DescriptionIn Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WBXML dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wbxml.c by adding length validation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wireshark (PTS)wheezy1.8.2-5wheezy18vulnerable
wheezy (security)1.12.1+g01b65bf-4+deb8u6~deb7u7vulnerable
jessie (security), jessie1.12.1+g01b65bf-4+deb8u11vulnerable
buster, sid2.4.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

When for older releases fixing this entry, make sure to fix apply the
complete patch including;a=commit;h=2f322f66cbcca2fefdaa630494f9d6c97eb659b7
to not open CVE-2017-11410.

Search for package or bug name: Reporting problems