Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerabilities are caused due to various errors (e.g. large loops with extreme memory consumption, endless loops, crashes, and buffer overflows) within the following: * SSL, ANSI MAP, Firebird/Interbase, NCP, HTTP, MEGACO, DCP ETSI, PPP, and Bluetooth SDP dissectors * when processing a malformed MP3 or iSeries (OS/400) Communication trace file * when processing a malformed DNP or RPC Portmap packet These can be exploited to crash Wireshark or consume large amounts of system resources by e.g. parsing a specially crafted packet that is either captured off the wire or loaded via a capture file. The vulnerabilities are reported in various versions from 0.8.16 through 0.99.6. Other versions may also be affected. Solution: Update to version 0.99.7. Provided and/or discovered by: Stefan Esser (SSL dissector) Beyond Security (DNP packet) Fabiodds (iSeries (OS/400) Communication trace file) Peter Leeming (ANSI MAP) Steve (Firebird/Interbase) ainsley (RPC Portmap) Original Advisory: http://www.wireshark.org/security/wnpa-sec-2007-03.html Reproducible: Always
maintainers - please provide an updated ebuild
Upgrading to B2 because it might be possible to execute code according to the CVE entries: CVE-2007-6111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6111): Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) allow remote attackers to cause a denial of service (crash) via (1) a crafted MP3 file or (2) unspecified vectors to the NCP dissector. CVE-2007-6112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6112): Buffer overflow in the PPP dissector Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. CVE-2007-6113 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6113): Wireshark (formerly Ethereal) 0.10.12 to 0.99.6 allows remote attackers to cause a denial of service (long loop) via a malformed DNP packet. CVE-2007-6114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6114): Multiple buffer overflows in Wireshark (formerly Ethereal) 0.99.0 through 0.99.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) the SSL dissector or (2) the iSeries (OS/400) Communication trace file parser. CVE-2007-6115 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6115): Buffer overflow in the ANSI MAP dissector for Wireshark (formerly Ethereal) 0.99.5 to 0.99.6, when running on unspecified platforms, allows remote attackers to cause a denial of service and possibly execute arbitrary code via unknown vectors. CVE-2007-6116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6116): The Firebird/Interbase dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (infinite loop or crash) via unknown vectors. CVE-2007-6117 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6117): Unspecified vulnerability in the HTTP dissector for Wireshark (formerly Ethereal) 0.10.14 to 0.99.6 has unknown impact and remote attack vectors related to chunked messages. CVE-2007-6118 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6118): The MEGACO dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 allows remote attackers to cause a denial of service (long loop and resource consumption) via unknown vectors. CVE-2007-6119 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6119): The DCP ETSI dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (long loop and resource consumption) via unknown vectors. CVE-2007-6120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6120): The Bluetooth SDP dissector Wireshark (formerly Ethereal) 0.99.2 to 0.99.6 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors. CVE-2007-6121 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6121): Wireshark (formerly Ethereal) 0.8.16 to 0.99.6 allows remote attackers to cause a denial of service (crash) via a malformed RPC Portmap packet.
Lars, there is no official release yet. I've prepared ebuild for pre-release in my overlay http://overlays.gentoo.org/dev/pva/browser/net-analyzer/wireshark so if you wish to test, please, do it. I'm interested in reports. On the other hand this package is known to have new vulnerabilities every new release is out. After reading this mail http://www.wireshark.org/lists/wireshark-dev/200711/msg00055.html I've got a feeling that the it will ready very soon and so I think it's not necessary to bump pre-release in our tree. We'll bump new version as soon as upstream considers it ready...
Upgrading again since these flaws might allow root compromise. Peter, please have a look at the new packaging options described in section "3. Privileges" here: http://anonsvn.wireshark.org/wireshark/trunk/doc/README.packaging It allows to install some components of wireshark (TShark and dumpcap) setuid root, so the dissector part of wireshark is not run with root privileges. Upstream encourages packages to enable this feature, but make the files only executable by a certain unix group. Would that be an option we could introduce with the new wireshark release's ebuild?
Release delayed until Dec. 5/6. http://www.wireshark.org/lists/wireshark-dev/200711/msg00418.html
I've updated ebuild in my overlay to _pre2. http://overlays.gentoo.org/dev/pva/browser/net-analyzer/wireshark Everybody are welcome to test it. Robert, it contains improvements you mentioned.
Wireshark 0.99.7 was finally released. Peter, thanks for taking note of the new setuid feature. However, it is important that do not install that file the way wireshark leaves it (setuid root), because that way every user on the system can execute it and sniff packets, which usually is a huge security leak. In order to use the setuid feature, the best way to go is to set the setuid files o-x, bug g+x and change the group to "wireshark" -- that group then contains all users trusted to sniff packets. Or use another net analyzer group if available.
Robert, thank you again. Of course its better to allow only trusted users sniff the traffic. New version with some cleanups and your suggestions is in portage.
Seems you missed to add a file. Not ready for stable testing :-)
I was 5 seconds earlier. The bug 202866 is fixed :)
Additional issues already covered by 0.99.7 CVE-2007-6451 Unspecified vulnerability in the CIP dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger allocation of large amounts of memory. CVE-2007-6450 The RPL dissector in Wireshark (formerly Ethereal) 0.9.8 to 0.99.6 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors. CVE-2007-6441 The WiMAX dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (crash) via unknown vectors related to "unaligned access on some platforms." CVE-2007-6439 Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (infinite or large loop) via the (1) IPv6 or (2) USB dissector, which can trigger resource consumption or a crash. NOTE: this identifier originally included Firebird/Interbase, but it is already covered by CVE-2007-6116. The DCP ETSI issue is already covered by CVE-2007-6119. CVE-2007-6438 Unspecified vulnerability in the SMB dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service via unknown vectors. NOTE: this identifier originally included MP3 and NCP, but those issues are already covered by CVE-2007-6111.
Peter, your new ebuild looks fine. Thanks a lot for the fast reactions. Arches, please test and mark stable net-analyzer/wireshark-0.99.7. Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
ppc and ppc64 done
x86 stable
Stable for HPPA.
alpha/ia64/sparc stable
amd64 done
GLSA request filed.
GLSA 200712-23, thank you.
