From Secunia security advisory at $URL:

Description:
1) NULL pointer dereference errors when reading certain packet information can be exploited to cause a crash.
2) An error within the RLC dissector can be exploited to cause a buffer overflow via a specially crafted RLC packet capture file. Successful exploitation of this vulnerability may allow execution of arbitrary code.

NOTE: A weakness within the file parser, which can lead to a crash when handling capture files, has also been reported.

The vulnerabilities are reported in versions 1.4.0 through 1.4.10 and 1.6.0 through 1.6.4.

Solution: Update to version 1.4.11 or 1.6.5.
Wireshark failed to properly check record sizes for many packet capture file formats. It may be possible to make Wireshark crash by convincing someone to read a malformed packet trace file. This is corrected in upstream 1.4.11 and 1.6.5.

This issue was found with the following file formats:

5Views: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6666
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40165

i4b: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6667
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40166

netmon: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6669
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40168

Reference:
http://www.wireshark.org/security/wnpa-sec-2012-01.html
http://thread.gmane.org/gmane.comp.security.oss.general/6656/focus=6755

-----

RedHat and Debian have assigned CVE-2012-0066 to this.
More from RedHat and Debian:

CVE-2012-0067: An integer overflow flaw leading to denial of service (application crash) was found in the way wireshark parsed files in the IPTrace capture format. It may be possible to make Wireshark crash by convincing someone to read a malformed IPTrace packet capture file. This is corrected in upstream 1.4.11 and 1.6.5.

Reference:
http://www.wireshark.org/security/wnpa-sec-2012-01.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6668
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40167

-----

CVE-2012-0068: A heap-based buffer underflow issue was found in the way wireshark parsed LANalyzer packet capture files. It may be possible to make Wireshark crash or possibly execute arbitrary code (with the permissions of the user running wireshark) by convincing someone to read a malformed IPTrace packet capture file. This is corrected in upstream 1.4.11 and 1.6.5.

Reference:
http://www.wireshark.org/security/wnpa-sec-2012-01.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6670
Patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=40169
CVE-2012-0068 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0068):
The lanalyzer_read function in wiretap/lanalyzer.c in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service (application crash) via a Novell capture file containing a record that is too small.

CVE-2012-0067 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0067):
wiretap/iptrace.c in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service (application crash) via a long packet in an AIX iptrace file.

CVE-2012-0066 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0066):
Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service (application crash) via a long packet in a (1) Accellent 5Views (aka .5vw) file, (2) I4B trace file, or (3) NETMON 2 capture file.

CVE-2012-0043 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0043):
Buffer overflow in the reassemble_message function in epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a series of fragmented RLC packets.

CVE-2012-0042 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0042):
Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 does not properly perform certain string conversions, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet, related to epan/to_str.c.

CVE-2012-0041 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0041):
The dissect_packet function in epan/packet.c in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service (application crash) via a long packet in a capture file, as demonstrated by an airopeek file.
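The record-size validation that the capture-file advisories above (the "record sizes" comment and the wiretap CVEs) describe as missing, written out as a defensive record reader in C. This is an added example, not Wireshark's wiretap code: the six-byte record layout, the MAX_PACKET_LEN bound, the function names and the sample records are all constructed for illustration. It rejects the three failure classes the advisories name before any length from the file is used as a copy count: a declared length smaller than the record header (the "record that is too small" underflow case), a declared length larger than the destination buffer (the "long packet" case), and a declared length that exceeds the bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical capture-file record layout, constructed for this example
 * (not any real wiretap format): a 4-byte little-endian record length that
 * covers the whole record including this 6-byte header, a 2-byte record
 * type, then the packet payload. */
#define REC_HDR_LEN 6u
/* Assumed upper bound on one captured packet; not Wireshark's own constant. */
#define MAX_PACKET_LEN 65535u

enum rec_status { REC_OK = 0, REC_TRUNCATED, REC_TOO_SMALL, REC_TOO_LARGE };

struct record {
    uint16_t type;
    size_t payload_len;
    unsigned char payload[MAX_PACKET_LEN];
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one record from buf[0..buf_len). On REC_OK fills *out and sets
 * *consumed; every length taken from the file is validated before it is
 * used as a copy count or an offset. */
enum rec_status read_record(const unsigned char *buf, size_t buf_len,
                            struct record *out, size_t *consumed)
{
    if (buf_len < REC_HDR_LEN)
        return REC_TRUNCATED;            /* not even a full header present */

    uint32_t rec_len = le32(buf);
    uint16_t type = (uint16_t)(buf[4] | (buf[5] << 8));

    /* "Record that is too small": rec_len - REC_HDR_LEN would wrap to a
     * huge count and the copy would run far past the end of the buffer. */
    if (rec_len < REC_HDR_LEN)
        return REC_TOO_SMALL;

    size_t payload_len = rec_len - REC_HDR_LEN;

    /* "Long packet": the declared size exceeds the fixed destination
     * buffer, so memcpy would overflow it. */
    if (payload_len > MAX_PACKET_LEN)
        return REC_TOO_LARGE;

    /* The declared size must also fit in the bytes actually on disk. */
    if (payload_len > buf_len - REC_HDR_LEN)
        return REC_TRUNCATED;

    out->type = type;
    out->payload_len = payload_len;
    memcpy(out->payload, buf + REC_HDR_LEN, payload_len);
    *consumed = REC_HDR_LEN + payload_len;
    return REC_OK;
}

/* Constructed sample records (made-up bytes, not real captures). */
static const unsigned char sample_good[]  = { 0x09,0,0,0, 0x01,0, 'a','b','c' }; /* len 9 = 6 + 3 */
static const unsigned char sample_small[] = { 0x02,0,0,0, 0x01,0 };              /* len 2 < header */
static const unsigned char sample_large[] = { 0xff,0xff,0xff,0x7f, 0x01,0 };     /* len ~2 GiB */
static const unsigned char sample_trunc[] = { 0x10,0,0,0, 0x01,0, 'a' };         /* len 16, 7 present */

/* Parse one sample by index (0 = good, 1 = too small, 2 = too large,
 * 3 = truncated) and report the payload length on success. */
enum rec_status parse_sample(int which, size_t *payload_len)
{
    static struct record rec;   /* static: the payload buffer is 64 KiB */
    size_t consumed = 0;
    enum rec_status st;
    switch (which) {
    case 0:  st = read_record(sample_good,  sizeof sample_good,  &rec, &consumed); break;
    case 1:  st = read_record(sample_small, sizeof sample_small, &rec, &consumed); break;
    case 2:  st = read_record(sample_large, sizeof sample_large, &rec, &consumed); break;
    default: st = read_record(sample_trunc, sizeof sample_trunc, &rec, &consumed); break;
    }
    *payload_len = (st == REC_OK) ? rec.payload_len : 0;
    return st;
}

/* Plain-return wrappers so each result can be checked directly. */
int sample_status(int which) { size_t n; return (int)parse_sample(which, &n); }
size_t sample_payload_len(int which) { size_t n; parse_sample(which, &n); return n; }

int main(void)
{
    static const char *names[] = { "ok", "truncated", "too small", "too large" };
    for (int i = 0; i < 4; i++) {
        size_t n = 0;
        enum rec_status st = parse_sample(i, &n);
        printf("sample %d: %s (payload %zu bytes)\n", i, names[st], n);
    }
    return 0;
}
```

The order of the checks matters: the underflow test must come before the subtraction that derives the payload length, and the bound against the destination buffer must come before the bound against the remaining input, since the latter is only meaningful once the value is known not to have wrapped.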
Stabilization completed via bug 410871. GLSA request filed.
This issue was resolved and addressed in GLSA 201308-05 at http://security.gentoo.org/glsa/glsa-201308-05.xml by GLSA coordinator Sergey Popov (pinkbyte).