Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 629370 (CVE-2017-13765, CVE-2017-13766, CVE-2017-13767) - <net-analyzer/wireshark-2.4.2: multiple vulnerabilities
Summary: <net-analyzer/wireshark-2.4.2: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-13765, CVE-2017-13766, CVE-2017-13767
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 635686
Blocks: CVE-2017-9616, CVE-2017-9617, CVE-2017-9766 CVE-2017-15191, CVE-2017-15192, CVE-2017-15193 CVE-2017-11406, CVE-2017-11407, CVE-2017-11408, CVE-2017-11409, CVE-2017-11410, CVE-2017-11411
  Show dependency tree
 
Reported: 2017-08-30 12:03 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-03-25 18:45 UTC (History)
1 user (show)

See Also:
Package list:
=net-analyzer/wireshark-2.4.3-r1 =media-libs/spandsp-0.0.6_pre12-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-08-30 12:03:00 UTC
CVE-2017-13765 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13765):

In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the IrCOMM dissector has a buffer over-read and application crash. This was addressed in plugins/irda/packet-ircomm.c by adding length validation. 

References:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13929
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=94666d4357096fc45e3bcad3d9414a14f0831bc8
https://www.wireshark.org/security/wnpa-sec-2017-41.html

CVE-2017-13766 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13766):

In Wireshark 2.4.0 and 2.2.0 to 2.2.8, the Profinet I/O dissector could crash with an out-of-bounds write. This was addressed in plugins/profinet/packet-dcerpc-pn-io.c by adding string validation. 

References:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13847
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2096bc1e5078732543e0a3ee115a2ce520a72bbc
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=af7b093ca528516c14247acb545046199d30843e
https://www.wireshark.org/security/wnpa-sec-2017-39.html

CVE-2017-13767 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13767):

In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the MSDP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-msdp.c by adding length validation. 

References:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13933
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6f18ace2a2683418a9368a8dfd92da6bd8213e15
https://www.wireshark.org/security/wnpa-sec-2017-38.html
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2017-09-12 00:30:28 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

net-analyzer/wireshark-2.4.1-r3 - In tree.
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-26 01:31:45 UTC
2.2.x is still vulnerable.  Latest upstream is 2.2.10.  Please bump that branch or let us know if you intend to drop 2.2.x in favor of the latest stable versions in the 2.4.x branch.
Comment 3 Jeroen Roovers gentoo-dev 2017-10-27 01:33:49 UTC
(In reply to Aaron Bauman from comment #2)
> 2.2.x is still vulnerable.  Latest upstream is 2.2.10.  Please bump that
> branch or let us know if you intend to drop 2.2.x in favor of the latest
> stable versions in the 2.4.x branch.

Help yourselves.

Keywords for net-analyzer/wireshark:
         | a a a h i p p x a m m n r s s s | e u s          | r
         | l m r p a p p 8 r i 6 i i 3 h p | a n l          | e
         | p d m p 6 c c 6 m p 8 o s 9   a | p u o          | p
         | h 6   a 4   6   6 s k s c 0   r | i s t          | o
         | a 4         4   4     2 v     c |   e            |
         |                                 |   d            |
---------+---------------------------------+----------------+-------
2.2.7    | + + + + + + + + o o o o o o o + | 6 o 0/2.2.7    | gentoo
---------+---------------------------------+----------------+-------
[I]2.4.2 | o + ~ + o ~ ~ + ~ o o o o o o o | 6 o 0/2.4.2    | gentoo
---------+---------------------------------+----------------+-------
99999999 | o o o o o o o o o o o o o o o o | 6 o 0/99999999 | gentoo
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-27 16:10:13 UTC
(In reply to Jeroen Roovers from comment #1 from bug 635546)
> Bug #625474	net-analyzer/wireshark: Multiple Vulnerabilities
> Bug #629370	net-analyzer/wireshark: multiple vulnerabilities
> Bug #629454	net-analyzer/wireshark: Modbus dissector crash (wnpa-sec-2017-40)
> Bug #634872	net-analyzer/wireshark: Multiple vulnerabilities
> (Bug #635546	net-analyzer/wireshark: Multiple vulnerabilities)
> 
> It's so confusing without versions, isn't it? Now of which of these is this
> bug report a duplicate?

Now the only version needed is wireshark 2.2.10, with that you'll be able to close all other reports, if you don't want to bump that version you can stabilize 2.4.x.

Thank you
Comment 5 Jeroen Roovers gentoo-dev 2017-10-28 13:17:09 UTC
(In reply to Christopher Díaz from comment #4)
> Now the only version needed is wireshark 2.2.10, with that you'll be able to
> close all other reports, if you don't want to bump that version you can
> stabilize 2.4.x.

We don't "need" 2.2.x at all. The 2.4 branch was promoted to stable in July.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-28 13:23:11 UTC
(In reply to Jeroen Roovers from comment #5)
> (In reply to Christopher Díaz from comment #4)
> > Now the only version needed is wireshark 2.2.10, with that you'll be able to
> > close all other reports, if you don't want to bump that version you can
> > stabilize 2.4.x.
> 
> We don't "need" 2.2.x at all. The 2.4 branch was promoted to stable in July.

I think that is quite obvious to all of us.  The problem is, we don't just drop maintainer owned packages because we feel like it.  So if you don't mind dropping 2.2.x then we can move forward.  If you want me to do it then so be it.
Comment 7 Jeroen Roovers gentoo-dev 2017-10-28 13:33:07 UTC
(In reply to Aaron Bauman from comment #6)
> The problem is, we don't just
> drop maintainer owned packages because we feel like it.  So if you don't
> mind dropping 2.2.x then we can move forward.  If you want me to do it then
> so be it.

Why don't you stabilise 2.4.2?
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-28 14:08:45 UTC
@arches, please stabilize.

2.2.x branch will be dropped when we move to cleanup.
Comment 9 Stabilization helper bot gentoo-dev 2017-10-28 15:01:00 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad net-analyzer/wireshark/wireshark-2.4.2.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-libs/spandsp']
> dependency.bad net-analyzer/wireshark/wireshark-2.4.2.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-libs/spandsp']
Comment 10 Sergei Trofimovich gentoo-dev 2017-11-12 18:34:36 UTC
ppc64 stable
Comment 11 Sergei Trofimovich gentoo-dev 2017-11-18 20:57:05 UTC
ppc stable
Comment 12 Markus Meier gentoo-dev 2017-11-19 15:08:59 UTC
arm stable, all arches done.
Comment 13 Stabilization helper bot gentoo-dev 2017-11-19 18:01:02 UTC
An automated check of this bug failed - repoman reported dependency errors (7 lines truncated): 

> dependency.bad net-analyzer/wireshark/wireshark-2.4.2.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['app-arch/snappy']
> dependency.bad net-analyzer/wireshark/wireshark-2.4.2.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['app-arch/snappy']
> dependency.bad net-analyzer/wireshark/wireshark-2.4.2.ebuild: DEPEND: ia64(default/linux/ia64/13.0/desktop) ['app-arch/snappy']
Comment 14 Sergei Trofimovich gentoo-dev 2017-11-19 20:46:15 UTC
ia64 stable
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-03-25 18:45:48 UTC
2.2.x has been dekeyworded for all arches except alpha.  Cleanup of that version will be tracked in a newer bug.