Arch Linux Security Advisory ASA-202007-2

Severity: Low
Date : 2020-07-18
CVE-ID : CVE-2020-15466
Package : wireshark-cli
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-1198

Summary

The package wireshark-cli before version 3.2.5-1 is vulnerable to
denial of service.

Resolution

Upgrade to 3.2.5-1.

pacman -Syu “wireshark-cli>=3.2.5-1”

The problem has been fixed upstream in version 3.2.5.

Workaround

None.

Description

An infinite loop has been found in the GVCP dissector of Wireshark
before 3.2.5. It may be possible to make Wireshark consume excessive
CPU resources by injecting a malformed packet onto the wire or by
convincing someone to read a malformed packet trace file.

Impact

A remote attacker is able use specially crafted packets to perform a
denial of service attack.

References

https://www.wireshark.org/security/wnpa-sec-2020-09
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16029
https://code.wireshark.org/review/#/c/37618/
https://security.archlinux.org/CVE-2020-15466