Steffen Joeris
2008-Sep-05 03:31 UTC
[Secure-testing-team] Bug#497878: wireshark: several security issues
Package: wireshark
Severity: grave
Tags: security
Justification: user security hole

Hi,

The following CVE ids have been issued against wireshark.

Name: CVE-2008-3146
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3146
Reference: SUSE:SUSE-SR:2008:017
Reference: URL:http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
Reference: CONFIRM:http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2675
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2008-05.html

Multiple buffer overflows in packet_ncp2222.inc in Wireshark (formerly Ethereal) 0.9.7 through 1.0.2 allows attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted NCP packet that causes an invalid pointer to be used.

=====================================================

Name: CVE-2008-3932
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3932
Reference: CONFIRM:http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2675
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2008-05.html

Wireshark (formerly Ethereal) 0.9.7 through 1.0.2 allows attackers to cause a denial of service (hang) via a crafted NCP packet that triggers an infinite loop.

=====================================================

Name: CVE-2008-3933
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3933
Reference: MISC:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2682
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2649
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2008-05.html

Wireshark (formerly Ethereal) 0.10.14 through 1.0.2 allows attackers to cause a denial of service (crash) via a packet with crafted zlib-compressed data that triggers an invalid read in the tvb_uncompress function.

=====================================================

Name: CVE-2008-3934
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3934
Reference: CONFIRM:http://www.wireshark.org/security/wnpa-sec-2008-05.html

Unspecified vulnerability in Wireshark (formerly Ethereal) 0.99.6 through 1.0.2 allows attackers to cause a denial of service (crash) via a crafted Tektronix .rf5 file.

Please mention the CVE ids in your changelog entry, when you fix these issues.

Cheers,
Steffen