Red Hat Bugzilla – Bug 1272016
CVE-2015-7830 wireshark: Pcapng file parser crash
Last modified: 2015-11-24 07:24:57 EST
A vulnerability was found in wireshark causing the pcapng parser to crash while copying an interface filter. An attacker could crash wireshark by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
Created wireshark tracking bugs for this issue:
Affects: fedora-all [bug 1272020]
So, the root cause is using the address of a pointer instead of the pointer itself. This can lead to a stack-based memory corruption because the memcpy() copies into the stack space, where the pointer is located. Stack corruptions are problematic, since it may be possible to overwrite a return address or something similar. Since it doesn't overwrite the pointer directly but with an offset of 38h, it may be possible to align the stack in a way that would allow overwriting something without disrupting, for example, stack canaries. The length of the memcpy() is controllable, too ... so bottom line, I wouldn't rule out code execution.
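The bug class described in the comment above (copying to the address of a pointer rather than to the buffer it points to), shown beside a corrected copy, as an added C example that is not Wireshark's code and not part of the original bug report. The struct, the function names and the `MAX_FILTER` bound are hypothetical, and the buggy copy is capped at the pointer's size so the demonstration stays in bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FILTER 64 /* assumed bound for this demo */
struct if_descr { uint8_t *filter_bytes; size_t filter_len; }; /* hypothetical, not Wireshark's struct */

/* Bug class: the destination is the address OF the pointer field, so the
 * bytes land in the struct itself instead of the buffer it points to. */
static void copy_filter_buggy(struct if_descr *d, const uint8_t *src, size_t len)
{
    if (len > sizeof d->filter_bytes) len = sizeof d->filter_bytes; /* demo-only cap */
    memcpy(&d->filter_bytes, src, len);
}

/* Corrected: copy into the pointed-to buffer, after validating the length. */
static int copy_filter_fixed(struct if_descr *d, const uint8_t *src, size_t len)
{
    if (d->filter_bytes == NULL || len > MAX_FILTER) return -1;
    memcpy(d->filter_bytes, src, len);
    d->filter_len = len;
    return 0;
}

/* Returns bit 0 = heap buffer holds the data, bit 1 = pointer field unchanged;
 * -1 on allocation failure, -2 if the fixed copy rejected the length. */
static int run_variant(int fixed, size_t len)
{
    uint8_t sample[MAX_FILTER];          /* constructed input: all 0x41 */
    struct if_descr d = { 0 };           /* lives on the stack */
    uint8_t *heap = calloc(1, MAX_FILTER);
    int r = 0;
    if (heap == NULL) return -1;
    memset(sample, 0x41, sizeof sample);
    d.filter_bytes = heap;
    if (!fixed) copy_filter_buggy(&d, sample, len);
    else if (copy_filter_fixed(&d, sample, len) != 0) { free(heap); return -2; }
    if (len && len <= MAX_FILTER && memcmp(heap, sample, len) == 0) r |= 1;
    if (memcmp(&d.filter_bytes, &heap, sizeof heap) == 0) r |= 2;
    free(heap);
    return r;
}

int main(void)
{
    printf("buggy=%d fixed=%d oversized=%d\n",
           run_variant(0, 16), run_variant(1, 16), run_variant(1, MAX_FILTER + 1));
    return 0;
}
```

With the buggy variant the heap buffer stays empty and the pointer field is clobbered; without the demo-only cap, the remaining bytes would continue past the field into adjacent stack memory.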
This issue affects the versions of wireshark as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.