
Bug 609646 (CVE-2017-6014)

Summary: <net-analyzer/wireshark-2.2.5: Memory exhaustion via crafted STANAG 4607 capture file
Product: Gentoo Security
Reporter: ncl
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: netmon
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: All
URL: https://www.wireshark.org/lists/wireshark-announce/201703/msg00000.html
Whiteboard: B3 [glsa cve]
Package list:
=net-analyzer/wireshark-2.2.5
Runtime testing required: ---

Description ncl 2017-02-17 15:47:58 UTC
In Wireshark 2.2.4 and earlier, a crafted or malformed STANAG 4607 capture file will cause an infinite loop and memory exhaustion. If the packet size field in a packet header is null, the offset to read from will not advance, causing continuous attempts to read the same zero-length packet. This will quickly exhaust all system memory.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6014
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13416
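
An added illustration of the non-advancing offset described in the report above; it is not part of the bug report and is not Wireshark's code. The 8-byte record layout, the function names and the sample buffers are constructed for the example, and an iteration cap stands in for the unbounded loop.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed layout for illustration (not the real STANAG 4607 header):
 * 4-byte tag, then a 4-byte big-endian size covering the whole record. */
#define HDR_LEN 8u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed walk: trusts the size field. The cap stands in for the memory a
 * reader would allocate per record. Returns 1 if the cap is hit, else 0. */
int unchecked_walk_stalls(const uint8_t *buf, size_t len, unsigned cap) {
    size_t off = 0;
    for (unsigned i = 0; i < cap; i++) {
        if (off >= len || len - off < HDR_LEN)
            return 0;
        off += be32(buf + off + 4);  /* size == 0: off never moves */
    }
    return 1;
}

/* Hardened walk: returns the record count, or -1 for a malformed file. */
long count_records(const uint8_t *buf, size_t len) {
    size_t off = 0;
    long n = 0;
    while (off < len) {
        if (len - off < HDR_LEN)
            return -1;               /* truncated header */
        uint32_t size = be32(buf + off + 4);
        /* Zero or undersized never advances; oversized overruns the buffer. */
        if (size < HDR_LEN || size > len - off)
            return -1;
        off += size;
        n++;
    }
    return n;
}

/* Constructed sample inputs: two valid records, and one with size 0. */
const uint8_t SAMPLE_OK[20] = { 'R','E','C','D', 0,0,0,12, 1,2,3,4,
                                'R','E','C','D', 0,0,0,8 };
const uint8_t SAMPLE_ZERO[8] = { 'R','E','C','D', 0,0,0,0 };

int main(void) {
    return (count_records(SAMPLE_OK, sizeof SAMPLE_OK) == 2 &&
            count_records(SAMPLE_ZERO, sizeof SAMPLE_ZERO) == -1) ? 0 : 1;
}
```
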
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-04 12:12:40 UTC
Arch teams, please test and mark stable:
=net-analyzer/wireshark-2.2.5
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-05 12:35:42 UTC
Stable for HPPA PPC64.
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2017-03-06 15:51:40 UTC
Stable on alpha.
Comment 4 Markus Meier gentoo-dev 2017-03-08 05:57:15 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-03-10 09:10:23 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-03-10 11:00:50 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-03-10 12:53:44 UTC
sparc stable
Comment 8 Michael Weber (RETIRED) gentoo-dev 2017-03-10 21:20:57 UTC
ppc stable.
Comment 9 Agostino Sarubbo gentoo-dev 2017-03-11 17:18:20 UTC
ia64 stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-16 07:29:26 UTC
(In reply to Michael Weber from comment #8)
> ppc stable.

That didn't actually happen.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2017-03-24 05:23:04 UTC
Arches and Maintainer(s), thank you for your work.

New GLSA Request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-06-06 19:50:25 UTC
This issue was resolved and addressed in GLSA 201706-12 at https://security.gentoo.org/glsa/201706-12 by GLSA coordinator Kristian Fiskerstrand (K_F).