1919919 – (CVE-2020-26420) CVE-2020-26420 wireshark: RTPS dissector memory leak (wnpa-sec-2020-18)

Bug 1919919 (CVE-2020-26420) - CVE-2020-26420 wireshark: RTPS dissector memory leak (wnpa-sec-2020-18)

Summary: CVE-2020-26420 wireshark: RTPS dissector memory leak (wnpa-sec-2020-18)

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-26420
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1919921
Blocks:	1919925
TreeView+	depends on / blocked

Reported:	2021-01-25 11:59 UTC by Dhananjay Arunesh
Modified:	2021-09-28 17:04 UTC (History)
CC List:	9 users (show)
Fixed In Version:	wireshark 3.2.9, wireshark 3.4.1
Doc Type:	If docs needed, set a value
Doc Text:	A memory leak was discovered in the RTPS protocol dissector of Wireshark while decoding packets captured in a pcap file or coming from the network. A remote attacker may abuse this flaw by sending specially crafted packets that, when processed, would make Wireshark consume excessive CPU resources resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:	2021-02-01 20:41:46 UTC
Embargoed:

Attachments	(Terms of Use)

Description Dhananjay Arunesh 2021-01-25 11:59:08 UTC

RTPS dissector memory leak fixed in 3.2.9, 3.4.1

References:
https://www.wireshark.org/security/wnpa-sec-2020-18
https://gitlab.com/wireshark/wireshark/-/issues/16994
https://www.wireshark.org/lists/wireshark-announce/202012/msg00000.html
https://www.wireshark.org/lists/wireshark-announce/202012/msg00001.html

Comment 1 Dhananjay Arunesh 2021-01-25 12:00:14 UTC

Created wireshark tracking bugs for this issue:

Affects: fedora-all [bug 1919921]

Comment 2 Mauro Matteo Cascella 2021-02-01 15:16:35 UTC

External References:

https://www.wireshark.org/security/wnpa-sec-2020-18

Comment 4 Mauro Matteo Cascella 2021-02-01 16:51:08 UTC

Upstream fix:
https://gitlab.com/wireshark/wireshark/-/commit/33e63d19e5496c151bad69f65cdbc7cba2b4c211

Comment 5 Mauro Matteo Cascella 2021-02-01 17:13:30 UTC

Statement:

This issue does not affect the versions of `wireshark` as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8, as they did not include the vulnerable code which was introduced in a newer version of the package.

Comment 6 Product Security DevOps Team 2021-02-01 20:41:46 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-26420

Comment 7 Mauro Matteo Cascella 2021-02-03 14:46:59 UTC

In reply to comment #5:
> This issue does not affect the versions of `wireshark` as shipped with Red
> Hat Enterprise Linux 5, 6, 7, and 8, as they did not include the vulnerable
> code which was introduced in a newer version of the package.

Specifically, it looks like the vulnerable code in rtps_util_add_coherent_set_general_cases_case() and rtps_util_detect_coherent_set_end_empty_data_case() was introduced in version 3.1.1 via the following commit:
https://gitlab.com/wireshark/wireshark/-/commit/d286b819b7681e2ff9a514d066d2b228d6567607

RHEL-8 ships an older version of wireshark (2.6) which is not affected by this flaw.

Note You need to log in before you can comment on or make changes to this bug.