Bug 1919919 (CVE-2020-26420)

Summary: CVE-2020-26420 wireshark: RTPS dissector memory leak (wnpa-sec-2020-18)
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: alekcejk, denis, huzaifas, lemenkov, mruprich, msehnout, peter, rvokal, sergey.avseyev
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: wireshark 3.2.9, wireshark 3.4.1 Doc Type: If docs needed, set a value
Doc Text:
A memory leak was discovered in the RTPS protocol dissector of Wireshark while decoding packets captured in a pcap file or coming from the network. A remote attacker may abuse this flaw by sending specially crafted packets that, when processed, would make Wireshark consume excessive CPU resources resulting in a denial of service. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-01 20:41:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1919921    
Bug Blocks: 1919925    

Description Dhananjay Arunesh 2021-01-25 11:59:08 UTC 
RTPS dissector memory leak fixed in 3.2.9, 3.4.1

References:
https://www.wireshark.org/security/wnpa-sec-2020-18
https://gitlab.com/wireshark/wireshark/-/issues/16994
https://www.wireshark.org/lists/wireshark-announce/202012/msg00000.html
https://www.wireshark.org/lists/wireshark-announce/202012/msg00001.html
Comment 1 Dhananjay Arunesh 2021-01-25 12:00:14 UTC 
Created wireshark tracking bugs for this issue:

Affects: fedora-all [bug 1919921]
Comment 2 Mauro Matteo Cascella 2021-02-01 15:16:35 UTC 
External References:

https://www.wireshark.org/security/wnpa-sec-2020-18
Comment 4 Mauro Matteo Cascella 2021-02-01 16:51:08 UTC 
Upstream fix:
https://gitlab.com/wireshark/wireshark/-/commit/33e63d19e5496c151bad69f65cdbc7cba2b4c211
Comment 5 Mauro Matteo Cascella 2021-02-01 17:13:30 UTC 
Statement:

This issue does not affect the versions of `wireshark` as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8, as they did not include the vulnerable code which was introduced in a newer version of the package.
Comment 6 Product Security DevOps Team 2021-02-01 20:41:46 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-26420
Comment 7 Mauro Matteo Cascella 2021-02-03 14:46:59 UTC 
In reply to comment #5:
> This issue does not affect the versions of `wireshark` as shipped with Red
> Hat Enterprise Linux 5, 6, 7, and 8, as they did not include the vulnerable
> code which was introduced in a newer version of the package.

Specifically, it looks like the vulnerable code in rtps_util_add_coherent_set_general_cases_case() and rtps_util_detect_coherent_set_end_empty_data_case() was introduced in version 3.1.1 via the following commit:
https://gitlab.com/wireshark/wireshark/-/commit/d286b819b7681e2ff9a514d066d2b228d6567607

RHEL-8 ships an older version of wireshark (2.6) which is not affected by this flaw.