CVE-2011-0538 Wireshark: memory corruption when reading a malformed pcap file

Bug #730413 reported by Mahyuddin Susanto on 2011-03-07
342
This bug affects 1 person
Affects Status Importance Assigned to Milestone
wireshark (Ubuntu)
Medium
Unassigned
Karmic
Medium
Unassigned
Lucid
Medium
Mahyuddin Susanto
Maverick
Medium
Unassigned

Bug Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 affects ubuntu/wireshark
 status inprogress
 assignee udienz
 importance medium
 security yes
 done

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0538 to
the following vulnerability:

Name: CVE-2011-0538
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0538
Assigned: 20110120
Reference: MLIST:[oss-security] 20110204 Wireshark: Freeing uninitialized
pointer
Reference: URL:http://openwall.com/lists/oss-security/2011/02/04/1
Reference:
MISC:https://srcm.symantec.com/EditVulnerabilityFixes.aspx?docId=549474
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5652
Reference: BID:46167
Reference: URL:http://www.securityfocus.com/bid/46167

Wireshark 1.5.0, 1.4.3, and earlier frees an uninitialized pointer
during processing of a .pcap file in the pcap-ng format, which allows
remote attackers to cause a denial of service (memory corruption) or
possibly have unspecified other impact via a malformed file.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk10WSMACgkQdr7GbwjmqKVgaAD/VQ4eFumo+hLdPWPRjn5IDsoQ
xuXMhWvd4xK6JKV8GrgA/3JK4ctEWBogkIZH+5ptQyaYBpxgt80sz2nCCp2uwDCX
=fAxp
-----END PGP SIGNATURE-----

visibility: private → public
Mahyuddin Susanto (udienz) wrote :

Attached lucid patch, fixing:
 - CVE-2010-4300 LP: #682549
 - CVE-2011-0444 LP: #730415
 - CVE-2010-4538 LP: #730417
 - CVE-2010-3445 LP: #682549
 - CVE-2010-2995 CVE-2010-2287 LP: #730419
 - CVE-2011-0538 LP: #730413
 - CVE-2011-0713 LP: #730412
 - CVE-2011-1139 LP: #730409

Changed in wireshark (Ubuntu):
assignee: Mahyuddin Susanto (udienz) → nobody
status: In Progress → New
Micah Gersten (micahg) wrote :

This was fixed in natty with 1.4.4-1

Changed in wireshark (Ubuntu):
status: New → Fix Released
Changed in wireshark (Ubuntu Karmic):
importance: Undecided → Medium
Changed in wireshark (Ubuntu Lucid):
importance: Undecided → Medium
Changed in wireshark (Ubuntu Maverick):
importance: Undecided → Medium
status: New → Triaged
Changed in wireshark (Ubuntu Karmic):
status: New → Triaged
Micah Gersten (micahg) on 2011-03-08
Changed in wireshark (Ubuntu Lucid):
status: New → Triaged
status: Triaged → New
Changed in wireshark (Ubuntu Lucid):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Thank you for preparing this update! Unfortunately I have to NACK the lucid debdiff for the following reasons:
* debian/patches/CVE-2011-0444.patch lists this as fixing https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5530, and there are two commits for this (as mentioned in the patch):
 http://anonsvn.wireshark.org/viewvc?view=rev&revision=35292
 http://anonsvn.wireshark.org/viewvc?view=rev&revision=35298

However the patch to epan/dissectors/packet-snmp.c is missing.

* debian/patches/CVE-2010-3445.patch lists this as fixing https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5230, with the fix in http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ber.c?r1=34111&r2=34110&pathrev=34111&view=patch. Now, packet-ber.c differs a bit in Lucid as opposed to later releases of wireshark, but I found this at the end of the patch:
@@ -1001,7 +1013,7 @@
  tmp_length = 0;
  tmp_ind = FALSE;

- if (nest_level > BER_MAX_INDEFINITE_NESTING) {
+ if (nest_level > BER_MAX_NESTING) {
   /* Assume that we have a malformed packet. */
   THROW(ReportedBoundsError);
  }

The Lucid version does not have the if statement at all, but I wonder if it should use the patched version. Can you comment?

* debian/patches/CVE-2011-0538.patch uses the Debian bug for both 'Bug' and 'Bug-Debian'. It should use https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5652 for 'Bug'.

* debian/patches/CVE-2011-0713.patch has two 'Origin' statements, but no upstream 'Bug' statement. One of the Origin statements is wrong and is for CVE-2011-0538. The correct one should be http://anonsvn.wireshark.org/viewvc?revision=35953&view=revision.

* debian/patches/CVE-2011-1139.patch does not reference the upstream bug (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5661) or the Ubuntu bug (https://launchpad.net/bugs/730409)

Please adjust the debdiff for the above issues, and respond to my question regarding the 'if (nest_level > BER_MAX_NESTING)' test in the patch for CVE-2010-3445. Thanks!

Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors. Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the changes are complete. Please also detail the testing performed for packages you compiled with the update.

Changed in wireshark (Ubuntu Lucid):
assignee: nobody → Mahyuddin Susanto (udienz)
status: Confirmed → Incomplete
Jamie Strandboge (jdstrand) wrote :

One more thing, the debian/changelog states that debian/patches/CVE-2010-2995.patch fixes CVE-2010-2287, but it does not. The fixes for CVE-2010-2287 are:
 http://anonsvn.wireshark.org/viewvc?view=revision&revision=33061
 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4826

tags: added: patch-needswork
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against karmic is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in wireshark (Ubuntu Karmic):
status: Triaged → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in wireshark (Ubuntu Maverick):
status: Triaged → Won't Fix
Jamie Strandboge (jdstrand) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to 'New'. Thanks again!

Changed in wireshark (Ubuntu):
status: Fix Released → Invalid
Changed in wireshark (Ubuntu Lucid):
status: Incomplete → Invalid
Changed in wireshark (Ubuntu Maverick):
status: Won't Fix → Invalid
Changed in wireshark (Ubuntu Karmic):
status: Won't Fix → Invalid
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.