Bug 773726 (CVE-2012-0041)

Summary: CVE-2012-0041 wireshark: multiple file parser vulnerabilities (wnpa-sec-2012-01)
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: alekcejk, huzaifas, jsafrane, rvokal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-08 09:10:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 781268, 809045, 809046, 834180    
Bug Blocks: 773730, 807617, 816611    

Description Vincent Danen 2012-01-12 17:46:22 UTC 
Laurent Butti discovered that Wireshark failed to properly check record sizes for many packet capture file formats.  It may be possible to make Wireshark crash by convincing someone to read a malformed packet trace file.  This is corrected in upstream 1.4.11 and 1.6.5.

http://www.wireshark.org/security/wnpa-sec-2012-01.html
Comment 1 Huzaifa S. Sidhpurwala 2012-01-13 06:19:53 UTC 
Created wireshark tracking bugs for this issue

Affects: fedora-all [bug 781268]
Comment 2 Huzaifa S. Sidhpurwala 2012-01-17 07:23:52 UTC 
This CVE includes fixes for 6 upstream issues (bugs), details as follows:

1. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6663
This is a type cast issue, caused because of casting an unsigned int to signed int. 
In the unfixed version this would throw an exception which the application would catch, but leave it in an unstable state. The patch makes sure that the value passed was less than G_MAXINT
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&amp;revision=40164

2. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6666
5Views file format DoS due to request to allocate too large a buffer size. Normally glib should terminate the application with something like
"GLib-ERROR **: gmem.c:239: failed to allocate 3221228094 bytes"
Resolved by clamping the value of packet_size
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&amp;revision=40165

3. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6667
Same problem and solution but with i4b capture format now
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&amp;revision=40166

4. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6668
Same problem and solution but with iptrace capture format. Also some checks for bad file format.
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&amp;revision=40167

5. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6669
Similar issue with netmon file format.
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&amp;revision=40168

6. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6670
Similar issue with netmon file format.
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&amp;revision=40169
Comment 3 Huzaifa S. Sidhpurwala 2012-01-17 07:45:20 UTC 
So there are three distinct categories in which these flaws fall:

1. Type-cast error: Caused because of casting unsigned to signed int (ws bug 6663). This leaves the app in an unstable state.

2. Application crash/Dos because of trying to allocate too large a buffer size
(ws bug 6666, 6667, 6669). Integer underflow causing too large buffer to be allocated and a crash (ws bug 6668).

3. Memory corruption (buffer-overflow) when reading novell capture file format. glibc however detects this and terminates the application (ws bug 6670)
Comment 4 Huzaifa S. Sidhpurwala 2012-01-20 05:33:05 UTC 
Based on:

http://thread.gmane.org/gmane.comp.security.oss.general/6656/focus=6755

This issue is split into 4 parts. This bug is being used for CVE-2012-0041 which can be described as:

A typecast flaw was found in the way wireshark casted an unsigned int to signed
int. In the unfixed version this would throw an exception which the application
would catch, but leave it in an unstable state. The patch makes sure that the
value passed was less than G_MAXINT

Patch: http://anonsvn.wireshark.org/viewvc?view=revision&amp;revision=40164
Bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6663
Comment 6 Huzaifa S. Sidhpurwala 2012-01-20 06:52:24 UTC 
This issue affects the version of wireshark shipped with Fedora 15 and Fedora
16 and has been addressed in the following security advisories:

https://admin.fedoraproject.org/updates/wireshark-1.4.11-1.fc15
https://admin.fedoraproject.org/updates/wireshark-1.6.5-1.fc16
Comment 7 Fedora Update System 2012-01-22 22:52:37 UTC 
wireshark-1.6.5-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-01-24 20:00:56 UTC 
wireshark-1.4.11-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 errata-xmlrpc 2012-04-23 16:52:46 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0509 https://rhn.redhat.com/errata/RHSA-2012-0509.html
Comment 12 errata-xmlrpc 2013-01-08 05:00:42 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0125 https://rhn.redhat.com/errata/RHSA-2013-0125.html
Comment 14 Huzaifa S. Sidhpurwala 2013-01-08 09:10:51 UTC 
Statement:

(none)