Bug 246221 (CVE-2007-3393)

Summary: CVE-2007-3393 Wireshark corrupts the stack when inspecting BOOTP traffic
Product: [Other] Security Response Reporter: Red Hat Product Security <security-response-team>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: rvokal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1416
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-25 08:48:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 247617, 247618, 247619, 247621, 247622, 247623    
Bug Blocks:    
Attachments:
Description Flags
Capture file of BOOTP traffic that crashes Wireshark none

Description Lubomir Kundrak 2007-06-29 11:24:02 UTC 
Description of problem:

Wireshark was repored to crash with an evidence of a stack corruption when
when dissecting certain BOOTP/DHCP traffic.

Version-Release number of selected component (if applicable):

Wireshark 0.99.5

Additional info:

This is fixed in upstream revision 21947. I was not able to reproduce the
crash on an x86_64 machine either with or without stack protector turned on.
Will try on i386 later. Most likely this is just overflow by one word, so can
not lead to arbitrary code execution.
Comment 1 Lubomir Kundrak 2007-06-29 11:24:03 UTC 
Created attachment 158196 [details]
Capture file of BOOTP traffic that crashes Wireshark
Comment 6 Red Hat Product Security 2008-07-25 08:48:34 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0710.html
  http://rhn.redhat.com/errata/RHSA-2007-0709.html
  http://rhn.redhat.com/errata/RHSA-2008-0059.html
Comment 7 Red Hat Bugzilla 2009-10-23 19:05:59 UTC 
Reporter changed to security-response-team by request of Jay Turner.