
Wireshark 1.0.x updates for Etch
Hi,

We had a discussion with Moritz Muehlenhoff from the Security Team and
he proposed
to include Wireshark bugfix releases in Debian stable updates.
The current stable, Lenny, contains wireshark 1.0.3, and 1.0.8, the
latest version from the 1.0.x branch, was already packaged and
uploaded to unstable.

What do you think about Moritz's proposal?

Joost Yervante Damad, who is the uploader for wireshark, supported the
approach, and I support it, too.
(I packaged the last few wireshark versions, because the official
maintainer, Frederic Peters did not have enough time. I'm a Wireshark
developer, too.)

Best Regards,
Balint

---------- Forwarded message ----------
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: 2009/7/6
Subject: Re: wireshark security bug #533347
To: Bálint Réczey <balint@balintreczey.hu>
Cc: team@security.debian.org, Joost Yervante Damad
<andete@debian.org>, fpeters@debian.org


On Wed, Jul 01, 2009 at 03:36:44PM -0700, Bálint Réczey wrote:
> Hi,
>
> Wireshark 1.0.8 fixes CVE-2009-1829 and contains other changes fixing
> crashes and one fix for a memory leak.
>
> I collected the security related changes in a patch in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=533347
>
> I also created a package containing the patch:
> http://rbalint.cs.bme.hu/ws-pkg/
>
> Since I'm not an official Debian developer, Joost Yervante Damad
> offered me to upload the patched version if I get approval from the
> Security Team.

[Adding Frederic to CC]

The advisory page for 1.0.8 mentions only the PCNFSD change as
security-relevant: http://www.wireshark.org/security/wnpa-sec-2009-03.html
Your patch includes more changes, though. Where did you pick them
from?

Since the PCNFSD issue by itself does not offer the possibility to
inject code, but only a crash triggerable through a malformed PCAP
file, I think we should postpone this update and add the patch when
new issues emerge.

Traditionally we've been treating Wireshark crashes triggerable by
network traffic as security issues, since someone could use tshark
as a network monitoring/intrusion detection tool. OTOH, both
Wireshark's security record and the mere concept (analysing network
traffic in a flaky implementation language like C) make this an
impractical approach. I would like to propose to document in a file
like README.Debian or README.Debian.security that Wireshark is a
great tool to analyse traffic patterns, but that crashes cannot be
ruled out due to the complex nature of the task. Thus, it should
not be deployed in scenarios where it is used for live network monitoring,
and leave pure crash bugs unfixed. Of course all bugs which could
trigger code injection will still be fixed in regular DSAs.
Additionally we could talk to the stable release managers to allow
the latest Wireshark point updates for each stable point update
(since the QA done by upstream is quite good). There are similar
exceptions already done for some packages, e.g. PostgreSQL.

Cheers,
       Moritz
