SB2013121601 - Gentoo update for Wireshark 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2013121601

SB2013121601 - Gentoo update for Wireshark

Published: December 16, 2013 Updated: September 25, 2016

Security Bulletin ID SB2013121601
Severity
Medium
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2013-5717)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The Bluetooth HCI ACL dissector in Wireshark 1.10.x before 1.10.2 does not properly maintain a certain free list, which allows remote attackers to cause a denial of service (application crash) via a crafted packet that is not properly handled by the wmem_block_alloc function in epan/wmem/wmem_allocator_block.c.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-5718)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The dissect_nbap_T_dCH_ID function in epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 does not restrict the dch_id value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.


3) Resource management error (CVE-ID: CVE-2013-5719)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

epan/dissectors/packet-assa_r3.c in the ASSA R3 dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.


4) Buffer overflow (CVE-ID: CVE-2013-5720)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Buffer overflow in the RTPS dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet.


5) Input validation error (CVE-ID: CVE-2013-5721)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The dissect_mq_rr function in epan/dissectors/packet-mq.c in the MQ dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 does not properly determine when to enter a certain loop, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.


6) Input validation error (CVE-ID: CVE-2013-5722)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Unspecified vulnerability in the LDAP dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet.


7) Input validation error (CVE-ID: CVE-2013-6336)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The ieee802154_map_rec function in epan/dissectors/packet-ieee802154.c in the IEEE 802.15.4 dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 uses an incorrect pointer chain, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.


8) Input validation error (CVE-ID: CVE-2013-6337)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Unspecified vulnerability in the NBAP dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 allows remote attackers to cause a denial of service (application crash) via a crafted packet.


9) Input validation error (CVE-ID: CVE-2013-6338)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The dissect_sip_common function in epan/dissectors/packet-sip.c in the SIP dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 does not properly initialize a data structure, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.


10) Input validation error (CVE-ID: CVE-2013-6339)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The dissect_openwire_type function in epan/dissectors/packet-openwire.c in the OpenWire dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 allows remote attackers to cause a denial of service (loop) via a crafted packet.


11) Input validation error (CVE-ID: CVE-2013-6340)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

epan/dissectors/packet-tcp.c in the TCP dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 does not properly determine the amount of remaining data, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.


Remediation

Install update from vendor's website.

References