Summary: | <net-analyzer/wireshark-2.4.4 - multiple vulnerabilities (CVE-2018-{5334,5335,5336}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Jeroen Roovers (RETIRED) <jer> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | netmon |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://www.wireshark.org/lists/wireshark-announce/201801/msg00000.html | | |
Whiteboard: | B3 [noglsa cve] | | |
Package list: | | Runtime testing required: | --- |

Description
Jeroen Roovers (RETIRED)
2018-01-20 10:45:20 UTC
CVE-2018-5336 (https://nvd.nist.gov/vuln/detail/CVE-2018-5336): In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the JSON, XML, NTP, XMPP, and GDB dissectors could crash. This was addressed in epan/tvbparse.c by limiting the recursion depth.

CVE-2018-5335 (https://nvd.nist.gov/vuln/detail/CVE-2018-5335): In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the WCP dissector could crash. This was addressed in epan/dissectors/packet-wcp.c by validating the available buffer length.

CVE-2018-5334 (https://nvd.nist.gov/vuln/detail/CVE-2018-5334): In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the IxVeriWave file parser could crash. This was addressed in wiretap/vwr.c by correcting the signature timestamp bounds checks.

@ Maintainer(s): Can we already stabilize =net-analyzer/wireshark-2.4.4?

2.4.4 contains the fix, but targeting 2.4.5.

@arches, please stabilize.

ia64 stable

ppc stable

ppc64 stable

arm stable, all arches done.

no vulnerable ebuilds left.

GLSA Vote: No