Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 589926 (CVE-2016-6503, CVE-2016-6504, CVE-2016-6505, CVE-2016-6506, CVE-2016-6507, CVE-2016-6508, CVE-2016-6509, CVE-2016-6510, CVE-2016-6511, CVE-2016-6512, CVE-2016-6513) - <net-analyzer/wireshark-2.0.5: multiple vulnerabilities
Summary: <net-analyzer/wireshark-2.0.5: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-6503, CVE-2016-6504, CVE-2016-6505, CVE-2016-6506, CVE-2016-6507, CVE-2016-6508, CVE-2016-6509, CVE-2016-6510, CVE-2016-6511, CVE-2016-6512, CVE-2016-6513
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
: 589886 (view as bug list)
Depends on: CVE-2016-7175, CVE-2016-7176, CVE-2016-7177, CVE-2016-7178, CVE-2016-7179, CVE-2016-7180
Blocks:
  Show dependency tree
 
Reported: 2016-07-28 15:27 UTC by Agostino Sarubbo
Modified: 2016-11-11 12:34 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-07-28 15:27:19 UTC
From ${URL} :

Wireshark 2.0.5 and 1.12.13 were announced to contain fixes of the usual
dissector crash / endless loop read from wire or capture file type:

https://www.wireshark.org/lists/wireshark-announce/201607/msg00001.html


CORBA IDL dissector crash on 64-bit Windows (wnpa-sec-2016-39)
It may be possible to make Wireshark crash by injecting a malformed
packet onto the wire or by convincing someone to read a malformed packet
trace file. Affects 2.0.0 to 2.0.4, fixed in 2.0.5
https://www.wireshark.org/security/wnpa-sec-2016-39.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12495

NDS dissector crash (wnpa-sec-2016-40)
It may be possible to make Wireshark crash by injecting a malformed
packet onto the wire or by convincing someone to read a malformed packet
trace file. Affects 1.12.0 to 1.12.12, fixed in 1.12.13.
https://www.wireshark.org/security/wnpa-sec-2016-40.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12576

PacketBB dissector could divide by zero (wnpa-sec-2016-41)
The PacketBB dissector could divide by zero. It may be possible to make
Wireshark crash by injecting a malformed packet onto the wire or by
convincing someone to read a malformed packet trace file. Affects 2.0.0
to 2.0.4, 1.12.0 to 1.12.12, fixed in 2.0.5, 1.12.13.
https://www.wireshark.org/security/wnpa-sec-2016-41.html
\https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12577

wnpa-sec-2016-42
WSP infinite loop (wnpa-sec-2016-42)
The WSP dissector could go into an infinite loop. It may be possible to
make Wireshark consume excessive CPU resources by injecting a malformed
packet onto the wire or by convincing someone to read a malformed packet
trace file. Affects 2.0.0 to 2.0.4, 1.12.0 to 1.12.12 , fixed in 2.0.5,
1.12.13
https://www.wireshark.org/security/wnpa-sec-2016-42.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12594

MMSE infinite loop (wnpa-sec-2016-43)
The MMSE dissector could go into an infinite loop. It may be possible to
make Wireshark consume excessive CPU resources by injecting a malformed
packet onto the wire or by convincing someone to read a malformed packet
trace file. Affects 1.12.0 to 1.12.12, fixed 1.12.13
https://www.wireshark.org/security/wnpa-sec-2016-43.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12624

RLC long loop (wnpa-sec-2016-44)
The RLC dissector could go into a long loop. It may be possible to make
Wireshark consume excessive CPU resources by injecting a malformed
packet onto the wire or by convincing someone to read a malformed packet
trace file. Affects  2.0.0 to 2.0.4, 1.12.0 to 1.12.12, fixed in 2.0.5,
1.12.13.
https://www.wireshark.org/security/wnpa-sec-2016-44.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12624

LDSS dissector crash (wnpa-sec-2016-45)
The LDSS dissector could crash. It may be possible to make Wireshark
crash by injecting a malformed packet onto the wire or by convincing
someone to read a malformed packet trace file. Affects 2.0.0 to 2.0.4,
1.12.0 to 1.12.12, fixed in 2.0.5, 1.12.13.
https://www.wireshark.org/security/wnpa-sec-2016-45.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12662

RLC dissector crash (wnpa-sec-2016-46)
The RLC dissector could crash. It may be possible to make Wireshark
crash by injecting a malformed packet onto the wire or by convincing
someone to read a malformed packet trace file. Affects 2.0.0 to 2.0.4,
1.12.0 to 1.12.12, fixed in 2.0.5, 1.12.13.
https://www.wireshark.org/security/wnpa-sec-2016-46.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12664

OpenFlow long loop (wnpa-sec-2016-47)
The OpenFlow dissector (and possibly others) could go into a long loop.
It may be possible to make Wireshark consume excessive CPU resources by
injecting a malformed packet onto the wire or by convincing someone to
read a malformed packet trace file. Affects 2.0.0 to 2.0.4, 1.12.0 to
1.12.12, fixed in 2.0.5, 1.12.13.
https://www.wireshark.org/security/wnpa-sec-2016-47.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12659

MMSE, WAP, WBXML, and WSP infinite loop (wnpa-sec-2016-48)
The MMSE, WAP, WBXML, and WSP dissectors could go into an infinite loop.
It may be possible to make Wireshark crash by injecting a malformed
packet onto the wire or by convincing someone to read a malformed packet
trace file. Affects 2.0.0 to 2.0.4, fixed in 2.0.5.
https://www.wireshark.org/security/wnpa-sec-2016-48.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12661

WBXML crash (wnpa-sec-2016-49)
The WBXML dissector could crash. It may be possible to make Wireshark
crash by injecting a malformed packet onto the wire or by convincing
someone to read a malformed packet trace file. Affects 2.0.0 to 2.0.4,
fixed in 2.0.5
https://www.wireshark.org/security/wnpa-sec-2016-49.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12663


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-28 18:30:20 UTC
Arch teams, please test and mark stable:
=net-analyzer/wireshark-2.0.5
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-28 18:35:52 UTC
*** Bug 589886 has been marked as a duplicate of this bug. ***
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-28 21:00:13 UTC
Stable for PPC64.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-29 06:20:26 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2016-08-07 10:45:53 UTC
amd64 stable
Comment 6 Markus Meier gentoo-dev 2016-08-10 19:40:42 UTC
arm stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2016-09-02 19:21:46 UTC
Stable on alpha.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-09 08:37:31 UTC
Continued in bug #593258.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-11-11 12:34:19 UTC
GLSA Vote: No