Bug 1272016 - (CVE-2015-7830) CVE-2015-7830 wireshark: Pcapng file parser crash
CVE-2015-7830 wireshark: Pcapng file parser crash
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1272020
Blocks: 1272019
  Show dependency treegraph
Reported: 2015-10-15 05:45 EDT by Adam Mariš
Modified: 2015-11-24 07:24 EST (History)
6 users (show)

See Also:
Fixed In Version: wireshark 1.12.8
Doc Type: Bug Fix
Doc Text:
It was discovered that Wireshark did not properly parse PCAP Next Generation Dump File Format (PCAPNG) files. By tricking an unsuspecting user into opening specially crafted PCAPNG files, An attacker could exploit this flaw to cause a crash or, possibly, execute arbitrary code with the privileges of the user opening the file.
Story Points: ---
Clone Of:
Last Closed: 2015-10-26 12:46:38 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2015-10-15 05:45:18 EDT
A vulnerability was found in wireshark causing the pcapng parser to crash while copying an interface filter. Attacker could crash wireshark by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

Upstream patch:


External reference:

Comment 1 Adam Mariš 2015-10-15 05:51:11 EDT
Created wireshark tracking bugs for this issue:

Affects: fedora-all [bug 1272020]
Comment 2 Stefan Cornelius 2015-10-26 12:04:02 EDT
So, the root cause is using the address of an pointer instead of the pointer itself. This can lead to a stack-based memory corruption because the memcpy() copies into the stack space, where the pointer is located. Stack corruptions are problematic, since it may be possible to overwrite a return address or something similar. Since it doesn't overwrite the pointer directly but with an offset of 38h, it may be possible to align the stack in a way that would allow to overwrite something without disrupting, for example, stack canaries. The length of the memcpy() is controllable, too ... so bottom line, I wouldn't rule out code execution.
Comment 4 Kurt Seifried 2015-11-02 14:53:51 EST

This issue affects the versions of wireshark as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.