Bug 57820 (CVE-2004-0635)

Summary: VUL-0: CVE-2004-0635: ethereal: security bugs, possible code execution
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Ludwig Nussel <lnussel>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0635: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: ethereal-smb-fix.diff, ethereal-snmp-fix.diff, ethereal-isns-fix.diff

Description Ludwig Nussel 2004-07-07 22:25:30 UTC
Date: Tue, 06 Jul 2004 20:06:04 -0500 
From: Gerald Combs <gerald@ethereal.com> 
To: vendor-sec@lst.de 
Subject: [vendor-sec] Upcoming Ethereal release fixes potential security problems
 
Potential security problems were recently found in the iSNS, SMB, and 
SNMP code in Ethereal: 
 
    http://www.ethereal.com/appnotes/enpa-sa-00015.html 
 
Version 0.10.5 will be released tomorrow or Thursday (July 7th or 8th) 
and will address these issues. 
Comment 1 Ludwig Nussel 2004-07-07 22:27:44 UTC
Created attachment 21987: ethereal-smb-fix.diff

by Josh Bressers: "Here are what appear to be the upstream patches for these
issues."
Comment 2 Ludwig Nussel 2004-07-07 22:28:00 UTC
Created attachment 21988: ethereal-snmp-fix.diff
Comment 3 Ludwig Nussel 2004-07-07 22:28:15 UTC
Created attachment 21989: ethereal-isns-fix.diff
Comment 4 Thomas Biege 2004-07-09 15:11:04 UTC
====================================================== 
Candidate: CAN-2004-0633 
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0633 
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20040707 
Category: SF 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00015.html 
Reference: CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127381 
 
The iSNS dissector for Ethereal 0.10.3 through 0.10.4 allows remote 
attackers to cause a denial of service (process abort) via an integer 
overflow.

======================================================
Candidate: CAN-2004-0634 
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0634 
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20040707 
Category: SF 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00015.html 
Reference: CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127381 
 
The SMB SID snooping capability in Ethereal 0.9.15 to 0.10.4 allows 
remote attackers to cause a denial of service (process crash) via a 
handle without a policy name, which causes a null dereference.

======================================================
Candidate: CAN-2004-0635 
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0635 
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20040707 
Category: SF 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00015.html 
Reference: CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127381 
 
The SNMP dissector in Ethereal 0.8.15 through 0.10.4 allows remote 
attackers to cause a denial of service (process crash) via a (1) 
malformed or (2) missing community string, which causes an 
out-of-bounds read. 
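The SNMP entry above says a malformed or missing community string led to an out-of-bounds read. As an added illustration (not Ethereal's dissector code and not one of the attached patches), here is a bounds-checked parse of the SNMPv1 message header that returns an error for both cases instead of reading past the end of the packet; the function names, the short-form-length-only assumption and the sample packets are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a BER tag and short-form length at *off. Returns 0 on success, -1 if the
 * two header bytes or the content length they announce would run past pkt_len.
 * Long-form lengths (>= 128 bytes) are rejected; that is an assumption for brevity. */
static int ber_hdr(const uint8_t *pkt, size_t pkt_len, size_t *off,
                   uint8_t *tag, size_t *len)
{
    if (pkt_len - *off < 2) return -1;           /* tag and length byte must both exist */
    *tag = pkt[*off];
    *len = pkt[*off + 1];
    if (*len & 0x80) return -1;                  /* long-form length: unsupported here */
    *off += 2;
    if (*len > pkt_len - *off) return -1;        /* claimed content exceeds remaining bytes */
    return 0;
}

/* Locate the community string of an SNMPv1 message, laid out as
 * SEQUENCE { INTEGER version, OCTET STRING community, PDU ... }. Returns its length
 * and sets *community, or -1 if the message is malformed or the string is missing. */
int snmp_community(const uint8_t *pkt, size_t pkt_len, const uint8_t **community)
{
    size_t off = 0, len;
    uint8_t tag;
    if (ber_hdr(pkt, pkt_len, &off, &tag, &len) || tag != 0x30) return -1; /* SEQUENCE */
    pkt_len = off + len;                          /* clamp later reads to the SEQUENCE */
    if (ber_hdr(pkt, pkt_len, &off, &tag, &len) || tag != 0x02) return -1; /* INTEGER */
    off += len;
    if (ber_hdr(pkt, pkt_len, &off, &tag, &len) || tag != 0x04) return -1; /* OCTET STRING */
    *community = pkt + off;
    return (int)len;
}

/* Constructed samples: a well-formed header with community "public"; one whose
 * community length claims 6 bytes when only 2 remain; one with no community at all. */
const uint8_t sample_ok[]      = { 0x30, 0x0b, 0x02, 0x01, 0x00, 0x04, 0x06, 'p','u','b','l','i','c' };
const uint8_t sample_bad[]     = { 0x30, 0x07, 0x02, 0x01, 0x00, 0x04, 0x06, 'p','u' };
const uint8_t sample_missing[] = { 0x30, 0x03, 0x02, 0x01, 0x00 };
int main(void)
{
    const uint8_t *c;
    int n = snmp_community(sample_ok, sizeof sample_ok, &c);
    printf("ok: %d bytes \"%.*s\"\n", n, n, (const char *)c);
    printf("bad: %d, missing: %d\n", snmp_community(sample_bad, sizeof sample_bad, &c),
           snmp_community(sample_missing, sizeof sample_missing, &c));
    return 0;
}
```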
Comment 5 Ludwig Nussel 2004-07-12 21:04:17 UTC
Petr? 
Comment 6 Petr Ostadal 2004-07-12 21:28:20 UTC
Hi,
I am back from vacation and I am going to work on it.
Comment 7 Petr Ostadal 2004-07-13 22:22:37 UTC
I fixed the security bugs in the SMB and SNMP code and submitted it to autobuild.

I found that we aren't vulnerable to the iSNS bug, because the faulty code isn't in
version 0.10.3, which we have in all distributions.

For STABLE I will update it later.
Comment 8 Ludwig Nussel 2004-07-14 16:24:38 UTC
The Ethereal as well as the CAN advisory explicitly state that iSNS affects
versions 0.10.3 and 0.10.4. Fedora has also patched 0.10.3 against the iSNS
flaw. See https://bugzilla.fedora.us/attachment.cgi?id=762&action=view; it seems
like the variable just has a different name.
Comment 9 Petr Ostadal 2004-07-14 17:01:37 UTC
Sorry, you are right. The attached patch in our bugzilla was only for the newer
version, but the one in Fedora is the right one. I will use the fix from Fedora and then
submit it again.
Comment 10 Petr Ostadal 2004-07-14 18:46:19 UTC
Done, I added the backported fix from Fedora and submitted all packages to autobuild.
Comment 11 Thomas Biege 2004-07-15 19:56:32 UTC
Ludwig,
can you take care of the approval and the laufzettel please?
Comment 12 Ludwig Nussel 2004-08-10 18:03:18 UTC
packages approved 
Comment 13 Thomas Biege 2009-10-13 20:28:21 UTC
CVE-2004-0635: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)