wireshark: CVE-2008-46[80-85] multiple security issues

Debian Bug report logs - #503589
wireshark: CVE-2008-46[80-85] multiple security issues

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: submit@bugs.debian.org

Subject: wireshark: CVE-2008-46[80-85] multiple security issues

Date: Sun, 26 Oct 2008 21:09:20 +0100

[Message part 1 (text/plain, inline)]

Package: wireshark
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for wireshark.

CVE-2008-4685[0]:
| Use-after-free vulnerability in the dissect_q931_cause_ie function in
| packet-q931.c in the Q.931 dissector in Wireshark 0.10.3 through 1.0.3
| allows remote attackers to cause a denial of service (application
| crash or abort) via certain packets that trigger an exception.

CVE-2008-4684[1]:
| packet-frame in Wireshark 0.99.2 through 1.0.3 does not properly
| handle exceptions thrown by post dissectors, which allows remote
| attackers to cause a denial of service (application crash) via a
| certain series of packets, as demonstrated by enabling the (1) PRP or
| (2) MATE post dissector.

CVE-2008-4683[2]:
| The dissect_btacl function in packet-bthci_acl.c in the Bluetooth ACL
| dissector in Wireshark 0.99.2 through 1.0.3 allows remote attackers to
| cause a denial of service (application crash or abort) via a packet
| with an invalid length, related to an erroneous tvb_memcpy call.

CVE-2008-4682[3]:
| wtap.c in Wireshark 0.99.7 through 1.0.3 allows remote attackers to
| cause a denial of service (application abort) via a malformed Tamos
| CommView capture file (aka .ncf file) with an "unknown/unexpected
| packet type" that triggers a failed assertion.

CVE-2008-4681[4]:
| Unspecified vulnerability in the Bluetooth RFCOMM dissector in
| Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a
| denial of service (application crash or abort) via unknown packets.

CVE-2008-4680[5]:
| packet-usb.c in the USB dissector in Wireshark 0.99.7 through 1.0.3
| allows remote attackers to cause a denial of service (application
| crash or abort) via a malformed USB Request Block (URB).

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4685
    http://security-tracker.debian.net/tracker/CVE-2008-4685
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4684
    http://security-tracker.debian.net/tracker/CVE-2008-4684
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4683
    http://security-tracker.debian.net/tracker/CVE-2008-4683
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4682
    http://security-tracker.debian.net/tracker/CVE-2008-4682
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4681
    http://security-tracker.debian.net/tracker/CVE-2008-4681
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4680
    http://security-tracker.debian.net/tracker/CVE-2008-4680

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #10 received at 503589@bugs.debian.org (full text, mbox, reply):

From: "Stefan Lesicnik" <stefan@lsd.co.za>

To: 503589@bugs.debian.org

Subject: CVE Updates

Date: Wed, 29 Oct 2008 12:55:57 +0200

Hi,

I am busy patching these CVE's in Ubuntu and will forward the relevant
patches to Debian once done.

--
Stefan Lesicnik

Linux System Dynamics

Message #15 received at 503589@bugs.debian.org (full text, mbox, reply):

From: Frederic Peters <fpeters@debian.org>

To: Stefan Lesicnik <stefan@lsd.co.za>, 503589@bugs.debian.org

Subject: Re: Bug#503589: CVE Updates

Date: Wed, 29 Oct 2008 12:06:05 +0100

[Message part 1 (text/plain, inline)]

Hi Stefan, 

Stefan Lesicnik wrote:

> I am busy patching these CVE's in Ubuntu and will forward the relevant
> patches to Debian once done.

For the record I wrote that last week (and got too busy again just
afterwards):

  Thanks; I had a quick look at them [the subversion revisions] and
  they apply cleanly onto 1.0.2, except for changes to packet-usb.c
  where trailing whitespaces are touched but they are easy enough to
  remove (cleaned patch attached, note it only has changes related to
  packet-usb.c while the commit also touch packet-btrfcomm.c).

You will find the modified patch to packet-usb.c attached.


        Frederic

[packet-usb.c.diff (text/x-diff, attachment)]

Message #20 received at 503589@bugs.debian.org (full text, mbox, reply):

From: "Stefan Lesicnik" <stefan@lsd.co.za>

To: 503589@bugs.debian.org

Subject: Wireshark CVE patches

Date: Sun, 2 Nov 2008 19:44:42 +0200

User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu ubuntu-patch intrepid

Hi.

I have uploaded 3 debdiffs for the CVE's for Ubuntu - these are
currently awaiting review. The Ubuntu bug is here
https://bugs.edge.launchpad.net/ubuntu/+source/wireshark/+bug/290716

The POC's for each CVE are also attached to that report.

The debdiffs apply against 0.99.6, 1.0.0-3 and 1.0.3.

Please contact me if I can provide any more information, or you would
like the .dpatch files.
--
Stefan Lesicnik

Linux System Dynamics

Message #25 received at 503589@bugs.debian.org (full text, mbox, reply):

From: Mark Purcell <msp@debian.org>

To: "Stefan Lesicnik" <stefan@lsd.co.za>, 503589@bugs.debian.org

Cc: andete@debian.org

Subject: Re: Bug#503589: Wireshark CVE patches

Date: Thu, 6 Nov 2008 08:24:38 +1100

On Monday 03 November 2008 04:44:42 Stefan Lesicnik wrote:
> I have uploaded 3 debdiffs for the CVE's for Ubuntu - these are
> currently awaiting review

Stefan,

Thanks for your work on this.

Frederic, Joost,

Are you in a position to upload a fixed package to fix this RC bug in lenny?

Mark

Message #32 received at 503589@bugs.debian.org (full text, mbox, reply):

From: Joost Yervante Damad <andete@debian.org>

To: Mark Purcell <msp@debian.org>

Cc: "Stefan Lesicnik" <stefan@lsd.co.za>, 503589@bugs.debian.org

Subject: Re: Bug#503589: Wireshark CVE patches

Date: Thu, 6 Nov 2008 19:08:00 +0100

On Wednesday 05 November 2008 22:24:38 Mark Purcell wrote:
> On Monday 03 November 2008 04:44:42 Stefan Lesicnik wrote:
> > I have uploaded 3 debdiffs for the CVE's for Ubuntu - these are
> > currently awaiting review
>
> Stefan,
>
> Thanks for your work on this.
>
> Frederic, Joost,
>
> Are you in a position to upload a fixed package to fix this RC bug in
> lenny?

Hi all,

like I stated before, I'd rather just upload 1.0.4 in lenny-security.  I think 
making backports of fixes in what is a stable branch of wireshark is a waste 
of time...

What's more, I don't see any gain of a 1.0.3 with backported fixes against 
1.0.4 for anyone:
	users: they prefer the latest version
	maintainers: they have to maintain a version different then upstream
        which is work

Frederik,  I see you're already working on the backports?

Joost
 

Message #37 received at 503589@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Joost Yervante Damad <andete@debian.org>

Cc: Mark Purcell <msp@debian.org>, Stefan Lesicnik <stefan@lsd.co.za>, 503589@bugs.debian.org

Subject: Re: Bug#503589: Wireshark CVE patches

Date: Thu, 6 Nov 2008 22:57:06 +0100

On Thu, Nov 06, 2008 at 07:08:00PM +0100, Joost Yervante Damad wrote:
> On Wednesday 05 November 2008 22:24:38 Mark Purcell wrote:
> > On Monday 03 November 2008 04:44:42 Stefan Lesicnik wrote:
> > > I have uploaded 3 debdiffs for the CVE's for Ubuntu - these are
> > > currently awaiting review
> >
> > Stefan,
> >
> > Thanks for your work on this.
> >
> > Frederic, Joost,
> >
> > Are you in a position to upload a fixed package to fix this RC bug in
> > lenny?
> 
> Hi all,
> 
> like I stated before, I'd rather just upload 1.0.4 in lenny-security.  I think 
> making backports of fixes in what is a stable branch of wireshark is a waste 
> of time...
> 
> What's more, I don't see any gain of a 1.0.3 with backported fixes against 
> 1.0.4 for anyone:
> 	users: they prefer the latest version
> 	maintainers: they have to maintain a version different then upstream
>         which is work
> 
> Frederik,  I see you're already working on the backports?

It's release policy to only upload mininal fixes that late in the release
cycle, so please go ahead with the isolated patches.

Cheers,
        Moritz

Message #42 received at 503589-close@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: 503589-close@bugs.debian.org

Subject: Bug#503589: fixed in wireshark 1.0.2-3+lenny2

Date: Fri, 14 Nov 2008 23:32:10 +0000

Source: wireshark
Source-Version: 1.0.2-3+lenny2

We believe that the bug you reported is fixed in the latest version of
wireshark, which is due to be installed in the Debian FTP archive:

tshark_1.0.2-3+lenny2_i386.deb
  to pool/main/w/wireshark/tshark_1.0.2-3+lenny2_i386.deb
wireshark-common_1.0.2-3+lenny2_i386.deb
  to pool/main/w/wireshark/wireshark-common_1.0.2-3+lenny2_i386.deb
wireshark-dev_1.0.2-3+lenny2_i386.deb
  to pool/main/w/wireshark/wireshark-dev_1.0.2-3+lenny2_i386.deb
wireshark_1.0.2-3+lenny2.diff.gz
  to pool/main/w/wireshark/wireshark_1.0.2-3+lenny2.diff.gz
wireshark_1.0.2-3+lenny2.dsc
  to pool/main/w/wireshark/wireshark_1.0.2-3+lenny2.dsc
wireshark_1.0.2-3+lenny2_i386.deb
  to pool/main/w/wireshark/wireshark_1.0.2-3+lenny2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 503589@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated wireshark package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 13 Nov 2008 23:13:27 +0100
Source: wireshark
Binary: wireshark-common wireshark tshark wireshark-dev
Architecture: source i386
Version: 1.0.2-3+lenny2
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Frederic Peters <fpeters@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description: 
 tshark     - network traffic analyzer (console)
 wireshark  - network traffic analyzer
 wireshark-common - network traffic analyser (common files)
 wireshark-dev - network traffic analyser (development tools)
Closes: 503589
Changes: 
 wireshark (1.0.2-3+lenny2) testing-proposed-updates; urgency=high
 .
   * Fix CVE-2008-4680 to CVE-2008-4685 (Closes: #503589)
Checksums-Sha1: 
 e4f4f3d5cd697744220ca20a543fb56c54d957c4 1490 wireshark_1.0.2-3+lenny2.dsc
 50d08d2a2bec3ceb3c26bcd591d7a5be14546375 95282 wireshark_1.0.2-3+lenny2.diff.gz
 1cc1604e1199dc429b0c70274256cef92cf6ce78 10117044 wireshark-common_1.0.2-3+lenny2_i386.deb
 ac6434d81c87e036fe6deae228c7856bb486ca94 619002 wireshark_1.0.2-3+lenny2_i386.deb
 3e66e841860bdf173dea380df348b4d1451fe99c 111394 tshark_1.0.2-3+lenny2_i386.deb
 b941529758de5a45c08384515630f1b5488e7cd1 569610 wireshark-dev_1.0.2-3+lenny2_i386.deb
Checksums-Sha256: 
 d568d806afa3e4d485943e3a6a9a0fe386a4e9ff9fbb68746674b99ee118e8a2 1490 wireshark_1.0.2-3+lenny2.dsc
 850950e6ec4bd1640bd0e829e1e173227400149d3a6add634807e6376169c700 95282 wireshark_1.0.2-3+lenny2.diff.gz
 d230fa65c14b55f8142629cc06c6987e8763ff12c413891ea754ac4853940f9a 10117044 wireshark-common_1.0.2-3+lenny2_i386.deb
 20e9b36b8c303c0e7a86349b830a5849d651802fe4d2a4483af8574f496d1014 619002 wireshark_1.0.2-3+lenny2_i386.deb
 d77d5e8a59ca8089a8e0fe377949238f91f3d5ba807c6575b952ebec67de9097 111394 tshark_1.0.2-3+lenny2_i386.deb
 21cd068286ca793318514c7f063c6139d24e89751f3e5c36148d8d1c5fc29f2e 569610 wireshark-dev_1.0.2-3+lenny2_i386.deb
Files: 
 332d415ce98ed23bd5ee01e6035f63e8 1490 net optional wireshark_1.0.2-3+lenny2.dsc
 d6df0cee11bdb96769ead9b61626ee11 95282 net optional wireshark_1.0.2-3+lenny2.diff.gz
 6d3400408c195f67d3c9c7579f03332f 10117044 net optional wireshark-common_1.0.2-3+lenny2_i386.deb
 d9cde8dbf8c29382ba8bde245cb104f7 619002 net optional wireshark_1.0.2-3+lenny2_i386.deb
 351940b302188fb6f47eae5de276c0fb 111394 net optional tshark_1.0.2-3+lenny2_i386.deb
 f4d4f413fecadf928c928536312dd929 569610 devel optional wireshark-dev_1.0.2-3+lenny2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJHfR9Xm3vHE4uyloRAj24AJ46IZoDR5rV3kaVMCA+0egh0sZHKACfXaVu
uKOFOQNCffdG4PE8+QIq/n4=
=9zbx
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.