Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 744592 (CVE-2020-25862, CVE-2020-25863, CVE-2020-25866, wnpa-sec-2020-11, wnpa-sec-2020-12, wnpa-sec-2020-13) - <net-analyzer/wireshark-3.2.7: Multiple vulnerabilities (CVE-2020-{25862,25863,25866})
Summary: <net-analyzer/wireshark-3.2.7: Multiple vulnerabilities (CVE-2020-{25862,2586...
Status: RESOLVED FIXED
Alias: CVE-2020-25862, CVE-2020-25863, CVE-2020-25866, wnpa-sec-2020-11, wnpa-sec-2020-12, wnpa-sec-2020-13
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.wireshark.org/lists/wires...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-25 08:52 UTC by Jeroen Roovers (RETIRED)
Modified: 2020-11-13 18:08 UTC (History)
2 users (show)

See Also:
Package list:
=net-analyzer/wireshark-3.2.7-r1
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2020-09-25 08:52:03 UTC
wnpa-sec-2020-11[1] MIME Multipart dissector crash. Bug 16741[2]. Fixed in master: 2411eae9ed Fixed in master-3.2: 21f082cb6e Fixed in master-3.0: 14e274f3be Fixed in master-2.6: 5803c7b87b

wnpa-sec-2020-12[3] TCP dissector crash. Bug 16816[4]. Fixed in master: c4634b1e99 Fixed in master-3.2: e9b727595b Fixed in master-3.0: 7f3fe6164a Fixed in master-2.6: 9d7ab8b46f

wnpa-sec-2020-13[5] BLIP dissector crash. Bug 16866[6]. Fixed in master: 4a94842710 Fixed in master-3.2: 594d312b12 Fixed in master-3.0: 2fb6002559 Fixed in master-2.6: n/a

[1] https://www.wireshark.org/security/wnpa-sec-2020-11
[2] https://gitlab.com/wireshark/wireshark/-/issues/16741
[3] https://www.wireshark.org/security/wnpa-sec-2020-12
[4] https://gitlab.com/wireshark/wireshark/-/issues/16816
[5] https://www.wireshark.org/security/wnpa-sec-2020-13
[6] https://gitlab.com/wireshark/wireshark/-/issues/16866
Comment 1 Larry the Git Cow gentoo-dev 2020-09-25 08:52:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6abc81eb706e80d554d2fc68bd0131b8d9df5f58

commit 6abc81eb706e80d554d2fc68bd0131b8d9df5f58
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-25 08:51:46 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-25 08:52:22 +0000

    net-analyzer/wireshark: Version 3.2.7
    
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/744592
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/wireshark/Manifest               |   1 +
 net-analyzer/wireshark/wireshark-3.2.7.ebuild | 261 ++++++++++++++++++++++++++
 2 files changed, 262 insertions(+)
Comment 2 NATTkA bot gentoo-dev 2020-09-25 08:52:47 UTC
Unable to check for sanity:

> no match for package: =net-analyzer/wireshark-3.2.7
Comment 3 NATTkA bot gentoo-dev 2020-09-25 08:56:49 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2020-10-02 11:11:22 UTC
net-analyzer/wireshark-3.3.0, "an experimental release intended to test new features for Wireshark 3.4"[0] is vulnerable to at least wnpa-sec-2020-13. Adding net-analyzer/wireshark-3.3.1 fixed this, but the commit adding that ebuild was reverted due to unrelated reasons by someone apparently representing the QA team.

[0] https://www.wireshark.org/lists/wireshark-announce/202009/msg00000.html
Comment 5 Larry the Git Cow gentoo-dev 2020-10-02 11:11:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0467141c801b9dd66196fabec0c1d674d2bee66

commit b0467141c801b9dd66196fabec0c1d674d2bee66
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-10-02 11:02:40 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-10-02 11:11:28 +0000

    net-analyzer/wireshark: Fix EGIT_REPO_URI
    
    The old repository site is unmaintained, stuck in August 2020, and
    contains vulnerable code, yet still returns no redirect or other useful
    HTTP status code that would tell the user something is wrong. On
    visiting the site with a web browser, and some URL hacking, the original
    EGIT_REPO_URI does tell you where to go for the current repository, so
    use that instead.
    
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/744592
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/wireshark/wireshark-99999999.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-03 14:50:42 UTC
arm done
Comment 7 Agostino Sarubbo gentoo-dev 2020-10-07 06:53:14 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-10-07 07:09:56 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-10-09 08:31:58 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2020-10-09 08:56:22 UTC
(In reply to Jeroen Roovers from comment #4)
> Adding net-analyzer/wireshark-3.3.1 fixed this, but the commit adding that
> ebuild was reverted due to unrelated reasons by someone apparently
> representing the QA team.

$SOMEONE would still need to re-add net-analyzer/wireshark-3.3.1 as 3.3.0 is vulnerable.
Comment 11 Larry the Git Cow gentoo-dev 2020-10-09 08:56:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f943db29b6756d207c6790470549b1d930f5576

commit 3f943db29b6756d207c6790470549b1d930f5576
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-10-09 08:55:51 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-10-09 08:56:40 +0000

    net-analyzer/wireshark: Old
    
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/744592
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/wireshark/Manifest               |   1 -
 net-analyzer/wireshark/wireshark-3.2.6.ebuild | 261 --------------------------
 2 files changed, 262 deletions(-)
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-09 13:17:57 UTC
(In reply to Jeroen Roovers from comment #10)
> (In reply to Jeroen Roovers from comment #4)
> > Adding net-analyzer/wireshark-3.3.1 fixed this, but the commit adding that
> > ebuild was reverted due to unrelated reasons by someone apparently
> > representing the QA team.
> 
> $SOMEONE would still need to re-add net-analyzer/wireshark-3.3.1 as 3.3.0 is
> vulnerable.

Responsibility for version bumps would seem to fall to the maintainer. Please bump, keeping in mind why the last one was reverted.
Comment 13 Larry the Git Cow gentoo-dev 2020-10-11 18:07:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=416da54e116f58cd4c2e3d59a07417348d3f79d7

commit 416da54e116f58cd4c2e3d59a07417348d3f79d7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-10-11 18:06:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-11 18:07:36 +0000

    profiles/pacckage.mask: security mask ~arch net-analyser/wireshark
    
    The maintainer did not want to update this after
    QA intervention, so masking the ~arch version.
    
    Use the stable version for the fixed variant.
    
    Bug: https://bugs.gentoo.org/744592
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
Comment 14 NATTkA bot gentoo-dev 2020-10-24 10:00:53 UTC
Unable to check for sanity:

> no match for package: =net-analyzer/wireshark-3.2.7
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-13 18:08:09 UTC
Obsoleted by https://security.gentoo.org/glsa/202011-08 anyway.