Issue a) NULL pointer dereference in the RADIUS dissector: ---------------------------------------------------------- A NULL pointer dereference flaw was found in the Wireshark's RADIUS dissector. A remote attacker could provide a specially-crafted RADIUS packet capture file, which once opened by an unsuspecting user would lead to denial of service (Wireshark crash). References: ----------- http://www.wireshark.org/security/wnpa-sec-2009-04.html https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3578 Reproducer: ----------- https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3183 Upstream patch: --------------- http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-radius.c?r1=28891&r2=28890&pathrev=28891&view=patch
Information about affected Wireshark versions: ---------------------------------------------- Issue a) NULL pointer dereference in the RADIUS dissector: ---------------------------------------------------------- This issue affects the versions of the wireshark package, as shipped with Red Hat Enterprise Linux 3, 4, and 5. This issue affects the versions of the Wireshark package, as shipped with Fedora releases of 10, 11, and Rawhide. Issue b) Integer overflow in the Bluetooth L2CAP dissector: ----------------------------------------------------------- This issue does NOT affect the versions of the wireshark package, as shipped with Red Hat Enterprise Linux 3, 4, and 5. This issue does NOT affect the version of the wireshark package, as shipped with Fedora release of 10. This issue affects the versions of the wireshark package, as shipped with Fedora releases of 11, and Rawhide. Issue c) Past-the-buffer read in the MIOP dissector: ---------------------------------------------------- This issue does NOT affect the versions of the wireshark package, as shipped with Red Hat Enterprise Linux 3, 4, and 5. This issue does NOT affect the version of the wireshark package, as shipped with Fedora release of 10. This issue affects the versions of the wireshark package, as shipped with Fedora releases of 11 and Rawhide.
MITRE's CVE-2009-2560 entry: --------------------------- Multiple unspecified vulnerabilities in Wireshark 1.2.0 allow remote attackers to cause a denial of service (crash) via unspecified vectors in the (1) Bluetooth L2CAP, (2) RADIUS, or (3) MIOP dissectors. NOTE: the RADIUS dissector vulnerability also affects 1.0.8. References: ---------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2560 http://www.wireshark.org/security/wnpa-sec-2009-04.html http://www.securityfocus.com/bid/35748 http://secunia.com/advisories/35884 http://www.vupen.com/english/advisories/2009/1970
Issue b) Integer overflow in the Bluetooth L2CAP dissector: ----------------------------------------------------------- An integer overflow flaw, leading to heap-based buffer overflow was found in the Wireshark's Bluetooth L2CAP dissector. A remote attacker could provide a specially-crafted L2CAP packet capture file, which once opened by an unsuspecting user would lead to denial of service (Wireshark crash). References: ---------- http://www.wireshark.org/security/wnpa-sec-2009-04.html https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3572 Reproducer: ---------- https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3179 Upstream patch: --------------- http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-btl2cap.c?r1=28884&r2=28883&pathrev=28884&view=patch
Issue c) Past-the-buffer read in the MIOP dissector: ---------------------------------------------------- An insufficient user-provided input validation flaw was found in the Wireshark's MIOP dissector. A remote attacker could provide a specially-crafted MIOP packet capture file, which once opened by an unsuspecting user, would attempt to read past the bounds of allocated buffer, leading to application (Wireshark) abort. References: ---------- http://www.wireshark.org/security/wnpa-sec-2009-04.html https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3652 Reproducer: ----------- https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3243 Upstream patch: --------------- http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ziop.c?r1=29095&r2=29094&pathrev=29095&view=patch
*** Bug 512996 has been marked as a duplicate of this bug. ***
*** Bug 513027 has been marked as a duplicate of this bug. ***
Official statement from Red Hat Security Response Team regarding this issue: ---------------------------------------------------------------------------- The Bluetooth L2CAP and MIOP dissector issues did not affect the versions of the Wireshark package, as shipped with Red Hat Enterprise Linux 3, 4, or 5. The Red Hat Security Response Team has rated the RADIUS dissector issue as having low security impact, a future Wireshark package update may address this flaw in Red Hat Enterprise Linux 3, 4, and 5. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
Note: Radius dissector crash affecting 1.0.x versions was not fixed upstream in 1.0.9.
Fix committed now in 1.0 SVN branch too, to be released in 1.0.10: http://anonsvn.wireshark.org/viewvc?view=rev&revision=30219
Fixed now in 1.0.10: http://www.wireshark.org/security/wnpa-sec-2009-08.html
wireshark-1.2.2-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
wireshark-1.2.1-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Via RHSA-2010:0360 https://rhn.redhat.com/errata/RHSA-2010-0360.html