Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 645098 (CVE-2018-5334, CVE-2018-5335, CVE-2018-5336) - <net-analyzer/wireshark-2.4.4 - multiple vulnerabilities (CVE-2018-{5334,5335,5336})
Summary: <net-analyzer/wireshark-2.4.4 - multiple vulnerabilities (CVE-2018-{5334,5335...
Status: RESOLVED FIXED
Alias: CVE-2018-5334, CVE-2018-5335, CVE-2018-5336
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.wireshark.org/lists/wires...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-20 10:45 UTC by Jeroen Roovers (RETIRED)
Modified: 2018-06-11 15:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2018-01-20 10:45:20 UTC 
The following vulnerabilities have been fixed:
     * [1]wnpa-sec-2018-01
       Multiple dissectors could crash. ([2]Bug 14253) [3]CVE-2018-5336
     * [4]wnpa-sec-2018-03
       The IxVeriWave file parser could crash. ([5]Bug 14297)
       [6]CVE-2018-5334
     * [7]wnpa-sec-2018-04
       The WCP dissector could crash. ([8]Bug 14251) [9]CVE-2018-5335
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2018-01-25 16:03:08 UTC 
CVE-2018-5336 (https://nvd.nist.gov/vuln/detail/CVE-2018-5336):
  In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the JSON, XML, NTP, XMPP,
  and GDB dissectors could crash. This was addressed in epan/tvbparse.c by
  limiting the recursion depth.

CVE-2018-5335 (https://nvd.nist.gov/vuln/detail/CVE-2018-5335):
  In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the WCP dissector could
  crash. This was addressed in epan/dissectors/packet-wcp.c by validating the
  available buffer length.

CVE-2018-5334 (https://nvd.nist.gov/vuln/detail/CVE-2018-5334):
  In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the IxVeriWave file parser
  could crash. This was addressed in wiretap/vwr.c by correcting the signature
  timestamp bounds checks.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-25 16:04:32 UTC 
@ Maintainer(s): Can we already stabilize =net-analyzer/wireshark-2.4.4?
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-03-25 18:54:37 UTC 
2.4.4 contains the fix, but targeting 2.4.5.

@arches, please stabilize.
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-25 21:58:50 UTC 
ia64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-28 20:08:45 UTC 
ppc stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-30 17:28:42 UTC 
ppc64 stable
Comment 7 Markus Meier gentoo-dev 2018-04-08 10:50:20 UTC 
arm stable, all arches done.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2018-06-11 15:01:56 UTC 
no vulnerable ebuilds left.

GLSA Vote: No