The following vulnerabilities have been fixed.
- wnpa-sec-2015-01
The WCCP dissector could crash. (Bug 10720, Bug 10806) CVE-2015-0559,
CVE-2015-0560
- wnpa-sec-2015-02
The LPP dissector could crash. (Bug 10773) CVE-2015-0561
- wnpa-sec-2015-03
The DEC DNA Routing Protocol dissector could crash. (Bug 10724) CVE-2015-0562
- wnpa-sec-2015-04
The SMTP dissector could crash. (Bug 10823) CVE-2015-0563
- wnpa-sec-2015-05
Wireshark could crash while decypting TLS/SSL sessions. Discovered by Noam
Rathaus. CVE-2015-0564
See more at https://www.wireshark.org/docs/relnotes/wireshark-1.12.3.html
In addition to our existing GTK version.
* Only install desktop file if building a GUI version.
* The Qt build appends "-qt" to the
wireshark binary name. Undo it so the desktop file works.
* The 'wireshark' attribute still refers to the GTK version, for
backwards compatibility.
There are no references to g_memmove in the source anymore, so remove
the now unneeded (and failing!) sed fixup.
Sourceforge no longer has wireshark sources, the page tells users to
download from www.wireshark.org instead. So do that.
What this allows us to do is define a "dumpcap" setuid wrapper in NixOS
and have wireshark use that instead of the non-setuid dumpcap binary
that it normally uses.
As far as I can tell, the code that is changed to do lookup in PATH is
only used by wireshark/tshark to find dumpcap. dumpcap, the thing that's
typically setuid, is not affected by this patch. wireshark and tshark
should *not* be installed setuid, so the fact that they now do lookup in
PATH is not a security concern.
With this commit, and the following config, only "root" and users in the
"wireshark" group will have access to capturing network traffic with
wireshark/dumpcap:
environment.systemPackages = [ pkgs.wireshark ];
security.setuidOwners = [
{ program = "dumpcap";
owner = "root";
group = "wireshark";
setuid = true;
setgid = false;
permissions = "u+rx,g+x";
}
];
users.extraGroups.wireshark.gid = 500;
(This wouldn't have worked before, because then wireshark would not use
our setuid dumpcap binary.)
This makes running wireshark (or more specifically, dumpcap) as root a
bit more secure. From <wireshark-1.11.2>/doc/README.packaging:
The "--with-libcap" option is only useful when dumpcap is installed
setuid. If it is enabled dumpcap will try to drop any setuid privileges
it may have while retaining the CAP_NET_ADMIN and CAP_NET_RAW
capabilities. It is enabled by default, if the Linux capabilities
library (on which it depends) is found.