Bug 625474 (CVE-2017-9616, CVE-2017-9617, CVE-2017-9766) - <net-analyzer/wireshark-2.2.7: Multiple Vulnerabilities (CVE-2017-{9616,9617,9766})
Status: RESOLVED FIXED
Alias: CVE-2017-9616, CVE-2017-9617, CVE-2017-9766
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.wireshark.org/lists/wires...
Whiteboard: B3 [noglsa cve]
Keywords:
Duplicates: 634700
Depends on: CVE-2017-13765, CVE-2017-13766, CVE-2017-13767 635686
Blocks:
Reported: 2017-07-17 22:12 UTC by Volkan
Modified: 2018-04-22 02:12 UTC

See Also:
Package list:
Runtime testing required: ---

Description Volkan 2017-07-17 22:12:50 UTC
CVE-2017-9617
https://bugzilla.redhat.com/show_bug.cgi?id=1464050

In Wireshark 2.2.7, deeply nested DAAP data may cause stack exhaustion
(uncontrolled recursion) in the dissect_daap_one_tag function in
epan/dissectors/packet-daap.c in the DAAP dissector.

Upstream issue:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13799

----------------------------------------------------------------------------------
CVE-2017-9616
https://bugzilla.redhat.com/show_bug.cgi?id=1464048

In Wireshark 2.2.7, overly deep mp4 chunks may cause stack exhaustion
(uncontrolled recursion) in the dissect_mp4_box function in
epan/dissectors/file-mp4.c.

Upstream issue:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13777
Comment 1 Volkan 2017-07-17 22:15:49 UTC
CVE-2017-9766
https://bugzilla.redhat.com/show_bug.cgi?id=1464051

In Wireshark 2.2.7, PROFINET IO data with a high recursion depth allows
attackers to cause a denial of service (stack exhaustion) in the
dissect_IODWriteReq function in plugins/profinet/packet-dcerpc-pn-io.c.

Upstream issue:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13811
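
The three CVEs above share one failure mode: a dissector recurses once per nesting level of the data it parses, with no bound on depth. The C example below is added here for illustration and is not Wireshark's code or the upstream fix; it walks a constructed tag/length record format and rejects input nested deeper than a fixed limit. The record layout, the "cont" and "leaf" tags, MAX_DEPTH and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 32  /* assumed limit: deepest nesting a legitimate capture needs */
#define HDR_LEN   8   /* constructed format: 4-byte tag + 4-byte big-endian payload length */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns the number of records in buf[0..len), or -1 if truncated or nested too deep. */
long walk_records(const uint8_t *buf, size_t len, unsigned depth) {
    long count = 0;
    if (depth > MAX_DEPTH) return -1;       /* bound recursion before the stack runs out */
    while (len > 0) {
        if (len < HDR_LEN) return -1;       /* truncated header */
        uint32_t plen = be32(buf + 4);
        if (plen > len - HDR_LEN) return -1; /* payload would overrun its parent */
        count++;
        if (memcmp(buf, "cont", 4) == 0) {  /* container: payload holds more records */
            long inner = walk_records(buf + HDR_LEN, plen, depth + 1);
            if (inner < 0) return -1;       /* propagate the failure upward */
            count += inner;
        }
        buf += HDR_LEN + (size_t)plen;
        len -= HDR_LEN + (size_t)plen;
    }
    return count;
}

/* Constructed input: `levels` nested "cont" records around one empty "leaf". */
size_t build_nested(uint8_t *out, size_t cap, unsigned levels) {
    size_t total = ((size_t)levels + 1) * HDR_LEN;
    if (total > cap) return 0;              /* caller's buffer is too small */
    for (unsigned i = 0; i <= levels; i++) {
        uint8_t *p = out + (size_t)i * HDR_LEN;
        uint32_t plen = (uint32_t)(total - ((size_t)i + 1) * HDR_LEN);
        memcpy(p, i < levels ? "cont" : "leaf", 4);
        for (int b = 0; b < 4; b++) p[4 + b] = (uint8_t)(plen >> (24 - 8 * b));
    }
    return total;
}

static uint8_t demo_buf[8 * 5001];          /* room for 5000 nested containers */
int main(void) {
    printf("5000 levels -> %ld\n",
           walk_records(demo_buf, build_nested(demo_buf, sizeof demo_buf, 5000), 0));
    return 0;
}
```

Without the depth check, each nesting level costs only 8 bytes of input but one stack frame in the parser, so a small crafted capture can exhaust the stack.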
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-19 00:27:02 UTC
*** Bug 634700 has been marked as a duplicate of this bug. ***
Comment 3 Michael Boyle 2018-04-22 02:11:12 UTC
There will be no GLSA. The tree is clean.

Michael Boyle
Gentoo Security Padawan