
Bug#770300: marked as done (unblock: wireshark/1.12.1+g01b65bf-2)



Your message dated Thu, 20 Nov 2014 13:14:12 +0000
with message-id <04d3edc68b3928722455df83c4ccbdf6@mail.adsl.funky-badger.org>
and subject line Re: Bug#770300: unblock: security wireshark/1.12.1+g01b65bf-2
has caused the Debian Bug report #770300,
regarding unblock: wireshark/1.12.1+g01b65bf-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
770300: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770300
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: important

Dear Release Team,

Please unblock wireshark to let it migrate to Jessie.
The update consists of back-ported security fixes and a translation update.

Thanks in advance,
Balint

Changes:
 wireshark (1.12.1+g01b65bf-2) unstable; urgency=medium
 .
   [Mert Dirik]
   * Add Turkish translation (Closes: #757499)
 .
   [Balint Reczey]
   * Fix typo in libwiretap4 description (Closes: #757469)
   * security fixes from Wireshark 1.12.2 (Closes: #769410):
     - SigComp UDVM buffer overflow (CVE-2014-8710)
     - AMQP crash (CVE-2014-8711)
     - NCP crashes (CVE-2014-8712, CVE-2014-8713)
     - TN5250 infinite loops (CVE-2014-8714)
diff -Nru wireshark-1.12.1+g01b65bf/debian/changelog wireshark-1.12.1+g01b65bf/debian/changelog
--- wireshark-1.12.1+g01b65bf/debian/changelog	2014-09-20 00:52:12.000000000 +0200
+++ wireshark-1.12.1+g01b65bf/debian/changelog	2014-11-16 15:23:28.000000000 +0100
@@ -1,3 +1,18 @@
+wireshark (1.12.1+g01b65bf-2) unstable; urgency=medium
+
+  [Mert Dirik]
+  * Add Turkish translation (Closes: #757499)
+
+  [Balint Reczey]
+  * Fix typo in libwiretap4 description (Closes: #757469)
+  * security fixes from Wireshark 1.12.2 (Closes: #769410):
+    - SigComp UDVM buffer overflow (CVE-2014-8710)
+    - AMQP crash (CVE-2014-8711)
+    - NCP crashes (CVE-2014-8712, CVE-2014-8713)
+    - TN5250 infinite loops (CVE-2014-8714)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Sun, 02 Nov 2014 20:31:06 +0100
+
 wireshark (1.12.1+g01b65bf-1) unstable; urgency=high
 
   * Increase priority of debconf question about capturing rights to high
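Review bot: the trailer date on the new changelog entry, `Sun, 02 Nov 2014 20:31:06 +0100`, predates one of the fixes the entry lists: the SigComp commit in patch 4/5 is dated 4 Nov 2014, and the patch files in this debdiff carry 19 Nov timestamps. Refreshing the trailer when the last patch was added would keep the entry consistent with what is uploaded. The entry also goes from `urgency=high` in -1 to `urgency=medium` while carrying five CVE fixes; if that is intentional, a sentence in the unblock request saying so would save the reader a question.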
diff -Nru wireshark-1.12.1+g01b65bf/debian/control wireshark-1.12.1+g01b65bf/debian/control
--- wireshark-1.12.1+g01b65bf/debian/control	2014-06-11 16:35:40.000000000 +0200
+++ wireshark-1.12.1+g01b65bf/debian/control	2014-11-02 20:35:17.000000000 +0100
@@ -210,7 +210,7 @@
   * HP-UX nettl
   * Toshiba ISDN Router
   * ISDN4BSD "i4btrace" utility
-  * Cisco Secure Intrustion Detection System iplogging facility
+  * Cisco Secure Intrusion Detection System iplogging facility
   * pppd logs (pppdump-format files)
   * VMS TCPTRACE
   * DBS Etherwatch (text format)
@@ -242,7 +242,7 @@
   * HP-UX nettl
   * Toshiba ISDN Router
   * ISDN4BSD "i4btrace" utility
-  * Cisco Secure Intrustion Detection System iplogging facility
+  * Cisco Secure Intrusion Detection System iplogging facility
   * pppd logs (pppdump-format files)
   * VMS TCPTRACE
   * DBS Etherwatch (text format)
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/17_1.12.2_fix_TN5250_loop.patch wireshark-1.12.1+g01b65bf/debian/patches/17_1.12.2_fix_TN5250_loop.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/17_1.12.2_fix_TN5250_loop.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/17_1.12.2_fix_TN5250_loop.patch	2014-11-19 12:52:53.000000000 +0100
@@ -0,0 +1,36 @@
+From e0349a8514409420c60d89ca12d2d562628cb29c Mon Sep 17 00:00:00 2001
+From: Martin Kaiser <wireshark@kaiser.cx>
+Date: Mon, 20 Oct 2014 22:37:51 +0200
+Subject: [PATCH 1/5] tn5250: fix an endless loop, exit when offset is not
+ incremented
+
+Bug: 10596
+Change-Id: I64509aa49fce4893dee4e7a74a560e09a98830f6
+Reviewed-on: https://code.wireshark.org/review/4878
+Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
+Tested-by: Martin Kaiser <wireshark@kaiser.cx>
+(cherry picked from commit bc2726578156f3608960fc65ce1f691639e6addc)
+Reviewed-on: https://code.wireshark.org/review/4879
+Reviewed-by: Evan Huus <eapache@gmail.com>
+Reviewed-on: https://code.wireshark.org/review/5338
+Reviewed-by: Michael Mann <mmann78@netscape.net>
+---
+ epan/dissectors/packet-tn5250.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/epan/dissectors/packet-tn5250.c b/epan/dissectors/packet-tn5250.c
+index a9ec088..0d46841 100644
+--- a/epan/dissectors/packet-tn5250.c
++++ b/epan/dissectors/packet-tn5250.c
+@@ -4651,6 +4651,8 @@ dissect_write_structured_field(proto_tree *tn5250_tree, tvbuff_t *tvb, gint offs
+           length = tvb_get_guint8(tvb,offset);
+           proto_tree_add_item(tn5250_tree, hf_tn5250_length, tvb, offset,
+                               1, ENC_BIG_ENDIAN);
++          if (length==0)
++            break;
+           proto_tree_add_item(tn5250_tree, hf_tn5250_dpt_ec, tvb, offset,
+                               length, ENC_EBCDIC|ENC_NA);
+           offset += length;
+-- 
+2.1.3
+
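Review bot: the new `if (length==0) break;` in dissect_write_structured_field ends dissection on a zero length byte without telling the user why. The length field has already been added to the tree at that point, so an expert-info item attached to it (malformed, zero-length entry) before the `break` would make the truncated dissection visible in the UI. A short comment that the check exists because `offset += length` would otherwise never advance would also help. The hunk context does not show the enclosing construct, so it is worth confirming that `break` leaves the loop and not just an inner `switch` case.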
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/18_1.12.2_fix_NCP_crash_1.patch wireshark-1.12.1+g01b65bf/debian/patches/18_1.12.2_fix_NCP_crash_1.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/18_1.12.2_fix_NCP_crash_1.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/18_1.12.2_fix_NCP_crash_1.patch	2014-11-19 12:52:53.000000000 +0100
@@ -0,0 +1,37 @@
+From 54510127483ebe114b5a19d2f8d9f07abb6f3c1d Mon Sep 17 00:00:00 2001
+From: Evan Huus <eapache@gmail.com>
+Date: Sat, 25 Oct 2014 14:08:57 -0400
+Subject: [PATCH 2/5] ncp2222: initialize buffer in build_expert_data
+
+We do a bunch of conditional logic to fill in the buffer, and then were checking
+strlen(buffer) to see if we'd actually filled it in or not, but if we hadn't
+then the buffer was garbage and strlen(buffer) was throwing valgrind warnings.
+Ensure this works as intended by setting the first byte of the buffer
+unconditionally at the beginning, so strlen(buffer) returns 0 as expected in
+that case.
+
+Bug: 10628
+Change-Id: I6f6c29fbbcb601b6ebccb3a4b312f0fa72c169ae
+Reviewed-on: https://code.wireshark.org/review/4925
+Reviewed-by: Evan Huus <eapache@gmail.com>
+Reviewed-on: https://code.wireshark.org/review/5337
+Reviewed-by: Michael Mann <mmann78@netscape.net>
+---
+ epan/dissectors/packet-ncp2222.inc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/epan/dissectors/packet-ncp2222.inc b/epan/dissectors/packet-ncp2222.inc
+index c055d48..b74b3b0 100644
+--- a/epan/dissectors/packet-ncp2222.inc
++++ b/epan/dissectors/packet-ncp2222.inc
+@@ -2730,6 +2730,7 @@ build_expert_data(proto_tree *ncp_tree, const char *hf_name, char *buffer,
+     char            temp_buffer[256]="\0";
+     gboolean        in_struct=FALSE;
+ 
++    buffer[0] = '\0';
+     tree_loc = ncp_tree->first_child;
+     for (tree_pointer=tree_loc; tree_pointer!=NULL; tree_pointer=tree_pointer->next)
+     {
+-- 
+2.1.3
+
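Review bot: `buffer[0] = '\0';` at the top of build_expert_data writes through the caller's pointer before anything is checked, so it relies on `buffer` being non-NULL and at least one byte long. Nothing in the hunk states that contract; a comment on the function, or a guard on the `buffer_size` value that patch 3/5 uses, would make the assumption explicit. `temp_buffer` is already initialised at its declaration, so after this change both buffers start out as empty strings, which is what the later `strlen()` checks described in the commit message expect.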
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/19_1.12.2_fix_NCP_crash_2.patch wireshark-1.12.1+g01b65bf/debian/patches/19_1.12.2_fix_NCP_crash_2.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/19_1.12.2_fix_NCP_crash_2.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/19_1.12.2_fix_NCP_crash_2.patch	2014-11-19 12:52:53.000000000 +0100
@@ -0,0 +1,39 @@
+From 6b8c5dba634cde2fe95fca81668337380f19d641 Mon Sep 17 00:00:00 2001
+From: Evan Huus <eapache@gmail.com>
+Date: Mon, 13 Oct 2014 12:55:40 -0400
+Subject: [PATCH 3/5] ncp2222: don't overflow buffer constructing string
+
+Fixes stack-smashing vuln.
+
+Somehow there was already an XXX in the code about this, but nobody realized at
+the time it was worth fixing... really?
+
+Bug: 10552
+Change-Id: I849068bd6c45146339444f295b72430d3c6e08f2
+Reviewed-on: https://code.wireshark.org/review/4653
+Reviewed-by: Evan Huus <eapache@gmail.com>
+(cherry picked from commit b9988e2bbfc7c6c41ef82c559bd11a8c19170491)
+Reviewed-on: https://code.wireshark.org/review/4654
+Reviewed-on: https://code.wireshark.org/review/5336
+Reviewed-by: Michael Mann <mmann78@netscape.net>
+---
+ epan/dissectors/packet-ncp2222.inc | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/packet-ncp2222.inc b/epan/dissectors/packet-ncp2222.inc
+index b74b3b0..7ef087c 100644
+--- a/epan/dissectors/packet-ncp2222.inc
++++ b/epan/dissectors/packet-ncp2222.inc
+@@ -2756,8 +2756,7 @@ build_expert_data(proto_tree *ncp_tree, const char *hf_name, char *buffer,
+             case 18:
+             case 19:
+             case 20:            /* string */
+-                /* XXX: Should we verify: buffer_size is as large as value returned by get_finfo_length(...)  ???      */
+-                uni_to_string(get_finfo_value_string(PTREE_FINFO(tree_pointer)), get_finfo_length(PTREE_FINFO(tree_pointer)), buffer);
++                uni_to_string(get_finfo_value_string(PTREE_FINFO(tree_pointer)), MIN(get_finfo_length(PTREE_FINFO(tree_pointer)), buffer_size), buffer);
+                 if (repeat_lookup > 0) {
+                     if (strlen(temp_buffer) + strlen(buffer) < 250) {
+                         g_strlcat(temp_buffer, buffer, 256);
+-- 
+2.1.3
+
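Review bot: the clamp in the `case 20` string branch is `MIN(get_finfo_length(...), buffer_size)`, which still allows a length equal to the full size of `buffer`. If uni_to_string stores a terminating NUL after the converted characters, that leaves a one-byte overrun; clamping to `buffer_size - 1` would rule it out. The operand types are not visible in the hunk, so it is also worth checking that MIN is not comparing a signed length against an unsigned size. The removed XXX was the only in-code trace of the issue, so a one-line comment stating the bound would be a useful replacement.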
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/20_1.12.2_fix_SigComp_crash.patch wireshark-1.12.1+g01b65bf/debian/patches/20_1.12.2_fix_SigComp_crash.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/20_1.12.2_fix_SigComp_crash.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/20_1.12.2_fix_SigComp_crash.patch	2014-11-19 12:52:53.000000000 +0100
@@ -0,0 +1,39 @@
+From 9f8367d1a569a10778628981da8a877a1f6f9c3b Mon Sep 17 00:00:00 2001
+From: Evan Huus <eapache@gmail.com>
+Date: Tue, 4 Nov 2014 21:31:17 -0500
+Subject: [PATCH 4/5] sigcomp-udvm: fix invalid access
+
+Way back in 2006, svn r20041 (now gd408f2f6fc) worked around a problem by
+limiting the amount of buffer dealt with in the udvm_state_access call (changing
+it from state_minimum_access_length_buff[n] to STATE_MIN_ACCESS_LEN).
+
+The very next line however, tries to read the same amount of buffer to display
+to the user - since it seems nobody ever applied a proper fix for the original
+case, just apply the same workaround to the second call.
+
+Bug: 10662
+Change-Id: I32c81ee2a8eb7b30ff7ab1fbbb6ea5f206385d4b
+Reviewed-on: https://code.wireshark.org/review/5125
+Reviewed-by: Evan Huus <eapache@gmail.com>
+Reviewed-on: https://code.wireshark.org/review/5331
+Reviewed-by: Michael Mann <mmann78@netscape.net>
+---
+ epan/sigcomp-udvm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/epan/sigcomp-udvm.c b/epan/sigcomp-udvm.c
+index 1e23730..97c6736 100644
+--- a/epan/sigcomp-udvm.c
++++ b/epan/sigcomp-udvm.c
+@@ -2705,7 +2705,7 @@ execute_next_instruction:
+ 				udvm_state_create(sha1buff, sha1_digest_buf, STATE_MIN_ACCESS_LEN);
+ /* end partial state-id change cco@iptel.org */
+ 				proto_tree_add_text(udvm_tree,bytecode_tvb, 0, -1,"### Creating state ###");
+-				proto_tree_add_string(udvm_tree,hf_id, bytecode_tvb, 0, 0, bytes_to_ep_str(sha1_digest_buf, state_minimum_access_length_buff[n]));
++				proto_tree_add_string(udvm_tree,hf_id, bytecode_tvb, 0, 0, bytes_to_ep_str(sha1_digest_buf, STATE_MIN_ACCESS_LEN));
+ 
+ 				n++;
+ 
+-- 
+2.1.3
+
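Review bot: at the `proto_tree_add_string(udvm_tree,hf_id, ...)` call the displayed state identifier is now always STATE_MIN_ACCESS_LEN bytes long, whatever `state_minimum_access_length_buff[n]` holds, and nothing in the code marks this as a workaround. The commit message says it repeats the 2006 workaround because no proper fix was applied, so an XXX comment next to both calls would keep that visible to the next reader. Validating `state_minimum_access_length_buff[n]` against the size of `sha1_digest_buf` where the value is read would prevent a later use of it from reintroducing the invalid access.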
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/21_1.12.2_fix_AMQP_crash.patch wireshark-1.12.1+g01b65bf/debian/patches/21_1.12.2_fix_AMQP_crash.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/21_1.12.2_fix_AMQP_crash.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/21_1.12.2_fix_AMQP_crash.patch	2014-11-19 12:52:53.000000000 +0100
@@ -0,0 +1,52 @@
+From 69875bf282dbd72486da981595f745a76c1346bd Mon Sep 17 00:00:00 2001
+From: Bill Meier <wmeier@newsguy.com>
+Date: Sun, 19 Oct 2014 10:04:39 -0400
+Subject: [PATCH 5/5] packet-amqp.c: Temporary/preliminary fix for Bug #10582
+ (crash)
+
+This is a temporary/preliminary fix to prevent the buildbot fuzz-test
+ failures seen when testing the capture file attached to Bug #10582.
+
+As noted in the bug, a complete fix will require some reworking of
+  the amqp dissector.
+
+Change-Id: I2571f1eeb46a7eede04b8d809e87b95f1ff529df
+Reviewed-on: https://code.wireshark.org/review/4835
+Reviewed-by: Bill Meier <wmeier@newsguy.com>
+(cherry picked from commit 8def8ef9c40189472a46d9b1ad95289780e09af5)
+Reviewed-on: https://code.wireshark.org/review/4837
+Reviewed-by: Evan Huus <eapache@gmail.com>
+Reviewed-on: https://code.wireshark.org/review/5332
+Reviewed-by: Balint Reczey <balint@balintreczey.hu>
+---
+ epan/dissectors/packet-amqp.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/epan/dissectors/packet-amqp.c b/epan/dissectors/packet-amqp.c
+index 8609f87..558a4a4 100644
+--- a/epan/dissectors/packet-amqp.c
++++ b/epan/dissectors/packet-amqp.c
+@@ -53,10 +53,20 @@ static int amqp_port = 5672;
+ 
+ /*  Generic defines  */
+ 
++#if 0
+ #define AMQP_INCREMENT(offset, addend, bound) {\
+     offset += (addend);\
+     THROW_ON((offset > bound), ReportedBoundsError);  \
+ }
++#else /* --> (temporary until in-progress code review completed; See Bug #10582) */
++#define AMQP_INCREMENT(offset, addend, bound) {\
++        THROW_ON( \
++            (((unsigned)(offset) + (unsigned)(addend)) < (unsigned)(offset)) || \
++            (((unsigned)(offset) + (unsigned)(addend)) > (unsigned)(bound )) \
++            , ReportedBoundsError);  \
++    offset += (addend); \
++}
++#endif
+ 
+ /*
+  * This dissector handles AMQP 0-9, 0-10 and 1.0. The conversation structure
+-- 
+2.1.3
+
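Review bot: the replacement AMQP_INCREMENT expands `addend` up to three times and `offset` more often (in both comparisons and again in `offset += (addend)`), whereas the old macro expanded `addend` once; a call site that passes an expression with side effects, or an expensive one, now behaves differently. Computing the sum once into a local inside the block would avoid that. The `(unsigned)` casts truncate if any argument is wider than unsigned int, and the body is a bare `{ ... }` block instead of `do { ... } while (0)`, so it does not compose safely with if/else at call sites. The `#if 0` copy of the old macro can go once the review mentioned in the `#else` comment is finished.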
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/series wireshark-1.12.1+g01b65bf/debian/patches/series
--- wireshark-1.12.1+g01b65bf/debian/patches/series	2014-09-20 00:52:12.000000000 +0200
+++ wireshark-1.12.1+g01b65bf/debian/patches/series	2014-11-19 13:23:28.000000000 +0100
@@ -6,3 +6,8 @@
 08_wireshark-desktop-menu.patch
 09_idl2wrs.patch
 16_licence_about_location.patch
+17_1.12.2_fix_TN5250_loop.patch
+18_1.12.2_fix_NCP_crash_1.patch
+19_1.12.2_fix_NCP_crash_2.patch
+20_1.12.2_fix_SigComp_crash.patch
+21_1.12.2_fix_AMQP_crash.patch
diff -Nru wireshark-1.12.1+g01b65bf/debian/po/tr.po wireshark-1.12.1+g01b65bf/debian/po/tr.po
--- wireshark-1.12.1+g01b65bf/debian/po/tr.po	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/po/tr.po	2014-09-26 11:38:26.000000000 +0200
@@ -0,0 +1,59 @@
+# Turkish translation of wireshark package
+# Copyright (C) 2014 Mert Dirik
+# This file is distributed under the same license as the wireshark package.
+# Mert Dirik <mertdirik@gmail.com>, 2014.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: wireshark 1.10.8-1\n"
+"Report-Msgid-Bugs-To: wireshark@packages.debian.org\n"
+"POT-Creation-Date: 2010-06-20 16:35+0200\n"
+"PO-Revision-Date: 2014-08-01 17:26+0200\n"
+"Last-Translator: Mert Dirik <mertdirik@gmail.com>\n"
+"Language-Team: Debian L10n Turkish <debian-l10n-turkish@lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 1.5.4\n"
+"Language: tr\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:2001
+msgid "Should non-superusers be able to capture packets?"
+msgstr "Süper kullanıcı olmayan kullanıcılar da paket yakalayabilsin mi?"
+
+#. Type: boolean
+#. Description
+#: ../templates:2001
+msgid ""
+"Dumpcap can be installed in a way that allows members of the \"wireshark\" "
+"system group to capture packets. This is recommended over the alternative of "
+"running Wireshark/Tshark directly as root, because less of the code will run "
+"with elevated privileges."
+msgstr ""
+"Dumpcap \"wireshark\" sistem grubundaki kullanıcıların paket yakalamalarına "
+"izin verecek şekilde kurulabilir. Wireshark/Tshark'ı root olarak "
+"çalıştırmaktansa bu yolu seçmeniz önerilir, çünkü bu sayede daha az kod "
+"yüksek yetkilerle çalışacaktır."
+
+#. Type: boolean
+#. Description
+#: ../templates:2001
+msgid ""
+"For more detailed information please see /usr/share/doc/wireshark-common/"
+"README.Debian."
+msgstr ""
+"Daha fazla bilgi için lütfen /usr/share/doc/wireshark-common/README.Debian "
+"dosyasına bakın."
+
+#. Type: boolean
+#. Description
+#: ../templates:2001
+msgid ""
+"Enabling this feature may be a security risk, so it is disabled by default. "
+"If in doubt, it is suggested to leave it disabled."
+msgstr ""
+"Bu seçeneği etkinleştirmek bir güvenlik riski oluşturabilir, bu nedenle "
+"öntanımlı olarak kapalı haldedir. Kararsız kaldığınız takdirde bu seçeneği "
+"kapalı halde tutmanız önerilir."

--- End Message ---
--- Begin Message ---
On 2014-11-20 10:20, Bálint Réczey wrote:
> Package: release.debian.org
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> Severity: important

Unblocks are normal severity at most. (They really don't need "security" adding to the subject either - the package isn't going to migrate for another four days anyway.)

> Dear Release Team,
>
> Please unblock wireshark to let it migrate to Jessie.
> The update consists of back-ported security fixes and a translation update.

Done.

Regards,

Adam

--- End Message ---
