Bug 156911 - multiple ethereal security issues
Summary: multiple ethereal security issues
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: ethereal
Version: 4.0
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Radek Vokal
QA Contact:
URL: http://www.ethereal.com/news/item_200...
Whiteboard: impact=important,embargoed=20050503,s...
Depends On:
Blocks:
Reported: 2005-05-05 06:34 UTC by Radek Vokal
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-24 17:27:46 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:427 normal SHIPPED_LIVE Moderate: ethereal security update 2005-05-24 04:00:00 UTC

Description Radek Vokal 2005-05-05 06:34:10 UTC
An aggressive testing program as well as independent discovery has turned up a
multitude of security issues:

The ANSI A dissector was susceptible to format string vulnerabilities.
Discovered by Bryan Fulton. Versions affected: 0.9.15 to 0.10.10

The GSM MAP dissector could crash. Versions affected: 0.10.0 to 0.10.10

The AIM dissector could cause a crash. Versions affected: 0.9.14 to 0.10.10

The DISTCC dissector was susceptible to a buffer overflow. Discovered by Ilja
van Sprundel. Versions affected: 0.9.13 to 0.10.10

The FCELS dissector was susceptible to a buffer overflow. Discovered by Neil
Kettle. Versions affected: 0.9.9 to 0.10.10

The SIP dissector was susceptible to a buffer overflow. Discovered by Ejovi
Nuwere. Versions affected: 0.10.0 to 0.10.10

The KINK dissector was susceptible to a null pointer exception, endless looping,
and other problems. Versions affected: 0.10.10

The LMP dissector was susceptible to an endless loop. Versions affected: 0.9.4
to 0.10.10

The Telnet dissector could abort. Versions affected: 0.9.10 to 0.10.10

The TZSP dissector could cause a segmentation fault. Versions affected: 0.10.10
to 0.10.10

The WSP dissector was susceptible to a null pointer exception and assertions.
Versions affected: 0.10.0 to 0.10.10

The 802.3 Slow protocols dissector could throw an assertion. Versions affected:
0.10.10

The BER dissector could throw assertions. Versions affected: 0.10.2 to 0.10.10

The SMB Mailslot dissector was susceptible to a null pointer exception and could
throw assertions. Versions affected: 0.9.0 to 0.10.10

The H.245 dissector was susceptible to a null pointer exception. Versions
affected: 0.10.10

The Bittorrent dissector could cause a segmentation fault. Versions affected:
0.10.8 to 0.10.10

The SMB dissector could cause a segmentation fault and throw assertions.
Versions affected: 0.9.0 to 0.10.10

The Fibre Channel dissector could cause a crash. Versions affected: 0.9.9 to 0.10.10

The DICOM dissector could attempt to allocate large amounts of memory. Versions
affected: 0.10.4 to 0.10.10

The MGCP dissector was susceptible to a null pointer exception, could loop
indefinitely, and segfault. Versions affected: 0.8.14 to 0.10.10

The RSVP dissector could loop indefinitely. Versions affected: 0.9.8 to 0.10.10

The DHCP dissector was susceptible to format string vulnerabilities, and could
abort. Versions affected: 0.10.7 to 0.10.10

The SRVLOC dissector could crash unexpectedly or go into an infinite loop.
Versions affected: 0.9.8 to 0.10.10

The EIGRP dissector could loop indefinitely. Versions affected: 0.8.18 to 0.10.10

The ISIS dissector could overflow a buffer. Versions affected: 0.8.18 to 0.10.10

The CMIP, CMP, CMS, CRMF, ESS, OCSP, PKIX1Explicit, PKIX Qualified, and X.509
dissectors could overflow buffers. Versions affected: 0.10.4 to 0.10.10

The NDPS dissector could exhaust system memory or cause an assertion, or crash.
Versions affected: 0.9.12 to 0.10.10

The Q.931 dissector could try to free a null pointer and overflow a buffer.
Versions affected: 0.10.10

The IAX2 dissector could throw an assertion. Versions affected: 0.10.1 to 0.10.10

The ICEP dissector could try to free the same memory twice. Versions affected:
0.10.7 to 0.10.10

The MEGACO dissector was susceptible to an infinite loop and a buffer overflow.
Versions affected: 0.9.14 to 0.10.10

The DLSw dissector was susceptible to an infinite loop. Versions affected: 0.9.1
to 0.10.10

The RPC dissector was susceptible to a null pointer exception. Versions
affected: 0.9.2 to 0.10.10

The NCP dissector could overflow a buffer or loop for a large amount of time.
Versions affected: 0.10.5 to 0.10.10

The RADIUS dissector could throw an assertion. Versions affected: 0.10.3 to 0.10.10

The GSM dissector could access an invalid pointer. Versions affected: 0.10.10

The SMB PIPE dissector could throw an assertion. Versions affected: 0.9.0 to 0.10.10

The L2TP dissector was susceptible to an infinite loop. Versions affected:
0.10.9 to 0.10.10

The SMB NETLOGON dissector could dereference a null pointer. Versions affected:
0.9.12 to 0.10.10

The MRDISC dissector could throw an assertion. Versions affected: 0.8.19 to 0.10.10

The ISUP dissector could overflow a buffer or cause a segmentation fault.
Versions affected: 0.8.19 to 0.10.10

The LDAP dissector could crash. Versions affected: 0.10.1 to 0.10.10

The TCAP dissector could overflow a buffer or throw an assertion. Versions
affected: 0.10.8 to 0.10.10

The NTLMSSP dissector could crash. Versions affected: 0.9.7 to 0.10.10

The Presentation dissector could overflow a buffer. Versions affected: 0.10.1 to
0.10.10

Additionally, a number of dissectors could throw an assertion when passing an
invalid protocol tree item length. Versions affected: 0.10.8 to 0.10.10

Comment 1 Josh Bressers 2005-05-05 13:50:56 UTC
These issues also affect RHEL2.1 and RHEL3

Comment 2 Josh Bressers 2005-05-24 17:27:46 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-427.html


