[Security] April 3 2015 - 6 New CVEs affect Wireshark
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
wireshark (Ubuntu) | Fix Released | Medium | Unassigned |
Trusty | Confirmed | Medium | Unassigned |
Utopic | Fix Released | Medium | Steve Beattie |
Bug Description
There are 6 new CVEs which impact Wireshark in Utopic. (Three of these also affect Trusty)
------
CVE-2015-2187: (Utopic)
The dissect_
CVE-2015-2188: (Trusty, Utopic)
epan/dissectors
CVE-2015-2189: (Trusty, Utopic)
Off-by-one error in the pcapng_read function in wiretap/pcapng.c in the pcapng file parser in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via an invalid Interface Statistics Block (ISB) interface ID in a crafted packet.
CVE-2015-2190: (Utopic)
epan/proto.c in Wireshark 1.12.x before 1.12.4 does not properly handle integer data types greater than 32 bits in size, which allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted packet that is improperly handled by the LLDP dissector.
CVE-2015-2191: (Trusty, Utopic)
Integer overflow in the dissect_tnef function in epan/dissectors
CVE-2015-2192: (Utopic)
Integer overflow in the dissect_
------
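As an added illustration of the parsing check behind CVE-2015-2189, here is example code written for this page (not Wireshark's wiretap/pcapng.c): a minimal little-endian pcapng block walker that counts Interface Description Blocks and rejects any Interface Statistics Block whose interface ID is not strictly less than that count, returning -1 instead of ever using the ID as an index into a per-interface table. The block type constants and layouts come from the pcapng format; `scan_pcapng`, `build_sample` and `scan_sample` are names chosen here, and the sample bytes they build are constructed for the demonstration.

```c
/* Added example, not Wireshark code: a hardened pcapng block walker that
 * validates ISB interface IDs. Little-endian sections only. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_SHB 0x0A0D0D0AU   /* Section Header Block */
#define BLOCK_IDB 0x00000001U   /* Interface Description Block */
#define BLOCK_ISB 0x00000005U   /* Interface Statistics Block */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Walk the blocks in buf. Returns the number of blocks accepted, or -1 if
 * the input is malformed or an ISB names an interface never described. */
int scan_pcapng(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    uint32_t n_interfaces = 0;   /* IDBs seen so far in this section */
    int accepted = 0, in_section = 0;

    while (off < len) {
        if (len - off < 12)      /* type + length + trailing length */
            return -1;
        uint32_t type = rd32le(buf + off);
        uint32_t total = rd32le(buf + off + 4);
        if (total < 12 || (total & 3) != 0 || total > len - off)
            return -1;
        if (rd32le(buf + off + total - 4) != total)   /* trailer must match */
            return -1;
        const uint8_t *body = buf + off + 8;
        uint32_t body_len = total - 12;

        switch (type) {
        case BLOCK_SHB:
            if (body_len < 16) return -1;
            n_interfaces = 0;    /* interface IDs are numbered per section */
            in_section = 1;
            break;
        case BLOCK_IDB:
            if (!in_section || body_len < 8 || n_interfaces == UINT32_MAX)
                return -1;
            n_interfaces++;
            break;
        case BLOCK_ISB: {
            if (!in_section || body_len < 12) return -1;
            uint32_t iface = rd32le(body);
            /* The security-relevant check: strict '<' against the number of
             * interfaces actually described. An ID equal to n_interfaces is
             * one past the end of any per-interface table and is rejected. */
            if (iface >= n_interfaces)
                return -1;
            break;
        }
        default:
            if (!in_section) return -1;   /* unknown types are skipped */
            break;
        }
        accepted++;
        off += total;
    }
    return accepted;
}

/* Constructed sample: SHB, one IDB, one ISB with the caller's interface_id.
 * Writes 72 bytes into out and returns that length. */
size_t build_sample(uint8_t *out, uint32_t isb_interface_id)
{
    uint8_t *p = out;
    /* SHB: byte-order magic 0x1A2B3C4D, version 1.0, section length -1 */
    wr32le(p, BLOCK_SHB); wr32le(p + 4, 28); wr32le(p + 8, 0x1A2B3C4D);
    p[12] = 1; p[13] = 0; p[14] = 0; p[15] = 0;
    memset(p + 16, 0xff, 8); wr32le(p + 24, 28); p += 28;
    /* IDB: linktype 1 (Ethernet), reserved, snaplen 65535 */
    wr32le(p, BLOCK_IDB); wr32le(p + 4, 20);
    p[8] = 1; p[9] = 0; p[10] = 0; p[11] = 0; wr32le(p + 12, 65535);
    wr32le(p + 16, 20); p += 20;
    /* ISB: interface_id, timestamp high/low zero, no options */
    wr32le(p, BLOCK_ISB); wr32le(p + 4, 24); wr32le(p + 8, isb_interface_id);
    wr32le(p + 12, 0); wr32le(p + 16, 0); wr32le(p + 20, 24); p += 24;
    return (size_t)(p - out);
}

/* Build the sample and scan it, dropping `drop` trailing bytes to simulate
 * a truncated capture. */
int scan_sample(uint32_t isb_interface_id, size_t drop)
{
    uint8_t buf[72];
    size_t n = build_sample(buf, isb_interface_id);
    return scan_pcapng(buf, n > drop ? n - drop : 0);
}

int main(void)
{
    printf("ISB id 0 (valid)        -> %d blocks\n", scan_sample(0, 0));
    printf("ISB id 1 (one past end) -> %d\n", scan_sample(1, 0));
    printf("truncated by 1 byte     -> %d\n", scan_sample(0, 1));
    return 0;
}
```

The ID equal to the interface count is exactly the value an off-by-one comparison lets through, so that is the case worth a regression test in any pcapng reader. A production parser additionally reads the SHB byte-order magic to decide between little- and big-endian decoding; this example fixes little-endian to keep the check itself in focus.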
Vivid is not affected by these CVEs as the archive autosync pulled in a version from Debian that has patches from Wireshark 1.12.4 which fix the problem.
Trusty and Utopic are affected.
Importance set to medium because the majority of these CVEs have a "medium" severity in the Ubuntu CVE tracker.
Changed in wireshark (Ubuntu Utopic):
status: Confirmed → In Progress
assignee: nobody → Steve Beattie (sbeattie)
Marking Fix Released against the devel release as this is already fixed there.