Bug 848738 (CVE-2013-6337)

Summary: VUL-0: CVE-2013-6337: wireshark: security updates to 1.8.11 and 1.10.3
Product: [openSUSE] openSUSE 12.3 Reporter: Andreas Stieger <Andreas.Stieger>
Component: NetworkAssignee: Chunyan Liu <cyliu>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, Andreas.Stieger, cyliu, security-team, vpereira
Version: Final   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:sle11-sp1:54918 maint:released:sle11-sp3:54920
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 839607    
Bug Blocks: 855980    
Deadline: 2013-11-18   

Description Andreas Stieger 2013-11-01 21:24:59 UTC 
Via http://www.wireshark.org/docs/relnotes/wireshark-1.10.3.html

The following vulnerabilities have been fixed.

    wnpa-sec-2013-61

    The IEEE 802.15.4 dissector could crash. (Bug 9139)

    Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10

    CVE-2013-6336

    wnpa-sec-2013-62

    The NBAP dissector could crash. Discovered by Laurent Butti. (Bug 9168)

    Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10

    CVE-2013-6337

    wnpa-sec-2013-63

    The SIP dissector could crash. (Bug 9228)

    Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10

    CVE-2013-6338

    wnpa-sec-2013-64

    The OpenWire dissector could go into a large loop. Discovered by Murali. (Bug 9248)

    Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10

    CVE-2013-6339

    wnpa-sec-2013-65

    The TCP dissector could crash. (Bug 9263)

    Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10

    CVE-2013-6340




http://www.wireshark.org/docs/relnotes/wireshark-1.8.11.html

The following vulnerabilities have been fixed.

    wnpa-sec-2013-61

    The IEEE 802.15.4 dissector could crash. (Bug 9139)

    Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10

    CVE-2013-6336

    wnpa-sec-2013-62

    The NBAP dissector could crash. Discovered by Laurent Butti. (Bug 9168)

    Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10

    CVE-2013-6337

    wnpa-sec-2013-63

    The SIP dissector could crash. (Bug 9228)

    Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10

    CVE-2013-6338

    wnpa-sec-2013-64

    The OpenWire dissector could go into a large loop. Discovered by Murali. (Bug 9248)

    Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10

    CVE-2013-6339

    wnpa-sec-2013-65

    The TCP dissector could crash. (Bug 9263)

    Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10

    CVE-2013-6340
Comment 1 Bernhard Wiedemann 2013-11-01 23:00:20 UTC 
This is an autogenerated message for OBS integration:
This bug (848738) was mentioned in
https://build.opensuse.org/request/show/205585 Factory / wireshark
Comment 2 Andreas Stieger 2013-11-01 23:17:59 UTC 
Maintenance request for openSUSE 12.2, 12.3 and 13.1:
https://build.opensuse.org/request/show/205585
Comment 3 Andreas Stieger 2013-11-01 23:19:04 UTC 
(In reply to comment #2)
> Maintenance request for openSUSE 12.2, 12.3 and 13.1:

https://build.opensuse.org/request/show/205587
Comment 4 Andreas Stieger 2013-11-04 08:20:55 UTC 
(In reply to comment #3)
> (In reply to comment #2)
> > Maintenance request for openSUSE 12.2, 12.3 and 13.1:
> 
> https://build.opensuse.org/request/show/205587

1.10.3 was copied to 13.1. maintenance request for 12.2 and 12.3 only:
https://build.opensuse.org/request/show/205665
Comment 5 Victor Pereira 2013-11-04 13:05:59 UTC 
are we, SLE, affected as well?
Comment 6 Andreas Stieger 2013-11-04 13:21:38 UTC 
(In reply to comment #5)
> are we, SLE, affected as well?

SLE-11 yes, last update there should be 1.8.10 or so, see Bug 839607
SLE-10 1.6.16 .. 1.6.x is discontinued upstream. Upstream makes no statement about whether discontinued releases are affected. Since all of the items above show from "from 1.8.0" that may very well be the case. Maybe update to 1.8.x as openSUSE did?
SLE-9 1.0.16 ancient....
Comment 7 Swamp Workflow Management 2013-11-04 14:30:00 UTC 
The SWAMPID for this issue is 54917.
This issue was rated as moderate.
Please submit fixed packages until 2013-11-18.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 8 Chunyan Liu 2013-11-05 02:49:17 UTC 
(In reply to comment #6)
> (In reply to comment #5)
> > are we, SLE, affected as well?
> 
> SLE-11 yes, last update there should be 1.8.10 or so, see Bug 839607
I'll update SLE-11.

> SLE-10 1.6.16 .. 1.6.x is discontinued upstream. Upstream makes no statement
> about whether discontinued releases are affected. Since all of the items above
> show from "from 1.8.0" that may very well be the case. Maybe update to 1.8.x as
> openSUSE did?
As mentioned in Bug#792005:
wireshark-1.8.x requires gtk+ >= 2.12 and glib >= 2.14, but SLE-10 only has gtk+ 2.8 and glib 2.8, update to 1.8.x failed. So, for a long time, SLE-10 only updates to 1.6.x.
Comment 10 Bernhard Wiedemann 2013-11-09 23:00:38 UTC 
This is an autogenerated message for OBS integration:
This bug (848738) was mentioned in
https://build.opensuse.org/request/show/206406 Evergreen:11.2:Test / wireshark
Comment 11 Swamp Workflow Management 2013-11-14 15:04:39 UTC 
openSUSE-SU-2013:1671-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 848738
CVE References: CVE-2013-6336,CVE-2013-6337,CVE-2013-6338,CVE-2013-6339,CVE-2013-6340
Sources used:
openSUSE 12.3 (src):    wireshark-1.8.11-1.24.1
openSUSE 12.2 (src):    wireshark-1.8.11-1.43.1
Comment 12 Swamp Workflow Management 2013-11-14 19:04:24 UTC 
openSUSE-SU-2013:1675-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 848738
CVE References: CVE-2013-6336,CVE-2013-6337,CVE-2013-6338,CVE-2013-6339,CVE-2013-6340
Sources used:
openSUSE 11.4 (src):    wireshark-1.8.11-61.1
Comment 13 Bernhard Wiedemann 2013-11-15 07:00:16 UTC 
This is an autogenerated message for OBS integration:
This bug (848738) was mentioned in
https://build.opensuse.org/request/show/206968 Evergreen:11.2 / wireshark
Comment 14 Andreas Stieger 2013-11-24 19:40:39 UTC 
Updates already released for openSUSE.
SLE status unknown. cc security team to be picked up for SLE if required.
Assigning to assignee of dependent bug 839607
Comment 15 Swamp Workflow Management 2013-11-28 14:04:26 UTC 
Update released for: wireshark, wireshark-debuginfo, wireshark-debugsource, wireshark-devel
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 16 Swamp Workflow Management 2013-11-28 15:57:04 UTC 
Update released for: wireshark, wireshark-debuginfo, wireshark-debugsource, wireshark-devel
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 17 Swamp Workflow Management 2013-11-28 16:09:55 UTC 
Update released for: wireshark, wireshark-debuginfo, wireshark-debugsource, wireshark-devel
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 18 Andreas Stieger 2013-12-06 19:57:09 UTC 
I guess that's all updates?