A vulnerability was found in wireshark causing the pcapng parser to crash while copying an interface filter. Attacker could crash wireshark by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. Upstream patch: https://bugs.wireshark.org/bugzilla/attachment.cgi?id=13807&action=diff External reference: https://www.wireshark.org/security/wnpa-sec-2015-30.html
Created wireshark tracking bugs for this issue: Affects: fedora-all [bug 1272020]
So, the root cause is using the address of an pointer instead of the pointer itself. This can lead to a stack-based memory corruption because the memcpy() copies into the stack space, where the pointer is located. Stack corruptions are problematic, since it may be possible to overwrite a return address or something similar. Since it doesn't overwrite the pointer directly but with an offset of 38h, it may be possible to align the stack in a way that would allow to overwrite something without disrupting, for example, stack canaries. The length of the memcpy() is controllable, too ... so bottom line, I wouldn't rule out code execution.
Statement: This issue affects the versions of wireshark as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.