sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB header length before allocating memory.

Upstream patch:
https://github.com/the-tcpdump-group/libpcap/commit/87d6bef033062f969e70fa40c43dfd945d5a20ab
https://github.com/the-tcpdump-group/libpcap/commit/a5a36d9e82dde7265e38fe1f87b7f11c461c29f6

References:
https://github.com/the-tcpdump-group/libpcap/blob/libpcap-1.9/CHANGES
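The kind of check the description refers to, as an added example (not libpcap's code and not the upstream patch): a length field read from a pcapng Section Header Block is bounds-checked before it is used as an allocation size. The function names, the 16 MiB cap and the sample headers are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHB_TYPE         0x0A0D0D0Au  /* pcapng Section Header Block type */
#define BYTE_ORDER_MAGIC 0x1A2B3C4Du
#define SHB_MIN_LEN      28u          /* 8 header + 16 fixed body + 4 trailer */
#define MAX_BLOCK_LEN    (16u * 1024u * 1024u) /* assumed cap, not libpcap's value */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xFF00u) | ((v << 8) & 0xFF0000u) | (v << 24);
}

/* Returns 0 and sets *total_len if the 12-byte block prefix is sane, else -1. */
int shb_checked_length(const uint8_t *hdr, size_t avail, uint32_t *total_len) {
    if (avail < 12) return -1;
    if (rd32le(hdr) != SHB_TYPE) return -1;  /* palindromic: same in both byte orders */
    uint32_t len = rd32le(hdr + 4);
    uint32_t magic = rd32le(hdr + 8);
    if (magic == swap32(BYTE_ORDER_MAGIC)) len = swap32(len);  /* big-endian writer */
    else if (magic != BYTE_ORDER_MAGIC) return -1;
    /* Reject lengths that are too small, too large, or not 4-byte aligned. */
    if (len < SHB_MIN_LEN || len > MAX_BLOCK_LEN || (len & 3u)) return -1;
    *total_len = len;
    return 0;
}

/* Allocate the block buffer only after the length has passed validation. */
uint8_t *shb_alloc(const uint8_t *hdr, size_t avail, uint32_t *total_len) {
    if (shb_checked_length(hdr, avail, total_len) != 0) return NULL;
    uint8_t *buf = calloc(1, *total_len);
    if (buf) memcpy(buf, hdr, 12);
    return buf;
}

int main(void) {
    /* Constructed sample headers: a 28-byte block and one claiming ~4 GiB. */
    uint8_t ok[12]   = {0x0A,0x0D,0x0D,0x0A, 0x1C,0,0,0, 0x4D,0x3C,0x2B,0x1A};
    uint8_t huge[12] = {0x0A,0x0D,0x0D,0x0A, 0xFC,0xFF,0xFF,0xFF, 0x4D,0x3C,0x2B,0x1A};
    uint32_t n = 0;
    uint8_t *b = shb_alloc(ok, sizeof ok, &n);
    printf("ok: %s, len=%u\n", b ? "allocated" : "rejected", (unsigned)n);
    free(b);
    printf("huge: %s\n", shb_alloc(huge, sizeof huge, &n) ? "allocated" : "rejected");
    return 0;
}
```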
Created libpcap tracking bugs for this issue:

Affects: fedora-all [bug 1760624]
Statement: A Low Impact has been given to this flaw even though the CVSSv3 is 7.5, because the libpcap library is mainly used as part of debugging tools like Wireshark or tcpdump, where an impact to the Availability is not considered security relevant in a reasonable scenario.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4547 https://access.redhat.com/errata/RHSA-2020:4547
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-15165