wireshark-2.2.7

[bdubbs@…]

New point version,

[bdubbs@…]

Bug Fixes

The following vulnerabilities have been fixed:

• [1]wnpa-sec-2017-22 Bazaar dissector infinite loop ([2]Bug 13599) [3]CVE-2017-9352
• [4]wnpa-sec-2017-23 DOF dissector read overflow ([5]Bug 13608) [6]CVE-2017-9348
• [7]wnpa-sec-2017-24 DHCP dissector read overflow ([8]Bug 13609, [9]Bug 13628) [10]CVE-2017-9351
• [11]wnpa-sec-2017-25 SoulSeek dissector infinite loop ([12]Bug 13631) [13]CVE-2017-9346
• [14]wnpa-sec-2017-26 DNS dissector infinite loop ([15]Bug 13633) [16]CVE-2017-9345
• [17]wnpa-sec-2017-27 DICOM dissector infinite loop ([18]Bug 13685) [19]CVE-2017-9349
• [20]wnpa-sec-2017-28 openSAFETY dissector memory exhaustion ([21]Bug 13649) [22]CVE-2017-9350
• [23]wnpa-sec-2017-29 BT L2CAP dissector divide by zero ([24]Bug 13701) [25]CVE-2017-9344

• [26]wnpa-sec-2017-30 MSNIP dissector crash ([27]Bug 13725) [28]CVE-2017-9343

• [29]wnpa-sec-2017-31 ROS dissector crash ([30]Bug 13637) [31]CVE-2017-9347

• [32]wnpa-sec-2017-32 RGMP dissector crash ([33]Bug 13646) [34]CVE-2017-9354

• [35]wnpa-sec-2017-33 IPv6 dissector crash ([36]Bug 13675) [37]CVE-2017-9353

The following bugs have been fixed:

• DICOM dissection error. ([38]Bug 13164)
• Qt: drag & drop of one column header in PacketList moves other columns. ([39]Bug 13183)
• Can not export captured DICOM objects in version 2.2.5. ([40]Bug 13570)
• False complain about bad checksum of ICMP extension header. ([41]Bug 13586)

• LibFuzzer: ISUP dissector bug (isup.number_different_meaning). ([42]Bug 13588)
• Dissector Bug, protocol BT ATT. ([43]Bug 13590)
• Wireshark dispalys RRCConnectionReestablishmentRejectRRCConnectionReestablishmentRejec t in Info column. ([44]Bug 13595)

• [oss-fuzz] UBSAN: shift exponent 105 is too large for 32-bit type int in packet-ositp.c:551:79. ([45]Bug 13606)

• [oss-fuzz] UBSAN: shift exponent -77 is negative in packet-netflow.c:7717:23. ([46]Bug 13607)

• [oss-fuzz] UBSAN: shift exponent 1959 is too large for 32-bit type int in packet-sigcomp.c:2128:28. ([47]Bug 13610)

• [oss-fuzz] UBSAN: shift exponent 63 is too large for 32-bit type guint32 (aka unsigned int) in packet-rtcp.c:917:24. ([48]Bug 13611)

• [oss-fuzz] UBSAN: shift exponent 70 is too large for 64-bit type guint64 (aka unsigned long) in dwarf.c:42:43. ([49]Bug 13616)

• [oss-fuzz] UBSAN: shift exponent 32 is too large for 32-bit type int in packet-xot.c:260:23. ([50]Bug 13618)

• [oss-fuzz] UBSAN: shift exponent -5 is negative in packet-sigcomp.c:1722:36. ([51]Bug 13619)

• [oss-fuzz] UBSAN: index 2049 out of bounds for type char [2049] in packet-quakeworld.c:134:5. ([52]Bug 13624)

• [oss-fuzz] UBSAN: shift exponent 35 is too large for 32-bit type int in packet-netsync.c:467:25. ([53]Bug 13639)

• [oss-fuzz] UBSAN: shift exponent 32 is too large for 32-bit type int in packet-sigcomp.c:3857:24. ([54]Bug 13641)

• [oss-fuzz] ASAN: stack-use-after-return epan/dissectors/packet-ieee80211.c:14341:23 in add_tagged_field. ([55]Bug 13662)
• Welcome screen invalid capture filter wihtout WinPcap installed causes runtime error. ([56]Bug 13672)
• SMB protocol parser does not parse SMB_COM_TRANSACTION2_SECONDARY (0x33) command correctly. ([57]Bug 13690)
• SIP packets with SDP marked as malformed. ([58]Bug 13698)

• [oss-fuzz] UBSAN: index 8 out of bounds for type gboolean const[8] in packet-ieee80211-radiotap.c:1836:12. ([59]Bug 13713)
• Crash on "Show packet bytes..." context menu item click. ([60]Bug 13723)
• DNP3 dissector does not properly decode packed variations with prefixed qualifiers. ([61]Bug 13733)

Updated Protocol Support

Bazaar, BT ATT, BT L2CAP, DHCP, DICOM, DNP3, DNS, DOF, DWARF, ICMP, IEEE 802.11, IPv6, ISUP, LTE RRC, MSNIP, Netflow, Netsync, openSAFETY, OSITP, QUAKEWORLD, Radiotap, RGMP, ROS, RTCP, SIGCOMP, SMB, SoulSeek, and XOT

[bdubbs@…]

Fixed at revision 18809.