Bug 1180195 (CVE-2015-0563)

Summary: CVE-2015-0563 wireshark: SMTP dissector crash (wnpa-sec-2015-04)
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: huzaifas, jrusnack, lemenkov, phatina, rvokal, sisharma
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Wireshark 1.12.3, Wireshark 1.10.12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-20 04:48:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1180196, 1245763    
Bug Blocks: 1180203, 1210268    

Description Martin Prpič 2015-01-08 15:28:38 UTC 
It was reported that Wireshark's SMTP dissector could crash. It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

This is reported to affect Wireshark versions 1.12.0 to 1.12.2, and 1.10.0 to 1.10.11. It is fixed in versions 1.12.3 and 1.10.12.

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10823

External References:

https://www.wireshark.org/security/wnpa-sec-2015-04.html
Comment 1 Martin Prpič 2015-01-08 15:29:21 UTC 
Created wireshark tracking bugs for this issue:

Affects: fedora-all [bug 1180196]
Comment 2 Siddharth Sharma 2015-01-15 14:26:17 UTC 
upstream fix
============

https://code.wireshark.org/review/gitweb?p=wireshark.git;a=patch;h=0e3d6b0c74a0e04625cf80b426728deaa9204d7a
Comment 4 Siddharth Sharma 2015-01-20 01:01:02 UTC 
Analysis
========

In the function dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) of smtp dissector

if ((session_state->auth_state != SMTP_AUTH_STATE_NONE) &&
              (pinfo->fd->num >= session_state->first_auth_frame) &&
              ((session_state->last_auth_frame == 0) || (pinfo->fd->num <= session_state->last_auth_frame))) {
                 decrypt = tvb_get_ephemeral_string(tvb, loffset, linelen);
                    if ((stmp_decryption_enabled) && (epan_base64_decode(decrypt) > 0)) {
                        line = decrypt;
                    } else {
                        line = tvb_get_ptr(tvb, loffset, linelen);
                    }
          } else {
              line = tvb_get_ptr(tvb, loffset, linelen);
          }

          linep = line;
          lineend = line + linelen;

decoding base-64, the result is the length of the decoded result as it would be different , so linelen should be assigned the value of epan_base64_decode(decrypt)

which calculates wrongly the lineend at lineend = line + linelen;

which is used in while loop  which can lead to crash    

while (linep < lineend && *linep != ' ') { 
...
}
Comment 6 errata-xmlrpc 2015-11-19 12:36:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2393 https://rhn.redhat.com/errata/RHSA-2015-2393.html
Comment 7 Huzaifa S. Sidhpurwala 2015-11-20 04:48:52 UTC 
Statement:

This issue did not affect the version of wireshark as shipped with Red Hat Enterprise Linux 5 and 6.