
Bug 557522

Summary: <net-analyzer/wireshark-1.12.7: Multiple vulnerabilities (CVE-2015-{6241,6249})
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: netmon
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.wireshark.org/lists/wireshark-announce/201508/msg00000.html
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2015-08-14 04:29:43 UTC
What's New

  Bug Fixes

   The following vulnerabilities have been fixed.
     * wnpa-sec-2015-21
       Protocol tree crash. (Bug 11309)
     * wnpa-sec-2015-22
       Memory manager crash. (Bug 11373)
     * wnpa-sec-2015-23
       Dissector table crash. (Bug 11381)
     * wnpa-sec-2015-24
       ZigBee crash. (Bug 11389)
     * wnpa-sec-2015-25
       GSM RLC/MAC infinite loop. (Bug 11358)
     * wnpa-sec-2015-26
       WaveAgent crash. (Bug 11358)
     * wnpa-sec-2015-27
       OpenFlow infinite loop. (Bug 11358)
     * wnpa-sec-2015-28
       Ptvcursor crash. (Bug 11358)
     * wnpa-sec-2015-29
       WCCP crash. (Bug 11358)
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-14 11:32:16 UTC
Arch teams, please test and mark stable:
=net-analyzer/wireshark-1.12.7
Targeted stable KEYWORDS : alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-14 22:20:30 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-15 09:31:21 UTC
Stable for PPC64.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-08-15 12:40:00 UTC
Added to an existing GLSA Request. We will be ready to release once stabilized.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-16 12:13:56 UTC
Stable for HPPA.
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2015-08-16 14:38:33 UTC
Stable on alpha.
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-16 17:49:06 UTC
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-08-26 07:30:38 UTC
ppc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2015-09-06 07:47:18 UTC
Two to go.
Comment 10 Agostino Sarubbo gentoo-dev 2015-09-06 08:34:23 UTC
sparc stable
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-09-13 13:36:07 UTC
CVEs added.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-09-13 13:36:44 UTC
CVE-2015-6249 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6249):
  The dissect_wccp2r1_address_table_info function in
  epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.12.x
  before 1.12.7 does not prevent the conflicting use of a table for both IPv4
  and IPv6 addresses, which allows remote attackers to cause a denial of
  service (application crash) via a crafted packet.

CVE-2015-6241 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6241):
  The proto_tree_add_bytes_item function in epan/proto.c in the protocol-tree
  implementation in Wireshark 1.12.x before 1.12.7 does not properly terminate
  a data structure after a failure to locate a number within a string, which
  allows remote attackers to cause a denial of service (application crash) via
  a crafted packet.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-09-26 04:14:23 UTC
Ping on x86 stabilization, GLSA ready to be released as soon as stabilization complete.
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-09-27 15:49:45 UTC
x86 stable
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-10-31 15:11:13 UTC
This issue was resolved and addressed in GLSA 201510-03 at https://security.gentoo.org/glsa/201510-03 by GLSA coordinator Kristian Fiskerstrand (K_F).
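A check an administrator could run against this bug's affected-version atom before the GLSA lands, as an added example that is not Gentoo's, Portage's or Wireshark's code. It implements the Package Manager Specification version ordering (numeric components, optional letter, `_alpha`/`_beta`/`_pre`/`_rc`/`_p` suffixes, `-rN` revision), takes the `<net-analyzer/wireshark-1.12.7` atom from the bug summary, and reports which installed packages still fall inside it. The installed-package list, the brace-set reading of `CVE-2015-{6241,6249}` (matching the two CVEs the bot added in comment 12) and all function names are assumptions for illustration; on a real system the list would come from `qlist -Iv`, and Portage's own `portage.versions.vercmp` is the authoritative comparator.

```python
"""Check installed Gentoo packages against a security-bug version atom.

Added example, not Gentoo's or Wireshark's code. Version ordering follows
the Package Manager Specification; the installed list is constructed.
"""
import re

# PMS suffix order: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)
_ATOM_RE = re.compile(r"^(?P<op><=|>=|<|>|=)(?P<cpv>[^:\s]+)")


def parse_version(version):
    """Split a Gentoo version string into comparable parts."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a Gentoo version: {version!r}")
    suffixes = [(_SUFFIX_RANK[name], int(num or 0))
                for name, num in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)",
                                            m.group("suffixes"))]
    return (m.group("nums").split("."), m.group("letter") or "",
            suffixes, int(m.group("rev") or 0))


def _cmp(a, b):
    return (a > b) - (a < b)


def vercmp(a, b):
    """Return <0, 0 or >0 as version a is older than, equal to or newer than b."""
    nums_a, let_a, suf_a, rev_a = parse_version(a)
    nums_b, let_b, suf_b, rev_b = parse_version(b)
    for i in range(max(len(nums_a), len(nums_b))):
        if i >= len(nums_a):
            return -1                      # 1.12 sorts before 1.12.7
        if i >= len(nums_b):
            return 1
        x, y = nums_a[i], nums_b[i]
        # PMS: after the first component a leading zero forces string
        # comparison with trailing zeros stripped, so 1.01 < 1.1
        if i and (x.startswith("0") or y.startswith("0")):
            c = _cmp(x.rstrip("0"), y.rstrip("0"))
        else:
            c = _cmp(int(x), int(y))
        if c:
            return c
    c = _cmp(let_a, let_b)                 # no letter sorts before "a"
    if c:
        return c
    for i in range(max(len(suf_a), len(suf_b))):
        # a missing suffix ranks as "no suffix": above _rc, below _p
        c = _cmp(suf_a[i] if i < len(suf_a) else (0, 0),
                 suf_b[i] if i < len(suf_b) else (0, 0))
        if c:
            return c
    return _cmp(rev_a, rev_b)


def split_cpv(cpv):
    """'net-analyzer/wireshark-1.12.7-r1' -> ('net-analyzer/wireshark', '1.12.7-r1')."""
    category, _, pv = cpv.partition("/")
    parts = pv.split("-")
    for i in range(1, len(parts)):         # package names may contain hyphens
        version = "-".join(parts[i:])
        if _VERSION_RE.match(version):
            return f"{category}/{'-'.join(parts[:i])}", version
    raise ValueError(f"no version in {cpv!r}")


def atom_matches(atom, cpv):
    """Is the installed cpv inside an atom such as '<net-analyzer/wireshark-1.12.7'?"""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"unsupported atom: {atom!r}")
    want_pkg, want_ver = split_cpv(m.group("cpv"))
    have_pkg, have_ver = split_cpv(cpv)
    if want_pkg != have_pkg:
        return False
    c = vercmp(have_ver, want_ver)
    return {"<": c < 0, "<=": c <= 0, "=": c == 0,
            ">=": c >= 0, ">": c > 0}[m.group("op")]


def affected(installed, atom):
    """Installed cpvs that fall inside the atom's vulnerable range."""
    return [cpv for cpv in installed if atom_matches(atom, cpv)]


def expand_cves(spec):
    """'CVE-2015-{6241,6249}' -> the listed CVE ids (braces read as a set)."""
    m = re.fullmatch(r"(CVE-\d{4}-)\{([\d,]+)\}", spec)
    if not m:
        return [spec]
    return [m.group(1) + n for n in m.group(2).split(",")]


# Constructed sample of what `qlist -Iv` might print on a box of this era
INSTALLED = [
    "net-analyzer/wireshark-1.12.6",
    "net-analyzer/tcpdump-4.7.4",
    "net-analyzer/nmap-6.47",
]

if __name__ == "__main__":
    summary = "<net-analyzer/wireshark-1.12.7: Multiple vulnerabilities (CVE-2015-{6241,6249})"
    atom = summary.split(":")[0]
    print("CVEs:", ", ".join(expand_cves("CVE-2015-{6241,6249}")))
    for cpv in affected(INSTALLED, atom):
        print("vulnerable:", cpv)
```

The comparator matters more than it looks: a naive string or float comparison would rank `1.12.10` below `1.12.7` and treat `1.12.7_rc1` as newer than `1.12.7`, both of which would hide a still-vulnerable install from this check.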