Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 679004 (CVE-2019-9208, CVE-2019-9209) - <net-analyzer/wireshark-2.6.7 - multiple vulnerabilities (CVE-2019-{9208,9209,9214})
Summary: <net-analyzer/wireshark-2.6.7 - multiple vulnerabilities (CVE-2019-{9208,9209...
Status: RESOLVED FIXED
Alias: CVE-2019-9208, CVE-2019-9209
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.wireshark.org/lists/wires...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2018-12086, CVE-2018-18225, CVE-2018-18226, CVE-2018-18227 CVE-2018-19622, CVE-2018-19623, CVE-2018-19624, CVE-2018-19625, CVE-2018-19626, CVE-2018-19627, CVE-2018-19628 CVE-2019-5716, CVE-2019-5717, CVE-2019-5718, CVE-2019-5719
  Show dependency tree
 
Reported: 2019-02-27 21:09 UTC by Jeroen Roovers (RETIRED)
Modified: 2019-03-24 21:24 UTC (History)
1 user (show)

See Also:
Package list:
net-analyzer/wireshark-2.6.7
Runtime testing required: No
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2019-02-27 21:09:34 UTC 
Bug Fixes

   The following vulnerabilities have been fixed:

     • wnpa-sec-2019-06[1] ASN.1 BER and related dissectors crash. Bug
       15447[2]. CVE-2019-9209[3].

     • wnpa-sec-2019-07[4] TCAP dissector crash. Bug 15464[5].
       CVE-2019-9208[6].

     • wnpa-sec-2019-08[7] RPCAP dissector crash. Bug 15536[8].
Comment 1 Larry the Git Cow gentoo-dev 2019-02-27 21:28:02 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=741dce1d4c4d9124b1188c830aead1e22aa99573

commit 741dce1d4c4d9124b1188c830aead1e22aa99573
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-02-27 21:27:20 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-02-27 21:27:57 +0000

    net-analyzer/wireshark: Version 2.6.7
    
    Bug: https://bugs.gentoo.org/679004
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/wireshark/Manifest               |   1 +
 net-analyzer/wireshark/wireshark-2.6.7.ebuild | 240 ++++++++++++++++++++++++++
 2 files changed, 241 insertions(+)
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-03-11 04:56:14 UTC 
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.


I am going to block all the other vulnerabilities with this one, as nothing was fully stabilized for a while now. 

Lets use this bug to fix all the vulnerabilities.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2019-03-11 04:56:24 UTC 
_____________________________


CVE-2019-9209 Detail
Current Description
In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the ASN.1 BER and related dissectors could crash. This was addressed in epan/dissectors/packet-ber.c by preventing a buffer overflow associated with excessive digits in time values.

______________________________

CVE-2019-9208 Detail
Current Description
In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the TCAP dissector could crash. This was addressed in epan/dissectors/asn1/tcap/tcap.cnf by avoiding NULL pointer dereferences.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-03-11 06:42:02 UTC 
@arches, please stabilize.
Comment 5 Stabilization helper bot gentoo-dev 2019-03-11 07:01:24 UTC 
An automated check of this bug failed - repoman reported dependency errors:
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-14 19:38:26 UTC 
ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-03-14 21:15:01 UTC 
amd64 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-15 10:09:19 UTC 
arm stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-15 10:09:40 UTC 
alpha stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-17 09:54:24 UTC 
ppc64 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-17 10:10:44 UTC 
commit 864cd1fa36cbb7459a6bd1d2c3659b41e406391d
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Thu Mar 14 09:54:03 2019 +0100

    net-analyzer/wireshark: Stable for AMD64 HPPA x86 too
Comment 12 Larry the Git Cow gentoo-dev 2019-03-18 20:47:21 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=69727570d677e87bdd408c90a30c40e3ffb5e10f

commit 69727570d677e87bdd408c90a30c40e3ffb5e10f
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-03-18 20:46:49 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-03-18 20:47:15 +0000

    net-analyzer/wireshark: Old
    
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=679004
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/wireshark/Manifest                    |   2 -
 .../files/wireshark-2.6.0-androiddump-wsutil.patch |  26 ---
 .../wireshark/files/wireshark-2.6.3-docbook.patch  |  56 -----
 net-analyzer/wireshark/wireshark-2.6.3.ebuild      | 243 ---------------------
 net-analyzer/wireshark/wireshark-2.6.6.ebuild      | 240 --------------------
 5 files changed, 567 deletions(-)