Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 759541 (CVE-2020-26418, CVE-2020-26419, CVE-2020-26420, CVE-2020-26421) - <net-analyzer/wireshark-3.4.1: Multiple vulnerabilities (CVE-2020-{26418,26419,26420,26421})
Summary: <net-analyzer/wireshark-3.4.1: Multiple vulnerabilities (CVE-2020-{26418,2641...
Status: RESOLVED FIXED
Alias: CVE-2020-26418, CVE-2020-26419, CVE-2020-26420, CVE-2020-26421
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: CVE-2020-26422
Blocks:
  Show dependency tree
 
Reported: 2020-12-12 03:26 UTC by Sam James
Modified: 2021-01-22 16:11 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-12-12 03:26:14 UTC
* CVE-2020-26421

Crash in USB HID protocol dissector and possibly other dissectors in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file.

URL: https://www.wireshark.org/security/wnpa-sec-2020-17.html

* CVE-2020-26419

Memory leak in the dissection engine in Wireshark 3.4.0 allows denial of service via packet injection or crafted capture file.

URL: https://www.wireshark.org/security/wnpa-sec-2020-19.html

* CVE-2020-26418

Memory leak in Kafka protocol dissector in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file.

URL: https://www.wireshark.org/security/wnpa-sec-2020-16.html
Comment 1 Larry the Git Cow gentoo-dev 2020-12-15 03:37:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dcfcf95c3cba1fc240793c5fc5ae479513587943

commit dcfcf95c3cba1fc240793c5fc5ae479513587943
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-12-15 03:37:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-12-15 03:37:05 +0000

    net-analyzer/wireshark: bump to 3.4.1
    
    Bug: https://bugs.gentoo.org/759541
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/wireshark/Manifest               |   1 +
 net-analyzer/wireshark/wireshark-3.4.1.ebuild | 259 ++++++++++++++++++++++++++
 2 files changed, 260 insertions(+)
Comment 2 Sam James archtester gentoo-dev Security 2020-12-15 03:39:06 UTC
* CVE-2020-26420

Memory leak in RTPS protocol dissector in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file.

URL: https://gitlab.com/wireshark/wireshark/-/issues/16994
Comment 3 Sam James archtester gentoo-dev Security 2020-12-16 13:44:07 UTC
amd64 done
Comment 4 Sam James archtester gentoo-dev Security 2020-12-17 10:17:58 UTC
arm64 done
Comment 5 Sam James archtester gentoo-dev Security 2020-12-18 14:22:12 UTC
arm done
Comment 6 NATTkA bot gentoo-dev 2020-12-20 03:00:53 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2020-12-23 23:00:59 UTC
Unable to check for sanity:

> no match for package: net-analyzer/wireshark-3.4.1
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2021-01-22 16:11:41 UTC
This issue was resolved and addressed in
 GLSA 202101-12 at https://security.gentoo.org/glsa/202101-12
by GLSA coordinator Aaron Bauman (b-man).