[gentoo-announce] [ GLSA 200406-01 ] Ethereal: Multiple security problems - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200406-01 ] Ethereal: Multiple security problems
Date:	Fri, 04 Jun 2004 19:31:48
Message-Id:	`40C0CDF3.4080003@gentoo.org`

1

-----BEGIN PGP SIGNED MESSAGE-----

2

Hash: SHA1

3

4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

5

Gentoo Linux Security Advisory                           GLSA 200406-01

6

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7

                                            http://security.gentoo.org/

8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

9

10

  Severity: High

11

     Title: Ethereal: Multiple security problems

12

      Date: June 04, 2004

13

      Bugs: #51022

14

        ID: 200406-01

15

16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

17

18

Synopsis

19

========

20

21

Multiple vulnerabilities including one buffer overflow exist in

22

Ethereal, which may allow an attacker to run arbitrary code or crash

23

the program.

24

25

Background

26

==========

27

28

Ethereal is a feature rich network protocol analyzer.

29

30

Affected packages

31

=================

32

33

    -------------------------------------------------------------------

34

     Package                /   Vulnerable   /              Unaffected

35

    -------------------------------------------------------------------

36

  1  net-analyzer/ethereal       <= 0.10.3                   >= 0.10.4

37

38

Description

39

===========

40

41

There are multiple vulnerabilities in versions of Ethereal earlier than

42

0.10.4, including:

43

44

* A buffer overflow in the MMSE dissector.

45

46

* Under specific conditions a SIP packet could make Ethereal crash.

47

48

* The AIM dissector could throw an assertion, causing Ethereal to

49

  crash.

50

51

* The SPNEGO dissector could dereference a null pointer, causing a

52

  crash.

53

54

Impact

55

======

56

57

An attacker could use these vulnerabilities to crash Ethereal or even

58

execute arbitrary code with the permissions of the user running

59

Ethereal, which could be the root user.

60

61

Workaround

62

==========

63

64

For a temporary workaround you can disable all affected protocol

65

dissectors by selecting Analyze->Enabled Protocols... and deselecting

66

them from the list. However, it is strongly recommended to upgrade to

67

the latest stable release.

68

69

Resolution

70

==========

71

72

All Ethereal users should upgrade to the latest stable version:

73

74

    # emerge sync

75

76

    # emerge -pv ">=net-analyzer/ethereal-0.10.4"

77

    # emerge ">=net-analyzer/ethereal-0.10.4"

78

79

References

80

==========

81

82

  [ 1 ] Ethereal enpa-sa-00014

83

        http://www.ethereal.com/appnotes/enpa-sa-00014.html

84

85

Availability

86

============

87

88

This GLSA and any updates to it are available for viewing at

89

the Gentoo Security Website:

90

91

     http://security.gentoo.org/glsa/glsa-200406-01.xml

92

93

Concerns?

94

=========

95

96

Security is a primary focus of Gentoo Linux and ensuring the

97

confidentiality and security of our users machines is of utmost

98

importance to us. Any security concerns should be addressed to

99

security@g.o or alternatively, you may file a bug at

100

http://bugs.gentoo.org.

101

102

License

103

=======

104

105

Copyright 2004 Gentoo Technologies, Inc; referenced text

106

belongs to its owner(s).

107

108

The contents of this document are licensed under the

109

Creative Commons - Attribution / Share Alike license.

110

111

http://creativecommons.org/licenses/by-sa/1.0

112

113

-----BEGIN PGP SIGNATURE-----

114

Version: GnuPG v1.2.4 (GNU/Linux)

115

Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

116

117

iD8DBQFAwM3zvcL1obalX08RAhWVAJ9e+BRSYi4AZA3Us7+0ib59Qyrk4gCcCdtJ

118

LqivdVf6W1IyR49JPaAOoMc=

119

=P4XV

120

-----END PGP SIGNATURE-----

1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA1
3
4	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5	Gentoo Linux Security Advisory GLSA 200406-01
6	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7	http://security.gentoo.org/
8	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10	Severity: High
11	Title: Ethereal: Multiple security problems
12	Date: June 04, 2004
13	Bugs: #51022
14	ID: 200406-01
15
16	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18	Synopsis
19	========
20
21	Multiple vulnerabilities including one buffer overflow exist in
22	Ethereal, which may allow an attacker to run arbitrary code or crash
23	the program.
24
25	Background
26	==========
27
28	Ethereal is a feature rich network protocol analyzer.
29
30	Affected packages
31	=================
32
33	-------------------------------------------------------------------
34	Package / Vulnerable / Unaffected
35	-------------------------------------------------------------------
36	1 net-analyzer/ethereal <= 0.10.3 >= 0.10.4
37
38	Description
39	===========
40
41	There are multiple vulnerabilities in versions of Ethereal earlier than
42	0.10.4, including:
43
44	* A buffer overflow in the MMSE dissector.
45
46	* Under specific conditions a SIP packet could make Ethereal crash.
47
48	* The AIM dissector could throw an assertion, causing Ethereal to
49	crash.
50
51	* The SPNEGO dissector could dereference a null pointer, causing a
52	crash.
53
54	Impact
55	======
56
57	An attacker could use these vulnerabilities to crash Ethereal or even
58	execute arbitrary code with the permissions of the user running
59	Ethereal, which could be the root user.
60
61	Workaround
62	==========
63
64	For a temporary workaround you can disable all affected protocol
65	dissectors by selecting Analyze->Enabled Protocols... and deselecting
66	them from the list. However, it is strongly recommended to upgrade to
67	the latest stable release.
68
69	Resolution
70	==========
71
72	All Ethereal users should upgrade to the latest stable version:
73
74	# emerge sync
75
76	# emerge -pv ">=net-analyzer/ethereal-0.10.4"
77	# emerge ">=net-analyzer/ethereal-0.10.4"
78
79	References
80	==========
81
82	[ 1 ] Ethereal enpa-sa-00014
83	http://www.ethereal.com/appnotes/enpa-sa-00014.html
84
85	Availability
86	============
87
88	This GLSA and any updates to it are available for viewing at
89	the Gentoo Security Website:
90
91	http://security.gentoo.org/glsa/glsa-200406-01.xml
92
93	Concerns?
94	=========
95
96	Security is a primary focus of Gentoo Linux and ensuring the
97	confidentiality and security of our users machines is of utmost
98	importance to us. Any security concerns should be addressed to
99	security@g.o or alternatively, you may file a bug at
100	http://bugs.gentoo.org.
101
102	License
103	=======
104
105	Copyright 2004 Gentoo Technologies, Inc; referenced text
106	belongs to its owner(s).
107
108	The contents of this document are licensed under the
109	Creative Commons - Attribution / Share Alike license.
110
111	http://creativecommons.org/licenses/by-sa/1.0
112
113	-----BEGIN PGP SIGNATURE-----
114	Version: GnuPG v1.2.4 (GNU/Linux)
115	Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
116
117	iD8DBQFAwM3zvcL1obalX08RAhWVAJ9e+BRSYi4AZA3Us7+0ib59Qyrk4gCcCdtJ
118	LqivdVf6W1IyR49JPaAOoMc=
119	=P4XV
120	-----END PGP SIGNATURE-----

Gentoo Archives: gentoo-announce