Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 625474 (CVE-2017-9616, CVE-2017-9617, CVE-2017-9766)

Summary: <net-analyzer/wireshark-2.2.7: Multiple Vulnerabilities (CVE-2017-{9616,9617,9766})
Product: Gentoo Security Reporter: Volkan <vBugZilla>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: glsamaker, netmon
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.wireshark.org/lists/wireshark-announce/201707/msg00000.html
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1464048
https://bugs.gentoo.org/show_bug.cgi?id=635686
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 629370, 635686    
Bug Blocks:    

Description Volkan 2017-07-17 22:12:50 UTC 
CVE-2017-9617
https://bugzilla.redhat.com/show_bug.cgi?id=1464050

In Wireshark 2.2.7, deeply nested DAAP data may cause stack exhaustion
(uncontrolled recursion) in the dissect_daap_one_tag function in
epan/dissectors/packet-daap.c in the DAAP dissector.

Upstream issue:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13799

----------------------------------------------------------------------------------
CVE-2017-9616
https://bugzilla.redhat.com/show_bug.cgi?id=1464048

In Wireshark 2.2.7, overly deep mp4 chunks may cause stack exhaustion
(uncontrolled recursion) in the dissect_mp4_box function in
epan/dissectors/file-mp4.c.

Upstream issue:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13777
Comment 1 Volkan 2017-07-17 22:15:49 UTC 
CVE-2017-9766
https://bugzilla.redhat.com/show_bug.cgi?id=1464051

In Wireshark 2.2.7, PROFINET IO data with a high recursion depth allows
attackers to cause a denial of service (stack exhaustion) in the
dissect_IODWriteReq function in plugins/profinet/packet-dcerpc-pn-io.c.

Upstream issue:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13811
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-19 00:27:02 UTC 
*** Bug 634700 has been marked as a duplicate of this bug. ***
Comment 3 Michael Boyle 2018-04-22 02:11:12 UTC 
There will be no GLSA. The tree is clean.

Michael Boyle
Gentoo Security Padawan