
Bug 672216 (CVE-2018-19622, CVE-2018-19623, CVE-2018-19624, CVE-2018-19625, CVE-2018-19626, CVE-2018-19627, CVE-2018-19628)

Summary: <net-analyzer/wireshark-2.6.5: multiple vulnerabilities
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: netmon
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.wireshark.org/docs/relnotes/wireshark-2.6.5.html
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 679004    
Bug Blocks:    

Description Jeroen Roovers (RETIRED) gentoo-dev 2018-11-29 05:52:29 UTC
Bug Fixes
The following vulnerabilities have been fixed:

wnpa-sec-2018-51 The Wireshark dissection engine could crash. Bug 14466. CVE-2018-19625.

wnpa-sec-2018-52 The DCOM dissector could crash. Bug 15130. CVE-2018-19626.

wnpa-sec-2018-53 The LBMPDM dissector could crash. Bug 15132. CVE-2018-19623.

wnpa-sec-2018-54 The MMSE dissector could go into an infinite loop. Bug 15250. CVE-2018-19622.

wnpa-sec-2018-55 The IxVeriWave file parser could crash. Bug 15279. CVE-2018-19627.

wnpa-sec-2018-56 The PVFS dissector could crash. Bug 15280. CVE-2018-19624.

wnpa-sec-2018-57 The ZigBee ZCL dissector could crash. Bug 15281. CVE-2018-19628.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2018-11-29 22:31:16 UTC
Pls stop changing the obvious vectors and doing your users a disservice. We know which versions are vulnerable because I told everyone in the Summary. Now you make me tell users again.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2018-11-29 22:33:02 UTC
So basically, if rewriting history is your thing, security team, then you're on the wrong path.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-11-30 02:28:25 UTC
(In reply to Jeroen Roovers from comment #2)
> So basically, if rewriting history is your thing, security team, then you're
> on the wrong path.

The ebuild was not in the tree at the time I changed the summary. This is the policy of the security team to not have a version without the ebuild in the tree. 

So, next time change the bug after the ebuild has been pushed.