Bug 674980 (CVE-2019-5716, CVE-2019-5717, CVE-2019-5718, CVE-2019-5719) - <net-analyzer/wireshark-2.6.6 - multiple vulnerabilities (CVE-2019-{5716,5717,5719})
Summary: <net-analyzer/wireshark-2.6.6 - multiple vulnerabilities (CVE-2019-{5716,5717...
Status: RESOLVED FIXED
Alias: CVE-2019-5716, CVE-2019-5717, CVE-2019-5718, CVE-2019-5719
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.wireshark.org/lists/wires...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2019-9208, CVE-2019-9209
Blocks:
Reported: 2019-01-09 11:46 UTC by Jeroen Roovers (RETIRED)
Modified: 2019-03-20 13:56 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Jeroen Roovers (RETIRED) gentoo-dev 2019-01-09 11:46:13 UTC
Bug Fixes

   The following vulnerabilities have been fixed:

     • wnpa-sec-2019-01[1] The 6LoWPAN dissector could crash. Bug
       15217[2]. CVE-2019-5716[3].

     • wnpa-sec-2019-02[4] The P_MUL dissector could crash. Bug
       15337[5]. CVE-2019-5717[6].

     • wnpa-sec-2019-03[7] The RTSE dissector and other dissectors could
       crash. Bug 15373[8]. CVE-2019-5718[9].

     • wnpa-sec-2019-04[10] The ISAKMP dissector could crash. Bug
       15374[11]. CVE-2019-5719[12].
Comment 1 Larry the Git Cow gentoo-dev 2019-01-09 12:14:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=38dc7a9478ce7f84b9a3553f44187b493b73d405

commit 38dc7a9478ce7f84b9a3553f44187b493b73d405
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-01-09 12:13:35 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-01-09 12:13:59 +0000

    net-analyzer/wireshark: Version 2.6.6
    
    Package-Manager: Portage-2.3.53, Repoman-2.3.12
    Bug: https://bugs.gentoo.org/674980
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/wireshark/Manifest                    |   1 +
 .../files/wireshark-2.6.6-androiddump-wsutil.patch |  18 ++
 net-analyzer/wireshark/wireshark-2.6.6.ebuild      | 240 +++++++++++++++++++++
 3 files changed, 259 insertions(+)
Comment 2 Frank Krömmelbein 2019-02-16 08:54:09 UTC
Jeroen, is version 2.6.6 ready to start stabilization?
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2019-02-16 10:28:03 UTC
It's been ready for stabilisation ever since comment #1 appeared.
Comment 4 Larry the Git Cow gentoo-dev 2019-02-23 13:04:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df0cadfdacc609f30541c06334508b8f5fcac872

commit df0cadfdacc609f30541c06334508b8f5fcac872
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-02-23 12:54:11 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-02-23 13:04:13 +0000

    net-analyzer/wireshark: Stable for AMD64 HPPA x86 too.
    
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    RepoMan-Options: --ignore-arches
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=674980
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/wireshark/wireshark-2.6.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2019-03-11 05:20:39 UTC
CVE-2019-5716 Detail
Current Description
In Wireshark 2.6.0 to 2.6.5, the 6LoWPAN dissector could crash. This was addressed in epan/dissectors/packet-6lowpan.c by avoiding use of a TVB before its creation.

______________________________

CVE-2019-5717 Detail
Current Description
In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the P_MUL dissector could crash. This was addressed in epan/dissectors/packet-p_mul.c by rejecting the invalid sequence number of zero.

______________________________


CVE-2019-5718 Detail
Current Description
In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the RTSE dissector and other ASN.1 dissectors could crash. This was addressed in epan/charsets.c by adding a get_t61_string length check.

______________________________

CVE-2019-5719 Detail
Current Description
In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the ISAKMP dissector could crash. This was addressed in epan/dissectors/packet-isakmp.c by properly handling the case of a missing decryption data block.
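As an added example (not part of this bug report, and not Gentoo or Wireshark code), the following Python checker applies the affected ranges quoted from NVD in comment 5 to a version string and also reports whether the build falls below the 2.6.6 threshold in the bug title. The per-CVE ranges and the 2.6.6 threshold are the only facts taken from the page; the input strings in the `__main__` block are constructed samples, and the function names are this example's own.

```python
"""Check a Wireshark version string against the affected ranges quoted in this bug.

Added example, not Gentoo or Wireshark code. The inclusive ranges come from the
NVD descriptions in comment 5; the 2.6.6 threshold comes from the bug title
(<net-analyzer/wireshark-2.6.6).
"""
import re

# CVE id -> list of inclusive (low, high) version ranges, as stated in comment 5.
# Note that CVE-2019-5716 lists only the 2.6 branch, while the other three also
# list 2.4.0 to 2.4.11.
AFFECTED = {
    "CVE-2019-5716": [((2, 6, 0), (2, 6, 5))],
    "CVE-2019-5717": [((2, 6, 0), (2, 6, 5)), ((2, 4, 0), (2, 4, 11))],
    "CVE-2019-5718": [((2, 6, 0), (2, 6, 5)), ((2, 4, 0), (2, 4, 11))],
    "CVE-2019-5719": [((2, 6, 0), (2, 6, 5)), ((2, 4, 0), (2, 4, 11))],
}

# Gentoo's scope for this bug: every version below 2.6.6 needs the upgrade.
GENTOO_FIXED = (2, 6, 6)


def parse_version(text):
    """Extract a (major, minor, patch) tuple from free-form text such as
    'Wireshark 2.6.5' or a Gentoo atom like 'net-analyzer/wireshark-2.6.5-r1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(version):
    """Return the sorted list of CVE ids whose NVD ranges include this version."""
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(lo <= version <= hi for lo, hi in ranges)
    )


def assess(text):
    """Combine the per-CVE view (NVD ranges) with Gentoo's threshold, which flags
    every build below 2.6.6 regardless of whether an NVD range names it."""
    v = parse_version(text)
    return {
        "version": ".".join(map(str, v)),
        "cves": affected_cves(v),
        "below_gentoo_fix": v < GENTOO_FIXED,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from a real system.
    for sample in ("Wireshark 2.6.5", "net-analyzer/wireshark-2.4.11", "Wireshark 2.6.6"):
        print(assess(sample))
```

The two views deliberately differ: a 2.4.11 build matches three of the four CVEs by the NVD ranges, and a version such as 2.5.0 matches none of them, yet both are reported as below Gentoo's fixed version because the bug treats everything older than 2.6.6 as needing the upgrade.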