Bugzilla – Bug 98446
VUL-0: CVE-2005-2367: ethereal security fixes
Last modified: 2021-11-11 14:41:33 UTC
We received the following report via vendor-sec. The issue is public.

Date: Mon, 25 Jul 2005 17:56:04 -0500
From: Gerald Combs <gerald@ethereal.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] Upcoming Ethereal release (0.10.12) fixes another passel of vulnerabilities

Our continuing testing program has turned up several vulnerabilities in Ethereal. Independent reviews by Red Hat and iDEFENSE have turned up several more. Each vulnerability is listed below along with affected versions and the SVN revision(s) that fixed the problem. All of the problems below will be fixed in version 0.10.12. It is scheduled to be released July 26 (tomorrow) or July 27.

The LDAP dissector could free static memory and crash.
Versions affected: 0.8.5 to 0.10.11
Fixed in: 14337

The AgentX dissector could crash.
Versions affected: 0.10.10 to 0.10.11
Fixed in: 14344

The 802.3 dissector could go into an infinite loop.
Versions affected: 0.8.16 to 0.10.11
Fixed in: 14368

The PER dissector could abort.
Versions affected: 0.10.5 to 0.10.11
Fixed in: 14424

The DHCP dissector could go into an infinite loop.
Versions affected: 0.10.7 to 0.10.11
Fixed in: 14425

The BER dissector could abort or loop infinitely.
Version affected: 0.10.11
Fixed in: 14799

The MEGACO dissector could go into an infinite loop.
Versions affected: 0.9.14 to 0.10.11
Fixed in: 14057

The GIOP dissector could dereference a null pointer.
Versions affected: 0.8.20 to 0.10.11
Fixed in: 14113

The SMB dissector could overflow a buffer or exhaust system memory.
Versions affected: 0.9.0 to 0.10.11
Fixed in: 14501, 14515, 14526

The WBXML dissector could dereference a null pointer.
Versions affected: 0.10.1 to 0.10.11
Fixed in: 14522

The H1 dissector could go into an infinite loop.
Versions affected: 0.8.15 to 0.10.11
Fixed in: 14589

The DOCSIS dissector could cause a crash.
Versions affected: 0.9.13 to 0.10.11
Fixed in: 14422

The SMPP dissector could go into an infinite loop.
Versions affected: 0.10.1 to 0.10.11
Fixed in: 14639, 14664, 14830

SCTP graphs could crash.
Version affected: 0.10.11
Fixed in: 14876

The HTTP dissector could crash.
Versions affected: 0.10.4 to 0.10.11
Fixed in: 14981

The DCERPC dissector could crash.
Versions affected: 0.9.16 to 0.10.11
Fixed in: 14525

Several dissectors could crash while reassembling packets.
Versions affected: 0.9.0 to 0.10.11

Steve Grubb at Red Hat found the following issues:

The CAMEL dissector could dereference a null pointer.
Version affected: 0.10.11
Fixed in: 14495

The DHCP dissector could crash.
Versions affected: 0.10.4 to 0.10.11
Fixed in: 14494

The PER dissector could crash.
Versions affected: 0.10.10 to 0.10.11
Fixed in: 14498

The RADIUS dissector could crash.
Versions affected: 0.9.4 to 0.10.11
Fixed in: 14498

The Telnet dissector could crash.
Versions affected: 0.9.10 to 0.10.11
Fixed in: 14499

The IS-IS LSP dissector could crash.
Versions affected: 0.8.19 to 0.10.11
Fixed in: 14627

The NCP dissector could crash.
Versions affected: 0.9.15 to 0.10.11
Fixed in: 14627

iDEFENSE found the following issue:

Several dissectors were susceptible to a format string overflow.
Versions affected: 0.9.4 to 0.10.11
Fixed in: 14713

Ethereal's SVN repository can be browsed online at
http://anonsvn.ethereal.com/viewcvs/viewcvs.py/

Information on obtaining the source code can be found at
http://www.ethereal.com/development.html#source

Please don't hesitate to contact me if you have any questions.

_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
Date: Tue, 26 Jul 2005 14:52:05 -0400 (EDT)
From: "Steven M. Christey" <coley@linus.mitre.org>
To: Mark J Cox <mjc@redhat.com>
Cc: "Steven M. Christey" <coley@linus.mitre.org>, vendor-sec@lst.de, rvokal@redhat.com
Subject: [vendor-sec] Re: urgent CVE names needed for Ethereal release

OK, what a pain. (But I'm sure it's even harder on all of you :) )

Please pass the appropriate CAN back to iDEFENSE.

I originally started looking at the specific bug reports, but that quickly got problematic. Of course, splitting by result type can be highly erroneous relative to the underlying fault, and it's not CVE style, but operating under the assumption that we need to do something quickly, we will use it as "best available information."

I was tempted to further split based on "0.8.x to 0.10" versus "0.9.x to 0.10", i.e. use broader ranges of versions, but maybe I'll try that next time.

I'm definitely getting the mindset that bugs found by third parties should get their own CANs independently of developer-found issues.

Summaries:

CAN-2005-2360 - free static memory and crash in LDAP
CAN-2005-2361 - crash in AgentX, PER, DOCSIS, SCTP, HTTP, DCERPC, DHCP, PER again [different version range], RADIUS, Telnet, IS-IS LSP, NCP
CAN-2005-2362 - crash while reassembling packets in multiple dissectors
CAN-2005-2363 - infinite loop in SMPP, 802.3, DHCP, MEGACO, H1
CAN-2005-2364 - null pointer dereference in GIOP, WBXML, CAMEL
CAN-2005-2365 - buffer overflow or memory exhaustion in SMB
CAN-2005-2366 - abort or infinite loop in BER
CAN-2005-2367 - iDEFENSE-discovered format strings

Details
----------

Use CAN-2005-2360 for:

The LDAP dissector could free static memory and crash.
Versions affected: 0.8.5 to 0.10.11
Fixed in: 14337

Use CAN-2005-2361 for:

The AgentX dissector could crash.
Versions affected: 0.10.10 to 0.10.11
Fixed in: 14344

The PER dissector could abort.
Versions affected: 0.10.5 to 0.10.11
Fixed in: 14424

The DOCSIS dissector could cause a crash.
Versions affected: 0.9.13 to 0.10.11
Fixed in: 14422

SCTP graphs could crash.
Version affected: 0.10.11
Fixed in: 14876

The HTTP dissector could crash.
Versions affected: 0.10.4 to 0.10.11
Fixed in: 14981

The DCERPC dissector could crash.
Versions affected: 0.9.16 to 0.10.11
Fixed in: 14525

The DHCP dissector could crash.
Versions affected: 0.10.4 to 0.10.11
Fixed in: 14494

The PER dissector could crash.
Versions affected: 0.10.10 to 0.10.11
Fixed in: 14498

The RADIUS dissector could crash.
Versions affected: 0.9.4 to 0.10.11
Fixed in: 14498

The Telnet dissector could crash.
Versions affected: 0.9.10 to 0.10.11
Fixed in: 14499

The IS-IS LSP dissector could crash.
Versions affected: 0.8.19 to 0.10.11
Fixed in: 14627

The NCP dissector could crash.
Versions affected: 0.9.15 to 0.10.11
Fixed in: 14627

Use CAN-2005-2362 for:

Several dissectors could crash while reassembling packets.
Versions affected: 0.9.0 to 0.10.11

Use CAN-2005-2363 for:

The SMPP dissector could go into an infinite loop.
Versions affected: 0.10.1 to 0.10.11
Fixed in: 14639, 14664, 14830

The 802.3 dissector could go into an infinite loop.
Versions affected: 0.8.16 to 0.10.11
Fixed in: 14368

The DHCP dissector could go into an infinite loop.
Versions affected: 0.10.7 to 0.10.11
Fixed in: 14425

The MEGACO dissector could go into an infinite loop.
Versions affected: 0.9.14 to 0.10.11
Fixed in: 14057

The H1 dissector could go into an infinite loop.
Versions affected: 0.8.15 to 0.10.11
Fixed in: 14589

Use CAN-2005-2364 for:

The GIOP dissector could dereference a null pointer.
Versions affected: 0.8.20 to 0.10.11
Fixed in: 14113

The WBXML dissector could dereference a null pointer.
Versions affected: 0.10.1 to 0.10.11
Fixed in: 14522

The CAMEL dissector could dereference a null pointer.
Version affected: 0.10.11
Fixed in: 14495

Use CAN-2005-2365 for:

The SMB dissector could overflow a buffer or exhaust system memory.
Versions affected: 0.9.0 to 0.10.11
Fixed in: 14501, 14515, 14526

Use CAN-2005-2366 for:

The BER dissector could abort or loop infinitely.
Version affected: 0.10.11
Fixed in: 14799

Use CAN-2005-2367 for:

iDEFENSE found the following issue:

Several dissectors were susceptible to a format string overflow.
Versions affected: 0.9.4 to 0.10.11
Fixed in: 14713
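Two of the bug classes in the report above recur across many dissectors: packet text reaching a printf-style formatter as the format argument (the iDEFENSE issue, CVE-2005-2367) and a length field of zero that never advances the parse offset (the infinite-loop items under CAN-2005-2363). The following is an illustration added here, not Ethereal source or any of the fixed revisions: a toy TLV parser written in the unsafe shape, beside a hardened version. The packet layout, the sample packets and every function name are constructed for this example.

```c
/*
 * Added illustration, not Ethereal source: a toy TLV "dissector" in the
 * unsafe shape behind two bug classes in this report, beside a hardened
 * version.  Class 1: packet text used as a printf-style format (the
 * iDEFENSE format-string issue).  Class 2: a zero-length element that
 * never advances the offset (the infinite-loop issues).
 *
 * Packet layout (constructed for this example, not a real protocol):
 *   repeated TLVs of  type (1 byte) | tlen (1 byte, counts the 2-byte
 *   header too) | value (tlen - 2 bytes)
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define TLV_NAME 0x01

/* Constructed sample packets. */
static const uint8_t PKT_GOOD[]     = {0x01, 0x07, 'a', 'l', 'i', 'c', 'e'};
static const uint8_t PKT_FORMAT[]   = {0x01, 0x08, '%', 's', '%', 's', '%', 'n'};
static const uint8_t PKT_ZEROLEN[]  = {0x01, 0x04, '%', 'n', 0x02, 0x00};
static const uint8_t PKT_OVERLONG[] = {0x01, 0x20, 'x'};

/* Number of printf conversions a packet-derived string would trigger if it
 * were passed as the FORMAT argument ("%%" is a literal percent).  A
 * non-zero result means the unsafe call pattern below would read, or with
 * "%n" write, memory the attacker chooses. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* UNSAFE loop shape.  tlen is trusted, so tlen == 0 leaves off unchanged and
 * the real code spins forever.  max_iters is a harness cap so this example
 * terminates; it returns -1 when the cap is hit, i.e. when a real dissector
 * would hang.  The format-string bug class has the shape shown in the
 * comment: the packet value itself becomes the format. */
int dissect_unsafe(const uint8_t *pkt, size_t len, int max_iters)
{
    int items = 0;
    size_t off = 0;
    while (off < len) {
        if (max_iters-- == 0) return -1;          /* would be an infinite loop */
        uint8_t tlen = pkt[off + 1];              /* trusted length */
        /* Bug class 1 would be:  snprintf(line, sizeof line, value);   */
        /* i.e. the packet value passed where a format string belongs. */
        items++;
        off += tlen;                              /* tlen == 0: no progress */
    }
    return items;
}

typedef struct {
    int items;          /* TLVs parsed */
    int malformed;      /* 1 if parsing stopped on a bad length */
    char last_name[64]; /* last TLV_NAME value, rendered with a literal "%s" */
} dissect_result;

/* Hardened: every length is bounds-checked against the buffer, a length that
 * would not advance the offset is rejected, and packet text only ever reaches
 * the formatter as an argument to a literal "%s". */
dissect_result dissect_safe(const uint8_t *pkt, size_t len)
{
    dissect_result r = {0, 0, ""};
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t type = pkt[off];
        uint8_t tlen = pkt[off + 1];
        if (tlen < 2 || off + tlen > len) {       /* no progress, or runs past end */
            r.malformed = 1;
            break;
        }
        if (type == TLV_NAME) {
            char value[sizeof r.last_name];
            size_t vlen = tlen - 2;
            if (vlen > sizeof value - 1) vlen = sizeof value - 1;
            memcpy(value, pkt + off + 2, vlen);
            value[vlen] = '\0';
            snprintf(r.last_name, sizeof r.last_name, "%s", value);
        }
        r.items++;
        off += tlen;                              /* tlen >= 2 guarantees progress */
    }
    return r;
}

/* Convenience for checks: does the hardened parse yield this last name? */
int safe_last_name_is(const uint8_t *pkt, size_t len, const char *expect)
{
    dissect_result r = dissect_safe(pkt, len);
    return strcmp(r.last_name, expect) == 0;
}

int main(void)
{
    dissect_result r = dissect_safe(PKT_FORMAT, sizeof PKT_FORMAT);
    printf("hardened: %d item(s), name=\"%s\", %d conversion(s) if misused as a format\n",
           r.items, r.last_name, count_conversions(r.last_name));
    printf("unsafe on zero-length TLV: %d (-1 = would loop forever)\n",
           dissect_unsafe(PKT_ZEROLEN, sizeof PKT_ZEROLEN, 1000));
    return 0;
}
```

The two guards in dissect_safe are the ones a reviewer looks for in any dissector loop: the length must be large enough to move the offset forward, and it must not run past the end of the buffer. The format-string fix is even smaller, a literal "%s" with the packet text as its argument, which is why one revision (14713) could cover several dissectors at once. Building with -Wformat-security flags the unsafe call shape at compile time.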
The new version of ethereal is released (http://ethereal.com/news/item_20050726_01.html). The Ethereal advisory is here: http://ethereal.com/appnotes/enpa-sa-00020.html. Can I make a version update for older distros? (It will take me a lot of time to backport it; I need time for SL10.)
SM-Tracker-1932
 8 remote root user
-1 extra package
-1 default inactive
-1 user interaction
+1 command execution
Total Score: 6 (Moderate)
We need a prjmgr ok for a version update
Okay.
Andreas, for SLES is version update ok, and for SL Boxes?
If it's fine for SLES, it's fine for me as well.
updated and submitted for SLSES8, 8.2, 9.0, SLES9, 9.2, 9.3 SM-Tracker-1932
8.2 fix no longer necessary for bugs > 97000
fixed packages released
CVE-2005-2367: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)