Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0601 to the following vulnerability: Format string vulnerability in Wireshark 0.99.8 through 1.0.5 on non-Windows platforms allows local users to cause a denial of service (application crash) via format string specifiers in the HOME environment variable. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0601 http://www.wireshark.org/security/wnpa-sec-2009-01.html https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3150 http://www.securityfocus.com/bid/33690 http://www.frsirt.com/english/advisories/2009/0370
This issue does NOT affect the version of the wireshark package, as shipped with Red Hat Enterprise Linux 2.1. This issue affects the versions of the wireshark package, as shipped with Red Hat Enterprise Linux 3, 4, and 5. This issue affects the versions of the wireshark package, as shipped with Fedora releases of 9, 10 and devel.
This is not a security issue. When Wireshark is run directly (i.e. not via userhelper), the user running it has a full control over the environment variables passed to Wireshark. Their values are not influenced by the data read from the network, of from the network communication capture file. By setting some malicious value, user can only harm himself by causing Wireshark not to perform expected operations. When Wireshark is run using userhelper with root privileges, user can not influence value of HOME environment variable. Process' environment is re-set by userhelper.