Peter Wu

**Name of the Vulnerable Software and Affected Versions** curl versions 7.54.1 through 7.60.0 **Description** The issue is related to a heap-based buffer overflow in the `Curl smtp escape eob()` function when curl transmits data over SMTP with certain settings, such as a nonstandard `--limit-rate` argument or `CURLOPT BUFFERSIZE` value. This occurs because the size of the temporary scratch area allocated on the heap is mistakenly set to `2 * sizeof(download buffer)` instead of `2 * sizeof(upload buffer)`. The upload and download buffer sizes are identically sized by default, but since version 7.54.1, curl can resize the download buffer into a smaller buffer. If the download buffer size is set to a value smaller than 10923, the `Curl smtp escape eob()` function might overflow the scratch buffer when sending contents of sufficient size. **Recommendations** For curl versions 7.54.1 through 7.60.0, consider disabling the use of the `--limit-rate` argument or `CURLOPT BUFFERSIZE` value to minimize the risk of exploitation until a patch is available. Avoid using reduced read buffer sizes when sending data over SMTP to prevent potential buffer overflows. As a temporary workaround, consider setting the download buffer size to a value larger than 10923 to prevent the `Curl smtp escape eob()` function from overflowing the scratch buffer.

**Name of the Vulnerable Software and Affected Versions** Wireshark version 2.6.0 **Description** The issue concerns a potential crash in the IEEE 802.11 protocol dissector due to a buffer overflow during FTE processing in Dot11DecryptTDLSDeriveKey. **Recommendations** For Wireshark version 2.6.0, update to a version where the issue has been addressed by changes in epan/crypt/dot11decrypt.c to avoid the buffer overflow.

**Name of the Vulnerable Software and Affected Versions** Wireshark version 2.6.0 **Description** The issue concerns a crash in the RTCP dissector due to a buffer overflow for packet status chunks. This was addressed by modifying the `packet-rtcp.c` file in the `epan/dissectors` directory. **Recommendations** For Wireshark version 2.6.0, update the `packet-rtcp.c` file in the `epan/dissectors` directory to avoid a buffer overflow for packet status chunks.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 2.2.0 through 2.2.15 Wireshark versions 2.4.0 through 2.4.7 Wireshark versions 2.6.0 through 2.6.1 **Description** The issue concerns a potential crash in the ASN.1 BER dissector. This crash could occur due to length values exceeding the maximum signed integer. The problem was resolved by modifying the `epan/dissectors/packet-ber.c` file to prevent such overflows. **Recommendations** For Wireshark versions 2.2.0 through 2.2.15, update to a version where the fix has been applied. For Wireshark versions 2.4.0 through 2.4.7, update to a version where the fix has been applied. For Wireshark versions 2.6.0 through 2.6.1, update to a version where the fix has been applied.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 2.4.0 through 2.4.7 Wireshark versions 2.6.0 through 2.6.1 **Description** The IEEE 802.11 protocol dissector could crash due to a buffer over-read issue. This issue was addressed through bounds checking in the epan/crypt/airpdcap.c file. **Recommendations** For Wireshark versions 2.4.0 through 2.4.7, update to a version that includes the bounds checking fix in epan/crypt/airpdcap.c. For Wireshark versions 2.6.0 through 2.6.1, update to a version that includes the bounds checking fix in epan/crypt/airpdcap.c.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 2.2.0 through 2.2.15 Wireshark versions 2.4.0 through 2.4.7 Wireshark versions 2.6.0 through 2.6.1 **Description** The BGP protocol dissector in Wireshark could enter a large loop due to invalid Path Attribute lengths. This issue was resolved by adding validation for these lengths in the dissector code. **Recommendations** For Wireshark versions 2.2.0 through 2.2.15, update to a version that includes the fix for the BGP protocol dissector. For Wireshark versions 2.4.0 through 2.4.7, update to a version that includes the fix for the BGP protocol dissector. For Wireshark versions 2.6.0 through 2.6.1, update to a version that includes the fix for the BGP protocol dissector.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 2.2.0 through 2.2.15 Wireshark versions 2.4.0 through 2.4.7 Wireshark versions 2.6.0 through 2.6.1 **Description** The issue allows attackers to cause a crash of the ISMP dissector. This was resolved by validating the IPX address length in epan/dissectors/packet-ismp.c to prevent a buffer over-read. **Recommendations** For Wireshark versions 2.2.0 through 2.2.15, update the epan/dissectors/packet-ismp.c file to include the IPX address length validation. For Wireshark versions 2.4.0 through 2.4.7, update the epan/dissectors/packet-ismp.c file to include the IPX address length validation. For Wireshark versions 2.6.0 through 2.6.1, update the epan/dissectors/packet-ismp.c file to include the IPX address length validation.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 2.2.0 through 2.2.14 Wireshark versions 2.4.0 through 2.4.6 Wireshark version 2.6.0 **Description** The DNS dissector could crash due to a NULL pointer dereference for an empty name in an SRV record. **Recommendations** For Wireshark versions 2.2.0 through 2.2.14, update to a version that includes the fix in epan/dissectors/packet-dns.c to avoid the NULL pointer dereference. For Wireshark versions 2.4.0 through 2.4.6, update to a version that includes the fix in epan/dissectors/packet-dns.c to avoid the NULL pointer dereference. For Wireshark version 2.6.0, update to a version that includes the fix in epan/dissectors/packet-dns.c to avoid the NULL pointer dereference.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 2.2.0 through 2.2.14 Wireshark versions 2.4.0 through 2.4.6 Wireshark version 2.6.0 **Description** The issue concerns excessive memory consumption by the LTP dissector and other dissectors in Wireshark. This was resolved by rejecting negative lengths in epan/tvbuff.c. **Recommendations** For Wireshark versions 2.2.0 through 2.2.14, update to a version that includes the fix in epan/tvbuff.c to prevent excessive memory consumption. For Wireshark versions 2.4.0 through 2.4.6, update to a version that includes the fix in epan/tvbuff.c to prevent excessive memory consumption. For Wireshark version 2.6.0, update to a version that includes the fix in epan/tvbuff.c to prevent excessive memory consumption.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 2.2.0 through 2.2.14 Wireshark versions 2.4.0 through 2.4.6 Wireshark version 2.6.0 **Description** The issue is related to the Q.931 dissector, which could crash due to a use-after-free error after processing a malformed packet. This error occurred because certain cleanup processes were prevented. **Recommendations** For Wireshark versions 2.2.0 through 2.2.14, update to a version that includes the fix in epan/dissectors/packet-q931.c to avoid the use-after-free error. For Wireshark versions 2.4.0 through 2.4.6, update to a version that includes the fix in epan/dissectors/packet-q931.c to avoid the use-after-free error. For Wireshark version 2.6.0, update to a version that includes the fix in epan/dissectors/packet-q931.c to avoid the use-after-free error.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 2.2.0 through 2.2.15 Wireshark versions 2.4.0 through 2.4.7 Wireshark versions 2.6.0 through 2.6.1 **Description** The issue concerns dissectors that support zlib decompression, which could crash due to a buffer over-read when encountering negative lengths. This was addressed by rejecting negative lengths. **Recommendations** For Wireshark versions 2.2.0 through 2.2.15, update to a version that includes the fix in epan/tvbuff zlib.c. For Wireshark versions 2.4.0 through 2.4.7, update to a version that includes the fix in epan/tvbuff zlib.c. For Wireshark versions 2.6.0 through 2.6.1, update to a version that includes the fix in epan/tvbuff zlib.c.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 2.2.0 through 2.2.13 Wireshark versions 2.4.0 through 2.4.5 **Description** The issue is related to a heap-based buffer overflow in the ADB dissector, which could cause a crash. The problem was addressed by checking for a length inconsistency. **Recommendations** For Wireshark versions 2.2.0 through 2.2.13, update to a version that includes the fix in epan/dissectors/packet-adb.c. For Wireshark versions 2.4.0 through 2.4.5, update to a version that includes the fix in epan/dissectors/packet-adb.c.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 2.2.0 through 2.2.12 Wireshark versions 2.4.0 through 2.4.4 **Description** The SIGCOMP protocol dissector could crash due to invalid operand offsets. This issue was addressed by validating operand offsets in the `epan/dissectors/packet-sigcomp.c` file. **Recommendations** For Wireshark versions 2.2.0 through 2.2.12, update to a version where the SIGCOMP protocol dissector has been fixed by validating operand offsets. For Wireshark versions 2.4.0 through 2.4.4, update to a version where the SIGCOMP protocol dissector has been fixed by validating operand offsets.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 2.0.0 through 2.0.12 Wireshark versions 2.2.0 through 2.2.6 **Description** The issue arises from the MSNIP dissector misusing a NULL pointer, which can be exploited. This was resolved by validating an IPv4 address in the epan/dissectors/packet-msnip.c file. **Recommendations** For Wireshark versions 2.0.0 through 2.0.12, update to a version where the MSNIP dissector properly validates IPv4 addresses to prevent the misuse of a NULL pointer. For Wireshark versions 2.2.0 through 2.2.6, update to a version where the MSNIP dissector properly validates IPv4 addresses to prevent the misuse of a NULL pointer.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 2.0.0 through 2.0.12 Wireshark versions 2.2.0 through 2.2.6 **Description** The issue concerns a potential crash in the RGMP dissector, which was resolved by validating an IPv4 address in the epan/dissectors/packet-rgmp.c file. **Recommendations** For Wireshark versions 2.0.0 through 2.0.12, update to a version that includes the fix for the RGMP dissector crash. For Wireshark versions 2.2.0 through 2.2.6, update to a version that includes the fix for the RGMP dissector crash.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 2.2.0 through 2.2.6 **Description** The issue concerns a buffer overflow in the DOF dissector. It could read past the end of a buffer due to an invalid size value. The problem was resolved by validating the size value in the dissector code. **Recommendations** For Wireshark versions 2.2.0 through 2.2.6, update the epan/dissectors/packet-dof.c file to include size validation to prevent the buffer overflow issue.

**Name of the Vulnerable Software and Affected Versions** pcsc-lite versions prior to 1.8.20 **Description** The issue allows remote attackers to cause a denial of service (crash) through a command that uses `cardsList` after the handle has been released through the `SCardReleaseContext` function. This is a result of a use-after-free vulnerability. **Recommendations** For versions prior to 1.8.20, update to version 1.8.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the `cardsList` command to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 1.12.x through 1.12.4 **Description** The issue is related to the WebSocket dissector in Wireshark, where a recursive algorithm is used. This allows remote attackers to cause a denial of service by consuming CPU resources via a crafted packet. **Recommendations** For Wireshark versions 1.12.x through 1.12.4, update to version 1.12.5 or later to resolve the issue.