Security update for wireshark SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:4307-1 Final 1 1 2018-12-29T10:18:01Z current 2018-12-29T10:18:01Z 2018-12-29T10:18:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for wireshark This update for wireshark fixes the following issues: Update to Wireshark 2.4.11 (bsc#1117740). Security issues fixed: - CVE-2018-19625: The Wireshark dissection engine could crash (wnpa-sec-2018-51) - CVE-2018-19626: The DCOM dissector could crash (wnpa-sec-2018-52) - CVE-2018-19623: The LBMPDM dissector could crash (wnpa-sec-2018-53) - CVE-2018-19622: The MMSE dissector could go into an infinite loop (wnpa-sec-2018-54) - CVE-2018-19627: The IxVeriWave file parser could crash (wnpa-sec-2018-55) - CVE-2018-19624: The PVFS dissector could crash (wnpa-sec-2018-56) Further bug fixes and updated protocol support as listed in: - https://www.wireshark.org/docs/relnotes/wireshark-2.4.11.html This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00077.html E-Mail link for openSUSE-SU-2018:4307-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 libwireshark9-2.4.11-lp150.2.16.1 libwiretap7-2.4.11-lp150.2.16.1 libwscodecs1-2.4.11-lp150.2.16.1 libwsutil8-2.4.11-lp150.2.16.1 wireshark-2.4.11-lp150.2.16.1 wireshark-devel-2.4.11-lp150.2.16.1 wireshark-ui-qt-2.4.11-lp150.2.16.1 libwireshark9-2.4.11-lp150.2.16.1 as a component of openSUSE Leap 15.0 libwiretap7-2.4.11-lp150.2.16.1 as a component of openSUSE Leap 15.0 libwscodecs1-2.4.11-lp150.2.16.1 as a component of openSUSE Leap 15.0 libwsutil8-2.4.11-lp150.2.16.1 as a component of openSUSE Leap 15.0 wireshark-2.4.11-lp150.2.16.1 as a component of openSUSE Leap 15.0 wireshark-devel-2.4.11-lp150.2.16.1 as a component of openSUSE Leap 15.0 wireshark-ui-qt-2.4.11-lp150.2.16.1 as a component of openSUSE Leap 15.0 In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the MMSE dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-mmse.c by preventing length overflows. CVE-2018-19622 openSUSE Leap 15.0:libwireshark9-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwiretap7-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwscodecs1-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwsutil8-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-devel-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-ui-qt-2.4.11-lp150.2.16.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00077.html https://www.suse.com/security/cve/CVE-2018-19622.html CVE-2018-19622 https://bugzilla.suse.com/1117740 SUSE Bug 1117740 In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the LBMPDM dissector could crash. In addition, a remote attacker could write arbitrary data to any memory locations before the packet-scoped memory. This was addressed in epan/dissectors/packet-lbmpdm.c by disallowing certain negative values. CVE-2018-19623 openSUSE Leap 15.0:libwireshark9-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwiretap7-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwscodecs1-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwsutil8-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-devel-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-ui-qt-2.4.11-lp150.2.16.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00077.html https://www.suse.com/security/cve/CVE-2018-19623.html CVE-2018-19623 https://bugzilla.suse.com/1117740 SUSE Bug 1117740 In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the PVFS dissector could crash. This was addressed in epan/dissectors/packet-pvfs2.c by preventing a NULL pointer dereference. CVE-2018-19624 openSUSE Leap 15.0:libwireshark9-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwiretap7-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwscodecs1-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwsutil8-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-devel-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-ui-qt-2.4.11-lp150.2.16.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00077.html https://www.suse.com/security/cve/CVE-2018-19624.html CVE-2018-19624 https://bugzilla.suse.com/1117740 SUSE Bug 1117740 In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the dissection engine could crash. This was addressed in epan/tvbuff_composite.c by preventing a heap-based buffer over-read. CVE-2018-19625 openSUSE Leap 15.0:libwireshark9-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwiretap7-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwscodecs1-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwsutil8-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-devel-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-ui-qt-2.4.11-lp150.2.16.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00077.html https://www.suse.com/security/cve/CVE-2018-19625.html CVE-2018-19625 https://bugzilla.suse.com/1117740 SUSE Bug 1117740 In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the DCOM dissector could crash. This was addressed in epan/dissectors/packet-dcom.c by adding '\0' termination. CVE-2018-19626 openSUSE Leap 15.0:libwireshark9-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwiretap7-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwscodecs1-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwsutil8-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-devel-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-ui-qt-2.4.11-lp150.2.16.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00077.html https://www.suse.com/security/cve/CVE-2018-19626.html CVE-2018-19626 https://bugzilla.suse.com/1117740 SUSE Bug 1117740 In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the IxVeriWave file parser could crash. This was addressed in wiretap/vwr.c by adjusting a buffer boundary. CVE-2018-19627 openSUSE Leap 15.0:libwireshark9-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwiretap7-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwscodecs1-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:libwsutil8-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-devel-2.4.11-lp150.2.16.1 openSUSE Leap 15.0:wireshark-ui-qt-2.4.11-lp150.2.16.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00077.html https://www.suse.com/security/cve/CVE-2018-19627.html CVE-2018-19627 https://bugzilla.suse.com/1117740 SUSE Bug 1117740