Bug 37948 - wireshark: Multiple issues (4.1)
Status: CLOSED WONTFIX
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
Importance: P4 normal
Target Milestone: UCS 4.1-x-errata
Assigned To: UCS maintainers
Depends on: 44401
Blocks:
Reported: 2015-03-06 08:31 CET by Moritz Muehlenhoff
Modified: 2019-04-11 19:24 CEST (History)

See Also:
What kind of report is it?: Security Issue
Max CVSS v3 score: 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
requate: Patch_Available+


Description Moritz Muehlenhoff univentionstaff 2015-03-06 08:31:05 CET
Denial of service in the WCP dissector (CVE-2015-2188)
Denial of service in the TNEF dissector (CVE-2015-2191)
Comment 1 Arvid Requate univentionstaff 2015-05-06 16:56:01 CEST
Fixed in upstream Debian package version 1.8.2-5wheezy15
Comment 2 Arvid Requate univentionstaff 2015-05-18 11:47:51 CEST
New issues:

* LBMR infinite loop (CVE-2015-3809)
* WebSocket DoS (CVE-2015-3810)
* WCP dissector crash (CVE-2015-3811)
* X11 memory leak (CVE-2015-3812)
* Reassembly memory leak (CVE-2015-3813)
* IEEE 802.11 infinite loop (CVE-2015-3814)
Comment 3 Arvid Requate univentionstaff 2015-06-08 18:39:37 CEST
Fixed in upstream Debian package version 1.8.2-5wheezy16
Comment 4 Arvid Requate univentionstaff 2016-01-04 17:19:42 CET
Another minor issue, not yet fixed in Debian:

* The pcapng_read_if_descr_block function in wiretap/pcapng.c in the pcapng parser in Wireshark 1.12.x before 1.12.8 uses too many levels of pointer indirection, which allows remote attackers to cause a denial of service (incorrect free and application crash) via a crafted packet that triggers interface-filter copying (CVE-2015-7830)
Comment 5 Arvid Requate univentionstaff 2016-03-07 17:45:50 CET
Upstream Debian package version 1.8.2-5wheezy17 fixes CVE-2015-7830 and these additional issues:

* Crash in the dissector table implementation (CVE-2015-6243)
* The WaveAgent dissector could crash (CVE-2015-6246)
* The ptvcursor implementation could crash (CVE-2015-6248)
* Pcapng file parser crash (CVE-2015-7830)
* DCOM dissector crash (CVE-2015-8714)
* NLM dissector crash (CVE-2015-8718)
* BER dissector crash (CVE-2015-8720)
* Zlib decompression crash (CVE-2015-8721)
* RSVP dissector crash (CVE-2015-8727)
* Ascend file parser crash (CVE-2015-8729)
Comment 6 Arvid Requate univentionstaff 2016-03-14 20:23:37 CET
Upstream Debian package version 1.8.2-5wheezy18 fixes these issues:

* 802.11 decryption crash (CVE-2015-8723, CVE-2015-8724)
* DIAMETER dissector crash (CVE-2015-8725)
* ANSI A & GSM A dissector crashes (CVE-2015-8728)
* RSL dissector crash (CVE-2015-8731)
* DNP dissector infinite loop (CVE-2016-2523)
* RSL dissector crash (CVE-2016-2530, CVE-2016-2531)
* LLRP dissector crash (CVE-2016-2532)
* GSM A-bis OML dissector crash
* ASN.1 BER dissector crashes
Comment 7 Arvid Requate univentionstaff 2016-05-23 20:13:58 CEST
New issues have been reported as fixed in Debian Jessie:

* epan/proto.c in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not limit the protocol-tree depth, which allows remote attackers to cause a denial of service (stack memory consumption and application crash) via a crafted packet. (CVE-2016-4006)
* epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not verify BER identifiers, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) via a crafted packet. (CVE-2016-4079)
* epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 misparses timestamp fields, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. (CVE-2016-4080)
* epan/dissectors/packet-iax2.c in the IAX2 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. (CVE-2016-4081)
* epan/dissectors/packet-gsm_cbch.c in the GSM CBCH dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses the wrong variable to index an array, which allows remote attackers to cause a denial of service (out-of-bounds access and application crash) via a crafted packet. (CVE-2016-4082)
* Stack-based buffer overflow in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.12.x before 1.12.11 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long string in a packet. (CVE-2016-4085)
Comment 8 Arvid Requate univentionstaff 2016-05-31 12:59:35 CEST
Upstream Debian package version 1.12.1+g01b65bf-4+deb8u6~deb7u1 fixes these issues:

CVE-2012-6052 CVE-2012-6053 CVE-2012-6054 CVE-2012-6055
CVE-2012-6056 CVE-2012-6057 CVE-2012-6058 CVE-2012-6059
CVE-2012-6060 CVE-2012-6061 CVE-2012-6062 CVE-2013-1572
CVE-2013-1573 CVE-2013-1574 CVE-2013-1575 CVE-2013-1576
CVE-2013-1577 CVE-2013-1578 CVE-2013-1579 CVE-2013-1580
CVE-2013-1581 CVE-2013-2476 CVE-2013-2479 CVE-2013-2482
CVE-2013-2485 CVE-2013-2486 CVE-2013-2487 CVE-2013-4079
CVE-2013-4080 CVE-2013-4927 CVE-2013-4929 CVE-2013-4931
CVE-2013-5719 CVE-2013-5721 CVE-2013-6339 CVE-2013-7112
CVE-2015-6243 CVE-2015-6246 CVE-2015-6248 CVE-2016-4006
CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 CVE-2016-4082
CVE-2016-4085

The DLA says: "Multiple vulnerabilities were discovered in the dissectors/parsers for PKTC, IAX2, GSM CBCH and NCP which could result in denial of service.

This update also fixes many older less important issues by updating the package to the version found in Debian 8 also known as Jessie."
Comment 9 Janek Walkenhorst univentionstaff 2016-07-01 18:20:59 CEST
* The SPOOLS dissector could go into an infinite loop (CVE-2016-5350)
* The IEEE 802.11 dissector could crash (CVE-2016-5351)
* The UMTS FP dissector could crash (CVE-2016-5353)
* Some USB dissectors could crash (CVE-2016-5354)
* The Toshiba file parser could crash (CVE-2016-5355)
* The CoSine file parser could crash (CVE-2016-5356)
* The NetScreen file parser could crash (CVE-2016-5357)
* The WBXML dissector could go into an infinite loop (CVE-2016-5359)

For Debian 7 "Wheezy", these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u6~deb7u2.
Comment 10 Arvid Requate univentionstaff 2016-08-15 20:56:11 CEST
Upstream Debian package version 1.12.1+g01b65bf-4+deb8u6~deb7u3 fixes these issues:

* epan/dissectors/packet-ncp2222.inc in the NDS dissector in Wireshark 1.12.x before 1.12.13 does not properly maintain a ptvc data structure, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet. (CVE-2016-6504)
* epan/dissectors/packet-packetbb.c in the PacketBB dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted packet. (CVE-2016-6505)
* epan/dissectors/packet-wsp.c in the WSP dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. (CVE-2016-6506)
* epan/dissectors/packet-mmse.c in the MMSE dissector in Wireshark 1.12.x before 1.12.13 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. (CVE-2016-6507)
* epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (large loop) via a crafted packet. (CVE-2016-6508)
* epan/dissectors/packet-ldss.c in the LDSS dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 mishandles conversations, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2016-6509)
* Off-by-one error in epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted packet. (CVE-2016-6510)
* epan/proto.c in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (OpenFlow dissector large loop) via a crafted packet. (CVE-2016-6511)
Comment 11 Janek Walkenhorst univentionstaff 2016-09-21 17:44:18 CEST
wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u4) wheezy-security; urgency=medium
   * security fixes from Wireshark 2.0.6:
     - The H.225 dissector could crash (CVE-2016-7176)
     - The Catapult DCT2000 dissector could crash (CVE-2016-7177)
     - The UMTS FP dissector could crash (CVE-2016-7178)
     - The Catapult DCT2000 dissector could crash (CVE-2016-7179)
     - The IPMI trace dissector could crash (CVE-2016-7180)
Comment 12 Arvid Requate univentionstaff 2016-11-21 17:33:53 CET
Fixed in 1.12.1+g01b65bf-4+deb8u6~deb7u5:

* The DCERPC dissector could crash with a use-after-free, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dcerpc-nt.c and epan/dissectors/packet-dcerpc-spoolss.c by using the wmem file scope for private strings. (CVE-2016-9373)
* The AllJoyn dissector could crash with a buffer over-read, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-alljoyn.c by ensuring that a length variable properly tracked the state of a signature variable. (CVE-2016-9374)
* The DTN dissector could go into an infinite loop, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dtn.c by checking whether SDNV evaluation was successful. (CVE-2016-9375)
* The OpenFlow dissector could crash with memory exhaustion, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-openflow_v5.c by ensuring that certain length values were sufficiently large. (CVE-2016-9376)
Comment 13 Arvid Requate univentionstaff 2017-02-20 14:56:53 CET
1.12.1+g01b65bf-4+deb8u6~deb7u6 fixes:

* In Wireshark 2.2.4 and earlier, a crafted or malformed STANAG 4607 capture file will cause an infinite loop and memory exhaustion. If the packet size field in a packet header is null, the offset to read from will not advance, causing continuous attempts to read the same zero length packet. This will quickly exhaust all system memory. (CVE-2017-6014)
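The CVE-2017-6014 description above spells out a parser failure mode that is worth seeing in isolation: a record walker that advances its cursor by a size field taken from the input, so a zero size pins the cursor in place and every iteration re-reads (and, in the real bug, re-allocates for) the same empty record. The block below is an added illustration and is not Wireshark code; it uses a constructed four-byte length-prefixed record layout rather than the real STANAG 4607 header. The unguarded walker is capped with an iteration limit purely so that the demonstration terminates; the guarded walker is the form a file parser should take.

```python
import struct

# Constructed, simplified record layout for the demonstration (not the real
# STANAG 4607 header): a 4-byte big-endian size that counts the header itself,
# followed by the payload.
HEADER_LEN = 4


def build_stream(payloads):
    """Serialise payloads into the constructed record format."""
    out = b""
    for p in payloads:
        out += struct.pack(">I", HEADER_LEN + len(p)) + p
    return out


def walk_unguarded(data, max_iterations=8):
    """Offsets visited by a reader that trusts the size field.

    With size == 0 the offset never advances.  max_iterations only exists so
    this demonstration terminates instead of spinning like the real bug.
    """
    visited = []
    offset = 0
    while offset + HEADER_LEN <= len(data) and len(visited) < max_iterations:
        visited.append(offset)
        (size,) = struct.unpack_from(">I", data, offset)
        offset += size  # size == 0: same offset again, forever
    return visited


def walk_guarded(data):
    """Return [(offset, payload), ...].

    Every accepted record must move the cursor forward by at least its own
    header and must fit inside the remaining buffer; anything else is rejected
    instead of looped over.
    """
    records = []
    offset = 0
    while offset < len(data):
        remaining = len(data) - offset
        if remaining < HEADER_LEN:
            raise ValueError(f"truncated header at offset {offset}")
        (size,) = struct.unpack_from(">I", data, offset)
        if size < HEADER_LEN:
            raise ValueError(
                f"record size {size} at offset {offset} cannot advance past its own header"
            )
        if size > remaining:
            raise ValueError(
                f"record size {size} at offset {offset} exceeds {remaining} remaining bytes"
            )
        records.append((offset, data[offset + HEADER_LEN:offset + size]))
        offset += size
    return records


# Constructed sample inputs: a well-formed stream and one whose first size field is null.
GOOD = build_stream([b"abc", b"xy"])
ZERO_SIZE = b"\x00\x00\x00\x00" + b"junk"
```

The check that matters is `size < HEADER_LEN`, not merely `size == 0`: any size smaller than the header would also fail to advance past data already consumed, and the upper bound against `remaining` keeps a large size from reading beyond the buffer.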
Comment 14 Arvid Requate univentionstaff 2017-04-19 09:48:53 CEST
1.12.1+g01b65bf-4+deb8u6~deb7u7 fixes:

* In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the ASTERIX dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-asterix.c by changing a data type to avoid an integer overflow. (CVE-2017-5596)
* In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the DHCPv6 dissector could go into a large loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-dhcpv6.c by changing a data type to avoid an integer overflow. (CVE-2017-5597)
* In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a Netscaler file parser infinite loop, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by changing the restrictions on file size. (CVE-2017-6467)
* In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler file parser crash, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by validating the relationship between pages and records. (CVE-2017-6468)
* In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an LDSS dissector crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-ldss.c by ensuring that memory is allocated for a certain data structure. (CVE-2017-6469)
* In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an IAX2 infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-iax2.c by constraining packet lateness. (CVE-2017-6470)
* In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a WSP infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wsp.c by validating the capability length. (CVE-2017-6471)
* In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an RTMPT dissector infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-rtmpt.c by properly incrementing a certain sequence value. (CVE-2017-6472)
* In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a K12 file parser crash, triggered by a malformed capture file. This was addressed in wiretap/k12.c by validating the relationships between lengths and offsets. (CVE-2017-6473)
* In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler file parser infinite loop, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by validating record sizes. (CVE-2017-6474)
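Each comment above names the Debian package version that closes a batch of CVEs, so deciding whether a given host is covered comes down to comparing Debian version strings correctly: `~` sorts before anything, so `...+deb8u6~deb7u7` is older than `...+deb8u6`, and `1.12.1` is newer than `1.8.2` despite the lexical order. The block below is an added example, not code from the bug, Univention or Debian. It is a Python port of the dpkg version ordering from Debian Policy 5.6.12, plus a helper that lists which of the fixed versions named in this bug are newer than an installed version. The version list is transcribed from the comments above; the installed version strings used in the checks are constructed, and obtaining the real one (for instance from `dpkg-query -W -f='${Version}' wireshark-common`) is left to the caller so that the block runs offline.

```python
import string
from functools import cmp_to_key

# Fixed package versions named in this bug, oldest first (transcribed from the comments above).
FIXED_VERSIONS = [
    "1.8.2-5wheezy15",
    "1.8.2-5wheezy16",
    "1.8.2-5wheezy17",
    "1.8.2-5wheezy18",
    "1.12.1+g01b65bf-4+deb8u6~deb7u1",
    "1.12.1+g01b65bf-4+deb8u6~deb7u2",
    "1.12.1+g01b65bf-4+deb8u6~deb7u3",
    "1.12.1+g01b65bf-4+deb8u6~deb7u4",
    "1.12.1+g01b65bf-4+deb8u6~deb7u5",
    "1.12.1+g01b65bf-4+deb8u6~deb7u6",
    "1.12.1+g01b65bf-4+deb8u6~deb7u7",
]

DIGITS = "0123456789"


def _order(c):
    """Character weight used by dpkg: end of string and digits 0, letters their
    code point, '~' below everything (even end of string), other symbols above letters."""
    if c == "" or c in DIGITS:
        return 0
    if c in string.ascii_letters:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one upstream_version or debian_revision the way dpkg does:
    alternate non-digit runs (weighted lexically) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split [epoch:]upstream_version[-debian_revision]; a missing revision compares as '0'."""
    epoch = 0
    rest = version
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


def missing_updates(installed, fixed=FIXED_VERSIONS):
    """Fixed versions from this bug that are newer than the installed version."""
    return [v for v in fixed if compare_versions(installed, v) < 0]


def sorted_versions(versions):
    """Sort version strings in dpkg order (oldest first)."""
    return sorted(versions, key=cmp_to_key(compare_versions))
```

A host still on `1.12.1+g01b65bf-4+deb8u6~deb7u3` is therefore missing the ~deb7u4 through ~deb7u7 updates, while a host reporting `1.12.1+g01b65bf-4+deb8u6` (the Jessie package without the wheezy backport suffix) compares newer than all of them, which is the `~` rule working as intended.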
Comment 15 Arvid Requate univentionstaff 2018-04-17 15:56:38 CEST
This issue has been filed against UCS 4.1.

UCS 4.1 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.