Bug 191571 - CVE-2006-1932 Multiple ethereal issues (CVE-2006-1933, CVE-2006-1934, CVE-2006-1935, CVE-2006-1936, CVE-2006-1937, CVE-2006-1938, CVE-2006-1939, CVE-2006-1940, VE-2006-4805, CVE-2006-5468, CVE-2006-5469, CVE-2006-5740, CVE-2006-4574)
CVE-2006-1932 Multiple ethereal issues (CVE-2006-1933, CVE-2006-1934, CVE-200...
Status: CLOSED WONTFIX
Product: Fedora Legacy
Classification: Retired
Component: wireshark (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
impact=moderate, LEGACY, rhl73, rhl9,...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-05-12 19:57 EDT by Marc Deslauriers
Modified: 2013-01-09 22:42 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-30 15:57:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Marc Deslauriers 2006-05-12 19:57:09 EDT
+++ This bug was initially created as a clone of Bug #189906 +++

Ethereal 0.99.0 has been released which fixes multiple issues.  The release
information can be found here:
http://www.ethereal.com/appnotes/enpa-sa-00023.html

These issues should also affect RHEL2 and RHEL3

-- Additional comment from bugzilla@redhat.com on 2006-05-03 12:28 EST --

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0420.html
Comment 1 Marc Deslauriers 2006-05-12 20:56:18 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA.

afa6f2afd499f28c84a58ce4ee2f430dd02351a5  7.3/ethereal-0.99.0-0.73.1.legacy.src.rpm
bc8193f9c0b8a25230e3550a83690e329d82168c  9/ethereal-0.99.0-0.90.1.legacy.src.rpm
57bc4f26640447d891e80d86e99198bd45546176  1/ethereal-0.99.0-1.FC1.1.legacy.src.rpm
57eb0b6890f0cf4906a1bd774b72bf666d7c6bec  2/ethereal-0.99.0-1.FC2.1.legacy.src.rpm
15a68c9ebe8304d0a639d24837814d1828b817a6  3/ethereal-0.99.0-1.FC3.1.legacy.src.rpm

Downloads:

http://www.infostrategique.com/linuxrpms/legacy/7.3/ethereal-0.99.0-0.73.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ethereal-0.99.0-0.90.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/ethereal-0.99.0-1.FC1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/ethereal-0.99.0-1.FC2.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/ethereal-0.99.0-1.FC3.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEZTEpLMAs/0C4zNoRAuZxAKDAbMe9WanWs3SEsferE4siey+wTACfUXVE
E0caHMj0dZncz4GoA3yv9bo=
=0rkj
-----END PGP SIGNATURE-----
Comment 2 Pekka Savola 2006-05-15 01:30:31 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches (where applicable) verified to come from RHEL
 
+PUBLISH RHL73, RHL9, FC1, FC2, FC3
 
afa6f2afd499f28c84a58ce4ee2f430dd02351a5  ethereal-0.99.0-0.73.1.legacy.src.rpm
bc8193f9c0b8a25230e3550a83690e329d82168c  ethereal-0.99.0-0.90.1.legacy.src.rpm
57bc4f26640447d891e80d86e99198bd45546176  ethereal-0.99.0-1.FC1.1.legacy.src.rpm
57eb0b6890f0cf4906a1bd774b72bf666d7c6bec  ethereal-0.99.0-1.FC2.1.legacy.src.rpm
15a68c9ebe8304d0a639d24837814d1828b817a6  ethereal-0.99.0-1.FC3.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFEaBOOGHbTkzxSL7QRApoyAKCQ7eeOoiRaMN6XaJ4yMEckmw5CmgCcD4ko
K9RdtaP8Rmn7Gy3M2HYheh4=
=Dvwr
-----END PGP SIGNATURE-----
Comment 3 David Eisenstein 2006-06-18 00:13:03 EDT
Building on build server...  Sorry it has taken so long to start building these
packages...
Comment 4 David Eisenstein 2006-06-18 01:15:15 EDT
Peeking into the build log for RedHats 7.3, 9, and FC1 (FC2 and FC3 haven't
finished building yet), 
<http://turbosphere.fedoralegacy.org/logs/redhat-7.3-core/145-ethereal-0.99.0-0.73.1.legacy/i386/build.log>
<http://turbosphere.fedoralegacy.org/logs/redhat-9-core/146-ethereal-0.99.0-0.90.1.legacy/i386/build.log>
<http://turbosphere.fedoralegacy.org/logs/fedora-1-core/147-ethereal-0.99.0-1.FC1.1.legacy/i386/build.log>,

am noticing that during the ./configure phase, this comes up:

  checking for libgnutls-config... no
  checking for libgnutls - version >= 1.0.0... no
  *** The libgnutls-config script installed by LIBGNUTLS could not be found
  *** If LIBGNUTLS was installed in PREFIX, make sure PREFIX/bin is in
  *** your path, or set the LIBGNUTLS_CONFIG environment variable to the
  *** full path to libgnutls-config.
  echo gnuTLS not found, disabling ssl decryption

Might we be missing some buildrequires here?  Or is this something that has
always been disabled in ethereal packages?
Comment 5 David Eisenstein 2006-06-18 01:37:16 EDT
Oh.  Just answered my own question:

   Author: karsten

   Update of /cvs/dist/rpms/ethereal/devel
   In directory cvs.devel.redhat.com:/tmp/cvs-serv4649

   Modified Files:
	   ethereal.spec 
   Log Message:
   - add buildrequires gnutls-devel, mock builds loose gnutls support otherwise:
   checking for libgnutls-config... no
   checking for libgnutls - version >= 1.0.0... no
   *** The libgnutls-config script installed by LIBGNUTLS could not be found
   *** If LIBGNUTLS was installed in PREFIX, make sure PREFIX/bin is in
   *** your path, or set the LIBGNUTLS_CONFIG environment variable to the
   *** full path to libgnutls-config.
   echo gnuTLS not found, disabling ssl decryption

   ...

    %changelog
   +* Wed May 17 2006 Karsten Hopp <karsten redhat de> 0.99.0-2
   +- add buildrequires gnutls-devel
   +

From <http://www.redhat.com/archives/fedora-cvs-commits/2006-May/msg00941.html>,
(from googling [ethereal GNUtls]).

Looking at that CVS commit entry, it mentions "rpmdiff."  Is that a tool we
can use?  I use a hacked "rpm-build-compare.sh", which may do something 
similar, but I was wondering if "rpmdiff" is better?
Comment 6 David Eisenstein 2006-06-18 04:09:08 EDT
Here's the deal.  Before ethereal version 0.99.0, the ability to decrypt
SSL packets was not an option.  From file "/usr/share/doc/ethereal-0.99.0/NEWS":

     o The source distribution of Ethereal now supports SSL, IPsec
       ESP, and ISAKMP decryption. (This feature has not yet been
       enabled in the Windows installer.)
                                                                                
So it's a new feature.  This new feature evidently requires the GNUtls
library.  However, RHL7.3, RHL9, FC1 and FC2 do not supply a GNUtls library.
(Hence that diagnostic message in the ./configure phase in comment #4 & #5.)
However, FC3 appears to have GNUtls available.

So my proposed solution to this is that we will not support the new SSL
decryption feature in RHL7.3, RHL9, FC1 and FC2.  These four distros seemed
to compile just fine in mock without it.  For FC3, if merely adding
    buildrequires: gnutls-devel
allows it to build with this new feature, then we can push packages with this
new feature and let FC3 users play with it.

We might mention in our release notes that although ethereal 0.99.0 source
now has the capability to do SSL decryption, the lack of required libraries
in RHL7.3, RHL9, FC1 and FC2 prevents that feature from being enabled in
Legacy's builds of ethereal for those distros.  We're not taking away any
features users have been used to having in ethereal in these distros.  We're
just not enabling a new feature.

Please let me know what you think.  Thanks.   -David
Comment 7 Marc Deslauriers 2006-08-29 18:40:24 EDT
We need to migrate this to wireshark as a bunch of new issues came up.
Comment 8 Matthew Miller 2006-10-20 12:34:48 EDT
I agree that moving to wireshark and keeping up with current versions is the
only hope here. Backporting ethereal patches could be a full-time job.
Comment 9 Jeff Sheltren 2006-11-09 14:49:23 EST
OK, let's add some more issues to this while we're at it :)

Several flaws were found in Wireshark's HTTP, WBXML, LDAP, and XOT protocol
dissectors. Wireshark could crash or stop responding if it read a malformed
packet off the network. (CVE-2006-4805, CVE-2006-5468, CVE-2006-5469,
CVE-2006-5740)

A single NULL byte heap based buffer overflow was found in Wireshark's MIME
Multipart dissector. Wireshark could crash or possibly execute arbitrary
arbitrary code as the user running Wireshark. (CVE-2006-4574)

RHEL update announcement here:
https://rhn.redhat.com/errata/RHSA-2006-0726.html

Can someone update the summary please?  Also, we'll need to add wireshark to
legacy's bugzilla - I didn't see it just now.
Comment 10 David Eisenstein 2006-11-11 01:45:35 EST
I guess we should remove FC1 and FC2 from the list of releases to be fixed,
since they are no longer supported.  Are we going to support WireShark for RHL
7.3 and
RHL 9?
Comment 11 Eric Jon Rostetter 2006-11-11 17:34:35 EST
We should try to fix it RHL as it was opened before the deadline of October.
If it was a new report after October than it would not be accepted.  But this
ticket shows the RHL problem existed before the deadline, and hence should
remain.  If nothing gets resolved regarding by the December deadline then
the RHL versions can be dropped at that point.
Comment 12 David Eisenstein 2006-11-12 23:00:20 EST
Agreed.  We create new packages for RHL 7.3 and RHL 9, FC3 and FC4.

Changing package name to 'wireshark', which Jesse just added to the Bugzilla
database for FedoraLegacy.  Thanks, Jesse! :)
Comment 13 David Eisenstein 2006-11-12 23:09:45 EST
Uh.  Only one problem.  If wireshark requires GNUtls to build, then we would 
need to create *new* GNUtls packages for those Red Hat and Fedora Core releases
that don't already have them.

To quote myself from comment #6:

"Here's the deal.  Before ethereal version 0.99.0, the ability to decrypt
SSL packets was not an option.  From file "/usr/share/doc/ethereal-0.99.0/NEWS":

     o The source distribution of Ethereal [ I suppose it's now wireshark??]
       now supports SSL, IPsec ESP, and ISAKMP decryption. (This feature
       has not yet been enabled in the Windows installer.)
                                                                                
So it's a new feature.  This new feature evidently requires the GNUtls
library.  However, RHL7.3, RHL9, ... do not supply a GNUtls library.
(Hence that diagnostic message in the ./configure phase in comment #4 & #5.)
However, FC3 appears to have GNUtls available.

So my proposed solution to this is that we will not support the new SSL
decryption feature in RHL7.3, RHL9.  These releases seemed to compile just
fine in mock without it.  For FC3, if merely adding
    buildrequires: gnutls-devel
allows it to build with this new feature, then we can push packages with this
new feature and let FC3 users play with it.

We might mention in our release notes that although ethereal 0.99.0 source
now has the capability to do SSL decryption, the lack of required libraries
in RHL7.3 and RHL9 prevents that feature from being enabled in Legacy's
builds of ethereal for those distros.  We're not taking away any features
users have been used to having in ethereal in these distros.  We're just not
enabling a new feature."

What do you think?  Jeff?  Eric?  Marc?  Matt?  Anyone?
Comment 14 David Eisenstein 2006-11-12 23:15:01 EST
s/FC3/FC3 and FC4/
in above comment...  (sorry about bugzilla-spam)
Comment 15 Jesse Keating 2006-11-12 23:27:54 EST
(In reply to comment #13)

> So my proposed solution to this is that we will not support the new SSL
> decryption feature in RHL7.3, RHL9.  These releases seemed to compile just
> fine in mock without it.  For FC3, if merely adding
>     buildrequires: gnutls-devel
> allows it to build with this new feature, then we can push packages with this
> new feature and let FC3 users play with it.
> 
> We might mention in our release notes that although ethereal 0.99.0 source
> now has the capability to do SSL decryption, the lack of required libraries
> in RHL7.3 and RHL9 prevents that feature from being enabled in Legacy's
> builds of ethereal for those distros.  We're not taking away any features
> users have been used to having in ethereal in these distros.  We're just not
> enabling a new feature."
> 
> What do you think?  Jeff?  Eric?  Marc?  Matt?  Anyone?

This seems pretty sane to me. I vote go for it.
Comment 16 Marc Deslauriers 2006-11-13 08:09:08 EST
That's the way I did it in all the previous Ethereal releases for rhl. I never
mentioned it in the release notes though.
Comment 17 Eric Jon Rostetter 2006-11-14 11:55:22 EST
Sounds good to me.  Mention in the release notes would be nice, but not
absolutely required...
Comment 18 Jesse Keating 2007-08-30 15:57:11 EDT
Fedora Legacy project has ended.  These will not be fixed by Fedora Legacy.

Note You need to log in before you can comment on or make changes to this bug.