
Bug#770300: unblock: security wireshark/1.12.1+g01b65bf-2



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: important

Dear Release Team,

Please unblock wireshark to let it migrate to Jessie.
The update consists of back-ported security fixes and a translation update.

Thanks in advance,
Balint

Changes:
 wireshark (1.12.1+g01b65bf-2) unstable; urgency=medium
 .
   [Mert Dirik]
   * Add Turkish translation (Closes: #757499)
 .
   [Balint Reczey]
   * Fix typo in libwiretap4 description (Closes: #757469)
   * security fixes from Wireshark 1.12.2 (Closes: #769410):
     - SigComp UDVM buffer overflow (CVE-2014-8710)
     - AMQP crash (CVE-2014-8711)
     - NCP crashes (CVE-2014-8712, CVE-2014-8713)
     - TN5250 infinite loops (CVE-2014-8714)
diff -Nru wireshark-1.12.1+g01b65bf/debian/changelog wireshark-1.12.1+g01b65bf/debian/changelog
--- wireshark-1.12.1+g01b65bf/debian/changelog	2014-09-20 00:52:12.000000000 +0200
+++ wireshark-1.12.1+g01b65bf/debian/changelog	2014-11-16 15:23:28.000000000 +0100
@@ -1,3 +1,18 @@
+wireshark (1.12.1+g01b65bf-2) unstable; urgency=medium
+
+  [Mert Dirik]
+  * Add Turkish translation (Closes: #757499)
+
+  [Balint Reczey]
+  * Fix typo in libwiretap4 description (Closes: #757469)
+  * security fixes from Wireshark 1.12.2 (Closes: #769410):
+    - SigComp UDVM buffer overflow (CVE-2014-8710)
+    - AMQP crash (CVE-2014-8711)
+    - NCP crashes (CVE-2014-8712, CVE-2014-8713)
+    - TN5250 infinite loops (CVE-2014-8714)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Sun, 02 Nov 2014 20:31:06 +0100
+
 wireshark (1.12.1+g01b65bf-1) unstable; urgency=high
 
   * Increase priority of debconf question about capturing rights to high
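Review bot: The trailer date on the new changelog entry (Sun, 02 Nov 2014) is earlier than the author date of the SigComp fix that the same entry lists (patch 20, dated Tue, 4 Nov 2014), so the timestamp was not refreshed when that patch was added; regenerating the trailer at upload time keeps the entry consistent with its contents. It would also help security tracking to name the patch file next to each CVE, since nothing in the diff maps the two NCP patches to CVE-2014-8712 and CVE-2014-8713 individually.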
diff -Nru wireshark-1.12.1+g01b65bf/debian/control wireshark-1.12.1+g01b65bf/debian/control
--- wireshark-1.12.1+g01b65bf/debian/control	2014-06-11 16:35:40.000000000 +0200
+++ wireshark-1.12.1+g01b65bf/debian/control	2014-11-02 20:35:17.000000000 +0100
@@ -210,7 +210,7 @@
   * HP-UX nettl
   * Toshiba ISDN Router
   * ISDN4BSD "i4btrace" utility
-  * Cisco Secure Intrustion Detection System iplogging facility
+  * Cisco Secure Intrusion Detection System iplogging facility
   * pppd logs (pppdump-format files)
   * VMS TCPTRACE
   * DBS Etherwatch (text format)
@@ -242,7 +242,7 @@
   * HP-UX nettl
   * Toshiba ISDN Router
   * ISDN4BSD "i4btrace" utility
-  * Cisco Secure Intrustion Detection System iplogging facility
+  * Cisco Secure Intrusion Detection System iplogging facility
   * pppd logs (pppdump-format files)
   * VMS TCPTRACE
   * DBS Etherwatch (text format)
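Review bot: The same description line is corrected in two places in debian/control (around lines 210 and 242), but the changelog entry mentions only the libwiretap4 description. If the second occurrence belongs to another binary package, name that package in the changelog as well.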
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/17_1.12.2_fix_TN5250_loop.patch wireshark-1.12.1+g01b65bf/debian/patches/17_1.12.2_fix_TN5250_loop.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/17_1.12.2_fix_TN5250_loop.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/17_1.12.2_fix_TN5250_loop.patch	2014-11-19 12:52:53.000000000 +0100
@@ -0,0 +1,36 @@
+From e0349a8514409420c60d89ca12d2d562628cb29c Mon Sep 17 00:00:00 2001
+From: Martin Kaiser <wireshark@kaiser.cx>
+Date: Mon, 20 Oct 2014 22:37:51 +0200
+Subject: [PATCH 1/5] tn5250: fix an endless loop, exit when offset is not
+ incremented
+
+Bug: 10596
+Change-Id: I64509aa49fce4893dee4e7a74a560e09a98830f6
+Reviewed-on: https://code.wireshark.org/review/4878
+Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
+Tested-by: Martin Kaiser <wireshark@kaiser.cx>
+(cherry picked from commit bc2726578156f3608960fc65ce1f691639e6addc)
+Reviewed-on: https://code.wireshark.org/review/4879
+Reviewed-by: Evan Huus <eapache@gmail.com>
+Reviewed-on: https://code.wireshark.org/review/5338
+Reviewed-by: Michael Mann <mmann78@netscape.net>
+---
+ epan/dissectors/packet-tn5250.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/epan/dissectors/packet-tn5250.c b/epan/dissectors/packet-tn5250.c
+index a9ec088..0d46841 100644
+--- a/epan/dissectors/packet-tn5250.c
++++ b/epan/dissectors/packet-tn5250.c
+@@ -4651,6 +4651,8 @@ dissect_write_structured_field(proto_tree *tn5250_tree, tvbuff_t *tvb, gint offs
+           length = tvb_get_guint8(tvb,offset);
+           proto_tree_add_item(tn5250_tree, hf_tn5250_length, tvb, offset,
+                               1, ENC_BIG_ENDIAN);
++          if (length==0)
++            break;
+           proto_tree_add_item(tn5250_tree, hf_tn5250_dpt_ec, tvb, offset,
+                               length, ENC_EBCDIC|ENC_NA);
+           offset += length;
+-- 
+2.1.3
+
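Review bot: The added `if (length==0) break;` relies on `break` leaving the loop that advances `offset`, but the enclosing construct is not visible in this hunk; if this code sits in a `switch` case inside that loop, the `break` only leaves the case and termination depends on code not shown here, so this should be confirmed against the full function. The zero-length case is also dropped silently after the length item has been added; attaching an expert-info item to that field would tell the analyst the packet is malformed instead of just ending the tree early.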
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/18_1.12.2_fix_NCP_crash_1.patch wireshark-1.12.1+g01b65bf/debian/patches/18_1.12.2_fix_NCP_crash_1.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/18_1.12.2_fix_NCP_crash_1.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/18_1.12.2_fix_NCP_crash_1.patch	2014-11-19 12:52:53.000000000 +0100
@@ -0,0 +1,37 @@
+From 54510127483ebe114b5a19d2f8d9f07abb6f3c1d Mon Sep 17 00:00:00 2001
+From: Evan Huus <eapache@gmail.com>
+Date: Sat, 25 Oct 2014 14:08:57 -0400
+Subject: [PATCH 2/5] ncp2222: initialize buffer in build_expert_data
+
+We do a bunch of conditional logic to fill in the buffer, and then were checking
+strlen(buffer) to see if we'd actually filled it in or not, but if we hadn't
+then the buffer was garbage and strlen(buffer) was throwing valgrind warnings.
+Ensure this works as intended by setting the first byte of the buffer
+unconditionally at the beginning, so strlen(buffer) returns 0 as expected in
+that case.
+
+Bug: 10628
+Change-Id: I6f6c29fbbcb601b6ebccb3a4b312f0fa72c169ae
+Reviewed-on: https://code.wireshark.org/review/4925
+Reviewed-by: Evan Huus <eapache@gmail.com>
+Reviewed-on: https://code.wireshark.org/review/5337
+Reviewed-by: Michael Mann <mmann78@netscape.net>
+---
+ epan/dissectors/packet-ncp2222.inc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/epan/dissectors/packet-ncp2222.inc b/epan/dissectors/packet-ncp2222.inc
+index c055d48..b74b3b0 100644
+--- a/epan/dissectors/packet-ncp2222.inc
++++ b/epan/dissectors/packet-ncp2222.inc
+@@ -2730,6 +2730,7 @@ build_expert_data(proto_tree *ncp_tree, const char *hf_name, char *buffer,
+     char            temp_buffer[256]="\0";
+     gboolean        in_struct=FALSE;
+ 
++    buffer[0] = '\0';
+     tree_loc = ncp_tree->first_child;
+     for (tree_pointer=tree_loc; tree_pointer!=NULL; tree_pointer=tree_pointer->next)
+     {
+-- 
+2.1.3
+
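Review bot: The patch header carries the upstream bug number (10628) but not the CVE it addresses, and the changelog lists two CVEs for NCP without saying which patch fixes which; adding the identifier to the patch description would make this auditable later. On the code itself, the added `buffer[0] = '\0';` is written before anything in the visible lines checks that `buffer` is non-NULL and at least one byte long, so the function now depends on every caller guaranteeing that.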
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/19_1.12.2_fix_NCP_crash_2.patch wireshark-1.12.1+g01b65bf/debian/patches/19_1.12.2_fix_NCP_crash_2.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/19_1.12.2_fix_NCP_crash_2.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/19_1.12.2_fix_NCP_crash_2.patch	2014-11-19 12:52:53.000000000 +0100
@@ -0,0 +1,39 @@
+From 6b8c5dba634cde2fe95fca81668337380f19d641 Mon Sep 17 00:00:00 2001
+From: Evan Huus <eapache@gmail.com>
+Date: Mon, 13 Oct 2014 12:55:40 -0400
+Subject: [PATCH 3/5] ncp2222: don't overflow buffer constructing string
+
+Fixes stack-smashing vuln.
+
+Somehow there was already an XXX in the code about this, but nobody realized at
+the time it was worth fixing... really?
+
+Bug: 10552
+Change-Id: I849068bd6c45146339444f295b72430d3c6e08f2
+Reviewed-on: https://code.wireshark.org/review/4653
+Reviewed-by: Evan Huus <eapache@gmail.com>
+(cherry picked from commit b9988e2bbfc7c6c41ef82c559bd11a8c19170491)
+Reviewed-on: https://code.wireshark.org/review/4654
+Reviewed-on: https://code.wireshark.org/review/5336
+Reviewed-by: Michael Mann <mmann78@netscape.net>
+---
+ epan/dissectors/packet-ncp2222.inc | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/packet-ncp2222.inc b/epan/dissectors/packet-ncp2222.inc
+index b74b3b0..7ef087c 100644
+--- a/epan/dissectors/packet-ncp2222.inc
++++ b/epan/dissectors/packet-ncp2222.inc
+@@ -2756,8 +2756,7 @@ build_expert_data(proto_tree *ncp_tree, const char *hf_name, char *buffer,
+             case 18:
+             case 19:
+             case 20:            /* string */
+-                /* XXX: Should we verify: buffer_size is as large as value returned by get_finfo_length(...)  ???      */
+-                uni_to_string(get_finfo_value_string(PTREE_FINFO(tree_pointer)), get_finfo_length(PTREE_FINFO(tree_pointer)), buffer);
++                uni_to_string(get_finfo_value_string(PTREE_FINFO(tree_pointer)), MIN(get_finfo_length(PTREE_FINFO(tree_pointer)), buffer_size), buffer);
+                 if (repeat_lookup > 0) {
+                     if (strlen(temp_buffer) + strlen(buffer) < 250) {
+                         g_strlcat(temp_buffer, buffer, 256);
+-- 
+2.1.3
+
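Review bot: On the changed `uni_to_string(...)` call, clamping the length to `buffer_size` is only safe if `uni_to_string` never writes more than that many bytes including its terminator; if it appends a NUL after copying the given number of characters, the write can still land one byte past the end and the clamp should be `buffer_size - 1`. `uni_to_string` is not shown in this hunk, so the bound needs checking against its definition, and a one-line comment stating the contract would replace the removed XXX note with something a later reader can verify.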
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/20_1.12.2_fix_SigComp_crash.patch wireshark-1.12.1+g01b65bf/debian/patches/20_1.12.2_fix_SigComp_crash.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/20_1.12.2_fix_SigComp_crash.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/20_1.12.2_fix_SigComp_crash.patch	2014-11-19 12:52:53.000000000 +0100
@@ -0,0 +1,39 @@
+From 9f8367d1a569a10778628981da8a877a1f6f9c3b Mon Sep 17 00:00:00 2001
+From: Evan Huus <eapache@gmail.com>
+Date: Tue, 4 Nov 2014 21:31:17 -0500
+Subject: [PATCH 4/5] sigcomp-udvm: fix invalid access
+
+Way back in 2006, svn r20041 (now gd408f2f6fc) worked around a problem by
+limiting the amount of buffer dealt with in the udvm_state_access call (changing
+it from state_minimum_access_length_buff[n] to STATE_MIN_ACCESS_LEN).
+
+The very next line however, tries to read the same amount of buffer to display
+to the user - since it seems nobody ever applied a proper fix for the original
+case, just apply the same workaround to the second call.
+
+Bug: 10662
+Change-Id: I32c81ee2a8eb7b30ff7ab1fbbb6ea5f206385d4b
+Reviewed-on: https://code.wireshark.org/review/5125
+Reviewed-by: Evan Huus <eapache@gmail.com>
+Reviewed-on: https://code.wireshark.org/review/5331
+Reviewed-by: Michael Mann <mmann78@netscape.net>
+---
+ epan/sigcomp-udvm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/epan/sigcomp-udvm.c b/epan/sigcomp-udvm.c
+index 1e23730..97c6736 100644
+--- a/epan/sigcomp-udvm.c
++++ b/epan/sigcomp-udvm.c
+@@ -2705,7 +2705,7 @@ execute_next_instruction:
+ 				udvm_state_create(sha1buff, sha1_digest_buf, STATE_MIN_ACCESS_LEN);
+ /* end partial state-id change cco@iptel.org */
+ 				proto_tree_add_text(udvm_tree,bytecode_tvb, 0, -1,"### Creating state ###");
+-				proto_tree_add_string(udvm_tree,hf_id, bytecode_tvb, 0, 0, bytes_to_ep_str(sha1_digest_buf, state_minimum_access_length_buff[n]));
++				proto_tree_add_string(udvm_tree,hf_id, bytecode_tvb, 0, 0, bytes_to_ep_str(sha1_digest_buf, STATE_MIN_ACCESS_LEN));
+ 
+ 				n++;
+ 
+-- 
+2.1.3
+
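Review bot: The replacement on the `proto_tree_add_string` line makes the displayed state identifier always `STATE_MIN_ACCESS_LEN` bytes long, whatever `state_minimum_access_length_buff[n]` held, and nothing at the call site marks this as a workaround. A short comment referencing Bug 10662 next to the call, as the AMQP patch does for Bug #10582, would keep a later cleanup from restoring the old length. The size of `sha1_digest_buf` is not visible here, so it is also worth confirming that `STATE_MIN_ACCESS_LEN` cannot exceed it.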
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/21_1.12.2_fix_AMQP_crash.patch wireshark-1.12.1+g01b65bf/debian/patches/21_1.12.2_fix_AMQP_crash.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/21_1.12.2_fix_AMQP_crash.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/21_1.12.2_fix_AMQP_crash.patch	2014-11-19 12:52:53.000000000 +0100
@@ -0,0 +1,52 @@
+From 69875bf282dbd72486da981595f745a76c1346bd Mon Sep 17 00:00:00 2001
+From: Bill Meier <wmeier@newsguy.com>
+Date: Sun, 19 Oct 2014 10:04:39 -0400
+Subject: [PATCH 5/5] packet-amqp.c: Temporary/preliminary fix for Bug #10582
+ (crash)
+
+This is a temporary/preliminary fix to prevent the buildbot fuzz-test
+ failures seen when testing the capture file attached to Bug #10582.
+
+As noted in the bug, a complete fix will require some reworking of
+  the amqp dissector.
+
+Change-Id: I2571f1eeb46a7eede04b8d809e87b95f1ff529df
+Reviewed-on: https://code.wireshark.org/review/4835
+Reviewed-by: Bill Meier <wmeier@newsguy.com>
+(cherry picked from commit 8def8ef9c40189472a46d9b1ad95289780e09af5)
+Reviewed-on: https://code.wireshark.org/review/4837
+Reviewed-by: Evan Huus <eapache@gmail.com>
+Reviewed-on: https://code.wireshark.org/review/5332
+Reviewed-by: Balint Reczey <balint@balintreczey.hu>
+---
+ epan/dissectors/packet-amqp.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/epan/dissectors/packet-amqp.c b/epan/dissectors/packet-amqp.c
+index 8609f87..558a4a4 100644
+--- a/epan/dissectors/packet-amqp.c
++++ b/epan/dissectors/packet-amqp.c
+@@ -53,10 +53,20 @@ static int amqp_port = 5672;
+ 
+ /*  Generic defines  */
+ 
++#if 0
+ #define AMQP_INCREMENT(offset, addend, bound) {\
+     offset += (addend);\
+     THROW_ON((offset > bound), ReportedBoundsError);  \
+ }
++#else /* --> (temporary until in-progress code review completed; See Bug #10582) */
++#define AMQP_INCREMENT(offset, addend, bound) {\
++        THROW_ON( \
++            (((unsigned)(offset) + (unsigned)(addend)) < (unsigned)(offset)) || \
++            (((unsigned)(offset) + (unsigned)(addend)) > (unsigned)(bound )) \
++            , ReportedBoundsError);  \
++    offset += (addend); \
++}
++#endif
+ 
+ /*
+  * This dissector handles AMQP 0-9, 0-10 and 1.0. The conversation structure
+-- 
+2.1.3
+
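Review bot: In the new `AMQP_INCREMENT`, every operand is cast to `unsigned` before the check, so an `addend` wider than `unsigned` is truncated before it is compared, while the final `offset += (addend)` uses the uncast value. If any caller passes a 64-bit length, the check and the increment then disagree; doing the comparison in the widest type involved avoids that. The macro also expands `offset` and `addend` several times and is a bare `{...}` block, so arguments with side effects and use in an unbraced `if`/`else` are unsafe; wrapping the body in `do { ... } while (0)` is the usual fix. Since the `#if 0` branch is kept as dead code, the "temporary" comment should say what condition allows it to be removed.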
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/series wireshark-1.12.1+g01b65bf/debian/patches/series
--- wireshark-1.12.1+g01b65bf/debian/patches/series	2014-09-20 00:52:12.000000000 +0200
+++ wireshark-1.12.1+g01b65bf/debian/patches/series	2014-11-19 13:23:28.000000000 +0100
@@ -6,3 +6,8 @@
 08_wireshark-desktop-menu.patch
 09_idl2wrs.patch
 16_licence_about_location.patch
+17_1.12.2_fix_TN5250_loop.patch
+18_1.12.2_fix_NCP_crash_1.patch
+19_1.12.2_fix_NCP_crash_2.patch
+20_1.12.2_fix_SigComp_crash.patch
+21_1.12.2_fix_AMQP_crash.patch
diff -Nru wireshark-1.12.1+g01b65bf/debian/po/tr.po wireshark-1.12.1+g01b65bf/debian/po/tr.po
--- wireshark-1.12.1+g01b65bf/debian/po/tr.po	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/po/tr.po	2014-09-26 11:38:26.000000000 +0200
@@ -0,0 +1,59 @@
+# Turkish translation of wireshark package
+# Copyright (C) 2014 Mert Dirik
+# This file is distributed under the same license as the wireshark package.
+# Mert Dirik <mertdirik@gmail.com>, 2014.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: wireshark 1.10.8-1\n"
+"Report-Msgid-Bugs-To: wireshark@packages.debian.org\n"
+"POT-Creation-Date: 2010-06-20 16:35+0200\n"
+"PO-Revision-Date: 2014-08-01 17:26+0200\n"
+"Last-Translator: Mert Dirik <mertdirik@gmail.com>\n"
+"Language-Team: Debian L10n Turkish <debian-l10n-turkish@lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 1.5.4\n"
+"Language: tr\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:2001
+msgid "Should non-superusers be able to capture packets?"
+msgstr "Süper kullanıcı olmayan kullanıcılar da paket yakalayabilsin mi?"
+
+#. Type: boolean
+#. Description
+#: ../templates:2001
+msgid ""
+"Dumpcap can be installed in a way that allows members of the \"wireshark\" "
+"system group to capture packets. This is recommended over the alternative of "
+"running Wireshark/Tshark directly as root, because less of the code will run "
+"with elevated privileges."
+msgstr ""
+"Dumpcap \"wireshark\" sistem grubundaki kullanıcıların paket yakalamalarına "
+"izin verecek şekilde kurulabilir. Wireshark/Tshark'ı root olarak "
+"çalıştırmaktansa bu yolu seçmeniz önerilir, çünkü bu sayede daha az kod "
+"yüksek yetkilerle çalışacaktır."
+
+#. Type: boolean
+#. Description
+#: ../templates:2001
+msgid ""
+"For more detailed information please see /usr/share/doc/wireshark-common/"
+"README.Debian."
+msgstr ""
+"Daha fazla bilgi için lütfen /usr/share/doc/wireshark-common/README.Debian "
+"dosyasına bakın."
+
+#. Type: boolean
+#. Description
+#: ../templates:2001
+msgid ""
+"Enabling this feature may be a security risk, so it is disabled by default. "
+"If in doubt, it is suggested to leave it disabled."
+msgstr ""
+"Bu seçeneği etkinleştirmek bir güvenlik riski oluşturabilir, bu nedenle "
+"öntanımlı olarak kapalı haldedir. Kararsız kaldığınız takdirde bu seçeneği "
+"kapalı halde tutmanız önerilir."
