Bug#550191: wireshark 1.0.2-3+lenny6 security fixes
Hi,

Moritz proposed to upload fixes for DoS only security problems to stable and handle only more serious problems via stable-security:

On Monday 06 July 2009 20:42:21 Moritz Muehlenhoff wrote:

On Wed, Jul 01, 2009 at 03:36:44PM -0700, Bálint Réczey wrote:

Hi, Wireshark 1.0.8 fixes CVE-2009-1829 and contains other changes fixing crashes and one fix for a memory leak. ...

Traditionally we've been treating Wireshark crashes triggerable by network traffic as security issues, since someone could use tshark as a networking monitoring/intrusion detection tool. OTOH, both Wireshark's security record and the mere concept (analysing network traffic in a flaky implementation language like C) make this an impractical approach.

I would like to propose to document in a file like README.Debian or README.Debian.security that Wireshark is a great tool to analyse traffic patterns, but that crashes cannot be ruled out due to the complex nature of the task. Thus, it should not be deployed in scenarios where used for live network monitoring and live pure crash bugs unfixed. Of course all bugs which could trigger code injection will still be fixed in regular DSAs.

Additionally we could talk to the stable release managers to allow the latest Wireshark point updates for each stable point update (since the QA done by upstream is quite good). There are similar exceptions already done for some packages, e.g. PostgreSQL.

I support this approach.

Joost

The original suggestion was to upload full Wireshark releases from the stable and old stable Wireshark maintenance branches, but later we chose to extract the security related fixes and add only those to the Debian package.

According to that plan I would like to upload the package to stable and I corrected the attached patch to reflect this.

Thanks,
Balint

Index: debian/changelog === --- debian/changelog (revision 13620) +++ debian/changelog (revision 14468)
@@ -1,3 +1,13 @@ +wireshark (1.0.2-3+lenny6) stable; urgency=high + + * security fixes from Wireshark 1.0.8 and 1.0.9: +- The PCNFSD dissector could crash (CVE-2009-1829) +- The AFS dissector could crash (CVE-2009-2562) +- The OpcUa dissector could use excessive CPU and memory (CVE-2009-3241) + (Closes: #533347) + + -- Balint Reczey bal...@balintreczey.hu Mon, 28 Sep 2009 13:05:13 +0100 + wireshark (1.0.2-3+lenny5) stable-security; urgency=high * Security fixes from Wireshark 1.0.7 Index: debian/patches/34_fix_opcua_lockup.dpatch === --- debian/patches/34_fix_opcua_lockup.dpatch (revision 0) +++ debian/patches/34_fix_opcua_lockup.dpatch (revision 14468) 
@@ -0,0 +1,256 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 34_fix_opcua_lockup.dpatch by bal...@balintreczey.hu +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix excessive CPU and memory use in OpcUa disssector + +...@dpatch@ + +Index: trunk/plugins/opcua/opcua_simpletypes.c +=== +--- trunk/plugins/opcua/opcua_simpletypes.c (revision 29828) trunk/plugins/opcua/opcua_simpletypes.c (revision 29829) +@@ -34,9 +34,6 @@ + #include string.h + #include epan/emem.h + +-/* string buffer */ +-#define MAX_BUFFER 256 +- + #define DIAGNOSTICINFO_ENCODINGMASK_SYMBOLICID_FLAG 0x01 + #define DIAGNOSTICINFO_ENCODINGMASK_NAMESPACE_FLAG0x02 + #define DIAGNOSTICINFO_ENCODINGMASK_LOCALIZEDTEXT_FLAG0x04 +@@ -53,6 +50,9 @@ + #define EXTOBJ_ENCODINGMASK_BINBODY_FLAG 0x01 + #define EXTOBJ_ENCODINGMASK_XMLBODY_FLAG 0x02 + ++/* Chosen arbitrarily */ ++#define MAX_ARRAY_LEN 1 ++ + static int hf_opcua_diag_mask_symbolicflag = -1; + static int hf_opcua_diag_mask_namespaceflag = -1; + static int hf_opcua_diag_mask_localizedtextflag = -1; +@@ -317,35 +317,28 @@ + + void parseString(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIndex) + { +-char *szValue = ep_alloc(MAX_BUFFER); ++char *szValue; + gint iOffset = *pOffset; + gint32 iLen = tvb_get_letohl(tvb, *pOffset); + iOffset+=4; + +-if (szValue) ++if (iLen == -1) + { +-if (iLen == -1) +-{ +-g_snprintf(szValue, MAX_BUFFER, [OpcUa Null String]); +-} +-else if (iLen = 0) +-{ +-int iStrLen = iLen; +-if (iStrLen (MAX_BUFFER-1)) iStrLen = MAX_BUFFER - 1; +-/* copy non null terminated string of length iStrlen */ +-strncpy(szValue, (char*)tvb-real_data[iOffset], iStrLen); +-/* set null terminator */ +-szValue[iStrLen] = 0; +-iOffset += iLen; /* eat the whole string */ +-} +-else +-{ +-g_snprintf(szValue, MAX_BUFFER, [Invalid String] Ups, something is wrong with this message.); +-} +-
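Review bot: In the debian/changelog hunk, the OpcUa entry now cites CVE-2009-3241, whereas the changelog in the original request elsewhere in this thread cites CVE-2009-3242 for the same fix. The covering message only mentions retargeting the upload to stable, so please confirm which identifier is correct and mention the correction explicitly, since the release team approved the earlier text.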
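Review bot: The new limit added to opcua_simpletypes.c appears here as "#define MAX_ARRAY_LEN 1" with only the comment "Chosen arbitrarily". A cap of 1 looks too small for an array-length bound, so please confirm the value as applied, and have the comment say what the bound protects against (the excessive CPU and memory use named in the changelog) so a later reader can judge whether it is safe to raise.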
Bug#550191: wireshark 1.0.2-3+lenny6 security fixes
On Fri, 23 Oct 2009 19:46:24 +0200, Bálint Réczey wrote:

Hi,

Moritz proposed to upload fixes for DoS only security problems to stable and handle only more serious problems via stable-security:

On Monday 06 July 2009 20:42:21 Moritz Muehlenhoff wrote:

On Wed, Jul 01, 2009 at 03:36:44PM -0700, Bálint Réczey wrote:

Hi, Wireshark 1.0.8 fixes CVE-2009-1829 and contains other changes fixing crashes and one fix for a memory leak. ...

Traditionally we've been treating Wireshark crashes triggerable by network traffic as security issues, since someone could use tshark as a networking monitoring/intrusion detection tool. OTOH, both Wireshark's security record and the mere concept (analysing network traffic in a flaky implementation language like C) make this an impractical approach.

I would like to propose to document in a file like README.Debian or README.Debian.security that Wireshark is a great tool to analyse traffic patterns, but that crashes cannot be ruled out due to the complex nature of the task. Thus, it should not be deployed in scenarios where used for live network monitoring and live pure crash bugs unfixed. Of course all bugs which could trigger code injection will still be fixed in regular DSAs.

Additionally we could talk to the stable release managers to allow the latest Wireshark point updates for each stable point update (since the QA done by upstream is quite good). There are similar exceptions already done for some packages, e.g. PostgreSQL.

I support this approach.

Joost

The original suggestion was to upload full Wireshark releases from the stable and old stable Wireshark maintenance branches, but later we chose to extract the security related fixes and add only those to the Debian package.

According to that plan I would like to upload the package to stable and I corrected the attached patch to reflect this.

please submit a bug (including debdiff) to release.debian.org requesting acceptance of the new version for the next lenny point release.
mike -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#550191: wireshark 1.0.2-3+lenny6 security fixes
Hi,

On Fri, 2009-10-23 at 19:46 +0200, Bálint Réczey wrote:

Moritz proposed to upload fixes for DoS only security problems to stable and handle only more serious problems via stable-security: [...] According to that plan I would like to upload the package to stable and I corrected the attached patch to reflect this.

Assuming that the s/stable-security/stable/ is the only change to your original patch, then Luk already okayed uploading - see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550191#15

Regards,
Adam
Bug#550191: wireshark 1.0.2-3+lenny6 security fixes
On Fri, 2009-10-23 at 14:20 -0400, Michael Gilbert wrote:

On Fri, 23 Oct 2009 19:46:24 +0200, Bálint Réczey wrote:

According to that plan I would like to upload the package to stable and I corrected the attached patch to reflect this.

please submit a bug (including debdiff) to release.debian.org requesting acceptance of the new version for the next lenny point release.

#550191, which you replied to, *is* a release.d.o bug requesting exactly that. As I mentioned in my reply to the same message, upload permission was already given nearly a week ago.

Regards,
Adam
Bug#550191: wireshark 1.0.2-3+lenny6 security fixes
On Fri, 23 Oct 2009 20:05:39 +0100, Adam D. Barratt wrote:

On Fri, 2009-10-23 at 14:20 -0400, Michael Gilbert wrote:

On Fri, 23 Oct 2009 19:46:24 +0200, Bálint Réczey wrote:

According to that plan I would like to upload the package to stable and I corrected the attached patch to reflect this.

please submit a bug (including debdiff) to release.debian.org requesting acceptance of the new version for the next lenny point release.

#550191, which you replied to, *is* a release.d.o bug requesting exactly that. As I mentioned in my reply to the same message, upload permission was already given nearly a week ago.

oops, i thought this was a normal security bug that i was getting cc'd on via other mailing list subscription. may i suggest appending [debian-release] to subject lines in order to define/clarify the source of bugs automatically forwarded to the list?

mike
Bug#550191: wireshark 1.0.2-3+lenny6 security fixes
Hi

Could you please allow uploading wireshark 1.0.2-3+lenny6 to stable-security? It fixes security issues only:

--- debian/changelog(revision 13620) +++ debian/changelog(revision 14468) @@ -1,3 +1,13 @@ +wireshark (1.0.2-3+lenny6) stable-security; urgency=high + + * security fixes from Wireshark 1.0.8 and 1.0.9: +- The PCNFSD dissector could crash (CVE-2009-1829) +- The AFS dissector could crash (CVE-2009-2562) +- The OpcUa dissector could use excessive CPU and memory (CVE-2009-3242) + (Closes: #533347) + + -- Balint Reczey bal...@balintreczey.hu Mon, 28 Sep 2009 13:05:13 +0100

Please upload.

Cheers

Luk
Bug#550191: wireshark 1.0.2-3+lenny6 security fixes
Package: release.debian.org
User: release.debian@packages.debian.org
Severity: normal

Hi,

Could you please allow uploading wireshark 1.0.2-3+lenny6 to stable-security? It fixes security issues only:

--- debian/changelog(revision 13620) +++ debian/changelog(revision 14468) @@ -1,3 +1,13 @@ +wireshark (1.0.2-3+lenny6) stable-security; urgency=high + + * security fixes from Wireshark 1.0.8 and 1.0.9: +- The PCNFSD dissector could crash (CVE-2009-1829) +- The AFS dissector could crash (CVE-2009-2562) +- The OpcUa dissector could use excessive CPU and memory (CVE-2009-3242) + (Closes: #533347) + + -- Balint Reczey bal...@balintreczey.hu Mon, 28 Sep 2009 13:05:13 +0100 + wireshark (1.0.2-3+lenny5) stable-security; urgency=high

Thanks,
Balint

Index: debian/changelog === --- debian/changelog (revision 13620) +++ debian/changelog (revision 14468) @@ -1,3 +1,13 @@ +wireshark (1.0.2-3+lenny6) stable-security; urgency=high + + * security fixes from Wireshark 1.0.8 and 1.0.9: +- The PCNFSD dissector could crash (CVE-2009-1829) +- The AFS dissector could crash (CVE-2009-2562) +- The OpcUa dissector could use excessive CPU and memory (CVE-2009-3242) + (Closes: #533347) + + -- Balint Reczey bal...@balintreczey.hu Mon, 28 Sep 2009 13:05:13 +0100 + wireshark (1.0.2-3+lenny5) stable-security; urgency=high * Security fixes from Wireshark 1.0.7 Index: debian/patches/34_fix_opcua_lockup.dpatch === --- debian/patches/34_fix_opcua_lockup.dpatch (revision 0) +++ debian/patches/34_fix_opcua_lockup.dpatch (revision 14468)
@@ -0,0 +1,256 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 34_fix_opcua_lockup.dpatch by bal...@balintreczey.hu +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix excessive CPU and memory use in OpcUa disssector + +...@dpatch@ + +Index: trunk/plugins/opcua/opcua_simpletypes.c +=== +--- trunk/plugins/opcua/opcua_simpletypes.c (revision 29828) trunk/plugins/opcua/opcua_simpletypes.c (revision 29829) +@@ -34,9 +34,6 @@ + #include string.h + #include epan/emem.h + +-/* string buffer */ +-#define MAX_BUFFER 256 +- + #define DIAGNOSTICINFO_ENCODINGMASK_SYMBOLICID_FLAG 0x01 + #define DIAGNOSTICINFO_ENCODINGMASK_NAMESPACE_FLAG0x02 + #define DIAGNOSTICINFO_ENCODINGMASK_LOCALIZEDTEXT_FLAG0x04 +@@ -53,6 +50,9 @@ + #define EXTOBJ_ENCODINGMASK_BINBODY_FLAG 0x01 + #define EXTOBJ_ENCODINGMASK_XMLBODY_FLAG 0x02 + ++/* Chosen arbitrarily */ ++#define MAX_ARRAY_LEN 1 ++ + static int hf_opcua_diag_mask_symbolicflag = -1; + static int hf_opcua_diag_mask_namespaceflag = -1; + static int hf_opcua_diag_mask_localizedtextflag = -1; +@@ -317,35 +317,28 @@ + + void parseString(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIndex) + { +-char *szValue = ep_alloc(MAX_BUFFER); ++char *szValue; + gint iOffset = *pOffset; + gint32 iLen = tvb_get_letohl(tvb, *pOffset); + iOffset+=4; + +-if (szValue) ++if (iLen == -1) + { +-if (iLen == -1) +-{ +-g_snprintf(szValue, MAX_BUFFER, [OpcUa Null String]); +-} +-else if (iLen = 0) +-{ +-int iStrLen = iLen; +-if (iStrLen (MAX_BUFFER-1)) iStrLen = MAX_BUFFER - 1; +-/* copy non null terminated string of length iStrlen */ +-strncpy(szValue, (char*)tvb-real_data[iOffset], iStrLen); +-/* set null terminator */ +-szValue[iStrLen] = 0; +-iOffset += iLen; /* eat the whole string */ +-} +-else +-{ +-g_snprintf(szValue, MAX_BUFFER, [Invalid String] Ups, something is wrong with this message.); +-} +- ++proto_tree_add_string(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset), ++ [OpcUa Null String]); ++} ++else if (iLen = 
0) ++{ ++iOffset += iLen; /* eat the whole string */ ++proto_tree_add_item(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset), TRUE); ++} ++else ++{ ++szValue = ep_strdup_printf([Invalid String] Invalid length: %d, iLen); + proto_tree_add_string(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset), szValue); +-*pOffset = iOffset; + } ++ ++*pOffset = iOffset; + } + + void parseStatusCode(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIndex) +@@ -623,11 +616,17 @@ + /* read array length */ + iLen = tvb_get_letohl(tvb, *pOffset); + proto_tree_add_item(subtree, hf_opcua_ArraySize, tvb, *pOffset, 4, TRUE); +-*pOffset += 4; + + if (iLen == -1) return; /* no array */ + if (iLen == 0) return; /* array with zero elements*/ + ++if (iLen MAX_ARRAY_LEN) ++{ ++
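Review bot: In the rewritten parseString(), the non-negative-length branch does "iOffset += iLen;" with iLen taken straight from the packet by tvb_get_letohl() and no check against the bytes remaining in the tvb. A very large iLen can overflow the signed gint offset, and an oversized one is only caught if proto_tree_add_item() rejects the resulting length. An explicit bound check before advancing the offset, for example tvb_ensure_bytes_exist(tvb, iOffset, iLen), would make the limit visible at the point where the untrusted length is consumed. Removing the fixed 256-byte buffer and the direct read from the tvb's real_data is the right direction.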
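Review bot: In the array-parsing hunk at -623, the "*pOffset += 4;" after the hf_opcua_ArraySize item is removed while the early returns for iLen == -1 and iLen == 0 stay in place, so on those paths the caller's offset is left pointing at the length field unless it is advanced somewhere not shown. The hunk is cut off here right after the new MAX_ARRAY_LEN test; please confirm the 4-byte increment is restored on every return path, including the new over-limit one, otherwise the fields that follow the array will be dissected from the wrong position.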
Bug#550191: wireshark 1.0.2-3+lenny6 security fixes
Hi,

On Thu, 2009-10-08 at 11:26 +0200, Bálint Réczey wrote:

Package: release.debian.org
User: release.debian@packages.debian.org
Severity: normal

[...]

Could you please allow uploading wireshark 1.0.2-3+lenny6 to stable-security? It fixes security issues only:

If you want to upload to stable-security, then you need to co-ordinate with the Security Team, not the Release Team. The Release Team don't manage stable-security.

Regards,
Adam