Security Advisory Moderate: wireshark security, bug fix, and enhancement update

Advisory: RHSA-2013:0125-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-01-08
Last updated on: 2013-01-08
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2011-1958
CVE-2011-1959
CVE-2011-2175
CVE-2011-2698
CVE-2011-4102
CVE-2012-0041
CVE-2012-0042
CVE-2012-0066
CVE-2012-0067
CVE-2012-4285
CVE-2012-4289
CVE-2012-4290
CVE-2012-4291

Details

Updated wireshark packages that fix several security issues, three bugs,
and add one enhancement are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Wireshark, previously known as Ethereal, is a network protocol analyzer. It
is used to capture and browse the traffic running on a computer network.

A heap-based buffer overflow flaw was found in the way Wireshark handled
Endace ERF (Extensible Record Format) capture files. If Wireshark opened a
specially-crafted ERF capture file, it could crash or, possibly, execute
arbitrary code as the user running Wireshark. (CVE-2011-4102)

Several denial of service flaws were found in Wireshark. Wireshark could
crash or stop responding if it read a malformed packet off a network, or
opened a malicious dump file. (CVE-2011-1958, CVE-2011-1959, CVE-2011-2175,
CVE-2011-2698, CVE-2012-0041, CVE-2012-0042, CVE-2012-0066, CVE-2012-0067,
CVE-2012-4285, CVE-2012-4289, CVE-2012-4290, CVE-2012-4291)

The CVE-2011-1958, CVE-2011-1959, CVE-2011-2175, and CVE-2011-4102 issues
were discovered by Huzaifa Sidhpurwala of the Red Hat Security Response
Team.

This update also fixes the following bugs:

* When Wireshark starts with the X11 protocol being tunneled through an SSH
connection, it automatically prepares its capture filter to omit the SSH
packets. If the SSH connection was to a link-local IPv6 address including
an interface name (for example ssh -X [ipv6addr]%eth0), Wireshark parsed
this address erroneously, constructed an incorrect capture filter and
refused to capture packets. The "Invalid capture filter" message was
displayed. With this update, parsing of link-local IPv6 addresses is fixed
and Wireshark correctly prepares a capture filter to omit SSH packets over
a link-local IPv6 connection. (BZ#438473)

* Previously, Wireshark's column editing dialog malformed column names when
they were selected. With this update, the dialog is fixed and no longer
breaks column names. (BZ#493693)

* Previously, TShark, the console packet analyzer, did not properly analyze
the exit code of Dumpcap, Wireshark's packet capturing back end. As a
result, TShark returned exit code 0 when Dumpcap failed to parse its
command-line arguments. In this update, TShark correctly propagates the
Dumpcap exit code and returns a non-zero exit code when Dumpcap fails.
(BZ#580510)

* Previously, the TShark "-s" (snapshot length) option worked only for a
value greater than 68 bytes. If a lower value was specified, TShark
captured just 68 bytes of incoming packets. With this update, the "-s"
option is fixed and sizes lower than 68 bytes work as expected. (BZ#580513)
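The link-local IPv6 capture-filter failure in the first bug above, reconstructed as an added Python example (this is not Wireshark's source; the four-field SSH_CONNECTION layout and the `not (tcp port ... and ip6 host ...)` filter shape are assumptions made for illustration). Keeping the `%eth0` zone index in the filter is what produced "Invalid capture filter"; stripping it before the address reaches the filter is the fix the update applies.

```python
"""Build the capture filter that hides Wireshark's own X11-over-SSH traffic
from the SSH_CONNECTION variable ("client_ip client_port server_ip server_port").
Constructed example; the filter shape is an assumption, not Wireshark's code."""
import re
from ipaddress import ip_address


def split_host(token, strip_zone):
    """Return ("ip" | "ip6", address) for one SSH_CONNECTION host token.
    A link-local IPv6 token may carry a zone index such as fe80::1%eth0;
    the zone matters to the socket API but BPF filter syntax has no such thing."""
    addr, _, zone = token.partition("%")
    proto = "ip6" if ip_address(addr).version == 6 else "ip"
    # strip_zone=False reproduces the pre-update behaviour: the raw token leaks
    # into the filter, zone index included.
    return proto, (addr if strip_zone or not zone else token)


def build_filter(ssh_connection, strip_zone=True):
    """Filter that excludes the SSH session carrying the X11 display."""
    fields = ssh_connection.split()
    if len(fields) != 4:
        raise ValueError("SSH_CONNECTION must have exactly four fields")
    client, cport, server, sport = fields
    cproto, chost = split_host(client, strip_zone)
    sproto, shost = split_host(server, strip_zone)
    return (f"not (tcp port {cport} and {cproto} host {chost} and "
            f"tcp port {sport} and {sproto} host {shost})")


def filter_is_valid(cfilter):
    """Cheap stand-in for libpcap's compile step: every 'host X' operand must be
    a plain IP address. False is where Wireshark reports 'Invalid capture filter'."""
    for host in re.findall(r"host (\S+?)(?: |\)|$)", cfilter):
        if "%" in host:          # zone index: not valid BPF, regardless of Python version
            return False
        try:
            ip_address(host)
        except ValueError:
            return False
    return True


if __name__ == "__main__":
    conn = "fe80::1%eth0 51022 fe80::2%eth0 22"   # constructed link-local session
    for strip in (False, True):
        f = build_filter(conn, strip_zone=strip)
        print(f"strip_zone={strip}: valid={filter_is_valid(f)}  {f}")
```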

This update also adds the following enhancement:

* In this update, support for the "NetDump" protocol was added. (BZ#484999)

All users of Wireshark are advised to upgrade to these updated packages,
which contain backported patches to correct these issues and add this
enhancement. All running instances of Wireshark must be restarted for the
update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
wireshark-1.0.15-5.el5.src.rpm
File outdated by:  RHSA-2014:0341
    MD5: a3a8ccd2b4f1c384243d6d6d8438c031
SHA-256: 019e15ba95458b198d4c3a2cddf35875c179968ac1a24aa614fc9edd42db5d03
 
IA-32:
wireshark-debuginfo-1.0.15-5.el5.i386.rpm
File outdated by:  RHSA-2014:0341
    MD5: 6a4f588d4613696e868188cc40467601
SHA-256: 29d5ae6fb7c44bd942cc36e85684f46b9bfd2a3686c543b1cea3fbe9dbb883f4
wireshark-gnome-1.0.15-5.el5.i386.rpm
File outdated by:  RHSA-2014:0341
    MD5: f60ad457097e288b77671e8b2f9562c4
SHA-256: 7141b8bdea9ee19a8c01c3a43cdd9a4015161f569527579c4e380b4c3e7ac60a
 
x86_64:
wireshark-debuginfo-1.0.15-5.el5.x86_64.rpm
File outdated by:  RHSA-2014:0341
    MD5: e50cb13ac160ed9faf44b77b2bcabdb8
SHA-256: 2cf3a48eced12000c4833579ab7c15c53c3bfc979eece49421dd7db010347bc7
wireshark-gnome-1.0.15-5.el5.x86_64.rpm
File outdated by:  RHSA-2014:0341
    MD5: 9d193f03d690714e78c353eec146a6f5
SHA-256: 57b7432e8aa8aa4937ab233a2fb0e953fd219feb9bc798de7495311b4eea69d0
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
wireshark-1.0.15-5.el5.src.rpm
File outdated by:  RHSA-2014:0341
    MD5: a3a8ccd2b4f1c384243d6d6d8438c031
SHA-256: 019e15ba95458b198d4c3a2cddf35875c179968ac1a24aa614fc9edd42db5d03
 
IA-32:
wireshark-1.0.15-5.el5.i386.rpm
File outdated by:  RHSA-2014:0341
    MD5: f2b7864bc174b457d94e3b1b9dc0cdbb
SHA-256: e3241132e0edff6ae5ac0adbdf0d4819a38096c1bf726ed730ac1750c09cf183
wireshark-debuginfo-1.0.15-5.el5.i386.rpm
File outdated by:  RHSA-2014:0341
    MD5: 6a4f588d4613696e868188cc40467601
SHA-256: 29d5ae6fb7c44bd942cc36e85684f46b9bfd2a3686c543b1cea3fbe9dbb883f4
wireshark-gnome-1.0.15-5.el5.i386.rpm
File outdated by:  RHSA-2014:0341
    MD5: f60ad457097e288b77671e8b2f9562c4
SHA-256: 7141b8bdea9ee19a8c01c3a43cdd9a4015161f569527579c4e380b4c3e7ac60a
 
IA-64:
wireshark-1.0.15-5.el5.ia64.rpm
File outdated by:  RHSA-2014:0341
    MD5: 63202b274d6ef92cedd855e70e388472
SHA-256: 4a0320c2365f4f78e57345b39533e886a62c68454c59d005ee17b8ddb6540856
wireshark-debuginfo-1.0.15-5.el5.ia64.rpm
File outdated by:  RHSA-2014:0341
    MD5: fd53cd835d51b0191fe8a500d5103645
SHA-256: 0c324110f93906403ad6fc42be50abacdb01e06634f4d33a36ef0b7f5f1d15cb
wireshark-gnome-1.0.15-5.el5.ia64.rpm
File outdated by:  RHSA-2014:0341
    MD5: 0eab6ea4b0b479fa7b56f0aff4578eb6
SHA-256: abd2c320f171e26c412125c6b8d6950eb075606c4cda6c431de40f6b73efb767
 
PPC:
wireshark-1.0.15-5.el5.ppc.rpm
File outdated by:  RHSA-2014:0341
    MD5: bc61d12f6f71e7c6b6db4838c181606c
SHA-256: 594a8cba7950ef31e5ce63b136e3ed22857c99a2ac240e33f060d74d2167a039
wireshark-debuginfo-1.0.15-5.el5.ppc.rpm
File outdated by:  RHSA-2014:0341
    MD5: c840eafdec51e1ac28f82ae72ca8a568
SHA-256: e45ec44eb89ca049e94b624b2530190df71823b80be4bd2682ae6d6d5d61214d
wireshark-gnome-1.0.15-5.el5.ppc.rpm
File outdated by:  RHSA-2014:0341
    MD5: 5f14bc3d7960580a131d12a59874c810
SHA-256: d45372002e82f66d5beb4ea83c483783b5b901a80c734e9e2f6df10b727a2ce2
 
s390x:
wireshark-1.0.15-5.el5.s390x.rpm
File outdated by:  RHSA-2014:0341
    MD5: b300c61ad7fda2fba384a8d247592f61
SHA-256: edf18779c29e012e3036f17eba0d793bcd49d2e6d73b042596d8d99c884db115
wireshark-debuginfo-1.0.15-5.el5.s390x.rpm
File outdated by:  RHSA-2014:0341
    MD5: b7d4f73f3ae38868331cc795930bcd07
SHA-256: be16b421138e632fed24566df9877c0de792e5e6f169e078ece745d26d3733a0
wireshark-gnome-1.0.15-5.el5.s390x.rpm
File outdated by:  RHSA-2014:0341
    MD5: 22c96ce90d8ab0cfd7e3ab9409675fb0
SHA-256: c6054aae0156c5991be78660f74bfaa093e68d113a277c475ceef87f6cbfdc01
 
x86_64:
wireshark-1.0.15-5.el5.x86_64.rpm
File outdated by:  RHSA-2014:0341
    MD5: 39a776d8c6f30e4acc1b27a7e6c25d99
SHA-256: a0d39c52d5d34f1e172cd0303d2818042d3933183b51041d862a0f2644a7d941
wireshark-debuginfo-1.0.15-5.el5.x86_64.rpm
File outdated by:  RHSA-2014:0341
    MD5: e50cb13ac160ed9faf44b77b2bcabdb8
SHA-256: 2cf3a48eced12000c4833579ab7c15c53c3bfc979eece49421dd7db010347bc7
wireshark-gnome-1.0.15-5.el5.x86_64.rpm
File outdated by:  RHSA-2014:0341
    MD5: 9d193f03d690714e78c353eec146a6f5
SHA-256: 57b7432e8aa8aa4937ab233a2fb0e953fd219feb9bc798de7495311b4eea69d0
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
wireshark-1.0.15-5.el5.src.rpm
File outdated by:  RHSA-2014:0341
    MD5: a3a8ccd2b4f1c384243d6d6d8438c031
SHA-256: 019e15ba95458b198d4c3a2cddf35875c179968ac1a24aa614fc9edd42db5d03
 
IA-32:
wireshark-1.0.15-5.el5.i386.rpm
File outdated by:  RHSA-2014:0341
    MD5: f2b7864bc174b457d94e3b1b9dc0cdbb
SHA-256: e3241132e0edff6ae5ac0adbdf0d4819a38096c1bf726ed730ac1750c09cf183
wireshark-debuginfo-1.0.15-5.el5.i386.rpm
File outdated by:  RHSA-2014:0341
    MD5: 6a4f588d4613696e868188cc40467601
SHA-256: 29d5ae6fb7c44bd942cc36e85684f46b9bfd2a3686c543b1cea3fbe9dbb883f4
 
x86_64:
wireshark-1.0.15-5.el5.x86_64.rpm
File outdated by:  RHSA-2014:0341
    MD5: 39a776d8c6f30e4acc1b27a7e6c25d99
SHA-256: a0d39c52d5d34f1e172cd0303d2818042d3933183b51041d862a0f2644a7d941
wireshark-debuginfo-1.0.15-5.el5.x86_64.rpm
File outdated by:  RHSA-2014:0341
    MD5: e50cb13ac160ed9faf44b77b2bcabdb8
SHA-256: 2cf3a48eced12000c4833579ab7c15c53c3bfc979eece49421dd7db010347bc7
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

438473 - wireshark via ssh -X on ipv6 link-local address fails to allow capture
484999 - add netdump dissector to wireshark
580510 - tshark returns exit code 0 in case of errors
580513 - tshark snaplen parameter does not work
710039 - CVE-2011-1959 wireshark: Stack-based buffer over-read from tvbuff buffer when reading snoop capture files
710109 - CVE-2011-2175 wireshark: Heap-based buffer over-read in Visual Networks dissector
710184 - CVE-2011-1958 wireshark (64bit): NULL pointer dereference by processing of a corrupted Diameter dictionary file
723215 - CVE-2011-2698 wireshark: Infinite loop in the ANSI A Interface (IS-634/IOS) dissector
750648 - CVE-2011-4102 wireshark: buffer overflow in the ERF file reader
773726 - CVE-2012-0041 wireshark: multiple file parser vulnerabilities (wnpa-sec-2012-01)
773728 - CVE-2012-0042 wireshark: NULL pointer vulnerabilities (wnpa-sec-2012-02)
783360 - CVE-2012-0066 Wireshark: Dos via large buffer allocation request
783363 - CVE-2012-0067 Wireshark: Dos due to integer overflow in IPTrace capture format parser
848541 - CVE-2012-4285 wireshark: crash due to zero division in DCP ETSI dissector (wnpa-sec-2012-13)
848561 - CVE-2012-4289 wireshark: DoS via excessive CPU consumption in AFP dissector (wnpa-sec-2012-17)
848572 - CVE-2012-4291 wireshark: DoS via excessive system resource consumption in CIP dissector (wnpa-sec-2012-20)
848578 - CVE-2012-4290 wireshark: DoS via excessive CPU consumption in CTDB dissector (wnpa-sec-2012-23)

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/