Debian Bug report logs -
#885831
wireshark: CVE-2017-17935: Denial of service in the File_read_line function in epan/wslua/wslua_file.c
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Balint Reczey <rbalint@ubuntu.com>: Bug#885831; Package src:wireshark. (Sat, 30 Dec 2017 09:00:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Balint Reczey <rbalint@ubuntu.com>. (Sat, 30 Dec 2017 09:00:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: wireshark
Version: 2.4.3-1
Severity: normal
Tags: patch security upstream
Forwarded: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14295

Hi,

the following vulnerability was published for wireshark.

CVE-2017-17935[0]:
| The File_read_line function in epan/wslua/wslua_file.c in Wireshark
| through 2.2.11 does not properly strip '\n' characters, which allows
| remote attackers to cause a denial of service (buffer underflow and
| application crash) via a crafted packet that triggers the attempted
| processing of an empty line.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17935
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17935
[1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14295

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
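
The bug class named in the CVE text above, as an added example that is not Wireshark's code and not part of this bug log: it assumes the common `buf[len - 1]` newline-stripping pattern and shows why an empty line makes that index fall before the buffer, next to a length-checked version. The function names `unchecked_offset` and `strip_newline` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Unchecked pattern, shown for contrast only and never executed here:
 *     len = strlen(buf);
 *     if (buf[len - 1] == '\n') buf[len - 1] = '\0';
 * For an empty string len is 0, so buf[len - 1] is the byte before buf.
 */

/* Offset the unchecked pattern would access, computed without dereferencing. */
static ptrdiff_t unchecked_offset(const char *buf)
{
    return (ptrdiff_t)strlen(buf) - 1;
}

/* Hardened strip: remove one trailing "\n" (and a "\r" before it) only when
 * the string is long enough to contain it. Returns the new length. */
static size_t strip_newline(char *buf)
{
    size_t len = strlen(buf);

    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        if (len > 0 && buf[len - 1] == '\r')
            buf[--len] = '\0';
    }
    return len;
}

int main(void)
{
    /* Constructed inputs: what a line reader may hand back, including "". */
    char lines[][8] = { "abc\n", "abc", "x\r\n", "\n", "" };

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        ptrdiff_t off = unchecked_offset(lines[i]);
        size_t len = strip_newline(lines[i]);
        printf("unchecked offset %td, stripped length %zu\n", off, len);
    }
    return 0;
}
```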
Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 04 Jan 2018 17:15:22 GMT)
Reply sent to Balint Reczey <rbalint@ubuntu.com>: You have taken responsibility. (Sun, 14 Jan 2018 00:45:10 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 14 Jan 2018 00:45:10 GMT)
Message #12 received at 885831-close@bugs.debian.org:
Source: wireshark
Source-Version: 2.4.4-1

We believe that the bug you reported is fixed in the latest version of
wireshark, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 885831@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Balint Reczey <rbalint@ubuntu.com> (supplier of updated wireshark package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sat, 13 Jan 2018 01:31:25 +0100
Source: wireshark
Binary: wireshark-common wireshark wireshark-qt wireshark-gtk tshark wireshark-dev wireshark-doc libwireshark10 libwsutil8 libwsutil-dev libwscodecs1 libwireshark-data libwireshark-dev libwiretap7 libwiretap-dev
Architecture: source
Version: 2.4.4-1
Distribution: unstable
Urgency: medium
Maintainer: Balint Reczey <rbalint@ubuntu.com>
Changed-By: Balint Reczey <rbalint@ubuntu.com>
Description:
libwireshark-data - network packet dissection library -- data files
libwireshark-dev - network packet dissection library -- development files
libwireshark10 - network packet dissection library -- shared library
libwiretap-dev - network packet capture library -- development files
libwiretap7 - network packet capture library -- shared library
libwscodecs1 - network packet dissection codecs library -- shared library
libwsutil-dev - network packet dissection utilities library -- development files
libwsutil8 - network packet dissection utilities library -- shared library
tshark - network traffic analyzer - console version
wireshark - network traffic analyzer - meta-package
wireshark-common - network traffic analyzer - common files
wireshark-dev - network traffic analyzer - development tools
wireshark-doc - network traffic analyzer - documentation
wireshark-gtk - network traffic analyzer - GTK+ version
wireshark-qt - network traffic analyzer - Qt version
Closes: 885831 886619
Changes:
 wireshark (2.4.4-1) unstable; urgency=medium
 .
   * New upstream release
     - release notes:
       https://www.wireshark.org/docs/relnotes/wireshark-2.4.4.html
     - security fixes:
       - Multiple dissectors could crash (CVE-2018-5336)
       - The IxVeriWave file parser could crash (CVE-2018-5334)
       - The WCP dissector could crash (CVE-2018-5335)
       - Prior to this release dumpcap enabled the Linux kernel’s BPF JIT
         compiler via the net.core.bpf_jit_enable sysctl. This could make
         systems more vulnerable to Spectre variant 1 (CVE-2017-5753) and
         this feature has been removed (Closes: #886619)
       - There was a potential buffer underflow in File_read_line function
         in epan/wslua/wslua_file.c file (CVE-2017-17935) (Closes: #885831)
   * Update symbols files
   * Fix dh_clean target in debian/rules
   * Change wireshark-doc's priority to optional from extra following Policy
     change
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Feb 2018 07:25:27 GMT)
Last modified: Wed Jun 19 15:36:02 2019