Bugzilla – Bug 128637
VUL-0: CVE-2005-3249: ethereal: new version fixes several security-related bugs
Last modified: 2021-12-06 12:14:57 UTC
Hello Petr, we received this via vendor-sec.

From: Gerald Combs <gerald@ethereal.com>
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
To: vendor-sec@lst.de
Subject: [vendor-sec] Upcoming Ethereal release (0.10.13) fixes several vulnerabilities
Errors-To: vendor-sec-admin@lst.de
Date: Fri, 14 Oct 2005 14:59:35 -0500

Black box testing along with independent reports have revealed several bugs in Ethereal. These will be fixed in the next release, scheduled for October 17. The bugs are listed below.

The ISAKMP dissector could exhaust system memory.
  Fixed in: r15163
  Bug IDs: none
  Versions affected: 0.10.11 to 0.10.12.

The FC-FCS dissector could exhaust system memory.
  Fixed in: r15204
  Bug IDs: 312
  Versions affected: 0.9.0 to 0.10.12.

The RSVP dissector could exhaust system memory.
  Fixed in: r15206, r15600
  Bug IDs: 311, 314, 382
  Versions affected: 0.9.4 to 0.10.12.

The ISIS LSP dissector could exhaust system memory.
  Fixed in: r15245
  Bug IDs: 320, 326
  Versions affected: 0.8.18 to 0.10.12.

The IrDA dissector could crash.
  Fixed in: r15265, r15267
  Bug IDs: 328, 329, 330, 334, 335, 336
  Versions affected: 0.10.0 to 0.10.12.

The SLIMP3 dissector could overflow a buffer.
  Fixed in: r15279
  Bug IDs: 327
  Versions affected: 0.9.1 to 0.10.12.

The BER dissector was susceptible to an infinite loop.
  Fixed in: r15292
  Bug IDs: none
  Versions affected: 0.10.3 to 0.10.12.

The SCSI dissector could dereference a null pointer and crash.
  Fixed in: r15289
  Bug IDs: none
  Versions affected: 0.10.3 to 0.10.12.

If the "Dissect unknown RPC program numbers" option was enabled, the ONC RPC dissector might be able to exhaust system memory. This option is disabled by default.
  Fixed in: r15290
  Bug IDs: none
  Versions affected: 0.7.7 to 0.10.12.

The sFlow dissector could dereference a null pointer and crash.
  Fixed in: r15375
  Bug IDs: 356
  Versions affected: 0.9.14 to 0.10.12.

The RTnet dissector could dereference a null pointer and crash.
  Fixed in: r15673
  Bug IDs: none
  Versions affected: 0.10.8 to 0.10.12.

The SigComp UDVM could go into an infinite loop or crash.
  Fixed in: r15715, r15901, r15919
  Bug IDs: none
  Versions affected: 0.10.12.

If SMB transaction payload reassembly is enabled the SMB dissector could crash. This preference is disabled by default.
  Fixed in: r15789
  Bug IDs: 421
  Versions affected: 0.9.7 to 0.10.12.

The X11 dissector could attempt to divide by zero.
  Fixed in: r15927
  Bug IDs: none
  Versions affected: 0.10.1 to 0.10.12.

The AgentX dissector could overflow a buffer.
  Fixed in: r16003
  Bug IDs: none
  Versions affected: 0.10.10 to 0.10.12.

The WSP dissector could free an invalid pointer.
  Fixed in: r16220
  Bug IDs: none
  Versions affected: 0.10.1 to 0.10.12.

iDEFENSE found a buffer overflow in the SRVLOC dissector.
  Fixed in: r16206
  Bug IDs: none
  Versions affected: 0.10.0 to 0.10.12.

Ethereal's SVN repository can be browsed online at http://anonsvn.ethereal.com/viewcvs/viewcvs.py/

Information on obtaining the source code can be found at http://www.ethereal.com/development.html#source

Please don't hesitate to contact me if you have any questions.

_______________________________________________
Vendor Security mailing list
Thomas, could I prepare version update to save time? (same as last time we do it)
Yes, please do the version update. It is probably too time-intensive to separate a patch.

CAN-2005-3241
  ISAKMP "exhaust system memory" from 0.10.11 to 0.10.12
  FC-FCS "exhaust system memory" from 0.9.0 to 0.10.12
  RSVP "exhaust system memory" from 0.9.4 to 0.10.12
  ISIS LSP "exhaust system memory" from 0.8.18 to 0.10.12

CAN-2005-3242
  IrDA crash from 0.10.0 to 0.10.12
  SMB crash from 0.9.7 to 0.10.12

CAN-2005-3243
  SLIMP3 "buffer overflow" from 0.9.1 to 0.10.12
  AgentX "buffer overflow" from 0.10.10 to 0.10.12

CAN-2005-3244
  BER "infinite loop" from 0.10.3 to 0.10.12

CAN-2005-3245
  ONC RPC "exhaust system memory" from 0.7.7 to 0.10.12

CAN-2005-3246
  SCSI "null dereference" from 0.10.3 to 0.10.12
  sFlow "null dereference" from 0.9.14 to 0.10.12
  RTnet "null dereference" from 0.10.8 to 0.10.12

CAN-2005-3247
  SigComp UDVM "infinite loop or crash" 0.10.12

CAN-2005-3248
  X11 "divide by zero" from 0.10.1 to 0.10.12

CAN-2005-3249
  WSP "free an invalid pointer" from 0.10.1 to 0.10.12

CAN-2005-3184 (already assigned to iDEFENSE)
  SRVLOC "buffer overflow (iDEFENSE)" from 0.10.0 to 0.10.12
Submitted for sles8, sles9, 9.1, 9.2, 9.3, 10.0 and STABLE.
Maintenance-Tracker-2654. I will do patchinfos.
The 9.0 version is missing...
9.0 submitted.
Date: Wed, 26 Oct 2005 11:32:31 +0200
From: Thierry Carrez <koon@gentoo.org>
To: Gerald Combs <gerald@ethereal.com>
Cc: vendor-sec@lst.de
Subject: Re: [vendor-sec] Upcoming Ethereal release (0.10.13) fixes several vulnerabilities

Gerald Combs wrote:
> A couple of last-minute bugs popped up. 0.10.13 is now available on the
> Ethereal web site.

Gerald,

We are preparing Gentoo packages for ethereal-0.10.13 and during QA we observed a freeze (with 100% CPU usage) when loading the attached dump.pkt capture file in ethereal. This has been observed at least on x86 and amd64.

"tethereal -r dump.pkt" opens the file OK. Ethereal 0.10.12 opens the file OK. The regression currently blocks our security release.

vendor-sec members might want to double-check their security releases using this file too.

Regards,

-- 
Thierry Carrez (Koon)
Gentoo Linux Security
Created attachment 55508: mentioned file
Do we need the fix?

Date: Wed, 26 Oct 2005 09:57:24 -0500
From: Gerald Combs <gerald@ethereal.com>
To: Thierry Carrez <koon@gentoo.org>
Cc: vendor-sec@lst.de
Subject: Re: [vendor-sec] Upcoming Ethereal release (0.10.13) fixes several vulnerabilities

Thierry Carrez wrote:
> Gerald Combs wrote:
>> A couple of last-minute bugs popped up. 0.10.13 is now available on the
>> Ethereal web site.
>
> Gerald,
>
> We are preparing Gentoo packages for ethereal-0.10.13 and during QA we
> observed a freeze (with 100% CPU usage) when loading the attached
> dump.pkt capture file in ethereal. This has been observed at least on
> x86 and amd64.
>
> "tethereal -r dump.pkt" opens the file OK. Ethereal 0.10.12 opens the
> file OK. The regression currently blocks our security release.

"tethereal -Vr dump.pkt" triggered the bug here.

> vendor-sec members might want to double-check their security releases
> using this file too.

The problem was an infinite loop in the IRC dissector. It was discovered by our build system on the 23rd:

http://bugs.ethereal.com/bugzilla/show_bug.cgi?id=548

and fixed on the 24th in revision 16290:

http://anonsvn.ethereal.com/viewcvs/viewcvs.py/trunk/epan/dissectors/packet-irc.c

It was introduced 4 weeks ago. Unfortunately it made it into the 0.10.13 release.

BTW, may we add the capture file you sent (dump.pkt) to our collection of test captures? It would be used for the "menagerie" tests at http://buildbot.ethereal.com/.

_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
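The release check Thierry and Gerald describe (feeding a capture such as dump.pkt to tethereal and watching for a hang or a crash), written up as an added shell example that is not part of the bug report or of Ethereal; it assumes GNU coreutils timeout(1) and defaults to the "tethereal -Vr" command quoted in the thread, with the command and the hang limit overridable through DISSECT_CMD and HANG_SECS.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Ethereal: run every
# capture file in a directory through a command-line dissector under a time
# limit and classify the result, so a security release can be checked against
# captures such as dump.pkt before it ships. Assumes GNU coreutils timeout(1).

# Dissector command; "tethereal -Vr" is what triggered the IRC loop in the thread.
# Left unquoted below on purpose so the shell splits it into command and flags.
: "${DISSECT_CMD:=tethereal -Vr}"
# Seconds to wait before declaring a hang (an infinite dissector loop).
: "${HANG_SECS:=30}"

# classify_run FILE: prints ok, hang, crash(signal N) or error(N);
# returns 0 only when the dissector finished cleanly.
classify_run() {
    file=$1
    rc=0
    timeout "$HANG_SECS" $DISSECT_CMD "$file" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   echo ok;   return 0 ;;
        124) echo hang; return 1 ;;        # timeout(1) had to kill the child
        *)
            if [ "$rc" -gt 128 ]; then
                echo "crash(signal $((rc - 128)))"   # died by a signal, e.g. SIGSEGV = 11
            else
                echo "error($rc)"                    # dissector exited with an error
            fi
            return 1 ;;
    esac
}

# check_captures DIR: one "result<TAB>file" line per capture; the return value
# is the number of captures that hung, crashed or failed (0 means all clean).
check_captures() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        result=$(classify_run "$f") || bad=$((bad + 1))
        printf '%s\t%s\n' "$result" "$f"
    done
    return "$bad"
}
```

A "hang" verdict on a file that 0.10.12 opens cleanly is exactly the regression Gentoo hit; run the script again after applying the packet-irc.c fix to confirm it goes away.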
YES we need it.
Patch added to all distros and submitted.
CVE-2005-3313 for the new issue
updates released, thanks!
CVE-2005-3249: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)