990180 – (CVE-2013-4936) CVE-2013-4936 wireshark: DoS (NULL pointer dereference, crash) in the PROFINET Real-Time dissector (wnpa-sec-2013-53)

Bug 990180 (CVE-2013-4936) - CVE-2013-4936 wireshark: DoS (NULL pointer dereference, crash) in the PROFINET Real-Time dissector (wnpa-sec-2013-53)

Summary: CVE-2013-4936 wireshark: DoS (NULL pointer dereference, crash) in the PROFINE...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2013-4936
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	979246 990202 994914 994924
Blocks:	974906 990216
TreeView+	depends on / blocked

Reported:	2013-07-30 14:08 UTC by Jan Lieskovsky
Modified:	2021-02-17 07:27 UTC (History)
CC List:	5 users (show)
Fixed In Version:	Wireshark 1.10.1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-03-13 05:59:49 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:1569	0	normal	SHIPPED_LIVE	Moderate: wireshark security, bug fix, and enhancement update	2013-11-20 21:40:01 UTC

Description Jan Lieskovsky 2013-07-30 14:08:36 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4936 to the following vulnerability:

The dissect_smtp function in epan/dissectors/packet-smtp.c in the PROFINET Real-Time dissector in Wireshark 1.10.x before 1.10.1 does not initialize certain structure members, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet.

References:
[1] http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-smtp.c?r1=50472&r2=50471&pathrev=50472
[2] http://anonsvn.wireshark.org/viewvc?view=revision&revision=50472
[3] http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
[4] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8904
[5] https://www.wireshark.org/security/wnpa-sec-2013-53.html

Comment 1 Huzaifa S. Sidhpurwala 2013-08-08 08:27:24 UTC

The patches mentioned in comment #0 are not correct. The correct patch which corrects this flaw is:

http://anonsvn.wireshark.org/viewvc?view=revision&revision=50651

Comment 2 Huzaifa S. Sidhpurwala 2013-08-08 08:37:06 UTC

Statement:

This issue does not affect the version of wireshark as shipped with Red Hat Enterprise Linux 5.

Comment 5 errata-xmlrpc 2013-11-21 07:33:20 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1569 https://rhn.redhat.com/errata/RHSA-2013-1569.html

Comment 6 Peter Hatina 2014-03-12 11:45:58 UTC

(In reply to Huzaifa S. Sidhpurwala from comment #2)
> Statement:
> 
> This issue affects the version of wireshark as shipped with Red Hat
> Enterprise Linux 5. The Red Hat Security Response Team has rated this issue
> as having low security impact, a future update may address this flaw.

Using wireshark-1.0.15-5.el5

Having looked at the upstream bug report, I can't make tshark crash using provided capture file. The code doesn't dereference mentioned pointers.
IsDFP_Frame() isn't even present.

Can you, please, investigate this flaw again?

Note You need to log in before you can comment on or make changes to this bug.