Red Hat Security Advisory: wireshark security, bug fix, and enhancement update Security Advisory secalert@redhat.com Red Hat Security Response Team RHSA-2013:0125 Final 1 1 2013-01-08T04:14:00Z Current version 2013-01-08T04:14:00Z 2013-01-08T04:14:00Z Red Hat rhsa-to-cvrf 1.0.1484 2013-01-08T04:58:01Z Updated wireshark packages that fix several security issues, three bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Wireshark, previously known as Ethereal, is a network protocol analyzer. It is used to capture and browse the traffic running on a computer network. A heap-based buffer overflow flaw was found in the way Wireshark handled Endace ERF (Extensible Record Format) capture files. If Wireshark opened a specially-crafted ERF capture file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2011-4102) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2011-1958, CVE-2011-1959, CVE-2011-2175, CVE-2011-2698, CVE-2012-0041, CVE-2012-0042, CVE-2012-0066, CVE-2012-0067, CVE-2012-4285, CVE-2012-4289, CVE-2012-4290, CVE-2012-4291) The CVE-2011-1958, CVE-2011-1959, CVE-2011-2175, and CVE-2011-4102 issues were discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team. This update also fixes the following bugs: * When Wireshark starts with the X11 protocol being tunneled through an SSH connection, it automatically prepares its capture filter to omit the SSH packets. If the SSH connection was to a link-local IPv6 address including an interface name (for example ssh -X [ipv6addr]%eth0), Wireshark parsed this address erroneously, constructed an incorrect capture filter and refused to capture packets. The "Invalid capture filter" message was displayed. With this update, parsing of link-local IPv6 addresses is fixed and Wireshark correctly prepares a capture filter to omit SSH packets over a link-local IPv6 connection. (BZ#438473) * Previously, Wireshark's column editing dialog malformed column names when they were selected. With this update, the dialog is fixed and no longer breaks column names. (BZ#493693) * Previously, TShark, the console packet analyzer, did not properly analyze the exit code of Dumpcap, Wireshark's packet capturing back end. As a result, TShark returned exit code 0 when Dumpcap failed to parse its command-line arguments. In this update, TShark correctly propagates the Dumpcap exit code and returns a non-zero exit code when Dumpcap fails. (BZ#580510) * Previously, the TShark "-s" (snapshot length) option worked only for a value greater than 68 bytes. If a lower value was specified, TShark captured just 68 bytes of incoming packets. With this update, the "-s" option is fixed and sizes lower than 68 bytes work as expected. (BZ#580513) This update also adds the following enhancement: * In this update, support for the "NetDump" protocol was added. (BZ#484999) All users of Wireshark are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. All running instances of Wireshark must be restarted for the update to take effect. Please see https://www.redhat.com/footer/terms-of-use.html Copyright © 2013 Red Hat, Inc. All rights reserved. Moderate https://rhn.redhat.com/errata/RHSA-2013-0125.html https://rhn.redhat.com/errata/RHSA-2013-0125.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/security/updates/classification/#moderate https://bugzilla.redhat.com/show_bug.cgi?id=438473 https://bugzilla.redhat.com/show_bug.cgi?id=438473 https://bugzilla.redhat.com/show_bug.cgi?id=484999 https://bugzilla.redhat.com/show_bug.cgi?id=484999 https://bugzilla.redhat.com/show_bug.cgi?id=580510 https://bugzilla.redhat.com/show_bug.cgi?id=580510 https://bugzilla.redhat.com/show_bug.cgi?id=580513 https://bugzilla.redhat.com/show_bug.cgi?id=580513 Red Hat Enterprise Linux Desktop (v. 5 client) RHEL Desktop Workstation (v. 5 client) Red Hat Enterprise Linux (v. 5 server) wireshark-1.0.15-5.el5.src.rpm wireshark-1.0.15-5.el5 as a component of Red Hat Enterprise Linux Desktop (v. 5 client) wireshark-1.0.15-5.el5 as a component of RHEL Desktop Workstation (v. 5 client) wireshark-1.0.15-5.el5 as a component of Red Hat Enterprise Linux (v. 5 server) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. The CVE-2011-1958, CVE-2011-1959, CVE-2011-2175, and CVE-2011-4102 issues were discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team. 2011-05-31T00:00:00Z 2011-05-31T00:00:00Z CVE-2011-1958 5Client-Workstation:wireshark-1.0.15-5.el5 5Client:wireshark-1.0.15-5.el5 5Server:wireshark-1.0.15-5.el5 Low 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0125.html https://www.redhat.com/security/data/cve/CVE-2011-1958.html CVE-2011-1958 https://bugzilla.redhat.com/show_bug.cgi?id=710184 bz#710184: CVE-2011-1958 wireshark (64bit): NULL pointer dereference by processing of a corrupted Diameter dictionary file This issue was discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team. Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. The CVE-2011-1958, CVE-2011-1959, CVE-2011-2175, and CVE-2011-4102 issues were discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team. 2011-05-31T00:00:00Z 2011-05-31T00:00:00Z CVE-2011-1959 5Client-Workstation:wireshark-1.0.15-5.el5 5Client:wireshark-1.0.15-5.el5 5Server:wireshark-1.0.15-5.el5 Low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0125.html https://www.redhat.com/security/data/cve/CVE-2011-1959.html CVE-2011-1959 https://bugzilla.redhat.com/show_bug.cgi?id=710039 bz#710039: CVE-2011-1959 wireshark: Stack-based buffer over-read from tvbuff buffer when reading snoop capture files This issue was discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team. Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. The CVE-2011-1958, CVE-2011-1959, CVE-2011-2175, and CVE-2011-4102 issues were discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team. 2011-05-31T00:00:00Z 2011-05-31T00:00:00Z CVE-2011-2175 5Client-Workstation:wireshark-1.0.15-5.el5 5Client:wireshark-1.0.15-5.el5 5Server:wireshark-1.0.15-5.el5 Low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0125.html https://www.redhat.com/security/data/cve/CVE-2011-2175.html CVE-2011-2175 https://bugzilla.redhat.com/show_bug.cgi?id=710109 bz#710109: CVE-2011-2175 wireshark: Heap-based buffer over-read in Visual Networks dissector This issue was discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team. Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2011-07-19T00:00:00Z 2011-06-20T00:00:00Z CVE-2011-2698 5Client-Workstation:wireshark-1.0.15-5.el5 5Client:wireshark-1.0.15-5.el5 5Server:wireshark-1.0.15-5.el5 Low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0125.html https://www.redhat.com/security/data/cve/CVE-2011-2698.html CVE-2011-2698 https://bugzilla.redhat.com/show_bug.cgi?id=723215 bz#723215: CVE-2011-2698 wireshark: Infinite loop in the ANSI A Interface (IS-634/IOS) dissector A heap-based buffer overflow flaw was found in the way Wireshark handled Endace ERF (Extensible Record Format) capture files. If Wireshark opened a specially-crafted ERF capture file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. The CVE-2011-1958, CVE-2011-1959, CVE-2011-2175, and CVE-2011-4102 issues were discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team. 2011-11-01T00:00:00Z 2011-10-21T00:00:00Z CVE-2011-4102 5Client-Workstation:wireshark-1.0.15-5.el5 5Client:wireshark-1.0.15-5.el5 5Server:wireshark-1.0.15-5.el5 Moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0125.html http://www.wireshark.org/security/wnpa-sec-2011-19.html http://www.wireshark.org/security/wnpa-sec-2011-19.html https://www.redhat.com/security/data/cve/CVE-2011-4102.html CVE-2011-4102 https://bugzilla.redhat.com/show_bug.cgi?id=750648 bz#750648: CVE-2011-4102 wireshark: buffer overflow in the ERF file reader This issue was discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team. Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2012-01-11T00:00:00Z 2012-01-10T00:00:00Z CVE-2012-0041 5Client-Workstation:wireshark-1.0.15-5.el5 5Client:wireshark-1.0.15-5.el5 5Server:wireshark-1.0.15-5.el5 Low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0125.html https://www.redhat.com/security/data/cve/CVE-2012-0041.html CVE-2012-0041 https://bugzilla.redhat.com/show_bug.cgi?id=773726 bz#773726: CVE-2012-0041 wireshark: multiple file parser vulnerabilities (wnpa-sec-2012-01) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2012-01-11T00:00:00Z 2012-01-10T00:00:00Z CVE-2012-0042 5Client-Workstation:wireshark-1.0.15-5.el5 5Client:wireshark-1.0.15-5.el5 5Server:wireshark-1.0.15-5.el5 Low 2.9 AV:A/AC:M/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0125.html https://www.redhat.com/security/data/cve/CVE-2012-0042.html CVE-2012-0042 https://bugzilla.redhat.com/show_bug.cgi?id=773728 bz#773728: CVE-2012-0042 wireshark: NULL pointer vulnerabilities (wnpa-sec-2012-02) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2012-01-11T00:00:00Z 2012-01-10T00:00:00Z CVE-2012-0066 5Client-Workstation:wireshark-1.0.15-5.el5 5Client:wireshark-1.0.15-5.el5 5Server:wireshark-1.0.15-5.el5 Low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0125.html https://www.redhat.com/security/data/cve/CVE-2012-0066.html CVE-2012-0066 https://bugzilla.redhat.com/show_bug.cgi?id=783360 bz#783360: CVE-2012-0066 Wireshark: Dos via large buffer allocation request Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2012-01-11T00:00:00Z 2012-01-10T00:00:00Z CVE-2012-0067 5Client-Workstation:wireshark-1.0.15-5.el5 5Client:wireshark-1.0.15-5.el5 5Server:wireshark-1.0.15-5.el5 Low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0125.html https://www.redhat.com/security/data/cve/CVE-2012-0067.html CVE-2012-0067 https://bugzilla.redhat.com/show_bug.cgi?id=783363 bz#783363: CVE-2012-0067 Wireshark: Dos due to integer overflow in IPTrace capture format parser Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2012-08-15T00:00:00Z 2012-08-15T00:00:00Z CVE-2012-4285 5Client-Workstation:wireshark-1.0.15-5.el5 5Client:wireshark-1.0.15-5.el5 5Server:wireshark-1.0.15-5.el5 Low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0125.html https://www.redhat.com/security/data/cve/CVE-2012-4285.html CVE-2012-4285 https://bugzilla.redhat.com/show_bug.cgi?id=848541 bz#848541: CVE-2012-4285 wireshark: crash due to zero division in DCP ETSI dissector (wnpa-sec-2012-13) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2012-08-15T00:00:00Z 2012-08-15T00:00:00Z CVE-2012-4289 5Client-Workstation:wireshark-1.0.15-5.el5 5Client:wireshark-1.0.15-5.el5 5Server:wireshark-1.0.15-5.el5 Low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0125.html https://www.redhat.com/security/data/cve/CVE-2012-4289.html CVE-2012-4289 https://bugzilla.redhat.com/show_bug.cgi?id=848561 bz#848561: CVE-2012-4289 wireshark: DoS via excessive CPU consumption in AFP dissector (wnpa-sec-2012-17) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2012-08-15T00:00:00Z 2012-08-15T00:00:00Z CVE-2012-4290 5Client-Workstation:wireshark-1.0.15-5.el5 5Client:wireshark-1.0.15-5.el5 5Server:wireshark-1.0.15-5.el5 Low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0125.html https://www.redhat.com/security/data/cve/CVE-2012-4290.html CVE-2012-4290 https://bugzilla.redhat.com/show_bug.cgi?id=848578 bz#848578: CVE-2012-4290 wireshark: DoS via excessive CPU consumption in CTDB dissector (wnpa-sec-2012-23) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2012-08-15T00:00:00Z 2012-08-15T00:00:00Z CVE-2012-4291 5Client-Workstation:wireshark-1.0.15-5.el5 5Client:wireshark-1.0.15-5.el5 5Server:wireshark-1.0.15-5.el5 Low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0125.html https://www.redhat.com/security/data/cve/CVE-2012-4291.html CVE-2012-4291 https://bugzilla.redhat.com/show_bug.cgi?id=848572 bz#848572: CVE-2012-4291 wireshark: DoS via excessive system resource consumption in CIP dissector (wnpa-sec-2012-20)