2006-03-23 19:48 UTC (History)
Description Thierry Carrez (RETIRED) gentoo-dev 2005-10-15 02:52:03 UTC
0.10.13 will be out October 17th with the following fixes:

  The ISAKMP dissector could exhaust system memory.
  The FC-FCS dissector could exhaust system memory.
  The RSVP dissector could exhaust system memory.
  The ISIS LSP dissector could exhaust system memory.
  The IrDA dissector could crash.
  The SLIMP3 dissector could overflow a buffer.
  The BER dissector was susceptible to an infinite loop.
  The SCSI dissector could dereference a null pointer and crash.
  If the "Dissect unknown RPC program numbers" option was enabled, the ONC RPC dissector might be able to exhaust system memory.
  The sFlow dissector could dereference a null pointer and crash.
  The RTnet dissector could dereference a null pointer and crash.
  The SigComp UDVM could go into an infinite loop or crash.
  If SMB transaction payload reassembly is enabled the SMB dissector could crash.
  The X11 dissector could attempt to divide by zero.
  The AgentX dissector could overflow a buffer.
  The WSP dissector could free an invalid pointer.
  iDEFENSE found a buffer overflow in the SRVLOC dissector.

Get ready.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-16 22:29:25 UTC
GLSA drafted. 
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-10-19 01:16:39 UTC
CAN assignment:

CAN-2005-3184
  SRVLOC "buffer overflow (iDEFENSE)" from 0.10.0 to 0.10.12

CAN-2005-3241
  ISAKMP "exhaust system memory" from 0.10.11 to 0.10.12
  FC-FCS "exhaust system memory" from 0.9.0 to 0.10.12
  RSVP "exhaust system memory" from 0.9.4 to 0.10.12
  ISIS LSP "exhaust system memory" from 0.8.18 to 0.10.12

CAN-2005-3242
  IrDA crash from 0.10.0 to 0.10.12
  SMB crash from 0.9.7 to 0.10.12

CAN-2005-3243
  SLIMP3 "buffer overflow" from 0.9.1 to 0.10.12
  AgentX "buffer overflow" from 0.10.10 to 0.10.12

CAN-2005-3244
  BER "infinite loop" from 0.10.3 to 0.10.12

CAN-2005-3245
  ONC RPC "exhaust system memory" from 0.7.7 to 0.10.12

CAN-2005-3246
  SCSI "null dereference" from 0.10.3 to 0.10.12
  sFlow "null dereference" from 0.9.14 to 0.10.12
  RTnet "null dereference" from 0.10.8 to 0.10.12

CAN-2005-3247
  SigComp UDVM "infinite loop or crash" 0.10.12

CAN-2005-3248
  X11 "divide by zero" from 0.10.1 to 0.10.12

CAN-2005-3249
  WSP "free an invalid pointer" from 0.10.1 to 0.10.12
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-19 10:56:17 UTC
Still nothing upstream. ETA unknown. 
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-19 13:59:23 UTC
Still no announcements but tarball available. Setting to SEMI-PUBLIC for now. 
 
Daniel please provide an updated ebuild. 
Comment 5 Daniel Black (RETIRED) gentoo-dev 2005-10-19 15:21:10 UTC
Added masked. Had trouble reading from a pcap file: 100% CPU and no action.
 
If someone could test, that would be great. Feel free to unmask.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-10-20 00:37:17 UTC
Now public.
Comment 7 Daniel Black (RETIRED) gentoo-dev 2005-10-20 00:47:37 UTC
ethereal-0.10.13 committed and ready for stabilisation.
 
Test plan: 
 
1. Capture some network traffic (tcpdump -i eth0 -w dump.pkt) and run ethereal -r dump.pkt as a non-root user.
2. Run ethereal as root and see if it can capture packets.
 
last arch out please remove 0.10.12. 
 
Apologies for CCing you on a bug you can't see, but I'm sure the ethereal web page will tell all.
Comment 8 Andrej Kacian (RETIRED) gentoo-dev 2005-10-20 02:00:14 UTC
Worky worky on x86.
Comment 9 Andrej Kacian (RETIRED) gentoo-dev 2005-10-20 02:00:48 UTC
Forgot to unCC...
Comment 10 Brent Baude (RETIRED) gentoo-dev 2005-10-20 09:05:46 UTC
Folks, I went to stabilize on ppc64 and also tried with the adns USE flag. The adns package failed one of its tests with a memory leak. So it might take us a while to get this one under wraps.
Comment 11 Jason Wever (RETIRED) gentoo-dev 2005-10-20 10:48:16 UTC
On my ~amd64 box, emerging ethereal generates the following syslog entry:

lt-tethereal[31339]: segfault at 00002aaaac0c1f68 rip 00002aaaac0c1f68 rsp 00007ffffff938a8 error 15

Is that to be expected?
Comment 12 Daniel Black (RETIRED) gentoo-dev 2005-10-20 16:00:26 UTC
I tend not to expect that (memleak or syslog).
Netmon friends, can you do a bit more testing? I'm pretty busy at the moment.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-21 23:56:19 UTC
netmon please advise. 
Comment 14 Marco Morales 2005-10-24 08:38:38 UTC
It's working OK on x86 as far as I can test :)
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-10-24 08:40:24 UTC
Please mark stable if it doesn't work worse than the previous version. We need to GLSA this one soon because of the potential impact of the vulnerability.

ppc64: maybe mask the adns USE flag to get out of the deadlock.
Comment 16 Brent Baude (RETIRED) gentoo-dev 2005-10-24 09:45:50 UTC
Marking ppc64 stable. Also discussed the test failure of adns with dostrow and we agreed to stabilize anyway.
Comment 17 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-10-24 11:15:56 UTC
alpha seems to have the same memory leak problems as ppc64. It could be a 64-bit related problem, since on x86 it is working fine and amd64 also presents some issues (maybe sparc folks can check this).

To check it out, just run: emerge adns with FEATURES="test".

I am *really* against marking ethereal stable with this bug, so is the way to go to mask the global USE flag "adns"? If so, I will do it in a few hours.
Comment 18 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-24 12:57:44 UTC
adns works on ppc(32), marked stable.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-10-24 14:05:41 UTC
yoswink: of course if there is a regression in 0.10.13 you shouldn't mark it stable. But if it's just a bug that is already there in 0.10.12 (in adns support or anywhere else), then you should mark it stable.

The idea here is not to mark stable because it's perfect, but to mark stable because it's the same as the current stable + security fixes.

So please check 0.10.12 status on the problem you detected to determine if it's a regression in 0.10.13 or not.
Comment 20 Fernando J. Pereda (RETIRED) gentoo-dev 2005-10-24 14:14:17 UTC
If adns causes problems then ethereal-0.10.13 should be marked stable and adns use.mask'ed. That way you keep everyone happy :)

Cheers,
Ferdy
Comment 21 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-24 14:20:52 UTC
sparc stable, adns seems safe for us.
Comment 22 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-10-24 16:39:39 UTC
After more serious tests on ethereal (with adns support), more tests on adns and checking how long adns has been stable on alpha (29 Mar 2004) without any bug (on any arch), I decided ...

Marked 0.10.13 as stable on alpha and did *not* mask the USE flag "adns".

If sometime in future, errors appear on it, please punish me until I die ;)
Comment 23 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-10-24 20:39:24 UTC
Running this ethereal on amd64 on a small (72k) dump file generated by tcpdump causes it to go into a hard loop consuming all available CPU. I cannot mark it stable under these circumstances, as it does not work at all with a dump file.

Note that it works fine capturing its own dump.
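A small harness for the non-root half of the test plan in comment 7 and for the kind of failure Daniel describes in comment 23 (a dissector spinning at 100% CPU on a capture file). This is an added example, not code from the bug report or from the Ethereal project. It assumes a coreutils or busybox `timeout` on PATH, that `tethereal` (the console build of ethereal) is installed, and that 30 seconds is a generous bound for a capture of a few hundred KB; the classification itself is generic and works with any command.

```shell
#!/bin/sh
# Added example (not from the bug or from Ethereal): classify what a
# dissector run does with a capture file, so a spin like the 0.10.13 IRC
# loop is reported as "hang" instead of tying up a terminal.
# Assumes coreutils/busybox `timeout` is available.

# run_classified SECONDS CMD [ARGS...]
# Runs CMD under a time limit and prints one word:
#   ok     exit status 0
#   hang   the limit fired: timeout returns 124, or 137 when it had to
#          deliver SIGKILL (137 is also what an OOM-killed process returns,
#          which for the "exhaust system memory" bugs is a finding too)
#   crash  CMD died from SIGSEGV (128+11=139) or SIGABRT (128+6=134)
#   error  any other non-zero exit (e.g. unreadable file, bad option)
run_classified() {
    limit=$1
    shift
    rc=0
    timeout -s KILL "$limit" "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)       echo ok ;;
        124|137) echo hang ;;
        134|139) echo crash ;;
        *)       echo error ;;
    esac
}

# check_capture FILE [SECONDS]: read a capture written earlier with
# `tcpdump -i eth0 -w FILE` using the console dissector, as a non-root
# user. tethereal is an assumed dependency; 30 s is an assumed bound.
# Returns 0 only when the dissector finished cleanly.
check_capture() {
    file=$1
    limit=${2:-30}
    result=$(run_classified "$limit" tethereal -r "$file")
    echo "$file: $result"
    [ "$result" = ok ]
}

# Usage from the shell: ./check.sh dump.pkt
# Runs only when a capture path is given, so sourcing this file has no side effects.
if [ -n "${1:-}" ]; then
    check_capture "$1"
fi
```

Run it against a capture that previously hung: a result of `hang` within the bound reproduces the loop without having to kill the process by hand, and `crash` distinguishes the null-dereference style bugs from the infinite-loop ones listed in the description. Exit status 137 is reported as `hang` rather than `crash` because `timeout -s KILL` produces it on expiry, so an OOM kill of the dissector lands in the same bucket; check `dmesg` if memory rather than time is suspected.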
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2005-10-25 00:48:17 UTC
Daniel: can you confirm the same test works correctly on 0.10.12?

Any chance you can attach your dump file so that we can test and narrow it down to amd64? We need to push this upstream asap if we want to have a security fix soon.
Comment 25 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-10-25 12:15:22 UTC
It works fine on 0.10.12. There's a dump that fails at http://dev.gentoo.org/~dang/dump.pkt
Comment 26 Thierry Carrez (RETIRED) gentoo-dev 2005-10-26 02:35:15 UTC
I can reproduce the problem on x86 with this capture file, so it's not amd64-specific. I pushed the issue upstream, hopefully we'll get a fix.

Calling stable arches back as they might want to test with the file and downgrade to ~ or mask 0.10.13 if they are affected.
Comment 27 Thierry Carrez (RETIRED) gentoo-dev 2005-10-26 08:33:03 UTC
Gerald Combs answered: it's an IRC loop that was introduced in the 0.10.13 release. This patch should solve it:

http://anonsvn.ethereal.com/viewcvs/viewcvs.py/trunk/epan/dissectors/packet-irc.c?r1=15985&r2=16290&rev=16290&makepatch=1&diff_format=u
netmon, please revbump with patch.
Comment 28 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-26 22:12:10 UTC
Use CVE-2005-3313 for the DoS issue reported on this bug. 
Comment 29 Aaron Walker (RETIRED) gentoo-dev 2005-10-27 05:36:17 UTC
Archs, 0.10.13-r1 is in cvs with the patch in comment 27 applied. Please test/re-keyword.
Comment 30 Brent Baude (RETIRED) gentoo-dev 2005-10-27 08:30:42 UTC
marked ppc64 stable
Comment 31 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-27 13:07:48 UTC
sparc does it again!
Comment 32 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-10-27 16:59:32 UTC
Alpha is ready.

Thanks to Daniel for reporting it.
Comment 33 Simon Stelling (RETIRED) gentoo-dev 2005-10-28 08:24:50 UTC
amd64 stable
Comment 34 Mark Loeser (RETIRED) gentoo-dev 2005-10-28 17:12:55 UTC
x86 done
Comment 35 Thierry Carrez (RETIRED) gentoo-dev 2005-10-29 02:24:00 UTC
Waiting on ppc to mark 0.10.13-r1 stable to release GLSA. ia64 should stable too.
Comment 36 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-29 08:41:00 UTC
Stable on ppc. Sorry for the delay.
Comment 37 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-30 00:44:25 UTC
Security please review the updated draft (approvals were downgraded).
Comment 38 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-30 09:06:04 UTC
GLSA 200510-25