[Security] April 3 2015 - 6 New CVEs affect Wireshark

Bug #1440202 reported by Thomas Ward
This bug affects 1 person
Affects             Status        Importance  Assigned to    Milestone
wireshark (Ubuntu)  Fix Released  Medium      Unassigned
Trusty              Confirmed     Medium      Unassigned
Utopic              Fix Released  Medium      Steve Beattie

Bug Description

There are 6 new CVEs which impact Wireshark in Utopic. (Three of these also affect Trusty)

------

CVE-2015-2187: (Utopic)
The dissect_atn_cpdlc_heur function in asn1/atn-cpdlc/packet-atn-cpdlc-template.c in the ATN-CPDLC dissector in Wireshark 1.12.x before 1.12.4 does not properly follow the TRY/ENDTRY code requirements, which allows remote attackers to cause a denial of service (stack memory corruption and application crash) via a crafted packet.

CVE-2015-2188: (Trusty, Utopic)
epan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 does not properly initialize a data structure, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet that is improperly handled during decompression.

CVE-2015-2189: (Trusty, Utopic)
Off-by-one error in the pcapng_read function in wiretap/pcapng.c in the pcapng file parser in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via an invalid Interface Statistics Block (ISB) interface ID in a crafted packet.

CVE-2015-2190: (Utopic)
epan/proto.c in Wireshark 1.12.x before 1.12.4 does not properly handle integer data types greater than 32 bits in size, which allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted packet that is improperly handled by the LLDP dissector.

CVE-2015-2191: (Trusty, Utopic)
Integer overflow in the dissect_tnef function in epan/dissectors/packet-tnef.c in the TNEF dissector in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted length field in a packet.

CVE-2015-2192: (Utopic)
Integer overflow in the dissect_osd2_cdb_continuation function in epan/dissectors/packet-scsi-osd.c in the SCSI OSD dissector in Wireshark 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted length field in a packet.

------

Vivid is not affected by these CVEs as the archive autosync pulled in a version from Debian that has patches from Wireshark 1.12.4 which fix the problem.

Trusty and Utopic are affected.

Importance set to medium because the majority of these CVEs have a "medium" severity in the Ubuntu CVE tracker.

Tags: trusty utopic
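
The bug class named in CVE-2015-2191 and CVE-2015-2192 above (an integer overflow on a length field that ends in an infinite loop), shown as an added example that is not Wireshark's code and not part of the original report. The record layout, function names and sample buffers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed layout (an assumption, not TNEF or SCSI OSD): each record is
 * a 4-byte big-endian length followed by that many payload bytes. */
#define MAX_STEPS 64 /* lets the demo report a loop that would never end */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed pattern: the advance is a 32-bit sum, so len = 0xFFFFFFFC wraps
 * off + 4 + len back to off and the walker never makes progress.
 * Returns the records walked, or -1 once MAX_STEPS is reached. */
int walk_unchecked(const uint8_t *buf, uint32_t size) {
    uint32_t off = 0;
    int steps = 0;
    while (off < size && size - off >= 4) {
        uint32_t len = be32(buf + off);
        off = off + 4u + len;              /* wraps modulo 2^32 */
        if (++steps >= MAX_STEPS) return -1;
    }
    return steps;
}

/* Hardened: compare len with the bytes that remain instead of adding it
 * first, so the offset only moves forward. Returns -2 on a bad length. */
int walk_checked(const uint8_t *buf, uint32_t size) {
    uint32_t off = 0;
    int records = 0;
    while (size - off >= 4) {
        uint32_t len = be32(buf + off);
        if (len > size - off - 4) return -2;   /* length exceeds the data */
        off += 4u + len;                       /* off stays <= size */
        records++;
    }
    return records;
}

/* Constructed sample buffers: two valid records, and one wrapping length. */
const uint8_t GOOD[] = {0, 0, 0, 2, 'h', 'i', 0, 0, 0, 0};
const uint8_t BAD_LEN[] = {0xFF, 0xFF, 0xFF, 0xFC, 'x', 'x'};

int main(void) {
    printf("good: %d %d\n", walk_unchecked(GOOD, 10), walk_checked(GOOD, 10));
    printf("bad:  %d %d\n", walk_unchecked(BAD_LEN, 6), walk_checked(BAD_LEN, 6));
    return 0;
}
```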
Thomas Ward (teward) wrote :

Marking Fix Released against the devel release as this is already fixed there.

description: updated
tags: added: trusty
removed: precise
Changed in wireshark (Ubuntu Trusty):
status: New → Confirmed
Changed in wireshark (Ubuntu Utopic):
status: New → Confirmed
Changed in wireshark (Ubuntu Trusty):
importance: Undecided → Critical
importance: Critical → Medium
Changed in wireshark (Ubuntu Utopic):
importance: Undecided → Medium
Changed in wireshark (Ubuntu):
status: Confirmed → Fix Released
Thomas Ward (teward) wrote :

Attached is a debdiff for Utopic to address this bug and the 6 CVEs. The included patches were taken from the auto-synced Vivid package, but had their patch names renamed in order to keep the sequential numbering in Utopic, as only security fixes were included, and there is an extra patch in Vivid which would make the CVE patches push the numbering out of sequence.

Steve Beattie (sbeattie)
Changed in wireshark (Ubuntu Utopic):
status: Confirmed → In Progress
assignee: nobody → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wireshark - 1.12.1+g01b65bf-2~ubuntu14.10.3

---------------
wireshark (1.12.1+g01b65bf-2~ubuntu14.10.3) utopic-security; urgency=medium

  * Security Update to Address Multiple CVEs (LP: #1440202)
  * Additional new patches (from 1.12.4) in debian/patches/ (from vivid
    package, renamed for numerical sequence differences in Utopic):
    * 29_1.12.4_fix_ATN_CPDLC_crash.patch: Fix ATN-CPDLC dissector crash
      (CVE-2015-2187)
    * 30_1.12.4_fix_pcapng_crash.patch: Fix pcapng file parser crash
      (CVE-2015-2189)
    * 31_1.12.4_fix_TNEF_crash.patch: Fix TNEF dissector crash
      (CVE-2015-2191)
    * 32_1.12.4_fix_SCSI_OSD_crash.patch: Fix SCSI OSD dissector crash
      (CVE-2015-2192)
    * 33_1.12.4_fix_LLDP_crash.patch: Fix LLDP dissector crash
      (CVE-2015-2190)
    * 34_1.12.4_fix_WCP_crash.patch: Fix WCP dissector crash
      (CVE-2015-2188)
 -- Thomas Ward <email address hidden> Fri, 03 Apr 2015 17:12:34 -0400

Changed in wireshark (Ubuntu Utopic):
status: In Progress → Fix Released
Steve Beattie (sbeattie) wrote :

Unsubscribing ubuntu-security-sponsors as there's nothing additional here to do at this time. Please resubscribe when a debdiff for trusty is prepared. Thanks for helping to improve Ubuntu!

This report contains Public Security information  
Everyone can see this security related information.