Re: Security issue resolution in 1.0.x series

[Jaap Keuter <jaap.keuter () xs4all nl>]

Hi Matty,

The 1.0 branch is considered 'retired'. Only because it's the last branch to 
support GTK1 it has not been 'abandoned'. That means that we'll do what's needed 
to keep it working, but nothing more.

If repairs are made in trunk, which are applicable for the stable (now 1.2) 
branch, we'll backport these (see 
http://wiki.wireshark.org/Development/RoadMap). If the repairs are addressing 
build errors, crashes or other severe issues also present in the 1.0 branch, 
these are backported to the 1.0 branch too.

There is no specific effort being made to address all errors in the 1.0 branch, 
simply due to lack of resources (people developing for GTK1, spare time to do it 
in, unsolved GLIB/GTK1 problems, etc).

Thanks,
Jaap

Matty Ronald wrote:
> Hi All,
> I'm currently using Wireshark-1.0.9.  I just read the
> http://www.wireshark.org/security/wnpa-sec-2009-04.html
> My query is that will we see bugs and issues addresed in
> wnpa-sec-2009-04 be corrected in any future release of 1.0.x series?
>
> Please let me know if there are any plans in future to fix following
> vulnerabilities in 1.0.x series as i'm not keen on using gtk+2 support
> which is mandatory in 1.2.x version.
>
> The AFS dissector could crash. (Bug 3564) Versions affected: 0.9.2 to 1.2.0
> The Infiniband dissector could crash on some platforms. Versions
> affected: 1.0.6 to 1.2.0
> The RADIUS dissector could crash. (Bug 3578)
> Versions affected: 0.10.13 to 1.0.9, 1.2.0
>
> My question is that will we see bugs and issues seen in 1.0.9 and
> 1.2.x series be fixed in any future release of 1.0.x series?
>
> I also see that 1.0.11 is being planned to be released.So will it
> contain the fix for all the current open bugs/security issues ?
>
> Is it possible to fix this issues in 1.0.x series itself?
>
> I just read that Some vulnerabilities have been reported in Wireshark,
> which can be exploited by malicious people to cause a DoS (Denial of
> Service) or potentially compromise a user's system.
>
> 1) A boundary error in the Daintree SNA file parser can be exploited
> to cause a buffer overflow via a specially crafted capture file.
>
> Successful exploitation may allow execution of arbitrary code.
>
> 2) An error in the IPMI dissector on Windows can be exploited to cause a crash.
>
> The vulnerabilities are reported in versions 1.2.0 through 1.2.4.
>
> 3) An error in the SMB and SMB2 dissectors can be exploited to cause a crash.
>
> The vulnerability is reported in versions 0.9.0 through 1.2.4.
>
> So will all these issues/bugs be addressed in V1.0.11 ?
>
> Or does V1.0.10 address these issues?
>
> Thanks in advance. Any response to above mail will be highly appreciated.
>
> Regards,
> Matty

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe