Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

MDKSA-2005:193-2 - Updated ethereal packages fix multiple vulnerabilities
From: Mandriva Security Team <security () mandriva com>
Date: Mon, 31 Oct 2005 21:08:18 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                       MDKSA-2005:193-2
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : ethereal
 Date    : October 31, 2005
 Affected: 10.2, 2006.0
 _______________________________________________________________________
 
 Problem Description:
 
 Ethereal 0.10.13 is now available fixing a number of security
 vulnerabilities in various dissectors:
 
 - the ISAKMP dissector could exhaust system memory
 - the FC-FCS dissector could exhaust system memory
 - the RSVP dissector could exhaust system memory
 - the ISIS LSP dissector could exhaust system memory
 - the IrDA dissector could crash
 - the SLIMP3 dissector could overflow a buffer
 - the BER dissector was susceptible to an infinite loop
 - the SCSI dissector could dereference a null pointer and crash
 - the sFlow dissector could dereference a null pointer and crash
 - the RTnet dissector could dereference a null pointer and crash
 - the SigComp UDVM could go into an infinite loop or crash
 - the X11 dissector could attempt to divide by zero
 - if SMB transaction payload reassembly is enabled the SMB dissector
   could crash (by default this is disabled)
 - if the "Dissect unknown RPC program numbers" option was enabled, the
   ONC RPC dissector might be able to exhaust system memory (by default
   this is disabled)
 - the AgentX dissector could overflow a buffer
 - the WSP dissector could free an invalid pointer
 - iDEFENSE discovered a buffer overflow in the SRVLOC dissector
 
 The new version of Ethereal is provided and corrects all of these
 issues.
 
 An infinite loop in the IRC dissector was also discovered and fixed
 after the 0.10.13 release.  The updated packages include the fix.

 Update:

 A permissions problem on the /usr/share/ethereal/dtds directory caused
 errors when ethereal started as a non-root user.  This update corrects
 the problem.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3241
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3242
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3243
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3244
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3245
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3246
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3247
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3248
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3249
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3184
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3313
 http://www.ethereal.com/appnotes/enpa-sa-00021.html
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 10.2:
 242a0761cc373bf9a5c545da94f583ac  10.2/RPMS/ethereal-0.10.13-0.4.102mdk.i586.rpm
 8a608136690c110505042ef388995ba3  10.2/RPMS/ethereal-tools-0.10.13-0.4.102mdk.i586.rpm
 946e341e5d0dc3d053cadeda9333f946  10.2/RPMS/libethereal0-0.10.13-0.4.102mdk.i586.rpm
 95d542de3760ee3fe7f18127f5be1734  10.2/RPMS/tethereal-0.10.13-0.4.102mdk.i586.rpm
 42f33af6df5039844fac8a8865727410  10.2/SRPMS/ethereal-0.10.13-0.4.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 02d741cd40bfb763014bae36d7bef2d2  x86_64/10.2/RPMS/ethereal-0.10.13-0.4.102mdk.x86_64.rpm
 530f9d1b04222b25cbba628ba1ee8acf  x86_64/10.2/RPMS/ethereal-tools-0.10.13-0.4.102mdk.x86_64.rpm
 62b2faf4e28f8bbc7c43599c222e8a59  x86_64/10.2/RPMS/lib64ethereal0-0.10.13-0.4.102mdk.x86_64.rpm
 e762c1da45444e1809ff4bf53ff7956e  x86_64/10.2/RPMS/tethereal-0.10.13-0.4.102mdk.x86_64.rpm
 42f33af6df5039844fac8a8865727410  x86_64/10.2/SRPMS/ethereal-0.10.13-0.4.102mdk.src.rpm

 Mandriva Linux 2006.0:
 8af1ff6957eeec4c57ed84456bebc8d4  2006.0/RPMS/ethereal-0.10.13-0.4.20060mdk.i586.rpm
 2bf9761f316fb2e7bfb7c39df531d5aa  2006.0/RPMS/ethereal-tools-0.10.13-0.4.20060mdk.i586.rpm
 91119b61ac8feb221a535f582d0c6999  2006.0/RPMS/libethereal0-0.10.13-0.4.20060mdk.i586.rpm
 88304b8d2de663615b8892ab542daac3  2006.0/RPMS/tethereal-0.10.13-0.4.20060mdk.i586.rpm
 84306710661cb50171dd48932fb63dd2  2006.0/SRPMS/ethereal-0.10.13-0.4.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 6bc65409819276ecb849a987b811695d  x86_64/2006.0/RPMS/ethereal-0.10.13-0.4.20060mdk.x86_64.rpm
 8957ed6a15a8b520a742e7f9a331c9a0  x86_64/2006.0/RPMS/ethereal-tools-0.10.13-0.4.20060mdk.x86_64.rpm
 5043efdbd709b847a4820b6bda56e117  x86_64/2006.0/RPMS/lib64ethereal0-0.10.13-0.4.20060mdk.x86_64.rpm
 fb339751b4d1c13314de3492a7f1d363  x86_64/2006.0/RPMS/tethereal-0.10.13-0.4.20060mdk.x86_64.rpm
 84306710661cb50171dd48932fb63dd2  x86_64/2006.0/SRPMS/ethereal-0.10.13-0.4.20060mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDZuoymqjQ0CJFipgRAsqOAJ41sPsWmCS/JKBzkv+b542BEtWYOwCdH5iE
GE4y/fRelVL1m45Z70hkWIg=
=xpyU
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • MDKSA-2005:193-2 - Updated ethereal packages fix multiple vulnerabilities Mandriva Security Team (Nov 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault