Bug 742815 - VUL-0: wireshark more memory/typecast issues
Status: RESOLVED DUPLICATE of bug 741187
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Priority: P3 - Medium, Severity: Normal
Assigned To: Chunyan Liu
Reported: 2012-01-23 10:18 UTC by Sebastian Krahmer
Modified: 2012-02-03 01:49 UTC

Description Sebastian Krahmer 2012-01-23 10:18:17 UTC
We probably also need to fix these (via OSS-sec):
(3 new issues + CVE's, see end of the comment)

[...]

>> Type-cast error: Caused because of casting unsigned to signed int (ws bug 6663). This leaves the app in an unstable state.
>> -
>> 1. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6663
>> This is a type cast issue, caused because of casting an unsigned int to signed int.
>> In the unfixed version this would throw an exception which the application would catch, but leave it in an unstable state. The patch makes sure that the value passed was less than G_MAXINT
>> Patch:
>> http://anonsvn.wireshark.org/viewvc?view=revision&revision=40164
>>
>> =======
>> Application crash/DoS because of trying to allocate too large a buffer size (ws bug 6666, 6667, 6669).
>> -
>> 2. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6666
>> 5Views file format DoS due to request to allocate too large a buffer size.
>> Normally glib should terminate the application with something like
>> "GLib-ERROR **: gmem.c:239: failed to allocate 3221228094 bytes"
>> Resolved by clamping the value of packet_size
>> Patch:
>> http://anonsvn.wireshark.org/viewvc?view=revision&revision=40165
>>
>> 3. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6667
>> Same problem and solution but with i4b capture format now
>> Patch:
>> http://anonsvn.wireshark.org/viewvc?view=revision&revision=40166
>>
>> 5. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6669
>> Similar issue with netmon file format.
>> Patch:
>> http://anonsvn.wireshark.org/viewvc?view=revision&revision=40168
>>
>> =======
>> Integer underflow causing too large buffer to be allocated and a crash (ws bug 6668).
>> -
>> 4. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6668
>> Same problem and solution but with iptrace capture format. Also some checks for bad file format.
>> Patch:
>> http://anonsvn.wireshark.org/viewvc?view=revision&revision=40167
>>
>> =======
>> Memory corruption (buffer-overflow) when reading novell capture file format. glibc however detects this and terminates the application (ws bug 6670)
>> -
>> 6. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6670
>> Similar issue with netmon file format.
>> Patch:
>> http://anonsvn.wireshark.org/viewvc?view=revision&revision=40169
>>
>> =======
>>
>> So we already have one CVE assigned for all these, my thought would be to use CVE-2012-0041 for the first one (6663) and assign new CVE's for the rest. Comments/questions?
>>
>
>
> You are correct, we may need to split this into 4 parts:
>
>
> 6663 - typecast flaw
Please continue to use CVE-2012-0041 for this issue (6663)

> 6666, 6667, 6669 - DoS due to too large buffer alloc request
Please use CVE-2012-0066 for these issues (6666, 6667, 6669)

> 6668 - DoS due to integer underflow and too large buffer alloc. request
Please use CVE-2012-0067 for this issue (6668)

> 6670 - memory corruption due to buffer underflow
Please use CVE-2012-0068 for this issue (6670)
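
The allocation and cast issues quoted above (6663, 6666/6667/6669, 6668) all come from using a file-supplied length before validating it. The following C is an added example, not Wireshark's code or the referenced patches: `HDR_LEN`, `MAX_PACKET_SIZE` and the function names are hypothetical, `INT_MAX` stands in for GLib's `G_MAXINT`, and out-of-range lengths are rejected rather than clamped.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HDR_LEN          8u      /* hypothetical fixed record-header size */
#define MAX_PACKET_SIZE  65535u  /* hypothetical upper bound for one packet */

/* Unchecked pattern: wraps to a huge value when rec_len < HDR_LEN. */
uint32_t payload_len_unchecked(uint32_t rec_len) { return rec_len - HDR_LEN; }

/* Checked pattern: 0 and the payload length on success, -1 if the
 * file-supplied record length cannot be trusted. */
int payload_len_checked(uint32_t rec_len, uint32_t *out)
{
    if (rec_len < HDR_LEN) return -1;                    /* would underflow */
    if (rec_len - HDR_LEN > MAX_PACKET_SIZE) return -1;  /* oversized request */
    *out = rec_len - HDR_LEN;
    return 0;
}

/* Unsigned-to-signed conversion: refuse values that do not fit in int
 * instead of letting them become negative. */
int to_int_checked(uint32_t v, int *out)
{
    if (v > (uint32_t)INT_MAX) return -1;
    *out = (int)v;
    return 0;
}

/* Allocate the payload buffer only after the length has been validated. */
unsigned char *alloc_payload(uint32_t rec_len, uint32_t *payload_len)
{
    if (payload_len_checked(rec_len, payload_len) != 0) return NULL;
    return malloc(*payload_len ? *payload_len : 1);
}

int main(void)
{
    /* Constructed length fields: too short, plausible, and the size from
     * the GLib error message quoted in the report. */
    uint32_t samples[] = { 4u, 72u, 3221228094u }, n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned char *buf = alloc_payload(samples[i], &n);
        printf("rec_len=%u -> %s\n", (unsigned)samples[i], buf ? "accepted" : "rejected");
        free(buf);
    }
    return 0;
}
```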

Comment 1 Sebastian Krahmer 2012-01-23 11:07:49 UTC
We should use MaintenanceTracker-45064 for this.
You probably need to resubmit the wireshark packages, so we can fix the bugs all along. :/

Comment 2 Swamp Workflow Management 2012-01-23 23:00:21 UTC
bugbot adjusting priority

Comment 3 Chunyan Liu 2012-01-29 02:21:15 UTC
Duplication of bug #741187. I've updated our package to 1.4.11; all these bugs have been fixed in this version.

*** This bug has been marked as a duplicate of bug 741187 ***