Bug 1044509 (CVE-2013-7113)

Summary: CVE-2013-7113 wireshark: BSSGP dissector could crash (wnpa-sec-2013-67)
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: huzaifas, jkurik, lemenkov, pfrields, phatina, rvokal
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: wireshark 1.10.4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-18 18:56:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1044512, 1044662    
Bug Blocks: 1044516    

Description Ratul Gupta 2013-12-18 13:22:15 UTC
Wireshark recently made an announcement on their website about new version launched, which also included some security fixes:
Wireshark 1.10.4: http://www.wireshark.org/lists/wireshark-announce/201312/msg00000.html

Quoted from their website for CVE-2013-7113:
  The BSSGP dissector could crash. Discovered by Laurent Butti. (Bug 9488: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9488)
  Versions affected: 1.10.0 to 1.10.3


Comment 1 Ratul Gupta 2013-12-18 13:24:28 UTC
Created wireshark tracking bugs for this issue:

Affects: fedora-all [bug 1044512]

Comment 2 Peter Lemenkov 2013-12-18 14:37:54 UTC
Fix was backported to 1.10.3 already.

Comment 3 Vincent Danen 2013-12-18 18:15:12 UTC
(In reply to Peter Lemenkov from comment #2)
> Fix was backported to 1.10.3

That's fantastic news but doesn't mean you can close the bug.  Please leave it open.  This affects more than Fedora (if Fedora is fixed, feel free to note that in the _Fedora_ bug, not this one).


Comment 4 Vincent Danen 2013-12-18 18:54:01 UTC
External References:


Comment 5 Vincent Danen 2013-12-18 18:55:12 UTC
This only affects wireshark 1.10.x, so Red Hat Enterprise Linux 6 is not affected.

Comment 6 Vincent Danen 2013-12-18 18:56:34 UTC

Not vulnerable. This issue did not affect the versions of wireshark as shipped
with Red Hat Enterprise Linux 5 and 6.

Comment 8 Huzaifa S. Sidhpurwala 2013-12-19 08:07:47 UTC
Upstream patch: