Security update for wireshark SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2730-1 Final 1 1 2017-10-16T19:05:26Z current 2017-10-16T19:05:26Z 2017-10-16T19:05:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for wireshark This update for wireshark to version 2.2.10 fixes multiple minor security issues. These vulnerabilities that could be used to trigger dissector crashes or infinite loops by making Wireshark read specially crafted packages from the network or a capture file: * CVE-2017-15192: BT ATT dissector crash * CVE-2017-15193: MBIM dissector crash * CVE-2017-15191: DMP dissector crash The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-10/msg00045.html E-Mail link for openSUSE-SU-2017:2730-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 wireshark-2.2.10-24.1 wireshark-devel-2.2.10-24.1 wireshark-ui-gtk-2.2.10-24.1 wireshark-ui-qt-2.2.10-24.1 wireshark-2.2.10-24.1 as a component of openSUSE Leap 42.2 wireshark-devel-2.2.10-24.1 as a component of openSUSE Leap 42.2 wireshark-ui-gtk-2.2.10-24.1 as a component of openSUSE Leap 42.2 wireshark-ui-qt-2.2.10-24.1 as a component of openSUSE Leap 42.2 wireshark-2.2.10-24.1 as a component of openSUSE Leap 42.3 wireshark-devel-2.2.10-24.1 as a component of openSUSE Leap 42.3 wireshark-ui-gtk-2.2.10-24.1 as a component of openSUSE Leap 42.3 wireshark-ui-qt-2.2.10-24.1 as a component of openSUSE Leap 42.3 In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 2.0.15, the DMP dissector could crash. This was addressed in epan/dissectors/packet-dmp.c by validating a string length. CVE-2017-15191 openSUSE Leap 42.2:wireshark-2.2.10-24.1 openSUSE Leap 42.2:wireshark-devel-2.2.10-24.1 openSUSE Leap 42.2:wireshark-ui-gtk-2.2.10-24.1 openSUSE Leap 42.2:wireshark-ui-qt-2.2.10-24.1 openSUSE Leap 42.3:wireshark-2.2.10-24.1 openSUSE Leap 42.3:wireshark-devel-2.2.10-24.1 openSUSE Leap 42.3:wireshark-ui-gtk-2.2.10-24.1 openSUSE Leap 42.3:wireshark-ui-qt-2.2.10-24.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00045.html https://www.suse.com/security/cve/CVE-2017-15191.html CVE-2017-15191 https://bugzilla.suse.com/1062645 SUSE Bug 1062645 https://bugzilla.suse.com/983671 SUSE Bug 983671 In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the BT ATT dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by considering a case where not all of the BTATT packets have the same encapsulation level. CVE-2017-15192 openSUSE Leap 42.2:wireshark-2.2.10-24.1 openSUSE Leap 42.2:wireshark-devel-2.2.10-24.1 openSUSE Leap 42.2:wireshark-ui-gtk-2.2.10-24.1 openSUSE Leap 42.2:wireshark-ui-qt-2.2.10-24.1 openSUSE Leap 42.3:wireshark-2.2.10-24.1 openSUSE Leap 42.3:wireshark-devel-2.2.10-24.1 openSUSE Leap 42.3:wireshark-ui-gtk-2.2.10-24.1 openSUSE Leap 42.3:wireshark-ui-qt-2.2.10-24.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00045.html https://www.suse.com/security/cve/CVE-2017-15192.html CVE-2017-15192 https://bugzilla.suse.com/1062645 SUSE Bug 1062645 https://bugzilla.suse.com/983671 SUSE Bug 983671 In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the MBIM dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-mbim.c by changing the memory-allocation approach. CVE-2017-15193 openSUSE Leap 42.2:wireshark-2.2.10-24.1 openSUSE Leap 42.2:wireshark-devel-2.2.10-24.1 openSUSE Leap 42.2:wireshark-ui-gtk-2.2.10-24.1 openSUSE Leap 42.2:wireshark-ui-qt-2.2.10-24.1 openSUSE Leap 42.3:wireshark-2.2.10-24.1 openSUSE Leap 42.3:wireshark-devel-2.2.10-24.1 openSUSE Leap 42.3:wireshark-ui-gtk-2.2.10-24.1 openSUSE Leap 42.3:wireshark-ui-qt-2.2.10-24.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00045.html https://www.suse.com/security/cve/CVE-2017-15193.html CVE-2017-15193 https://bugzilla.suse.com/1062645 SUSE Bug 1062645 https://bugzilla.suse.com/983671 SUSE Bug 983671