Hi,

We had a discussion with Moritz Muehlenhoff from the Security Team and he proposed to include Wireshark bugfix releases in Debian stable updates. The current stable, Lenny, contains wireshark 1.0.3, and 1.0.8, the latest version from the 1.0.x branch, was already packaged and uploaded to unstable.

What do you think about Moritz's proposal? Joost Yervante Damad, who is the uploader for wireshark, supported the approach, and I support it, too. (I packaged the last few wireshark versions, because the official maintainer, Frederic Peters, did not have enough time. I'm a Wireshark developer, too.)

Best Regards,
Balint

---------- Forwarded message ----------
From: Moritz Muehlenhoff <[email protected]>
Date: 2009/7/6
Subject: Re: wireshark security bug #533347
To: Bálint Réczey <[email protected]>
Cc: [email protected], Joost Yervante Damad <[email protected]>, [email protected]

On Wed, Jul 01, 2009 at 03:36:44PM -0700, Bálint Réczey wrote:
> Hi,
>
> Wireshark 1.0.8 fixes CVE-2009-1829 and contains other changes fixing
> crashes and one fix for a memory leak.
>
> I collected the security related changes in a patch in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=533347
>
> I also created a package containing the patch:
> http://rbalint.cs.bme.hu/ws-pkg/
>
> Since I'm not an official Debian developer, Joost Yervante Damad
> offered to upload the patched version if I get approval from the
> Security Team.

[Adding Frederic to CC]

The advisory page for 1.0.8 mentions only the PCNFSD change as security-relevant:
http://www.wireshark.org/security/wnpa-sec-2009-03.html

Your patch includes more changes, though. Where did you pick them from?

Since the PCNFSD issue by itself does not offer the possibility to inject code, but only a crash triggerable through a malformed PCAP file, I think we should postpone this update and add the patch when new issues emerge.

Traditionally we've been treating Wireshark crashes triggerable by network traffic as security issues, since someone could use tshark as a network monitoring/intrusion detection tool. OTOH, both Wireshark's security record and the mere concept (analysing network traffic in a flaky implementation language like C) make this an impractical approach.
I would like to propose to document in a file like README.Debian or README.Debian.security that Wireshark is a great tool to analyse traffic patterns, but that crashes cannot be ruled out due to the complex nature of the task. Thus, it should not be deployed in scenarios where it is used for live network monitoring, and we leave pure crash bugs unfixed. Of course all bugs which could trigger code injection will still be fixed in regular DSAs.

Additionally we could talk to the stable release managers to allow the latest Wireshark point updates for each stable point update (since the QA done by upstream is quite good). There are similar exceptions already done for some packages, e.g. PostgreSQL.

Cheers,
Moritz

