Bug 1127369 (CVE-2019-9209)

Summary: VUL-0: CVE-2019-9209: wireshark: ASN.1 BER and related dissectors could crash
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/225437/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2019-02-28 13:02:52 UTC 
CVE-2019-9209

In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the ASN.1 BER and related
dissectors could crash. This was addressed in epan/dissectors/packet-ber.c by
preventing a buffer overflow associated with excessive digits in time values.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9209
https://www.wireshark.org/security/wnpa-sec-2019-06.html
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f8fbe9f934d65b2694fa74622e5eb2e1dc8cd20b
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15447
Comment 3 Swamp Workflow Management 2019-03-15 20:09:56 UTC 
SUSE-SU-2019:0619-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1127367,1127369,1127370
CVE References: CVE-2019-9208,CVE-2019-9209,CVE-2019-9214
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    wireshark-2.4.13-3.22.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    wireshark-2.4.13-3.22.1
Comment 4 Swamp Workflow Management 2019-03-21 23:10:04 UTC 
SUSE-SU-2019:0688-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1127367,1127369,1127370
CVE References: CVE-2019-9208,CVE-2019-9209,CVE-2019-9214
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    wireshark-2.4.13-48.42.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    wireshark-2.4.13-48.42.1
SUSE Linux Enterprise Server 12-SP4 (src):    wireshark-2.4.13-48.42.1
SUSE Linux Enterprise Server 12-SP3 (src):    wireshark-2.4.13-48.42.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    wireshark-2.4.13-48.42.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    wireshark-2.4.13-48.42.1
Comment 5 Robert Frohl 2019-03-26 11:35:59 UTC 
I believe all fixed
Comment 6 Swamp Workflow Management 2019-04-02 16:19:01 UTC 
openSUSE-SU-2019:1108-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1127367,1127369,1127370
CVE References: CVE-2019-9208,CVE-2019-9209,CVE-2019-9214
Sources used:
openSUSE Leap 15.0 (src):    wireshark-2.4.13-lp150.2.23.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-05-13 13:10:41 UTC 
openSUSE-SU-2019:1390-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1127367,1127369,1127370,1131945
CVE References: CVE-2019-10894,CVE-2019-10895,CVE-2019-10896,CVE-2019-10899,CVE-2019-10901,CVE-2019-10903,CVE-2019-9208,CVE-2019-9209,CVE-2019-9214
Sources used:
openSUSE Leap 42.3 (src):    wireshark-2.4.14-52.1
Comment 8 Robert Frohl 2019-07-18 08:48:21 UTC 
released
Comment 9 Swamp Workflow Management 2020-03-13 20:19:48 UTC 
SUSE-SU-2020:0693-1: An update that fixes 59 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1093733,1094301,1101776,1101777,1101786,1101788,1101791,1101794,1101800,1101802,1101804,1101810,1106514,1111647,1117740,1121231,1121232,1121233,1121234,1121235,1127367,1127369,1127370,1131941,1131945,1136021,1141980,1150690,1156288,1158505,1161052,1165241,1165710,957624
CVE References: CVE-2018-11354,CVE-2018-11355,CVE-2018-11356,CVE-2018-11357,CVE-2018-11358,CVE-2018-11359,CVE-2018-11360,CVE-2018-11361,CVE-2018-11362,CVE-2018-12086,CVE-2018-14339,CVE-2018-14340,CVE-2018-14341,CVE-2018-14342,CVE-2018-14343,CVE-2018-14344,CVE-2018-14367,CVE-2018-14368,CVE-2018-14369,CVE-2018-14370,CVE-2018-16056,CVE-2018-16057,CVE-2018-16058,CVE-2018-18225,CVE-2018-18226,CVE-2018-18227,CVE-2018-19622,CVE-2018-19623,CVE-2018-19624,CVE-2018-19625,CVE-2018-19626,CVE-2018-19627,CVE-2018-19628,CVE-2019-10894,CVE-2019-10895,CVE-2019-10896,CVE-2019-10897,CVE-2019-10898,CVE-2019-10899,CVE-2019-10900,CVE-2019-10901,CVE-2019-10902,CVE-2019-10903,CVE-2019-13619,CVE-2019-16319,CVE-2019-19553,CVE-2019-5716,CVE-2019-5717,CVE-2019-5718,CVE-2019-5719,CVE-2019-5721,CVE-2019-9208,CVE-2019-9209,CVE-2019-9214,CVE-2020-7044,CVE-2020-9428,CVE-2020-9429,CVE-2020-9430,CVE-2020-9431
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    libmaxminddb-1.4.2-1.3.1, spandsp-0.0.6-3.2.1, wireshark-3.2.2-3.35.2
SUSE Linux Enterprise Server 15-LTSS (src):    libmaxminddb-1.4.2-1.3.1, spandsp-0.0.6-3.2.1, wireshark-3.2.2-3.35.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    spandsp-0.0.6-3.2.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    spandsp-0.0.6-3.2.1, wireshark-3.2.2-3.35.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libmaxminddb-1.4.2-1.3.1, spandsp-0.0.6-3.2.1, wireshark-3.2.2-3.35.2
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libmaxminddb-1.4.2-1.3.1, spandsp-0.0.6-3.2.1, wireshark-3.2.2-3.35.2
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libmaxminddb-1.4.2-1.3.1, spandsp-0.0.6-3.2.1, wireshark-3.2.2-3.35.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-03-19 23:16:25 UTC 
openSUSE-SU-2020:0362-1: An update that fixes 59 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1093733,1094301,1101776,1101777,1101786,1101788,1101791,1101794,1101800,1101802,1101804,1101810,1106514,1111647,1117740,1121231,1121232,1121233,1121234,1121235,1127367,1127369,1127370,1131941,1131945,1136021,1141980,1150690,1156288,1158505,1161052,1165241,1165710,957624
CVE References: CVE-2018-11354,CVE-2018-11355,CVE-2018-11356,CVE-2018-11357,CVE-2018-11358,CVE-2018-11359,CVE-2018-11360,CVE-2018-11361,CVE-2018-11362,CVE-2018-12086,CVE-2018-14339,CVE-2018-14340,CVE-2018-14341,CVE-2018-14342,CVE-2018-14343,CVE-2018-14344,CVE-2018-14367,CVE-2018-14368,CVE-2018-14369,CVE-2018-14370,CVE-2018-16056,CVE-2018-16057,CVE-2018-16058,CVE-2018-18225,CVE-2018-18226,CVE-2018-18227,CVE-2018-19622,CVE-2018-19623,CVE-2018-19624,CVE-2018-19625,CVE-2018-19626,CVE-2018-19627,CVE-2018-19628,CVE-2019-10894,CVE-2019-10895,CVE-2019-10896,CVE-2019-10897,CVE-2019-10898,CVE-2019-10899,CVE-2019-10900,CVE-2019-10901,CVE-2019-10902,CVE-2019-10903,CVE-2019-13619,CVE-2019-16319,CVE-2019-19553,CVE-2019-5716,CVE-2019-5717,CVE-2019-5718,CVE-2019-5719,CVE-2019-5721,CVE-2019-9208,CVE-2019-9209,CVE-2019-9214,CVE-2020-7044,CVE-2020-9428,CVE-2020-9429,CVE-2020-9430,CVE-2020-9431
Sources used:
openSUSE Leap 15.1 (src):    libmaxminddb-1.4.2-lp151.3.3.1, spandsp-0.0.6-lp151.3.3.1, wireshark-3.2.2-lp151.2.9.1