Arch Linux alert ASA-202102-3 (wireshark-cli)
| From: | Remi Gacogne via arch-security <arch-security@lists.archlinux.org> | |
| To: | arch-security@archlinux.org | |
| Subject: | [ASA-202102-3] wireshark-cli: denial of service | |
| Date: | Fri, 12 Feb 2021 07:59:39 +0100 | |
| Message-ID: | <34980a3c-3bc7-53ef-b661-7120ba080ca8@archlinux.org> | |
| Cc: | Remi Gacogne <rgacogne@archlinux.org> |
Arch Linux Security Advisory ASA-202102-3 ========================================= Severity: Low Date : 2021-02-06 CVE-ID : CVE-2021-22173 CVE-2021-22174 Package : wireshark-cli Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-1510 Summary ======= The package wireshark-cli before version 3.4.3-1 is vulnerable to denial of service. Resolution ========== Upgrade to 3.4.3-1. # pacman -Syu "wireshark-cli>=3.4.3-1" The problems have been fixed upstream in version 3.4.3. Workaround ========== None. Description =========== - CVE-2021-22173 (denial of service) A memory leak leading to denial of service has been found in Wireshark before 3.4.3, in the USB HID dissector. It can be triggered by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. - CVE-2021-22174 (denial of service) A denial of service has been found in Wireshark before 3.4.3, in the USB HID dissector. It can be triggered by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. Impact ====== An attacker might be able to cause a denial of service by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. References ========== https://www.wireshark.org/security/wnpa-sec-2021-01 https://www.wireshark.org/security/wnpa-sec-2021-02 https://gitlab.com/wireshark/wireshark/-/issues/17124 https://gitlab.com/wireshark/wireshark/-/merge_requests/1812 https://gitlab.com/wireshark/wireshark/-/issues/17165 https://gitlab.com/wireshark/wireshark/-/merge_requests/1849 https://security.archlinux.org/CVE-2021-22173 https://security.archlinux.org/CVE-2021-22174