Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 410871 (CVE-2012-1595) - <net-analyzer/wireshark-1.6.6 : multiple DoS (CVE-2012-{1593,1594,1595,1596})
Summary: <net-analyzer/wireshark-1.6.6 : multiple DoS (CVE-2012-{1593,1594,1595,1596})
Status: RESOLVED FIXED
Alias: CVE-2012-1595
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/48548/
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2012-0041
  Show dependency tree
 
Reported: 2012-04-05 12:30 UTC by Agostino Sarubbo
Modified: 2012-05-12 14:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-04-05 12:30:49 UTC
From secunia security advisory at $URL:

Description
Multiple vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) A NULL pointer dereference error in the ANSI A dissector can be exploited to cause a crash via a specially crafted packet.

2) An error in the IEEE 802.11 dissector can be exploited to cause an infinite loop via a specially crafted packet.

This vulnerability is reported in versions 1.6.0 through 1.6.5 only.

3) An error in the MP2T dissector when allocating memory can be exploited to cause a crash via a specially crafted packet.

NOTE: A weakness exists in the pcap and pcap-ng file parsers when reading ERF data and can cause a crash via a specially crafted trace file.

The vulnerabilities are reported in versions 1.4.0 through 1.4.11 and 1.6.0 through 1.6.5.


Solution
Update to version 1.4.12 or 1.6.6.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2012-04-05 13:48:39 UTC
*wireshark-1.6.6 (01 Apr 2012)

  01 Apr 2012; Sebastian Pipping <sping@gentoo.org> +wireshark-1.6.6.ebuild:
  Bump to 1.6.6 (bug #410071), propagating denial of support for gnutls 3 by
  upstream due to license incompatibility


So 1.6.* is settled. Do we still care about 1.4.*?
Comment 2 Agostino Sarubbo gentoo-dev 2012-04-05 13:54:10 UTC
(In reply to comment #1)
> So 1.6.* is settled. Do we still care about 1.4.*?

If you(netmon/maintainer) have planned to support 1.4.x series, yes.

Otherwise you can remove it and we will proceed to stabilization of 1.6.6
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-04-05 14:02:47 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > So 1.6.* is settled. Do we still care about 1.4.*?
> 
> If you(netmon/maintainer) have planned to support 1.4.x series, yes.

I was hinting at pva@'s input here.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2012-04-06 16:36:07 UTC
Arch teams, please test and mark stable:
=net-analyzer/wireshark-1.6.6
Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2012-04-06 18:42:06 UTC
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2012-04-07 15:28:00 UTC
Stable for HPPA.
Comment 7 Andreas Schürch gentoo-dev 2012-04-07 18:01:42 UTC
I found bug #411175 on x86, which is a slight regression.
Should we continue anyway or wait?
Comment 8 Dan Dexter 2012-04-07 18:10:18 UTC
Archtested on x86: Everything OK _except_ for the issue in bug 411175. I'm seeing the same issue with USE="gtk -pcap"

Apart from the bug, all other USE flag combinations work. On a build without USE="gtk -pcap", I was able to perform manual runtime tests without any issues.
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-04-10 19:24:05 UTC
x86: after applying patch all everything fine.
Comment 10 Andreas Schürch gentoo-dev 2012-04-10 20:09:58 UTC
x86 stable, thanks all!
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2012-04-15 18:11:16 UTC
alpha/ia64/sparc stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2012-04-16 17:10:20 UTC
ppc done
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-04-28 00:37:17 UTC
CVE-2012-1596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1596):
  The mp2t_process_fragmented_payload function in
  epan/dissectors/packet-mp2t.c in the MP2T dissector in Wireshark 1.4.x
  before 1.4.12 and 1.6.x before 1.6.6 allows remote attackers to cause a
  denial of service (application crash) via a packet containing an invalid
  pointer value that triggers an incorrect memory-allocation attempt.

CVE-2012-1595 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1595):
  The pcap_process_pseudo_header function in wiretap/pcap-common.c in
  Wireshark 1.4.x before 1.4.12 and 1.6.x before 1.6.6 allows remote attackers
  to cause a denial of service (application crash) via a WTAP_ENCAP_ERF file
  containing an Extension or Multi-Channel header with an invalid pseudoheader
  size, related to the pcap and pcap-ng file parsers.

CVE-2012-1594 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1594):
  epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in Wireshark
  1.6.x before 1.6.6 allows remote attackers to cause a denial of service
  (infinite loop) via a crafted packet.

CVE-2012-1593 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1593):
  epan/dissectors/packet-ansi_a.c in the ANSI A dissector in Wireshark 1.4.x
  before 1.4.12 and 1.6.x before 1.6.6 allows remote attackers to cause a
  denial of service (NULL pointer dereference and application crash) via a
  malformed packet.
Comment 14 Brent Baude (RETIRED) gentoo-dev 2012-05-10 19:26:35 UTC
ppc64 done
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2012-05-10 21:59:51 UTC
Thanks, folks. GLSA Vote: no.
Comment 16 Sean Amoss (RETIRED) gentoo-dev Security 2012-05-11 16:10:05 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > So 1.6.* is settled. Do we still care about 1.4.*?
> > 
> > If you(netmon/maintainer) have planned to support 1.4.x series, yes.
> 
> I was hinting at pva@'s input here.

It looks like the decision here was to stop support on 1.4.x, correct?

Also, please don't forget to remove vulnerable versions from tree. Thanks.
Comment 17 Jeroen Roovers (RETIRED) gentoo-dev 2012-05-12 14:28:43 UTC
(In reply to comment #16)
> It looks like the decision here was to stop support on 1.4.x, correct?

I was waiting for pva to give his input, but it's taken very long, so I have removed 1.4.9 along with the vulnerable 1.6.* ebuilds.

> Also, please don't forget to remove vulnerable versions from tree. Thanks.

Done.
Comment 18 Sean Amoss (RETIRED) gentoo-dev Security 2012-05-12 14:37:26 UTC
Thanks, Jeroen.

GLSA vote: no, client-side DoS. Closing noglsa.