First published: Tue Jan 08 2013
Wireshark, previously known as Ethereal, is a network protocol analyzer. It is used to capture and browse the traffic running on a computer network.

A heap-based buffer overflow flaw was found in the way Wireshark handled Endace ERF (Extensible Record Format) capture files. If Wireshark opened a specially-crafted ERF capture file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2011-4102)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2011-1958, CVE-2011-1959, CVE-2011-2175, CVE-2011-2698, CVE-2012-0041, CVE-2012-0042, CVE-2012-0066, CVE-2012-0067, CVE-2012-4285, CVE-2012-4289, CVE-2012-4290, CVE-2012-4291)

The CVE-2011-1958, CVE-2011-1959, CVE-2011-2175, and CVE-2011-4102 issues were discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team.

This update also fixes the following bugs:

* When Wireshark starts with the X11 protocol being tunneled through an SSH connection, it automatically prepares its capture filter to omit the SSH packets. If the SSH connection was to a link-local IPv6 address including an interface name (for example ssh -X [ipv6addr]%eth0), Wireshark parsed this address erroneously, constructed an incorrect capture filter and refused to capture packets. The "Invalid capture filter" message was displayed. With this update, parsing of link-local IPv6 addresses is fixed and Wireshark correctly prepares a capture filter to omit SSH packets over a link-local IPv6 connection. (BZ#438473)
* Previously, Wireshark's column editing dialog malformed column names when they were selected. With this update, the dialog is fixed and no longer breaks column names. (BZ#493693)
* Previously, TShark, the console packet analyzer, did not properly analyze the exit code of Dumpcap, Wireshark's packet capturing back end. As a result, TShark returned exit code 0 when Dumpcap failed to parse its command-line arguments. In this update, TShark correctly propagates the Dumpcap exit code and returns a non-zero exit code when Dumpcap fails. (BZ#580510)
* Previously, the TShark "-s" (snapshot length) option worked only for a value greater than 68 bytes. If a lower value was specified, TShark captured just 68 bytes of incoming packets. With this update, the "-s" option is fixed and sizes lower than 68 bytes work as expected. (BZ#580513)

This update also adds the following enhancement:

* In this update, support for the "NetDump" protocol was added. (BZ#484999)

All users of Wireshark are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. All running instances of Wireshark must be restarted for the update to take effect.

Affected Software | Affected Version | How to fix |
---|---|---|
redhat/wireshark | <1.0.15-5.el5 | 1.0.15-5.el5 |
redhat/wireshark-debuginfo | <1.0.15-5.el5 | 1.0.15-5.el5 |
redhat/wireshark-gnome | <1.0.15-5.el5 | 1.0.15-5.el5 |