Bug 831718

Summary: VUL-0: wireshark: security updates to 1.10.1 and 1.8.9
Product: [openSUSE] openSUSE 12.3
Reporter: Andreas Stieger <Andreas.Stieger>
Component: Security
Assignee: Chunyan Liu <cyliu>
Status: VERIFIED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, cyliu, meissner
Version: Final
Target Milestone: ---
Hardware: All
OS: openSUSE 12.3
Whiteboard: maint:running:52994:moderate maint:released:sle11-sp1:54387 maint:released:sle11-sp3:54389 maint:released:sle11-sp2:54388 maint:running:54386:moderate
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Deadline: 2013-09-24   

Description Andreas Stieger 2013-07-26 22:39:45 UTC
User-Agent:       Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0

From https://www.wireshark.org/docs/relnotes/wireshark-1.8.9.html

 The following vulnerabilities have been fixed.

    wnpa-sec-2013-45

    The Bluetooth SDP dissector could go into a large loop. Discovered by Laurent Butti. (Bug 8831)

    Versions affected: 1.10.0, 1.8.0 to 1.8.8.

    CVE-2013-4927

    wnpa-sec-2013-47

    The DIS dissector could go into a large loop. (Bug 8911)

    Versions affected: 1.10.0, 1.8.0 to 1.8.8.

    CVE-2013-4929

    wnpa-sec-2013-48

    The DVB-CI dissector could crash. Discovered by Laurent Butti. (Bug 8916)

    Versions affected: 1.10.0, 1.8.0 to 1.8.8.

    CVE-2013-4930

    wnpa-sec-2013-49

    The GSM RR dissector (and possibly others) could go into a large loop. (Bug 8923)

    Versions affected: 1.10.0, 1.8.0 to 1.8.8.

    CVE-2013-4931

    wnpa-sec-2013-50

    The GSM A Common dissector could crash. (Bug 8940)

    Versions affected: 1.10.0, 1.8.0 to 1.8.8.

    CVE-2013-4932

    wnpa-sec-2013-51

    The Netmon file parser could crash. Discovered by G. Geshev. (Bug 8742)

    Versions affected: 1.10.0, 1.8.0 to 1.8.8.

    CVE-2013-4933

    CVE-2013-4934

    wnpa-sec-2013-52

    The ASN.1 PER dissector could crash. Discovered by Oliver-Tobias Ripka. (Bug 8722)

    Versions affected: 1.10.0, 1.8.0 to 1.8.8.

    CVE-2013-4935 


From https://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html

The following vulnerabilities have been fixed.

    wnpa-sec-2013-41

    The DCP ETSI dissector could crash. (Bug 8717)

    Versions affected: 1.10.0, 1.8.0 to 1.8.7

    CVE-2013-4083

    wnpa-sec-2013-42

    The P1 dissector could crash. Discovered by Laurent Butti. (Bug 8826)

    Versions affected: 1.10.0

    CVE-2013-4920

    wnpa-sec-2013-43

    The Radiotap dissector could crash. Discovered by Laurent Butti. (Bug 8830)

    Versions affected: 1.10.0

    CVE-2013-4921

    wnpa-sec-2013-44

    The DCOM ISystemActivator dissector could crash. Discovered by Laurent Butti. (Bug 8828)

    Versions affected: 1.10.0

    CVE-2013-4922 CVE-2013-4923 CVE-2013-4924 CVE-2013-4925 CVE-2013-4926

    wnpa-sec-2013-45

    The Bluetooth SDP dissector could go into a large loop. Discovered by Laurent Butti. (Bug 8831)

    Versions affected: 1.10.0, 1.8.0 to 1.8.8

    CVE-2013-4927

    wnpa-sec-2013-46

    The Bluetooth OBEX dissector could go into an infinite loop. (Bug 8875)

    Versions affected: 1.10.0

    CVE-2013-4928

    wnpa-sec-2013-47

    The DIS dissector could go into a large loop. (Bug 8911)

    Versions affected: 1.10.0, 1.8.0 to 1.8.8

    CVE-2013-4929

    wnpa-sec-2013-48

    The DVB-CI dissector could crash. Discovered by Laurent Butti. (Bug 8916)

    Versions affected: 1.10.0, 1.8.0 to 1.8.8

    CVE-2013-4930

    wnpa-sec-2013-49

    The GSM RR dissector (and possibly others) could go into a large loop. (Bug 8923)

    Versions affected: 1.10.0, 1.8.0 to 1.8.8

    CVE-2013-4931

    wnpa-sec-2013-50

    The GSM A Common dissector could crash. (Bug 8940)

    Versions affected: 1.10.0, 1.8.0 to 1.8.8

    CVE-2013-4932

    wnpa-sec-2013-51

    The Netmon file parser could crash. Discovered by G. Geshev. (Bug 8742)

    Versions affected: 1.10.0, 1.8.0 to 1.8.8

    CVE-2013-4933 CVE-2013-4934

    wnpa-sec-2013-52

    The ASN.1 PER dissector could crash. Discovered by Oliver-Tobias Ripka. (Bug 8722)

    Versions affected: 1.10.0, 1.8.0 to 1.8.8

    CVE-2013-4935

    wnpa-sec-2013-53

    The PROFINET Real-Time dissector could crash. (Bug 8904)

    Versions affected: 1.10.0

    CVE-2013-4936

Reproducible: Always

Comment 1 Andreas Stieger 2013-07-26 23:55:05 UTC
Maintenance request for 1.8.8 -> 1.8.9 for openSUSE 12.2 and 12.3:
https://build.opensuse.org/request/show/184463
Comment 2 Bernhard Wiedemann 2013-07-27 00:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (831718) was mentioned in
https://build.opensuse.org/request/show/184462 Maintenance /
Comment 3 Bernhard Wiedemann 2013-07-27 01:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (831718) was mentioned in
https://build.opensuse.org/request/show/184465 Factory / wireshark
Comment 4 Bernhard Wiedemann 2013-07-29 07:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (831718) was mentioned in
https://build.opensuse.org/request/show/184572 Maintenance /
Comment 5 Swamp Workflow Management 2013-08-05 09:04:42 UTC
openSUSE-SU-2013:1295-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 831718
CVE References: CVE-2013-4927,CVE-2013-4929,CVE-2013-4930,CVE-2013-4931,CVE-2013-4932,CVE-2013-4933,CVE-2013-4934,CVE-2013-4935
Sources used:
openSUSE 12.3 (src):    wireshark-1.8.9-1.16.1
openSUSE 12.2 (src):    wireshark-1.8.9-1.35.1
Comment 6 Swamp Workflow Management 2013-08-05 12:04:19 UTC
openSUSE-SU-2013:1300-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 831718
CVE References: CVE-2013-4927,CVE-2013-4929,CVE-2013-4930,CVE-2013-4931,CVE-2013-4932,CVE-2013-4933,CVE-2013-4934,CVE-2013-4935
Sources used:
openSUSE 11.4 (src):    wireshark-1.8.9-53.1
Comment 7 Chunyan Liu 2013-08-06 07:34:51 UTC
Updated SLE-11 to 1.8.9. sr#28177
Comment 9 Bernhard Wiedemann 2013-08-23 07:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (831718) was mentioned in
https://build.opensuse.org/request/show/196054 Evergreen:11.2 / wireshark
Comment 10 Andreas Stieger 2013-08-23 12:38:33 UTC
updates released, closing
Comment 11 Bernhard Wiedemann 2013-08-26 06:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (831718) was mentioned in
https://build.opensuse.org/request/show/196334 Evergreen:11.2 / wireshark
Comment 12 Alexander Bergmann 2013-09-10 07:44:36 UTC
Reopened. Still missing SLE11 updates.
Comment 13 Swamp Workflow Management 2013-09-10 08:39:18 UTC
The SWAMPID for this issue is 54386.
This issue was rated as moderate.
Please submit fixed packages until 2013-09-24.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 14 Andreas Stieger 2013-09-10 09:28:42 UTC
(In reply to comment #12)
> Reopened. Still missing SLE11 updates.

That's odd:

(In reply to comment #7)
> Updated SLE-11 to 1.8.9. sr#28177

Assigned back to Chun.
Comment 15 Alexander Bergmann 2013-09-11 08:42:54 UTC
Okay, what I actually meant was: "SLE11 is not released yet."

This incident should be finished shortly.
Comment 16 Swamp Workflow Management 2013-09-12 08:04:22 UTC
Update released for: wireshark, wireshark-debuginfo, wireshark-debugsource, wireshark-devel
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 17 Alexander Bergmann 2013-09-12 09:15:16 UTC
wireshark 1.8.9 was released today. Closing bug.
Comment 18 Swamp Workflow Management 2013-09-13 15:54:41 UTC
Update released for: wireshark, wireshark-debuginfo, wireshark-debugsource, wireshark-devel
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 19 Swamp Workflow Management 2013-09-13 16:15:00 UTC
Update released for: wireshark, wireshark-debuginfo, wireshark-debugsource, wireshark-devel
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)