MDKSA-2005:193 - Updated ethereal packages fix multiple vulnerabilities
Posted on: 10/26/2005 06:12 AM

The Mandriva Security Team published a new security update: MDKSA-2005:193 - Updated ethereal packages fix multiple vulnerabilities for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2005:193
http://www.mandriva.com/security/
_______________________________________________________________________

Package : ethereal
Date : October 25, 2005
Affected: 10.2, 2006.0
_______________________________________________________________________

Problem Description:

Ethereal 0.10.13 is now available fixing a number of security
vulnerabilities in various dissectors:

- the ISAKMP dissector could exhaust system memory
- the FC-FCS dissector could exhaust system memory
- the RSVP dissector could exhaust system memory
- the ISIS LSP dissector could exhaust system memory
- the IrDA dissector could crash
- the SLIMP3 dissector could overflow a buffer
- the BER dissector was susceptible to an infinite loop
- the SCSI dissector could dereference a null pointer and crash
- the sFlow dissector could dereference a null pointer and crash
- the RTnet dissector could dereference a null pointer and crash
- the SigComp UDVM could go into an infinite loop or crash
- the X11 dissector could attempt to divide by zero
- if SMB transaction payload reassembly is enabled the SMB dissector
could crash (by default this is disabled)
- if the "Dissect unknown RPC program numbers" option was enabled, the
ONC RPC dissector might be able to exhaust system memory (by default
this is disabled)
- the AgentX dissector could overflow a buffer
- the WSP dissector could free an invalid pointer
- iDEFENSE discovered a buffer overflow in the SRVLOC dissector

The new version of Ethereal is provided and corrects all of these
issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?nameÊN-2005-3241
http://cve.mitre.org/cgi-bin/cvename.cgi?nameÊN-2005-3242
http://cve.mitre.org/cgi-bin/cvename.cgi?nameÊN-2005-3243
http://cve.mitre.org/cgi-bin/cvename.cgi?nameÊN-2005-3244
http://cve.mitre.org/cgi-bin/cvename.cgi?nameÊN-2005-3245
http://cve.mitre.org/cgi-bin/cvename.cgi?nameÊN-2005-3246
http://cve.mitre.org/cgi-bin/cvename.cgi?nameÊN-2005-3247
http://cve.mitre.org/cgi-bin/cvename.cgi?nameÊN-2005-3248
http://cve.mitre.org/cgi-bin/cvename.cgi?nameÊN-2005-3249
http://cve.mitre.org/cgi-bin/cvename.cgi?nameÊN-2005-3184
http://www.ethereal.com/appnotes/enpa-sa-00021.html
_______________________________________________________________________

Updated Packages:

Mandriva Linux 10.2:
a4a8fdc8455a04fa59403c109e66ed89 10.2/RPMS/ethereal-0.10.13-0.1.102mdk.i586.rpm
a54511a764592c5fddcb98a9fa8663c9 10.2/RPMS/ethereal-tools-0.10.13-0.1.102mdk.i586.rpm
6a53e0f7a132d6520f224c67b0dc5dc2 10.2/RPMS/libethereal0-0.10.13-0.1.102mdk.i586.rpm
be7bb0c3ac28f631c97f07d55bfc8c71 10.2/RPMS/tethereal-0.10.13-0.1.102mdk.i586.rpm
a0877c50091971fc9f23806ed92221da 10.2/SRPMS/ethereal-0.10.13-0.1.102mdk.src.rpm

Mandriva Linux 10.2/X86_64:
a4905e8eb45acaa645577a4bc4900cce x86_64/10.2/RPMS/ethereal-0.10.13-0.1.102mdk.x86_64.rpm
245aceadf58166897585d29a92996102 x86_64/10.2/RPMS/ethereal-tools-0.10.13-0.1.102mdk.x86_64.rpm
9672947d1adf409c73d325178fc74525 x86_64/10.2/RPMS/lib64ethereal0-0.10.13-0.1.102mdk.x86_64.rpm
58676aa8bf6385adef7ea6c0d5772fc3 x86_64/10.2/RPMS/tethereal-0.10.13-0.1.102mdk.x86_64.rpm
a0877c50091971fc9f23806ed92221da x86_64/10.2/SRPMS/ethereal-0.10.13-0.1.102mdk.src.rpm

Mandriva Linux 2006.0:
afa7f414f160baab8255f107c4b68167 2006.0/RPMS/ethereal-0.10.13-0.1.20060mdk.i586.rpm
d15d1610353763aca11df0c74b418a04 2006.0/RPMS/ethereal-tools-0.10.13-0.1.20060mdk.i586.rpm
4725840f84343c5c003eaa9f976f8831 2006.0/RPMS/libethereal0-0.10.13-0.1.20060mdk.i586.rpm
65eb0205ba9778b11ba17bcb6c28bd5e 2006.0/RPMS/tethereal-0.10.13-0.1.20060mdk.i586.rpm
7925fa1d545fecc56843dee7cc825d8f 2006.0/SRPMS/ethereal-0.10.13-0.1.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
99ad384eff6229342322d257c4c93e62 x86_64/2006.0/RPMS/ethereal-0.10.13-0.1.20060mdk.x86_64.rpm
91c8e78eb70a6106abd9f799157c3c52 x86_64/2006.0/RPMS/ethereal-tools-0.10.13-0.1.20060mdk.x86_64.rpm
75ac237556cc2bf5c8bc341f2fb50e13 x86_64/2006.0/RPMS/lib64ethereal0-0.10.13-0.1.20060mdk.x86_64.rpm
71e3810bc682239b3681fc6828fb64db x86_64/2006.0/RPMS/tethereal-0.10.13-0.1.20060mdk.x86_64.rpm
7925fa1d545fecc56843dee7cc825d8f x86_64/2006.0/SRPMS/ethereal-0.10.13-0.1.20060mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDXvD/mqjQ0CJFipgRAlJuAJkBeyFgs/RoQ61zIxgPx7Dw1KUDtQCgj9hw
5smrLJ4SixkD5uRVecbKZPQ=
=THcB
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/_mdksa_2005193__updated_ethereal_packages_fix_multiple_vulnerabilities.html)