Bug 398549 (CVE-2012-0041) - <net-analyzer/wireshark-{1.4.12,1.6.6} : multiple vulnerabilities (CVE-2012-{0041,0042,0043,0066,0067,0068})
Status: RESOLVED FIXED
Alias: CVE-2012-0041
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/47494/
Whiteboard: B2 [glsa]
Keywords:
Depends on: CVE-2012-1595
Blocks:
Reported: 2012-01-11 16:02 UTC by Agostino Sarubbo
Modified: 2013-08-28 11:43 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2012-01-11 16:02:01 UTC
from secunia security advisory at $URL:

Description:
1) NULL pointer dereference errors when reading certain packet information can be exploited to cause a crash.

2) An error within the RLC dissector can be exploited to cause a buffer overflow via a specially crafted RLC packet capture file.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

NOTE: A weakness within the file parser, which can lead to a crash when handling capture files has also been reported.

The vulnerabilities are reported in versions 1.4.0 through 1.4.10 and 1.6.0 through 1.6.4.


Solution:
Update to version 1.4.11 or 1.6.5.
Comment 1 Viorel Tabara 2012-01-23 08:47:56 UTC
Wireshark failed to properly check record sizes for many packet capture file
formats.  It may be possible to make Wireshark crash by convincing someone to
read a malformed packet trace file.  This is corrected in upstream 1.4.11 and
1.6.5.
This issue was found with the following file formats:

5Views: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6666
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40165

i4b: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6667
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40166

netmon: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6669
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40168

Reference:
http://www.wireshark.org/security/wnpa-sec-2012-01.html
http://thread.gmane.org/gmane.comp.security.oss.general/6656/focus=6755

-----

RedHat and Debian have assigned CVE-2012-0066 to this.
Comment 2 Viorel Tabara 2012-01-23 08:52:58 UTC
More from RedHat and Debian:

CVE-2012-0067:

An integer overflow flaw leading to denial of service (application crash) was
found in the way wireshark parsed files in the IPTrace capture format. It may
be possible to make Wireshark crash by convincing someone to read a malformed
IPTrace packet capture file.  This is corrected in upstream 1.4.11 and 1.6.5.

Reference:
http://www.wireshark.org/security/wnpa-sec-2012-01.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6668

Patch:
http://anonsvn.wireshark.org/viewvc?view=revision&revision=40167


-----


CVE-2012-0068:

A heap-based buffer underflow issue was found in the way wireshark parsed LANalyzer
packet capture files. It may be possible to make Wireshark crash or possibly
execute arbitrary code (with the permissions of the user running wireshark) by
convincing someone to read a malformed IPTrace packet capture file.  This is
corrected in upstream 1.4.11 and 1.6.5.

Reference:
http://www.wireshark.org/security/wnpa-sec-2012-01.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6670

Patch:
http://anonsvn.wireshark.org/viewvc?view=revision&revision=40169
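Comment 1 and Comment 2 describe the same defect class from three angles: a record length that is not checked against the file's remaining bytes (5Views, i4b, netmon), a declared length large enough to wrap later arithmetic (IPTrace), and a declared length smaller than the record header itself, so that "length minus header" underflows (LANalyzer, "a record that is too small"). The reader below is an added illustration of the three checks a capture-file record parser needs; it is not Wireshark's wiretap code. The record layout (8-byte header: little-endian u32 record length including the header, then u32 timestamp), the `TOY_MAX_REC_LEN` bound, and the sample buffers are all constructed for the example.

```c
/* Added example: defensive record-length validation for a capture-file reader.
 * Illustrative code, not Wireshark's wiretap code. The record layout and the
 * size limit below are assumptions made for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TOY_HDR_LEN     8u             /* u32 rec_len + u32 timestamp, little-endian */
#define TOY_MAX_REC_LEN (64u * 1024u)  /* assumed sane upper bound for one record */

enum rec_status {
    REC_OK = 0,
    REC_EOF,        /* clean end of input, no more records */
    REC_TRUNCATED,  /* header or payload runs past the end of the input */
    REC_TOO_SMALL,  /* rec_len < header size: payload length would underflow */
    REC_TOO_LARGE   /* rec_len above the bound: later arithmetic could wrap */
};

struct toy_record {
    uint32_t timestamp;
    uint32_t payload_len;
    const uint8_t *payload;  /* points into the caller's buffer, no copy */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one record at *offset; on REC_OK, *offset is advanced past it. */
enum rec_status read_record(const uint8_t *buf, size_t buf_len,
                            size_t *offset, struct toy_record *out)
{
    if (*offset == buf_len)
        return REC_EOF;
    if (buf_len - *offset < TOY_HDR_LEN)   /* not even a whole header left */
        return REC_TRUNCATED;

    uint32_t rec_len = le32(buf + *offset);

    /* Check 1: the declared length must cover at least its own header.
     * Without this, rec_len - TOY_HDR_LEN wraps to a huge unsigned value. */
    if (rec_len < TOY_HDR_LEN)
        return REC_TOO_SMALL;
    /* Check 2: bound the length before it feeds allocation or arithmetic,
     * so that adding header or padding sizes to it cannot overflow. */
    if (rec_len > TOY_MAX_REC_LEN)
        return REC_TOO_LARGE;
    /* Check 3: the whole record must fit in what remains of the input. */
    if (rec_len > buf_len - *offset)
        return REC_TRUNCATED;

    out->timestamp   = le32(buf + *offset + 4);
    out->payload_len = rec_len - TOY_HDR_LEN;   /* safe after check 1 */
    out->payload     = buf + *offset + TOY_HDR_LEN;
    *offset += rec_len;
    return REC_OK;
}

/* Status of the first non-OK read (REC_EOF when every record was valid). */
enum rec_status first_error(const uint8_t *buf, size_t buf_len)
{
    size_t off = 0;
    struct toy_record r;
    enum rec_status st;
    while ((st = read_record(buf, buf_len, &off, &r)) == REC_OK)
        ;
    return st;
}

/* Number of valid records up to a clean EOF, or -1 if a malformed record was hit. */
int count_records(const uint8_t *buf, size_t buf_len)
{
    size_t off = 0;
    struct toy_record r;
    enum rec_status st;
    int n = 0;
    while ((st = read_record(buf, buf_len, &off, &r)) == REC_OK)
        n++;
    return st == REC_EOF ? n : -1;
}

/* Constructed sample inputs (not real capture files). */
static const uint8_t good_capture[] = {
    0x0c,0,0,0, 0x10,0,0,0, 'a','b','c','d',  /* rec_len 12, ts 16, 4-byte payload */
    0x08,0,0,0, 0x11,0,0,0                     /* rec_len 8, empty payload */
};
static const uint8_t small_record[] = { 0x04,0,0,0, 0,0,0,0 };          /* rec_len 4 < header */
static const uint8_t huge_record[]  = { 0xff,0xff,0xff,0xff, 0,0,0,0 }; /* rec_len 0xffffffff */
static const uint8_t cut_record[]   = { 0x20,0,0,0, 0,0,0,0, 'x','y' }; /* rec_len 32, 10 bytes present */
static const uint8_t stub_input[]   = { 0x01, 0x02, 0x03 };             /* shorter than a header */

int main(void)
{
    printf("good:  %d records\n", count_records(good_capture, sizeof(good_capture)));
    printf("small: status %d\n", (int)first_error(small_record, sizeof(small_record)));
    printf("huge:  status %d\n", (int)first_error(huge_record, sizeof(huge_record)));
    printf("cut:   status %d\n", (int)first_error(cut_record, sizeof(cut_record)));
    printf("stub:  status %d\n", (int)first_error(stub_input, sizeof(stub_input)));
    return 0;
}
```

The order of the checks matters: the lower bound comes first so the payload subtraction is safe, the upper bound comes before any use of the length in arithmetic, and the remaining-input check comes last so a read can never run past the buffer. Each rejected record gets a distinct status, which is what a file reader needs to report "malformed file" instead of crashing.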
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-04-28 00:36:06 UTC
CVE-2012-0068 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0068):
  The lanalyzer_read function in wiretap/lanalyzer.c in Wireshark 1.4.x before
  1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of
  service (application crash) via a Novell capture file containing a record
  that is too small.

CVE-2012-0067 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0067):
  wiretap/iptrace.c in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5
  allows remote attackers to cause a denial of service (application crash) via
  a long packet in an AIX iptrace file.

CVE-2012-0066 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0066):
  Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers
  to cause a denial of service (application crash) via a long packet in a (1)
  Accellent 5Views (aka .5vw) file, (2) I4B trace file, or (3) NETMON 2
  capture file.

CVE-2012-0043 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0043):
  Buffer overflow in the reassemble_message function in
  epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.4.x before
  1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of
  service (application crash) or possibly execute arbitrary code via a series
  of fragmented RLC packets.

CVE-2012-0042 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0042):
  Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 does not properly
  perform certain string conversions, which allows remote attackers to cause a
  denial of service (NULL pointer dereference and application crash) via a
  crafted packet, related to epan/to_str.c.

CVE-2012-0041 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0041):
  The dissect_packet function in epan/packet.c in Wireshark 1.4.x before
  1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of
  service (application crash) via a long packet in a capture file, as
  demonstrated by an airopeek file.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-05-10 22:02:34 UTC
Stabilization completed via bug 410871. GLSA request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-08-28 11:43:42 UTC
This issue was resolved and addressed in
 GLSA 201308-05 at http://security.gentoo.org/glsa/glsa-201308-05.xml
by GLSA coordinator Sergey Popov (pinkbyte).