Bug 960382 – VUL-0: wireshark: multiple dissector crashes fixed in 1.12.9 and 2.0.1

Bug 960382 - (CVE-2015-8711) VUL-0: wireshark: multiple dissector crashes fixed in 1.12.9 and 2.0.1

(CVE-2015-8711)
Summary:	VUL-0: wireshark: multiple dissector crashes fixed in 1.12.9 and 2.0.1

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2015-12-30 08:05 UTC by Andreas Stieger
Modified:	2016-04-27 19:49 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2015-12-30 08:05:07 UTC

Following bug 941500 and bug 950437, a number of protocol dissector crashes were fixed in wireshark releases.

Fixed only in 1.12.9:

* UMTS FP dissector crashes.
  wnpa-sec-2015-32
* DCOM dissector crash.
  wnpa-sec-2015-33
* AllJoyn dissector infinite loop.
  wnpa-sec-2015-34
* T.38 dissector crash.
  wnpa-sec-2015-35
* SDP dissector crash.
  wnpa-sec-2015-36
* DNS dissector crash.
  wnpa-sec-2015-38

Fixed in 1.12.9 and 2.0.1:

* NBAP dissector crashes.
  wnpa-sec-2015-31
* NLM dissector crash.
  wnpa-sec-2015-37
* BER dissector crash.
  wnpa-sec-2015-39
* Zlib decompression crash. ([8]Bug 11548)
  wnpa-sec-2015-40
* SCTP dissector crash.
  wnpa-sec-2015-41
* 802.11 decryption crash.
  wnpa-sec-2015-42
* DIAMETER dissector crash.
  wnpa-sec-2015-43
* VeriWave file parser crashes.
  wnpa-sec-2015-44
* RSVP dissector crash.
  wnpa-sec-2015-45
* ANSI A & GSM A dissector crashes.
  wnpa-sec-2015-46
* Ascend file parser crash. 
  wnpa-sec-2015-47
* NBAP dissector crash.
  npa-sec-2015-48
* RSL dissector crash.
  wnpa-sec-2015-49
* ZigBee ZCL dissector crash.
  wnpa-sec-2015-50
* Sniffer file parser crash
  wnpa-sec-2015-51
* NWP dissector crash. 
  wnpa-sec-2015-52
* BT ATT dissector crash.
  wnpa-sec-2015-53
* MP2T file parser crash. 
  wnpa-sec-2015-54
* MP2T file parser crash.
  wnpa-sec-2015-55
* S7COMM dissector crash.
  wnpa-sec-2015-56
* IPMI dissector crash.
  wnpa-sec-2015-57
* TDS dissector crash.
  wnpa-sec-2015-58
* PPI dissector crash.
  wnpa-sec-2015-59
* MS-WSP dissector crash. 
  wnpa-sec-2015-60

Comment 1 Bernhard Wiedemann 2015-12-30 10:00:10 UTC

This is an autogenerated message for OBS integration:
This bug (960382) was mentioned in
https://build.opensuse.org/request/show/351292 Factory / wireshark

Comment 2 Bernhard Wiedemann 2015-12-30 12:00:08 UTC

This is an autogenerated message for OBS integration:
This bug (960382) was mentioned in
https://build.opensuse.org/request/show/351317 42.1+13.2+13.1 / wireshark

Comment 3 Swamp Workflow Management 2015-12-30 23:00:13 UTC

bugbot adjusting priority

Comment 5 Johannes Segitz 2016-01-04 12:03:10 UTC

As this was already so kindly prepared by Andreas I'll use this bug as tracker bug for the wealth of wireshark issues. CVEs were assigned:

CVE-2015-8720: The dissect_ber_GeneralizedTime function in epan/dissectors/packet-ber.c in the BER dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 improperly checks an sscanf return value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
CVE-2015-8721: Buffer overflow in the tvb_uncompress function in epan/tvbuff_zlib.c in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 allows remote attackers to cause a denial of service (application crash) via a crafted packet with zlib compression.
CVE-2015-8722: epan/dissectors/packet-sctp.c in the SCTP dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the frame pointer, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet.
CVE-2015-8723: The AirPDcapPacketProcess function in epan/crypt/airpdcap.c in the 802.11 dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the relationship between the total length and the capture length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted
CVE-2015-8724: The AirPDcapDecryptWPABroadcastKey function in epan/crypt/airpdcap.c in the 802.11 dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not verify the WPA broadcast key length, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet.
CVE-2015-8725: The dissect_diameter_base_framed_ipv6_prefix function in epan/dissectors/packet-diameter.c in the DIAMETER dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the IPv6 prefix length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted packet.
CVE-2015-8726: wiretap/vwr.c in the VeriWave file parser in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate certain signature and Modulation and Coding Scheme (MCS) data, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file.
CVE-2015-8727: The dissect_rsvp_common function in epan/dissectors/packet-rsvp.c in the RSVP dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not properly maintain request-key data, which allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted packet.
CVE-2015-8728: The Mobile Identity parser in (1) epan/dissectors/packet-ansi_a.c in the ANSI A dissector and (2) epan/dissectors/packet-gsm_a_common.c in the GSM A dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 improperly uses the tvb_bcd_dig_to_wmem_packet_str function, which allows remote attackers to cause a denial of service (buffer overflow and application crash) via a crafted packet.
CVE-2015-8729: The ascend_seek function in wiretap/ascendtext.c in the Ascend file parser in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not ensure the presence of a '\0' character at the end of a date string, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file.

I exclude the one that only affect 2.0.x since Factory is fixed and nothing else is affected.

I'll start an update for this issue (only crashers, but a lot of them)

Comment 6 Johannes Segitz 2016-01-04 12:10:10 UTC

Next batch:

CVE-2015-8711: epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate conversation data, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet.
CVE-2015-8712: The dissect_hsdsch_channel_info function in epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 1.12.x before 1.12.9 does not validate the number of PDUs, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
CVE-2015-8713: epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 1.12.x before 1.12.9 does not properly reserve memory for channel ID mappings, which allows remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted packet.
CVE-2015-8714: The dissect_dcom_OBJREF function in epan/dissectors/packet-dcom.c in the DCOM dissector in Wireshark 1.12.x before 1.12.9 does not initialize a certain IPv4 data structure, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
CVE-2015-8715: epan/dissectors/packet-alljoyn.c in the AllJoyn dissector in Wireshark 1.12.x before 1.12.9 does not check for empty arguments, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.
CVE-2015-8716: The init_t38_info_conv function in epan/dissectors/packet-t38.c in the T.38 dissector in Wireshark 1.12.x before 1.12.9 does not ensure that a conversation exists, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
CVE-2015-8717: The dissect_sdp function in epan/dissectors/packet-sdp.c in the SDP dissector in Wireshark 1.12.x before 1.12.9 does not prevent use of a negative media count, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
CVE-2015-8718: Double free vulnerability in epan/dissectors/packet-nlm.c in the NLM dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1, when the "Match MSG/RES packets for async NLM" option is enabled, allows remote attackers to cause a denial of service (application crash) via a crafted packet.
CVE-2015-8719: The dissect_dns_answer function in epan/dissectors/packet-dns.c in the DNS dissector in Wireshark 1.12.x before 1.12.9 mishandles the EDNS0 Client Subnet option, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

Comment 7 Johannes Segitz 2016-01-04 12:16:55 UTC

Last one:

CVE-2015-8730: epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the number of items, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted packet.
CVE-2015-8731: The dissct_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c in the RSL dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not reject unknown TLV types, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet.
CVE-2015-8732: The dissect_zcl_pwr_prof_pwrprofstatersp function in epan/dissectors/packet-zbee-zcl-general.c in the ZigBee ZCL dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the Total Profile Number field, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet.
CVE-2015-8733: The ngsniffer_process_record function in wiretap/ngsniffer.c in the Sniffer file parser in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the relationships between record lengths and record header lengths, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file.

Comment 8 Andreas Stieger 2016-01-04 15:15:41 UTC

CVEs added to incident changelogs.
SLE updates running

Comment 9 Swamp Workflow Management 2016-01-08 11:11:03 UTC

openSUSE-SU-2016:0054-1: An update that fixes 23 vulnerabilities is now available.

Category: security (low)
Bug References: 960382
CVE References: CVE-2015-8711,CVE-2015-8712,CVE-2015-8713,CVE-2015-8714,CVE-2015-8715,CVE-2015-8716,CVE-2015-8717,CVE-2015-8718,CVE-2015-8719,CVE-2015-8720,CVE-2015-8721,CVE-2015-8722,CVE-2015-8723,CVE-2015-8724,CVE-2015-8725,CVE-2015-8726,CVE-2015-8727,CVE-2015-8728,CVE-2015-8729,CVE-2015-8730,CVE-2015-8731,CVE-2015-8732,CVE-2015-8733
Sources used:
openSUSE Leap 42.1 (src):    wireshark-1.12.9-14.1
openSUSE 13.2 (src):    wireshark-1.12.9-29.1
openSUSE 13.1 (src):    wireshark-1.12.9-47.1

Comment 12 Swamp Workflow Management 2016-01-13 18:12:41 UTC

SUSE-SU-2016:0109-1: An update that fixes 24 vulnerabilities is now available.

Category: security (low)
Bug References: 950437,960382
CVE References: CVE-2015-7830,CVE-2015-8711,CVE-2015-8712,CVE-2015-8713,CVE-2015-8714,CVE-2015-8715,CVE-2015-8716,CVE-2015-8717,CVE-2015-8718,CVE-2015-8719,CVE-2015-8720,CVE-2015-8721,CVE-2015-8722,CVE-2015-8723,CVE-2015-8724,CVE-2015-8725,CVE-2015-8726,CVE-2015-8727,CVE-2015-8728,CVE-2015-8729,CVE-2015-8730,CVE-2015-8731,CVE-2015-8732,CVE-2015-8733
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    wireshark-1.12.9-22.1
SUSE Linux Enterprise Software Development Kit 12 (src):    wireshark-1.12.9-22.1
SUSE Linux Enterprise Server 12-SP1 (src):    wireshark-1.12.9-22.1
SUSE Linux Enterprise Server 12 (src):    wireshark-1.12.9-22.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    wireshark-1.12.9-22.1
SUSE Linux Enterprise Desktop 12 (src):    wireshark-1.12.9-22.1

Comment 13 Swamp Workflow Management 2016-01-13 19:15:58 UTC

SUSE-SU-2016:0110-1: An update that fixes 24 vulnerabilities is now available.

Category: security (low)
Bug References: 950437,960382
CVE References: CVE-2015-7830,CVE-2015-8711,CVE-2015-8712,CVE-2015-8713,CVE-2015-8714,CVE-2015-8715,CVE-2015-8716,CVE-2015-8717,CVE-2015-8718,CVE-2015-8719,CVE-2015-8720,CVE-2015-8721,CVE-2015-8722,CVE-2015-8723,CVE-2015-8724,CVE-2015-8725,CVE-2015-8726,CVE-2015-8727,CVE-2015-8728,CVE-2015-8729,CVE-2015-8730,CVE-2015-8731,CVE-2015-8732,CVE-2015-8733
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    wireshark-1.12.9-0.12.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    wireshark-1.12.9-0.12.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    wireshark-1.12.9-0.12.1
SUSE Linux Enterprise Server 11-SP4 (src):    wireshark-1.12.9-0.12.1
SUSE Linux Enterprise Server 11-SP3 (src):    wireshark-1.12.9-0.12.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    wireshark-1.12.9-0.12.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    wireshark-1.12.9-0.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    wireshark-1.12.9-0.12.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    wireshark-1.12.9-0.12.1