Bugzilla – Bug 80581
VUL-0: CVE-2005-1470: Ethereal once again
Last modified: 2021-11-04 16:07:38 UTC
Be warned. This is a huge list of issues. Looks like a version upgrade is needed?

Date: Tue, 26 Apr 2005 14:45:18 -0500
From: Gerald Combs <gerald@ethereal.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] Upcoming Ethereal release (0.10.11) fixes a large number of vulnerabilities

An aggressive testing program along with independent reports have revealed a large number of bugs in Ethereal. These will be fixed in the next release, tentatively scheduled for May 2nd or 3rd. Bugs discovered so far are listed below, and there are several more in the pipeline. I'll send an update in a few days as more bugs are fixed.

The ANSI A dissector was susceptible to format string vulnerabilities.
Discovered by Bryan Fulton.
Versions affected: 0.9.15 to 0.10.10
Fixed in revisions: 13793, 13794

The GSM MAP dissector could crash.
Versions affected: 0.10.0 to 0.10.10
Fixed in revisions: 13984, 13985, 13986

The AIM dissector could cause a crash.
Versions affected: 0.9.14 to 0.10.10
Fixed in revisions: 13955

The DISTCC dissector was susceptible to a buffer overflow.
Discovered by Ilja van Sprundel.
Versions affected: 0.9.13 to 0.10.10
Fixed in revisions: 14016

The FCELS dissector was susceptible to a buffer overflow.
Discovered by Neil Kettle.
Versions affected: 0.9.9 to 0.10.10
Fixed in revisions: 14027

The SIP dissector was susceptible to a buffer overflow.
Discovered by Ejovi Nuwere.
Versions affected: 0.10.0 to 0.10.10
Fixed in revisions: 14155

The KINK dissector was susceptible to a null pointer exception, endless looping, and other problems.
Versions affected: 0.10.10
Fixed in revisions: 13797, 13803, 13853, 13896

The LMP dissector was susceptible to an endless loop.
Versions affected: 0.9.4 to 0.10.10
Fixed in revisions: 13878, 13879

The Telnet dissector could abort.
Versions affected: 0.9.10 to 0.10.10
Fixed in revisions: 13739, 13740

The TZSP dissector could cause a segmentation fault.
Versions affected: 0.10.10 to 0.10.10
Fixed in revisions: 13790

The WSP dissector was susceptible to a null pointer exception and assertions.
Versions affected: 0.10.0 to 0.10.10
Fixed in revisions: 13868, 13869, 13876, 14018, 14029, 14110, 14111

The 802.3 Slow protocols dissector could throw an assertion.
Versions affected: 0.10.10
Fixed in revisions: 13950

The BER dissector could throw assertions.
Versions affected: 0.10.2 to 0.10.10
Fixed in revisions: 14064, 14065, 14078, 14079, 14080, 14092, 14145

The SMB Mailslot dissector was susceptible to a null pointer exception and could throw assertions.
Versions affected: 0.9.0 to 0.10.10
Fixed in revisions: 14066, 14067, 14129

The H.245 dissector was susceptible to a null pointer exception.
Versions affected: 0.10.10
Fixed in revisions: 14072

The Bittorrent dissector could cause a segmentation fault.
Versions affected: 0.10.8 to 0.10.10
Fixed in revisions: 14136

The SMB dissector could cause a segmentation fault and throw assertions.
Versions affected: 0.9.0 to 0.10.10
Fixed in revisions: 13968, 14077, 14107, 14149

The Fibre Channel dissector could cause a crash.
Versions affected: 0.9.9 to 0.10.10
Fixed in revisions: 14115, 14154

The DICOM dissector could attempt to allocate large amounts of memory.
Versions affected: 0.10.4 to 0.10.10
Fixed in revisions: 14117

The MGCP dissector was susceptible to a null pointer exception, could loop indefinitely, and segfault.
Versions affected: 0.8.14 to 0.10.10
Fixed in revisions: 14119, 14121, 14181

The RSVP dissector could loop indefinitely.
Versions affected: 0.9.8 to 0.10.10
Fixed in revisions: 14128, 14153, 14165, 14168

The DHCP dissector was susceptible to format string vulnerabilities, and could abort.
Versions affected: 0.10.7 to 0.10.10
Fixed in revisions: 14019, 14141

The SRVLOC dissector could crash unexpectedly or go into an infinite loop.
Versions affected: 0.9.8 to 0.10.10
Fixed in revisions: 14150, 14182

The EIGRP dissector could loop indefinitely.
Versions affected: 0.8.18 to 0.10.10
Fixed in revisions: 14151

The ISIS dissector could overflow a buffer.
Versions affected: 0.8.18 to 0.10.10
Fixed in revisions: 14161

The CMIP, CMP, CMS, CRMF, ESS, OCSP, PKIX1Explicit, PKIX Qualified, and X.509 dissectors could overflow buffers.
Versions affected: 0.10.4 to 0.10.10
Fixed in revisions: 14169

The NDPS dissector could exhaust system memory or cause an assertion.
Versions affected: 0.9.12 to 0.10.10
Fixed in revisions: 14172, 14183

The Q.931 dissector could try to free a null pointer and overflow a buffer.
Versions affected: 0.10.10
Fixed in revisions: 14173

The IAX2 dissector could throw an assertion.
Versions affected: 0.10.1 to 0.10.10
Fixed in revisions: 14175

The ICEP dissector could try to free the same memory twice.
Versions affected: 0.10.7 to 0.10.10
Fixed in revisions: 14176

The MEGACO dissector was susceptible to an infinite loop.
Versions affected:
Fixed in revisions:

The DLSw dissector was susceptible to an infinite loop.
Versions affected: 0.9.1 to 0.10.10
Fixed in revisions: 14178

The RPC dissector was susceptible to a null pointer exception and
Versions affected: 0.9.2 to 0.10.10
Fixed in revisions: 14186

The following dissectors could throw an assertion when passing an invalid protocol tree item length.
Versions affected: 0.10.8 to 0.10.10
PPP: 13897, 13898, 13900, 13901, 13906, 13908, 13921, 13927
FCP: 13899, 13917
ISAKMP: 13974
Vines: 13925
MIPv6: 13963
PER: 13970
T.38: 14014
SSL: 14120
NCP: 14159
MMSE: 14163
DCERPC: 14171
ISMP: 14171
EPM: 14174

Ethereal's SVN repository can be browsed online at http://anonsvn.ethereal.com/viewcvs/viewcvs.py/

Information on obtaining the source code can be found at http://www.ethereal.com/development.html#source

Please don't hesitate to contact me if you have any questions.
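The practical question for a package maintainer reading the mail above is which of these entries apply to the Ethereal version actually shipped and, if a version upgrade is not an option, which SVN revisions a backport would have to carry. The following triage helper is an added example, not code from the Ethereal project or from anyone on this bug: it parses the "dissector / Versions affected / Fixed in revisions" layout of the advisory, compares dotted version numbers component-wise, lists the applicable entries and the revision set for a given installed version, and flags entries the advisory left incomplete (the MEGACO entry has blank fields) instead of silently treating them as not affected. The advisory text embedded in the block is a constructed sample of a few entries copied from the mail; the regexes assume the mail's one-field-per-line layout.

```python
"""Triage helper for a per-dissector advisory in the layout of the mail above.

Added example, not Ethereal project code. It answers two maintainer
questions: which advisory entries apply to an installed version, and
which SVN revisions a backport of those fixes would have to include.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample input: five complete entries from the mail plus the
# MEGACO entry, whose version and revision fields the mail left blank.
ADVISORY = """\
The ANSI A dissector was susceptible to format string vulnerabilities.
Discovered by Bryan Fulton.
Versions affected: 0.9.15 to 0.10.10
Fixed in revisions: 13793, 13794
The DISTCC dissector was susceptible to a buffer overflow.
Versions affected: 0.9.13 to 0.10.10
Fixed in revisions: 14016
The KINK dissector was susceptible to a null pointer exception, endless looping, and other problems.
Versions affected: 0.10.10
Fixed in revisions: 13797, 13803, 13853, 13896
The TZSP dissector could cause a segmentation fault.
Versions affected: 0.10.10 to 0.10.10
Fixed in revisions: 13790
The EIGRP dissector could loop indefinitely.
Versions affected: 0.8.18 to 0.10.10
Fixed in revisions: 14151
The MEGACO dissector was susceptible to an infinite loop.
Versions affected:
Fixed in revisions:
"""

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Issue:
    dissector: str
    description: str
    first: Optional[Version]   # None when the advisory left the field blank
    last: Optional[Version]
    revisions: Tuple[int, ...]


# Assumed layout (matches the mail): a sentence naming the dissector, then
# "Versions affected: A to B" (or a single version), then "Fixed in revisions: ...".
HEAD = re.compile(r"^The (.+?) dissector (.*?)\.?$")
VERS = re.compile(r"^Versions affected:\s*(\S+)?(?:\s+to\s+(\S+))?\s*$")
REVS = re.compile(r"^Fixed in revisions:\s*(.*)$")


def parse_version(text: str) -> Version:
    """'0.10.10' -> (0, 10, 10). Tuples compare component-wise, which is what
    dotted release numbers need (0.9.15 < 0.10.0, unlike a string compare)."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_advisory(text: str):
    issues, cur = [], None
    for line in text.splitlines():
        if (m := HEAD.match(line)):
            cur = {"dissector": m.group(1), "description": m.group(2),
                   "first": None, "last": None, "revisions": ()}
        elif cur and (m := VERS.match(line)):
            first = parse_version(m.group(1)) if m.group(1) else None
            # a single version ("0.10.10") means first == last
            last = parse_version(m.group(2)) if m.group(2) else first
            cur["first"], cur["last"] = first, last
        elif cur and (m := REVS.match(line)):
            cur["revisions"] = tuple(int(r) for r in re.findall(r"\d+", m.group(1)))
            issues.append(Issue(**cur))
            cur = None
    return issues


def affected_issues(issues, version: str):
    """Entries whose affected range contains the installed version."""
    v = parse_version(version)
    return [i for i in issues if i.first is not None and i.first <= v <= i.last]


def incomplete_issues(issues):
    """Entries that cannot be evaluated: missing range or missing fix revisions.
    These need manual follow-up rather than being treated as 'not affected'."""
    return [i for i in issues if i.first is None or not i.revisions]


def backport_revisions(issues, version: str):
    """Sorted, de-duplicated SVN revisions a backport for this version must carry."""
    return sorted({r for i in affected_issues(issues, version) for r in i.revisions})


if __name__ == "__main__":
    issues = parse_advisory(ADVISORY)
    for installed in ("0.9.14", "0.10.10", "0.10.11"):
        hit = affected_issues(issues, installed)
        print(f"{installed}: {len(hit)} applicable entries "
              f"({', '.join(i.dissector for i in hit) or 'none'}); "
              f"backport needs revisions {backport_revisions(issues, installed)}")
    for i in incomplete_issues(issues):
        print(f"needs manual review, advisory entry incomplete: {i.dissector}")
```

Feeding it the full advisory and each shipped package version gives the revision list per product line; when that list runs to dozens of revisions across many dissectors, as it does here, it makes the case for the version upgrade discussed below rather than a per-fix backport.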
;) super, The version update will help me, the backporting of different versions consumed a lot of time ;(. Can I make it?
I queried AJ and RF ... AJ has given his approval for the box products already, waiting for Ralf.
Today a new version of ethereal was released (http://www.ethereal.com/appnotes/enpa-sa-00019.html ). I am preparing the update for SL BOXes and I am still waiting for Ralf's decision (update for SLES9-SP2 is urgent).
I read now, that Gerald Pfeifer is responsible for SLES8 and SLES9. Gerald, could you decide version update for SLES?
Petr, if you do not hear otherwise by Monday, 16:00, the version update for SLES9 is okay. If you urgently need a decision before then, the version update is also okay. (I'll try to check with Ralf.)
Petr, the update is okay but please make sure that this does not change any existing command-line options or file formats (if applicable, I don't know whether Ethereal has any specific files).
I have updated ethereal in sles8, 9.0, 9.1, sles9, sles9-sp2 (=sles9-beta), 9.2, 9.3 and stable. Markus, make swamp id and patchinfo for it.
swampid: 1143
Yes, see below.

---------- Forwarded message ----------
Date: Thu, 5 May 2005 19:31:22 -0400 (EDT)
From: Steven M. Christey <coley@linus.mitre.org>
To: Mark J Cox <mjc@redhat.com>
Cc: Steven M. Christey <coley@linus.mitre.org>, bressers@redhat.com
Subject: Re: 20+ CVE names needed .....

OK, I took a look at this advisory, and also at that massive Oracle advisory. I'm currently of the mindset that in large-scale reports like this (where let's say there are 20 or more issues), I'd SPLIT by bug type and the *maximum* affected version, but ignore the starting versions. This is a change from previous approaches, ESPECIALLY since we have all the relevant details right here, but I want to keep this exception to large-scale discoveries only.

This leaves 15 CANs for Ethereal and about 27 for that massive Oracle advisory. Still large, but not ludicrously large.

See the Ethereal CANs below.

- Steve

======================================================
Candidate: CAN-2005-1456
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1456
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Multiple unknown vulnerabilities in the (1) DHCP and (2) Telnet dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (abort).

======================================================
Candidate: CAN-2005-1457
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1457
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Multiple unknown vulnerabilities in the (1) AIM, (2) LDAP, (3) FibreChannel, (4) GSM_MAP, (5) SRVLOC, and (6) NTLMSSP dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (crash).

======================================================
Candidate: CAN-2005-1458
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1458
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Multiple unknown "other problems" in the KINK dissector in Ethereal before 0.10.11 have unknown impact and attack vectors.

======================================================
Candidate: CAN-2005-1459
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1459
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Multiple unknown vulnerabilities in the (1) WSP, (2) BER, (3) SMB, (4) NDPS, (5) IAX2, (6) RADIUS, (7) TCAP, (8) MRDISC, (9) 802.3 Slow, (10) SMBMailslot, or (11) SMB PIPE dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (assert error).

======================================================
Candidate: CAN-2005-1460
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1460
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Multiple unknown dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (assert error) via an invalid protocol tree item length.

======================================================
Candidate: CAN-2005-1461
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1461
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Multiple buffer overflows in the (1) SIP, (2) CMIP, (3) CMP, (4) CMS, (5) CRMF, (6) ESS, (7) OCSP, (8) X.509, (9) ISIS, (10) DISTCC, (11) FCELS, (12) Q.931, (13) NCP, (14) TCAP, (15) ISUP, (16) MEGACO, (17) PKIX1Explicit, (18) PKIX_Qualified, (19) Presentation dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code.

======================================================
Candidate: CAN-2005-1462
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1462
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Double-free vulnerability in the ICEP dissector in Ethereal before 0.10.11 may allow remote attackers to execute arbitrary code.

======================================================
Candidate: CAN-2005-1463
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1463
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Multiple format string vulnerabilities in the (1) DHCP and (2) ANSI A dissectors in Ethereal before 0.10.11 may allow remote attackers to execute arbitrary code.

======================================================
Candidate: CAN-2005-1464
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1464
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Multiple unknown vulnerabilities in the (1) KINK, (2) L2TP, (3) MGCP, (4) EIGRP, (5) DLSw, (6) MEGACO, (7) LMP, and (8) RSVP dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (infinite loop).

======================================================
Candidate: CAN-2005-1465
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1465
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Unknown vulnerability in the NCP dissector in Ethereal before 0.10.11 allows remote attackers to cause a denial of service (long loop).

======================================================
Candidate: CAN-2005-1466
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1466
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Unknown vulnerability in the DICOM dissector in Ethereal before 0.10.11 allows remote attackers to cause a denial of service (large memory allocation) via unknown vectors.

======================================================
Candidate: CAN-2005-1467
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1467
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Unknown vulnerability in the NDPS dissector in Ethereal before 0.10.11 allows remote attackers to cause a denial of service (memory exhaustion) via unknown vectors.

======================================================
Candidate: CAN-2005-1468
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1468
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Multiple unknown vulnerabilities in the (1) WSP, (2) Q.931, (3) H.245, (4) KINK, (5) MGCP, (6) RPC, (7) SMBMailslot, and (8) SMB NETLOGON Ethereal before 0.10.11 allow remote attackers to cause a denial of service (crash) via unknown vectors that lead to a null dereference.

======================================================
Candidate: CAN-2005-1469
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1469
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Unknown vulnerability in the GSM dissector in Ethereal before 0.10.11 allows remote attackers to cause the dissector to access an invalid pointer.

======================================================
Candidate: CAN-2005-1470
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1470
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html

Multiple unknown vulnerabilities in the (1) TZSP, (2) MGCP, (3) ISUP, (4) SMB, or (5) Bittorrent dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (segmentation fault) via unknown vectors.
Created attachment 36934 [details] ethereal_sip.c sample crash demo, run with: ./ethereal_sip <hostname>
*** Bug 83751 has been marked as a duplicate of this bug. ***
Why is there no submission for 8.2?
my fault, no it is ok
packages approved
CVE-2005-1470: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)