
Bug 760800 (CVE-2020-26422)

Summary: <net-analyzer/wireshark-3.4.2: QUIC dissector crash (CVE-2020-26422)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: bman, sam, zlogene
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.wireshark.org/security/wnpa-sec-2020-20
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 759541    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-20 02:59:31 UTC
Description
The QUIC dissector could crash.

Impact
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
Comment 1 Larry the Git Cow gentoo-dev 2020-12-20 04:34:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd9e905c82b1eddf42123ed911c6c19e42d2876c

commit dd9e905c82b1eddf42123ed911c6c19e42d2876c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-12-20 04:34:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-12-20 04:34:10 +0000

    net-analyzer/wireshark: bump to 3.4.2
    
    Bug: https://bugs.gentoo.org/760800
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/wireshark/Manifest               |   1 +
 net-analyzer/wireshark/wireshark-3.4.2.ebuild | 259 ++++++++++++++++++++++++++
 2 files changed, 260 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-20 12:33:26 UTC
amd64 done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-20 14:09:47 UTC
arm done
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-20 16:31:36 UTC
x86 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-23 00:09:35 UTC
arm64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-23 22:46:48 UTC
ppc64 done

all arches done
Comment 7 Larry the Git Cow gentoo-dev 2020-12-23 22:59:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=181b6a478073f4f88bc41a164fe76516990a4bbd

commit 181b6a478073f4f88bc41a164fe76516990a4bbd
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-12-23 22:59:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-12-23 22:59:34 +0000

    net-analyzer/wireshark: security cleanup
    
    Bug: https://bugs.gentoo.org/760800
    Package-Manager: Portage-3.0.12-prefix, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/wireshark/Manifest               |   2 -
 net-analyzer/wireshark/wireshark-3.4.0.ebuild | 259 --------------------------
 net-analyzer/wireshark/wireshark-3.4.1.ebuild | 259 --------------------------
 3 files changed, 520 deletions(-)
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2021-01-22 16:11:44 UTC
This issue was resolved and addressed in GLSA 202101-12 at https://security.gentoo.org/glsa/202101-12 by GLSA coordinator Aaron Bauman (b-man).