Date: Mon, 11 Oct 2010 16:42:27 -0700
From: Gerald Combs <gerald@...eshark.org>
To: Vincent Danen <vdanen@...hat.com>
CC: oss-security@...ts.openwall.com
Subject: Re: CVE requests: Poppler, Quassel, Pyfribidi, Overkill, DocUtils, FireGPG, Wireshark

Vincent Danen wrote:
> * [2010-10-01 13:33:47 -0700] Gerald Combs wrote:
>
>> Vincent Danen wrote:
>>> * [2010-09-29 15:06:31 -0400] Josh Bressers wrote:
>>>
>>>>> 7. Wireshark BER dissector
>>>>> http://archives.neohapsis.com/archives/bugtraq/2010-09/0088.html
>>>>>
>>>>
>>>> This one looks like a stack overflow, the advisory isn't very clear, but
>>>> claims there are two possible outcomes. We can always split later if needed.
>>>> CVE-2010-3445
>>>
>>> Gerald, are you aware of this issue? Do you have further details
>>> regarding it? I poked around in bugzilla a bit but couldn't find
>>> anything.
>>>
>>> It claims 1.4.0, but is not clear as to whether or not older versions
>>> are affected.
>>
>> It's been fixed in the trunk (r34111) and is scheduled for inclusion in
>> 1.4.1 and 1.2.12. We're tracking it in bug 5230:
>>
>> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5230
>>
>> The bug affects all BER dissectors and not just SNMP.
>
> Great. Thank you for the information, Gerald. That is very helpful.

FYI, 1.4.1 and 1.2.12 have been released.