Debians sikkerhedsbulletin

DSA-324-1 ethereal -- flere sårbarheder

Rapporteret den:

18. jun 2003

Berørte pakker:

Sårbar:

Referencer i sikkerhedsdatabaser:

I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 7878, BugTraq-id 7880, BugTraq-id 7881, BugTraq-id 7883.
I Mitres CVE-ordbog: CVE-2003-0428, CVE-2003-0429, CVE-2003-0431, CVE-2003-0432.

Yderligere oplysninger:

Flere af pakkedissekatorerne i ethereal indeholder strenghåndteringsfejl, der kunne udnyttes ved hjælp af ondsindet fremstillede pakker med det formål, at få ethereal til at anvende store mængder hukommelse, gå ned eller udføre vilkårlig kode.

Disse sårbarhed blev annonceret i følgende sikkerhedsbulletin vedrørende Ethereal:

http://www.ethereal.com/appnotes/enpa-sa-00010.html

Ethereal 0.9.4 i Debian 3.0 (woody) er påvirket af de fleste problemer beskrevet i bulletinen, blandt andre:

DCERPC-dissekatoren prøvede at allokere for meget hukommelse, når den prøvede at dekode en NDR-streng.
Dårlige IPv4- eller IPv6-præfikslængder kunne medføre et overløb i OSI-dissekatoren.
Rutinen tvb_get_nstringz0() håndterede på forkert vis en bufferstørrelse på nul.
Dissekatorerne af BGP, WTP, DNS, 802.11, ISAKMP, WSP, CLNP og ISIS håndterede strenge på forkert vis.

Følgende problemer påvirker ikke denne version:

Dissekatoren SPNEGO kunne gå ned med en "segfault" ved tolkning af en ugyldig ASN.1-værdi.
RMI-dissekatoren håndterede strenge på forkert vis.

- da disse moduler ikke findes.

I den stabile distribution (woody) er disse problemer rettet i version 0.9.4-1woody5.

I den gamle stabile distribution (potato) vil disse problem blive rettet i forbindelse med et bulletin der udsendes senere.

I den ustabile distribution (sid) er disse problemer rettet i version 0.9.13-1.

Vi anbefaler at du opdaterer din ethereal-pakke.

Rettet i:

Debian GNU/Linux 3.0 (woody)

Kildekode:: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5.dsc; http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5.diff.gz; http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_alpha.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_alpha.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_alpha.deb; http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_arm.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_arm.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_arm.deb; http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_i386.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_i386.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_i386.deb; http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_ia64.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_ia64.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_ia64.deb; http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_hppa.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_hppa.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_hppa.deb; http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_m68k.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_m68k.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_m68k.deb; http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_mips.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_mips.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_mips.deb; http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_mipsel.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_mipsel.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_mipsel.deb; http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_powerpc.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_powerpc.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_powerpc.deb; http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_s390.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_s390.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_s390.deb; http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody5_sparc.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody5_sparc.deb; http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody5_sparc.deb; http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody5_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.