Bug 1163581 (CVE-2014-8714)

Summary: CVE-2014-8714 wireshark: TN5250 infinite loop (wnpa-sec-2014-23)
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: huzaifas, jrusnack, lemenkov, phatina, rvokal, sisharma
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: wireshark 1.12.2, wireshark 1.10.11 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-20 04:43:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1163585, 1208005, 1245763    
Bug Blocks: 1163586, 1210268    

Description Murray McAllister 2014-11-13 04:25:55 UTC
An infinite loop issue was discovered in Wireshark's TN5250 dissector. It may be possible to make Wireshark consume an excessive amount of CPU by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

This is reported to affect Wireshark versions 1.12.0 to 1.12.1, and 1.10.0 to 1.10.10. It is fixed in versions 1.12.2 and 1.10.11.


The version of Wireshark in Red Hat Enterprise Linux 5 and 6 is older than 1.10.x, and may not be affected. The version of Wireshark in Red Hat Enterprise Linux 7 is affected.

External References:


Comment 1 Murray McAllister 2014-11-13 04:32:15 UTC
Created wireshark tracking bugs for this issue:

Affects: fedora-all [bug 1163585]

Comment 2 Siddharth Sharma 2014-11-14 12:36:09 UTC
upstream fix

Patch1: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=patch;h=d7174c0fcb19dd31526117298133f7a9767e848e

Comment 3 Fedora Update System 2014-12-04 06:22:07 UTC
wireshark-1.10.11-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Siddharth Sharma 2015-01-14 18:26:56 UTC

In the code of Wireshark's TN5250 dissector 

If value of length becomes 0 

        while ((offset - start) < sf_length) {
          length = tvb_get_guint8(tvb,offset);
          offset += length; // offset = offset + 0 ;

then the value of offset does not increase, which can lead to infinite loop, causing consumption of CPU and memory.

Comment 8 errata-xmlrpc 2015-07-22 07:23:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1460 https://rhn.redhat.com/errata/RHSA-2015-1460.html

Comment 12 errata-xmlrpc 2015-11-19 12:36:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2393 https://rhn.redhat.com/errata/RHSA-2015-2393.html

Comment 13 Huzaifa S. Sidhpurwala 2015-11-20 04:43:10 UTC

This issue did not affect the version of wireshark as shipped with Red Hat Enterprise Linux 5