Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow

Bug #517171 reported by Dan Dart
Affects                  Status         Importance   Assigned to   Milestone
wireshark (Ubuntu)       Fix Released   Medium       Unassigned
  Hardy                  Won't Fix      Medium       Unassigned
  Karmic                 Won't Fix      Medium       Unassigned

Bug Description

Binary package hint: wireshark

I managed to crash my Wireshark instance using this:

Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow

I downloaded the file from this url:
http://www.exploit-db.com/exploits/11288

It successfully crashed my Wireshark instance, spewing these messages:

*** stack smashing detected ***: wireshark terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0x10a4ed8]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0x10a4e90]
/usr/lib/wireshark/libwireshark.so.0[0xb69bb3c4]
/usr/lib/wireshark/libwireshark.so.0[0xb63aecb4]
[0x42424242]
Aborted

Wireshark version: 1.2.2,
Running on Linux 2.6.31-17-generic, with libpcap version 1.0.0, GnuTLS 2.8.3,
Gcrypt 1.4.4.

Ubuntu 9.10 - latest

Please update package to newest 1.2.6.

Checked as a security vulnerability because a Wireshark session can be disrupted by attackers.
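The stack protector's "*** stack smashing detected ***" message above is the last line of defence once a dissector has written past a fixed-size stack buffer; the check that should have stopped it is a bound on every count and length taken from the packet before it is used. As an added illustration (not Wireshark's dissector code, and not the actual vulnerable function), the following parses a simplified, constructed record modelled on an LWRES getaddrsbyname response and rejects oversized counts, oversized address lengths and truncated input; the layout, MAX_ADDRS and MAX_ADDR_LEN are assumptions:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified record: naddrs (2 bytes, big-endian) followed by
 * naddrs entries of family (4 bytes) + length (2 bytes) + address bytes.
 * Constructed to resemble an LWRES getaddrsbyname response; the sizes
 * below are assumptions, not values from Wireshark or BIND. */
#define MAX_ADDRS    4
#define MAX_ADDR_LEN 16   /* IPv6 is the longest address accepted */

struct addr { uint32_t family; uint16_t len; uint8_t bytes[MAX_ADDR_LEN]; };

/* Returns the number of addresses parsed, or -1 if the packet is malformed.
 * Each count/length from the packet is checked against both the remaining
 * input and the fixed-size output before it drives any write. */
int parse_addrs(const uint8_t *pkt, size_t pkt_len, struct addr out[MAX_ADDRS])
{
    if (pkt_len < 2) return -1;
    unsigned naddrs = ((unsigned)pkt[0] << 8) | pkt[1];
    size_t off = 2;
    if (naddrs > MAX_ADDRS) return -1;               /* untrusted count vs. array */
    for (unsigned i = 0; i < naddrs; i++) {
        if (pkt_len - off < 6) return -1;            /* entry header must fit */
        uint32_t fam = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off + 1] << 16)
                     | ((uint32_t)pkt[off + 2] << 8) | pkt[off + 3];
        uint16_t len = (uint16_t)(((unsigned)pkt[off + 4] << 8) | pkt[off + 5]);
        off += 6;
        if (len > MAX_ADDR_LEN || pkt_len - off < len) return -1; /* length vs. buffer and input */
        out[i].family = fam;
        out[i].len = len;
        memcpy(out[i].bytes, pkt + off, len);
        off += len;
    }
    return (int)naddrs;
}

/* Constructed samples: a valid IPv4 answer, an oversized count, an oversized length. */
static const uint8_t good_pkt[]  = { 0x00,0x01, 0,0,0,1, 0x00,0x04, 192,0,2,1 };
static const uint8_t bad_count[] = { 0xff,0xff, 0,0,0,1, 0x00,0x04, 192,0,2,1 };
static const uint8_t bad_len[]   = { 0x00,0x01, 0,0,0,1, 0x00,0x40, 192,0,2,1 };

int main(void)
{
    struct addr a[MAX_ADDRS];
    printf("good: %d\n", parse_addrs(good_pkt, sizeof good_pkt, a));        /* 1 */
    printf("bad count: %d\n", parse_addrs(bad_count, sizeof bad_count, a)); /* -1 */
    printf("bad len: %d\n", parse_addrs(bad_len, sizeof bad_len, a));       /* -1 */
    return 0;
}
```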

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in wireshark (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Dan Dart (dandart) wrote :

I am still not sure about debdiffs, but I found this, suggesting arbitrary code execution:

http://www.exploit-db.com/exploits/11453

visibility: private → public
Micah Gersten (micahg) wrote :

This has been fixed since at least Lucid with 1.2.7.

Changed in wireshark (Ubuntu):
status: Confirmed → Fix Released
Changed in wireshark (Ubuntu Hardy):
importance: Undecided → Medium
Changed in wireshark (Ubuntu Karmic):
importance: Undecided → Medium
status: New → Triaged
Changed in wireshark (Ubuntu Hardy):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. karmic has reached EOL (End of Life) and is no longer supported. As a result, this bug against karmic is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in wireshark (Ubuntu Karmic):
status: Triaged → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in wireshark (Ubuntu Hardy):
status: Triaged → Won't Fix