Bug 156927 - multiple ethereal security issues
Summary: multiple ethereal security issues
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ethereal
Version: 3
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Radek Vokál
QA Contact:
URL: http://www.ethereal.com/news/item_200...
Whiteboard: impact=important,embargoed=20050503,s...
Depends On:
Blocks:
Reported: 2005-05-05 13:55 UTC by Josh Bressers
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-09 06:39:56 UTC
Type: ---
Embargoed:



Description Josh Bressers 2005-05-05 13:55:23 UTC
+++ This bug was initially created as a clone of Bug #156911 +++

An aggressive testing program as well as independent discovery has turned up a
multitude of security issues:

The ANSI A dissector was susceptible to format string vulnerabilities.
Discovered by Bryan Fulton. Versions affected: 0.9.15 to 0.10.10

The GSM MAP dissector could crash. Versions affected: 0.10.0 to 0.10.10

The AIM dissector could cause a crash. Versions affected: 0.9.14 to 0.10.10

The DISTCC dissector was susceptible to a buffer overflow. Discovered by Ilja
van Sprundel. Versions affected: 0.9.13 to 0.10.10

The FCELS dissector was susceptible to a buffer overflow. Discovered by Neil
Kettle. Versions affected: 0.9.9 to 0.10.10

The SIP dissector was susceptible to a buffer overflow. Discovered by Ejovi
Nuwere. Versions affected: 0.10.0 to 0.10.10

The KINK dissector was susceptible to a null pointer exception, endless looping,
and other problems. Versions affected: 0.10.10

The LMP dissector was susceptible to an endless loop. Versions affected: 0.9.4
to 0.10.10

The Telnet dissector could abort. Versions affected: 0.9.10 to 0.10.10

The TZSP dissector could cause a segmentation fault. Versions affected: 0.10.10
to 0.10.10

The WSP dissector was susceptible to a null pointer exception and assertions.
Versions affected: 0.10.0 to 0.10.10

The 802.3 Slow protocols dissector could throw an assertion. Versions affected:
0.10.10

The BER dissector could throw assertions. Versions affected: 0.10.2 to 0.10.10

The SMB Mailslot dissector was susceptible to a null pointer exception and could
throw assertions. Versions affected: 0.9.0 to 0.10.10

The H.245 dissector was susceptible to a null pointer exception. Versions
affected: 0.10.10

The Bittorrent dissector could cause a segmentation fault. Versions affected:
0.10.8 to 0.10.10

The SMB dissector could cause a segmentation fault and throw assertions.
Versions affected: 0.9.0 to 0.10.10

The Fibre Channel dissector could cause a crash. Versions affected: 0.9.9 to 0.10.10

The DICOM dissector could attempt to allocate large amounts of memory. Versions
affected: 0.10.4 to 0.10.10

The MGCP dissector was susceptible to a null pointer exception, could loop
indefinitely, and segfault. Versions affected: 0.8.14 to 0.10.10

The RSVP dissector could loop indefinitely. Versions affected: 0.9.8 to 0.10.10

The DHCP dissector was susceptible to format string vulnerabilities, and could
abort. Versions affected: 0.10.7 to 0.10.10

The SRVLOC dissector could crash unexpectedly or go into an infinite loop.
Versions affected: 0.9.8 to 0.10.10

The EIGRP dissector could loop indefinitely. Versions affected: 0.8.18 to 0.10.10

The ISIS dissector could overflow a buffer. Versions affected: 0.8.18 to 0.10.10

The CMIP, CMP, CMS, CRMF, ESS, OCSP, PKIX1Explicit, PKIX Qualified, and X.509
dissectors could overflow buffers. Versions affected: 0.10.4 to 0.10.10

The NDPS dissector could exhaust system memory or cause an assertion, or crash.
Versions affected: 0.9.12 to 0.10.10

The Q.931 dissector could try to free a null pointer and overflow a buffer.
Versions affected: 0.10.10

The IAX2 dissector could throw an assertion. Versions affected: 0.10.1 to 0.10.10

The ICEP dissector could try to free the same memory twice. Versions affected:
0.10.7 to 0.10.10

The MEGACO dissector was susceptible to an infinite loop and a buffer overflow.
Versions affected: 0.9.14 to 0.10.10

The DLSw dissector was susceptible to an infinite loop. Versions affected: 0.9.1
to 0.10.10

The RPC dissector was susceptible to a null pointer exception. Versions
affected: 0.9.2 to 0.10.10

The NCP dissector could overflow a buffer or loop for a large amount of time.
Versions affected: 0.10.5 to 0.10.10

The RADIUS dissector could throw an assertion. Versions affected: 0.10.3 to 0.10.10

The GSM dissector could access an invalid pointer. Versions affected: 0.10.10

The SMB PIPE dissector could throw an assertion. Versions affected: 0.9.0 to 0.10.10

The L2TP dissector was susceptible to an infinite loop. Versions affected:
0.10.9 to 0.10.10

The SMB NETLOGON dissector could dereference a null pointer. Versions affected:
0.9.12 to 0.10.10

The MRDISC dissector could throw an assertion. Versions affected: 0.8.19 to 0.10.10

The ISUP dissector could overflow a buffer or cause a segmentation fault.
Versions affected: 0.8.19 to 0.10.10

The LDAP dissector could crash. Versions affected: 0.10.1 to 0.10.10

The TCAP dissector could overflow a buffer or throw an assertion. Versions
affected: 0.10.8 to 0.10.10

The NTLMSSP dissector could crash. Versions affected: 0.9.7 to 0.10.10

The Presentation dissector could overflow a buffer. Versions affected: 0.10.1 to
0.10.10

Additionally, a number of dissectors could throw an assertion when passing an
invalid protocol tree item length. Versions affected: 0.10.8 to 0.10.10

Comment 1 Matthew Miller 2005-05-07 13:40:26 UTC
Looks like there's an update for this in the updates tree but no announcement yet.

Comment 2 Radek Vokál 2005-05-09 06:39:56 UTC
Announce sent .. 

Comment 3 Matthew Miller 2005-05-09 12:22:21 UTC
Thanks!
