[Git][security-tracker-team/security-tracker][master] Did some work on wireshark to check the status of the known vulnerabilities in...

Ola Lundqvist opal at debian.org
Wed Dec 30 22:33:58 GMT 2020



Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2c4a132e by Ola Lundqvist at 2020-12-30T23:33:45+01:00
Did some work on wireshark to check the status of the known vulnerabilities in stretch. Marked all as postponed with notes on how it can be fixed.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -12613,6 +12613,7 @@ CVE-2020-28031 (eramba through c2.8.1 allows HTTP Host header injection with (fo
 CVE-2020-28030 (In Wireshark 3.2.0 to 3.2.7, the GQUIC dissector could crash. This was ...)
 	- wireshark 3.2.8-0.1 (bug #974689)
 	[buster] - wireshark <postponed> (Minor issue, can be fixed along in next DSA)
+	[stretch] - wireshark <postponed> (Minor issue, Can be fixed in next DLA by backporting patch together with earlier fix for invalid parameter)
 	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/b287e7165e8aa89cde6ae37e7c257c5d87d16b9b
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16887
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-15.html
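Review bot: the new stretch line for CVE-2020-28030 is marked <postponed> without any note on whether the 2.6 track is affected at all; the description only names 3.2.0 to 3.2.7, and the entry for CVE-2020-26421 further down in this commit shows the kind of check that is needed here. If the GQUIC dissector in the stretch version lacks the affected code path, the state should be <not-affected> (Vulnerable code not present) rather than <postponed>. Two smaller points on the same line: "earlier fix for invalid parameter" does not say which fix is meant, so whoever prepares the DLA cannot tell what to backport alongside commit b287e7165e8a; name the CVE or commit. And "Minor issue, Can be fixed" capitalises mid-note, unlike the buster line above it and the other stretch lines added in this commit.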
@@ -16624,6 +16625,7 @@ CVE-2020-26576
 CVE-2020-26575 (In Wireshark through 3.2.7, the Facebook Zero Protocol (aka FBZERO) di ...)
 	- wireshark 3.2.8-0.1 (bug #974688)
 	[buster] - wireshark <postponed> (Minor issue, can be fixed along in next DSA)
+	[stretch] - wireshark <postponed> (Minor issue, can be fixed in next DLA by backporting patch)
 	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/3ff940652962c099b73ae3233322b8697b0d10ab
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16887
 	NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/467
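Review bot: this entry and CVE-2020-28030 both cite https://gitlab.com/wireshark/wireshark/-/issues/16887, and the stretch note on CVE-2020-28030 says it must be backported "together with earlier fix for invalid parameter" without naming that fix. If that refers to commit 3ff940652962 from this entry, say so explicitly in one of the two stretch notes (e.g. "backport together with CVE-2020-28030") so the two commits are not picked up separately when the DLA is prepared.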
@@ -17002,21 +17004,34 @@ CVE-2020-26422 (Buffer overflow in QUIC dissector in Wireshark 3.4.0 to 3.4.1 al
 CVE-2020-26421 (Crash in USB HID protocol dissector and possibly other dissectors in W ...)
 	- wireshark 3.4.1-1
 	[buster] - wireshark <postponed> (Minor issue, can be fixed along in next DSA)
+	[stretch] - wireshark <postponed> (Minor issue, can be fixed in next DLA by backporting patch)
+	NOTE: 2.6 track is also vulnerable (at least the patch looks like it can apply) even if only 3.4 track is mentioned.
+	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/d5f2657825e63e4126ebd7d13a59f3c6e8a9e4e1
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16958
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-17.html
 CVE-2020-26420 (Memory leak in RTPS protocol dissector in Wireshark 3.4.0 and 3.2.0 to ...)
 	- wireshark 3.4.1-1
 	[buster] - wireshark <postponed> (Minor issue, can be fixed along in next DSA)
+	[stretch] - wireshark <postponed> (Minor issue, can be by backporting patch, part of the problem do not exist in 2.6.8)
+	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/33e63d19e5496c151bad69f65cdbc7cba2b4c211
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16994
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-18.html
 CVE-2020-26419 (Memory leak in the dissection engine in Wireshark 3.4.0 allows denial  ...)
 	- wireshark 3.4.1-1
 	[buster] - wireshark <postponed> (Minor issue, can be fixed along in next DSA)
+	[stretch] - wireshark <postponed> (Minor issue, not even clear whether the vulnerability is there)
+	NOTE: The case that is corrected does not exist in 2.6.8. Maybe the vulnerability can be caused by something else. Not checked. (ola)
+	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/a9fc769d7bb4b491efb61c699d57c9f35269d871
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17032
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-19.html
 CVE-2020-26418 (Memory leak in Kafka protocol dissector in Wireshark 3.4.0 and 3.2.0 t ...)
 	- wireshark 3.4.1-1
 	[buster] - wireshark <postponed> (Minor issue, can be fixed along in next DSA)
+	[stretch] - wireshark <postponed> (Minor issue, fixing this requires a lot of other fixes)
+	NOTE: The 2.6.8 version is lacking a lot of checks so just backporting this patch is not
+	NOTE: enough to fix the known problems with the kafka dissector. Consider ignoring or backporting
+	NOTE: a much later version.
+	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/f4374967bbf9c12746b8ec3cd54dddada9dd353e
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16739
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-16.html
 CVE-2020-26417 (Information disclosure via GraphQL in GitLab CE/EE 13.1 and later expo ...)
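Review bot: the NOTE on CVE-2020-26421 concludes that the 2.6 track is vulnerable because "the patch looks like it can apply"; a patch applying cleanly only shows that the surrounding context lines exist, not that the crash is reachable, so the note should record whether the USB HID dissector code changed by commit d5f2657825e6 is present in 2.6.8 and, if it is not, the stretch state should be <not-affected> rather than <postponed>. The same applies to CVE-2020-26419, where the NOTE states the corrected case does not exist in 2.6.8 yet the stretch line is still <postponed>; <not-affected> (Vulnerable code not present), or <postponed> only once the "Not checked" part has been done, would be consistent with the rest of the file. The stretch note on CVE-2020-26420 is missing a word: "can be by backporting patch" should read "can be fixed by backporting patch", and "part of the problem do not exist" should be "does not exist". For CVE-2020-26418, if the decision is not to fix it in stretch because the 2.6.8 dissector lacks many other checks, the tracker state for that decision is <ignored> with the reason given, rather than <postponed> with "Consider ignoring" in the NOTE.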


=====================================
data/dla-needed.txt
=====================================
@@ -180,6 +180,10 @@ wireshark
   NOTE: 20201108: buster point release followed by another backport (bunk)
   NOTE: 20201123: NMU for unstable prepared as first step (bunk)
   NOTE: 20201129: buster-pu in #975932, will backport when in buster (bunk)
+  NOTE: 20201130: As seen int he bug above the plan is to first update buster and then backport to stretch.
+  NOTE: 20201130: This will fix several CVEs but not all. To fix all an backport of 3.4.2 is needed. (ola)
+  NOTE: 20201230: https://www.wireshark.org/security/ gives good overview of what will be fixed in each upstream version, unfortunately not with the CVE reference (ola)
+  NOTE: 20201230: Note that all issues are postponed so there is no immediate need of a DLA. Should this entry be removed? (ola)
 --
 xcftools
   NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
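Review bot: the 20201230 question "Should this entry be removed?" sits directly under bunk's 20201129 note that a stretch backport will follow once the buster-pu in #975932 lands, so the entry still has an owner and planned work; either ask bunk directly or record the answer here rather than leaving an open question in the file. Also, "As seen int he bug above" should read "in the bug above", and "an backport of 3.4.2" should read "a backport of 3.4.2".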



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c4a132ebb6dd0b25e1b645643f855f9379fba16


