wireshark: CVE-2017-11406 CVE-2017-11407 CVE-2017-11408

Debian Bug report logs - #870172

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 30 Jul 2017 18:48:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version wireshark/1.12.1+g01b65bf-1

Fixed in version wireshark/2.4.0-1

Done: Balint Reczey <rbalint@ubuntu.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Balint Reczey <rbalint@ubuntu.com>:
Bug#870172; Package src:wireshark. (Sun, 30 Jul 2017 18:48:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Balint Reczey <rbalint@ubuntu.com>. (Sun, 30 Jul 2017 18:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wireshark: CVE-2017-11406 CVE-2017-11407 CVE-2017-11408
Date: Sun, 30 Jul 2017 20:45:17 +0200
Source: wireshark
Version: 1.12.1+g01b65bf-1
Severity: important
Tags: security patch upstream

Hi,

the following vulnerabilities were published for wireshark.

Rationale for filing one bug for the three CVEs: checked back to the
1.12.1+g01b65bf based version, and the CVEs should affect wireshark
back in jessie (thus wheezy as well, with the same version) up to current
unstable.

CVE-2017-11406[0]:
| In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the DOCSIS dissector
| could go into an infinite loop. This was addressed in
| plugins/docsis/packet-docsis.c by rejecting invalid Frame Control
| parameter values.

CVE-2017-11407[1]:
| In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the MQ dissector could
| crash. This was addressed in epan/dissectors/packet-mq.c by validating
| the fragment length before a reassembly attempt.

CVE-2017-11408[2]:
| In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the AMQP dissector
| could crash. This was addressed in epan/dissectors/packet-amqp.c by
| checking for successful list dissection.

Note that in the same set of applied CVEs there was CVE-2017-11409, which
though only affects versions prior to 2.1.x, and CVE-2017-11410 and
CVE-2017-11411, which were assigned due to incomplete fixes for CVE-2017-7702
and CVE-2017-9350 that were not applied to older releases. But
please check the notes on the security-tracker for details.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11406
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11406
[1] https://security-tracker.debian.org/tracker/CVE-2017-11407
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11407
[2] https://security-tracker.debian.org/tracker/CVE-2017-11408
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11408

Please adjust the affected versions in the BTS as needed.

Salvatore



Reply sent to Balint Reczey <rbalint@ubuntu.com>:
You have taken responsibility. (Thu, 17 Aug 2017 15:03:17 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 17 Aug 2017 15:03:18 GMT)


Message #10 received at 870172-close@bugs.debian.org:

From: Balint Reczey <rbalint@ubuntu.com>
To: 870172-close@bugs.debian.org
Subject: Bug#870172: fixed in wireshark 2.4.0-1
Date: Thu, 17 Aug 2017 15:00:56 +0000
Source: wireshark
Source-Version: 2.4.0-1

We believe that the bug you reported is fixed in the latest version of
wireshark, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870172@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Balint Reczey <rbalint@ubuntu.com> (supplier of updated wireshark package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 06 Aug 2017 13:22:45 -0400
Source: wireshark
Binary: wireshark-common wireshark wireshark-qt wireshark-gtk tshark wireshark-dev wireshark-doc libwireshark10 libwsutil8 libwsutil-dev libwscodecs1 libwireshark-data libwireshark-dev libwiretap7 libwiretap-dev
Architecture: source all amd64
Version: 2.4.0-1
Distribution: unstable
Urgency: medium
Maintainer: Balint Reczey <rbalint@ubuntu.com>
Changed-By: Balint Reczey <rbalint@ubuntu.com>
Description:
 libwireshark-data - network packet dissection library -- data files
 libwireshark-dev - network packet dissection library -- development files
 libwireshark10 - network packet dissection library -- shared library
 libwiretap-dev - network packet capture library -- development files
 libwiretap7 - network packet capture library -- shared library
 libwscodecs1 - network packet dissection codecs library -- shared library
 libwsutil-dev - network packet dissection utilities library -- development files
 libwsutil8 - network packet dissection utilities library -- shared library
 tshark     - network traffic analyzer - console version
 wireshark  - network traffic analyzer - meta-package
 wireshark-common - network traffic analyzer - common files
 wireshark-dev - network traffic analyzer - development tools
 wireshark-doc - network traffic analyzer - documentation
 wireshark-gtk - network traffic analyzer - GTK+ version
 wireshark-qt - network traffic analyzer - Qt version
Closes: 870172 870174 870175 870179 870180
Changes:
 wireshark (2.4.0-1) unstable; urgency=medium
 .
   * Use debconf messages instead of "echo" in postinst/postrm (LP: #1687344)
   * New upstream release
     - release notes:
       https://www.wireshark.org/docs/relnotes/wireshark-2.4.0.html
     - security fixes:
       - deeply nested DAAP data may cause stack exhaustion
         (uncontrolled recursion) in the dissect_daap_one_tag function
         (CVE-2017-9617) (Closes: #870174)
       - PROFINET IO data with a high recursion depth allows remote
         attackers to cause a denial of service (stack exhaustion)
         in the dissect_IODWriteReq function. (CVE-2017-9766)
         (Closes: #870175)
       - the DOCSIS dissector could go into an infinite loop (CVE-2017-11406)
         (Closes: #870172)
       - the MQ dissector could crash (CVE-2017-11407) (Closes: #870172)
       - the AMQP dissector could crash (CVE-2017-11408) (Closes: #870172)
       - the WBXML dissector could go into an infinite loop, triggered
         by packet injection or a malformed capture file (CVE-2017-11410)
         (Closes: #870180)
       - the openSAFETY dissector could crash or exhaust system memory
         (CVE-2017-11411) (Closes: #870179)
   * Update shared library package names to match new .so versions
   * Refresh patches
   * Drop workaround to use system's nghttp2 since upstream does not
     ship the embedded copy anymore
   * Add build-dependency on libparse-yapp-perl, liblz4-dev, libsnappy-dev,
     libspandsp-dev, libxml2-dev and lynx to enable new upstream features
   * Update PO files about debconf templates




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 03 Oct 2017 07:28:14 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:34:10 2019; Machine Name: beach