Bug 246221 (CVE-2007-3393) - CVE-2007-3393 Wireshark corrupts the stack when inspecting BOOTP traffic
Summary: CVE-2007-3393 Wireshark corrupts the stack when inspecting BOOTP traffic
Alias: CVE-2007-3393
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.wireshark.org/bugzilla/sh...
Whiteboard: impact=low,source=cve,reported=200706...
Keywords: Security
Depends On: 247617 247618 247619 247621 247622 247623
TreeView+ depends on / blocked
Reported: 2007-06-29 11:24 UTC by Red Hat Product Security
Modified: 2009-10-23 19:05 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-07-25 08:48:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Capture file of BOOTP traffic that crashes Wireshark (577 bytes, application/octet-stream)
2007-06-29 11:24 UTC, Lubomir Kundrak
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0709 normal SHIPPED_LIVE Low: wireshark security and bug fix update 2007-11-15 15:00:47 UTC
Red Hat Product Errata RHSA-2007:0710 normal SHIPPED_LIVE Low: wireshark security update 2007-11-07 16:26:59 UTC
Red Hat Product Errata RHSA-2008:0059 normal SHIPPED_LIVE Moderate: wireshark security update 2008-01-21 09:34:35 UTC

Description Lubomir Kundrak 2007-06-29 11:24:02 UTC
Description of problem:

Wireshark was repored to crash with an evidence of a stack corruption when
when dissecting certain BOOTP/DHCP traffic.

Version-Release number of selected component (if applicable):

Wireshark 0.99.5

Additional info:

This is fixed in upstream revision 21947. I was not able to reproduce the
crash on an x86_64 machine either with or without stack protector turned on.
Will try on i386 later. Most likely this is just overflow by one word, so can
not lead to arbitrary code execution.

Comment 1 Lubomir Kundrak 2007-06-29 11:24:03 UTC
Created attachment 158196 [details]
Capture file of BOOTP traffic that crashes Wireshark

Comment 6 Red Hat Product Security 2008-07-25 08:48:34 UTC
This issue was addressed in:

Red Hat Enterprise Linux:

Comment 7 Red Hat Bugzilla 2009-10-23 19:05:59 UTC
Reporter changed to security-response-team@redhat.com by request of Jay Turner.

Note You need to log in before you can comment on or make changes to this bug.