Bug 867485 (CVE-2014-2281)

Summary: VUL-0: wireshark 1.10.6 and 1.8.13 maintenance releases fix several vulnerabilities
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <Andreas.Stieger>
Component: Incidents
Assignee: Chunyan Liu <cyliu>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, cyliu, meissner, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: All
Whiteboard: maint:released:sle11-sp1:56779 maint:released:sle10-sp3:56781 maint:released:sle11-sp3:56780
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2014-03-08 10:02:24 UTC
https://www.wireshark.org/docs/relnotes/wireshark-1.10.6.html

* The NFS dissector could crash
  wnpa-sec-2014-01 CVE-2014-2281
* The M3UA dissector could crash
  wnpa-sec-2014-02 CVE-2014-2282
* The RLC dissector could crash
  wnpa-sec-2014-03 CVE-2014-2283
* The MPEG file parser could overflow a buffer
  wnpa-sec-2014-04 CVE-2014-2299

https://www.wireshark.org/docs/relnotes/wireshark-1.8.13.html

* The NFS dissector could crash
  wnpa-sec-2014-01 CVE-2014-2281
* The RLC dissector could crash
  wnpa-sec-2014-03 CVE-2014-2283
* The MPEG file parser could overflow a buffer
  wnpa-sec-2014-04 CVE-2014-2299

Reproducible: Didn't try

Comment 1 Andreas Stieger 2014-03-08 11:32:54 UTC
Maintenance request for openSUSE 12.3 and 13.1:
https://build.opensuse.org/request/show/225145

Comment 2 Bernhard Wiedemann 2014-03-08 12:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (867485) was mentioned in
https://build.opensuse.org/request/show/225147 Factory / wireshark

Comment 3 Marcus Meissner 2014-03-13 10:23:58 UTC
CVE-2014-2281 CVE-2014-2282 CVE-2014-2283 CVE-2014-2299

Comment 4 Swamp Workflow Management 2014-03-17 09:04:36 UTC
openSUSE-SU-2014:0382-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 867485
CVE References: CVE-2014-2281,CVE-2014-2282,CVE-2014-2283,CVE-2014-2299
Sources used:
openSUSE 13.1 (src):    wireshark-1.10.6-8.1
openSUSE 12.3 (src):    wireshark-1.8.13-1.32.1

Comment 5 Swamp Workflow Management 2014-03-17 10:04:19 UTC
openSUSE-SU-2014:0383-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 867485
CVE References: CVE-2014-2281,CVE-2014-2283,CVE-2014-2299
Sources used:
openSUSE 11.4 (src):    wireshark-1.8.13-69.1

Comment 8 Swamp Workflow Management 2014-03-25 09:35:43 UTC
The SWAMPID for this issue is 56778.
This issue was rated as moderate.
Please submit fixed packages until 2014-04-08.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 9 SMASH SMASH 2014-03-25 09:40:11 UTC
Affected packages:

SLE-11-SP3: wireshark
SLE-10-SP3-TERADATA: wireshark

Comment 10 Swamp Workflow Management 2014-04-07 07:06:09 UTC
Update released for: wireshark, wireshark-debuginfo, wireshark-debugsource, wireshark-devel
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)

Comment 11 Swamp Workflow Management 2014-04-07 09:04:21 UTC
Update released for: wireshark, wireshark-debuginfo, wireshark-devel
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)

Comment 12 Swamp Workflow Management 2014-04-07 23:13:01 UTC
Update released for: wireshark, wireshark-debuginfo, wireshark-debugsource, wireshark-devel
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)

Comment 13 Swamp Workflow Management 2014-04-08 03:04:23 UTC
SUSE-SU-2014:0487-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 867485
CVE References: CVE-2014-2281,CVE-2014-2282,CVE-2014-2283,CVE-2014-2299
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    wireshark-1.8.13-0.5.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    wireshark-1.8.13-0.5.1
SUSE Linux Enterprise Server 11 SP3 (src):    wireshark-1.8.13-0.5.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    wireshark-1.8.13-0.5.1

Comment 14 Alexander Bergmann 2014-04-09 07:51:39 UTC
Fixed and released. Closing bug.