Bug 773726 - (CVE-2012-0041) CVE-2012-0041 wireshark: multiple file parser vulnerabilities (wnpa-sec-2012-01)
CVE-2012-0041 wireshark: multiple file parser vulnerabilities (wnpa-sec-2012-01)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20120110,reported=2...
: Security
Depends On: 781268 809045 809046 834180
Blocks: 773730 807617 816611
  Show dependency treegraph
 
Reported: 2012-01-12 12:46 EST by Vincent Danen
Modified: 2015-11-24 09:54 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-08 04:10:51 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2012-01-12 12:46:22 EST
Laurent Butti discovered that Wireshark failed to properly check record sizes for many packet capture file formats.  It may be possible to make Wireshark crash by convincing someone to read a malformed packet trace file.  This is corrected in upstream 1.4.11 and 1.6.5.

http://www.wireshark.org/security/wnpa-sec-2012-01.html
Comment 1 Huzaifa S. Sidhpurwala 2012-01-13 01:19:53 EST
Created wireshark tracking bugs for this issue

Affects: fedora-all [bug 781268]
Comment 2 Huzaifa S. Sidhpurwala 2012-01-17 02:23:52 EST
This CVE includes fixes for 6 upstream issues (bugs), details as follows:

1. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6663
This is a type cast issue, caused because of casting an unsigned int to signed int. 
In the unfixed version this would throw an exception which the application would catch, but leave it in an unstable state. The patch makes sure that the value passed was less than G_MAXINT
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40164

2. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6666
5Views file format DoS due to request to allocate too large a buffer size. Normally glib should terminate the application with something like
"GLib-ERROR **: gmem.c:239: failed to allocate 3221228094 bytes"
Resolved by clamping the value of packet_size
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40165

3. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6667
Same problem and solution but with i4b capture format now
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40166

4. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6668
Same problem and solution but with iptrace capture format. Also some checks for bad file format.
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40167

5. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6669
Similar issue with netmon file format.
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40168

6. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6670
Similar issue with netmon file format.
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40169
Comment 3 Huzaifa S. Sidhpurwala 2012-01-17 02:45:20 EST
So there are three distinct categories in which these flaws fall:

1. Type-cast error: Caused because of casting unsigned to signed int (ws bug 6663). This leaves the app in an unstable state.

2. Application crash/Dos because of trying to allocate too large a buffer size
(ws bug 6666, 6667, 6669). Integer underflow causing too large buffer to be allocated and a crash (ws bug 6668).

3. Memory corruption (buffer-overflow) when reading novell capture file format. glibc however detects this and terminates the application (ws bug 6670)
Comment 4 Huzaifa S. Sidhpurwala 2012-01-20 00:33:05 EST
Based on:

http://thread.gmane.org/gmane.comp.security.oss.general/6656/focus=6755

This issue is split into 4 parts. This bug is being used for CVE-2012-0041 which can be described as:

A typecast flaw was found in the way wireshark casted an unsigned int to signed
int. In the unfixed version this would throw an exception which the application
would catch, but leave it in an unstable state. The patch makes sure that the
value passed was less than G_MAXINT

Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40164
Bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6663
Comment 6 Huzaifa S. Sidhpurwala 2012-01-20 01:52:24 EST
This issue affects the version of wireshark shipped with Fedora 15 and Fedora
16 and has been addressed in the following security advisories:

https://admin.fedoraproject.org/updates/wireshark-1.4.11-1.fc15
https://admin.fedoraproject.org/updates/wireshark-1.6.5-1.fc16
Comment 7 Fedora Update System 2012-01-22 17:52:37 EST
wireshark-1.6.5-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-01-24 15:00:56 EST
wireshark-1.4.11-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 errata-xmlrpc 2012-04-23 12:52:46 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0509 https://rhn.redhat.com/errata/RHSA-2012-0509.html
Comment 12 errata-xmlrpc 2013-01-08 00:00:42 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0125 https://rhn.redhat.com/errata/RHSA-2013-0125.html
Comment 14 Huzaifa S. Sidhpurwala 2013-01-08 04:10:51 EST
Statement:

(none)

Note You need to log in before you can comment on or make changes to this bug.