oss-sec: Re: CVE requests: Poppler, Quassel, Pyfribidi, Overkill, DocUtils, FireGPG, Wireshark

[Gerald Combs <gerald () wireshark org>]

Vincent Danen wrote:
> * [2010-10-01 13:33:47 -0700] Gerald Combs wrote:
>
> > Vincent Danen wrote:
> > > * [2010-09-29 15:06:31 -0400] Josh Bressers wrote:
> > >
> > > > > 7. Wireshark BER dissector
> > > > > http://archives.neohapsis.com/archives/bugtraq/2010-09/0088.html
> > > > This one looks like a stack overflow, the advisory isn't very clear,
> > > > but
> > > > claims there are two possible outcomes. We can always split later if
> > > > needed.
> > > > CVE-2010-3445
> > > Gerald, are you aware of this issue?  Do you have further details
> > > regarding it?  I poked around in bugzilla a bit but couldn't find
> > > anything.
> > >
> > > It claims 1.4.0, but is not clear as to whether or not older versions
> > > are affected.
> > It's been fixed in the trunk (r34111) and is scheduled for inclusion in
> > 1.4.1 and 1.2.12. We're tracking it in bug 5230:
> >
> >  https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5230
> >
> > The bug affects all BER dissectors and not just SNMP.
> Great.  Thank you for the information, Gerald.  That is very helpful.
FYI, 1.4.1 and 1.2.12 have been released.