Laurent Butti discovered that Wireshark failed to properly check record sizes for many packet capture file formats. It may be possible to make Wireshark crash by convincing someone to read a malformed packet trace file. This is corrected in upstream 1.4.11 and 1.6.5. http://www.wireshark.org/security/wnpa-sec-2012-01.html
Created wireshark tracking bugs for this issue Affects: fedora-all [bug 781268]
This CVE includes fixes for 6 upstream issues (bugs), details as follows: 1. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6663 This is a type cast issue, caused because of casting an unsigned int to signed int. In the unfixed version this would throw an exception which the application would catch, but leave it in an unstable state. The patch makes sure that the value passed was less than G_MAXINT Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40164 2. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6666 5Views file format DoS due to request to allocate too large a buffer size. Normally glib should terminate the application with something like "GLib-ERROR **: gmem.c:239: failed to allocate 3221228094 bytes" Resolved by clamping the value of packet_size Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40165 3. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6667 Same problem and solution but with i4b capture format now Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40166 4. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6668 Same problem and solution but with iptrace capture format. Also some checks for bad file format. Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40167 5. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6669 Similar issue with netmon file format. Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40168 6. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6670 Similar issue with netmon file format. Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40169
So there are three distinct categories in which these flaws fall: 1. Type-cast error: Caused because of casting unsigned to signed int (ws bug 6663). This leaves the app in an unstable state. 2. Application crash/Dos because of trying to allocate too large a buffer size (ws bug 6666, 6667, 6669). Integer underflow causing too large buffer to be allocated and a crash (ws bug 6668). 3. Memory corruption (buffer-overflow) when reading novell capture file format. glibc however detects this and terminates the application (ws bug 6670)
Based on: http://thread.gmane.org/gmane.comp.security.oss.general/6656/focus=6755 This issue is split into 4 parts. This bug is being used for CVE-2012-0041 which can be described as: A typecast flaw was found in the way wireshark casted an unsigned int to signed int. In the unfixed version this would throw an exception which the application would catch, but leave it in an unstable state. The patch makes sure that the value passed was less than G_MAXINT Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40164 Bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6663
This issue affects the version of wireshark shipped with Fedora 15 and Fedora 16 and has been addressed in the following security advisories: https://admin.fedoraproject.org/updates/wireshark-1.4.11-1.fc15 https://admin.fedoraproject.org/updates/wireshark-1.6.5-1.fc16
wireshark-1.6.5-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
wireshark-1.4.11-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2012:0509 https://rhn.redhat.com/errata/RHSA-2012-0509.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2013:0125 https://rhn.redhat.com/errata/RHSA-2013-0125.html
Statement: (none)