| Summary: | <net-analyzer/wireshark-2.6.7 - multiple vulnerabilities (CVE-2019-{9208,9209,9214}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Jeroen Roovers (RETIRED) <jer> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | netmon |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.wireshark.org/lists/wireshark-announce/201902/msg00002.html | ||
| Whiteboard: | B3 [noglsa cve] | ||
| Package list: |
net-analyzer/wireshark-2.6.7
|
Runtime testing required: | No |
| Bug Depends on: | |||
| Bug Blocks: | 668416, 672216, 674980 | ||
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=741dce1d4c4d9124b1188c830aead1e22aa99573 commit 741dce1d4c4d9124b1188c830aead1e22aa99573 Author: Jeroen Roovers <jer@gentoo.org> AuthorDate: 2019-02-27 21:27:20 +0000 Commit: Jeroen Roovers <jer@gentoo.org> CommitDate: 2019-02-27 21:27:57 +0000 net-analyzer/wireshark: Version 2.6.7 Bug: https://bugs.gentoo.org/679004 Package-Manager: Portage-2.3.62, Repoman-2.3.12 Signed-off-by: Jeroen Roovers <jer@gentoo.org> net-analyzer/wireshark/Manifest | 1 + net-analyzer/wireshark/wireshark-2.6.7.ebuild | 240 ++++++++++++++++++++++++++ 2 files changed, 241 insertions(+) Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself. I am going to block all the other vulnerabilities with this one, as nothing was fully stabilized for a while now. Lets use this bug to fix all the vulnerabilities. _____________________________ CVE-2019-9209 Detail Current Description In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the ASN.1 BER and related dissectors could crash. This was addressed in epan/dissectors/packet-ber.c by preventing a buffer overflow associated with excessive digits in time values. ______________________________ CVE-2019-9208 Detail Current Description In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the TCAP dissector could crash. This was addressed in epan/dissectors/asn1/tcap/tcap.cnf by avoiding NULL pointer dereferences. @arches, please stabilize. An automated check of this bug failed - repoman reported dependency errors: ia64 stable amd64 stable arm stable alpha stable ppc64 stable commit 864cd1fa36cbb7459a6bd1d2c3659b41e406391d Author: Jeroen Roovers <jer@gentoo.org> Date: Thu Mar 14 09:54:03 2019 +0100 net-analyzer/wireshark: Stable for AMD64 HPPA x86 too The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=69727570d677e87bdd408c90a30c40e3ffb5e10f commit 69727570d677e87bdd408c90a30c40e3ffb5e10f Author: Jeroen Roovers <jer@gentoo.org> AuthorDate: 2019-03-18 20:46:49 +0000 Commit: Jeroen Roovers <jer@gentoo.org> CommitDate: 2019-03-18 20:47:15 +0000 net-analyzer/wireshark: Old Package-Manager: Portage-2.3.62, Repoman-2.3.12 Bug: https://bugs.gentoo.org/show_bug.cgi?id=679004 Signed-off-by: Jeroen Roovers <jer@gentoo.org> net-analyzer/wireshark/Manifest | 2 - .../files/wireshark-2.6.0-androiddump-wsutil.patch | 26 --- .../wireshark/files/wireshark-2.6.3-docbook.patch | 56 ----- net-analyzer/wireshark/wireshark-2.6.3.ebuild | 243 --------------------- net-analyzer/wireshark/wireshark-2.6.6.ebuild | 240 -------------------- 5 files changed, 567 deletions(-) |
Bug Fixes The following vulnerabilities have been fixed: • wnpa-sec-2019-06[1] ASN.1 BER and related dissectors crash. Bug 15447[2]. CVE-2019-9209[3]. • wnpa-sec-2019-07[4] TCAP dissector crash. Bug 15464[5]. CVE-2019-9208[6]. • wnpa-sec-2019-08[7] RPCAP dissector crash. Bug 15536[8].