CVE-2020-25866

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-25866
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-25866.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-25866
Downstream
Related
Published
2020-10-06T15:15:15Z
Modified
2025-09-16T07:12:15.558705Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In Wireshark 3.2.0 to 3.2.6 and 3.0.0 to 3.0.13, the BLIP protocol dissector has a NULL pointer dereference because a buffer was sized for compressed (not uncompressed) messages. This was addressed in epan/dissectors/packet-blip.c by allowing reasonable compression ratios and rejecting ZIP bombs.

References

Affected packages

Debian:11 / wireshark

Package

Name
wireshark
Purl
pkg:deb/debian/wireshark?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.7-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / wireshark

Package

Name
wireshark
Purl
pkg:deb/debian/wireshark?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.7-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / wireshark

Package

Name
wireshark
Purl
pkg:deb/debian/wireshark?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.7-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / wireshark

Package

Name
wireshark
Purl
pkg:deb/debian/wireshark?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.7-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / github.com/wireshark/wireshark

Affected ranges

Type
GIT
Repo
https://github.com/wireshark/wireshark
Events
Introduced
e0ed4cfa3d72110257da54c26ad3a28d282ef454
Last affected
4f9257fb8ccce92b519d87c4cc905107ae09b5e9
Introduced
937e33de60bcfcd6f68e7250e5e6914ae1d1e1e4
Last affected
643e3b0f718685b3fa7008a0c5c4707daf63ca99
Type
GIT
Repo
https://gitlab.com/wireshark/wireshark
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4a948427100b6c109f4ec7b4361f0d2aec5e5c3f

Affected versions

Other

backups/ethereal@18706
ethereal-0-3-15
start

ethereal-0.*

ethereal-0.3.15

v1.*

v1.11.0
v1.11.0-rc1
v1.11.1
v1.11.1-rc1
v1.11.2
v1.11.2-rc1
v1.11.3
v1.11.3-rc1
v1.11.4-rc1
v1.99.0
v1.99.0-rc1
v1.99.1
v1.99.10rc0
v1.99.1rc0
v1.99.2
v1.99.2rc0
v1.99.3
v1.99.3rc0
v1.99.4
v1.99.4rc0
v1.99.5
v1.99.5rc0
v1.99.6
v1.99.6rc0
v1.99.7
v1.99.7rc0
v1.99.8
v1.99.8rc0
v1.99.9
v1.99.9rc0

v2.*

v2.1.0
v2.1.0rc0
v2.1.1
v2.1.1rc0
v2.1.2rc0
v2.3.0rc0
v2.5.0
v2.5.0rc0
v2.5.1
v2.5.1rc0
v2.5.2rc0
v2.9.0
v2.9.0rc0
v2.9.1rc0

v3.*

v3.0.0
v3.0.1
v3.0.10
v3.0.10rc0
v3.0.11
v3.0.11rc0
v3.0.12
v3.0.12rc0
v3.0.13
v3.0.13rc0
v3.0.1rc0
v3.0.2
v3.0.2rc0
v3.0.3
v3.0.3rc0
v3.0.4
v3.0.4rc0
v3.0.5
v3.0.5rc0
v3.0.6
v3.0.6rc0
v3.0.7
v3.0.7rc0
v3.0.8
v3.0.8rc0
v3.0.9
v3.0.9rc0
v3.1.0
v3.1.0rc0
v3.1.1
v3.1.1rc0
v3.1.2rc0
v3.2.0
v3.2.1
v3.2.1rc0
v3.2.2
v3.2.2rc0
v3.2.3
v3.2.3rc0
v3.2.4
v3.2.4rc0
v3.2.5
v3.2.5rc0
v3.2.6
v3.2.6rc0
v3.3.0
v3.3.0rc0
v3.3.1rc0

wireshark-1.*

wireshark-1.11.3
wireshark-1.99.0
wireshark-1.99.1
wireshark-1.99.2
wireshark-1.99.3
wireshark-1.99.4
wireshark-1.99.5
wireshark-1.99.6
wireshark-1.99.7
wireshark-1.99.8
wireshark-1.99.9

wireshark-2.*

wireshark-2.1.0
wireshark-2.1.1
wireshark-2.5.0

wireshark-3.*

wireshark-3.0.0
wireshark-3.0.1
wireshark-3.0.10
wireshark-3.0.11
wireshark-3.0.12
wireshark-3.0.13
wireshark-3.0.2
wireshark-3.0.3
wireshark-3.0.4
wireshark-3.0.5
wireshark-3.0.6
wireshark-3.0.7
wireshark-3.0.8
wireshark-3.0.9
wireshark-3.2.0
wireshark-3.2.1
wireshark-3.2.2
wireshark-3.2.3
wireshark-3.2.4
wireshark-3.2.5
wireshark-3.2.6

Database specific 

{
    "vanir_signatures": [
        {
            "digest": {
                "function_hash": "50767432719429089269085565985219058360",
                "length": 2688.0
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://gitlab.com/wireshark/wireshark@4a948427100b6c109f4ec7b4361f0d2aec5e5c3f",
            "signature_type": "Function",
            "id": "CVE-2020-25866-6d7caca0",
            "target": {
                "file": "epan/dissectors/packet-blip.c",
                "function": "dissect_blip"
            }
        },
        {
            "digest": {
                "function_hash": "268296834440097921298733415759126661212",
                "length": 1196.0
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://gitlab.com/wireshark/wireshark@4a948427100b6c109f4ec7b4361f0d2aec5e5c3f",
            "signature_type": "Function",
            "id": "CVE-2020-25866-d45c5b3a",
            "target": {
                "file": "epan/dissectors/packet-blip.c",
                "function": "proto_register_blip"
            }
        },
        {
            "digest": {
                "function_hash": "42428474322532422323406658849635530022",
                "length": 1562.0
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://gitlab.com/wireshark/wireshark@4a948427100b6c109f4ec7b4361f0d2aec5e5c3f",
            "signature_type": "Function",
            "id": "CVE-2020-25866-e0730287",
            "target": {
                "file": "epan/dissectors/packet-blip.c",
                "function": "decompress"
            }
        },
        {
            "digest": {
                "line_hashes": [
                    "231457119782423097333262304500154648398",
                    "89707701405970446106737834544274489479",
                    "274676446702317858184502607527688661770",
                    "337578530301425042605140723422781108003",
                    "94270442880728988200009589483509167415",
                    "178805019552179363728417786297999176910",
                    "141179626053474188331333582282551237191",
                    "173662981700678896840995837528331157958",
                    "138865619586795132684424639683189601976",
                    "11409611191344910515700795087640139094",
                    "69403195685994832883061886230825378885",
                    "156169860743477273915472800076120104623",
                    "219849491493513207790323818439742142417",
                    "217619904693307142962313629875135737357",
                    "220507903264787080702728961496908670126",
                    "288734326509726903113638476353719696280",
                    "338645410577665506361249544897178690953",
                    "246243351203548783920782033625470625781",
                    "312827323945583003851165254904168456073",
                    "79124695978977975742086628468048930995",
                    "129966154597360376161359042400484365535",
                    "337814961127370497648602450795257808090",
                    "264593872128017672958892377630930713499",
                    "225384111189463512053282973047586970171",
                    "298328022781465683426207643580473013128",
                    "222498695639466119968985341776331145842",
                    "5258528728846765490103478394797607639",
                    "157864466071517715094408824354109862092",
                    "198706397180825595129833564267555127296",
                    "187945434406417299043972500396001750019",
                    "245917967541114044285854780689720692369",
                    "129139874255337244397020427169016443104",
                    "303837371817841022052009243233175484174",
                    "231253519525035169736506241100866568645",
                    "112280967652357638204251721830276350076",
                    "97705935832910385079550075393087972167",
                    "54242014055567220435595311401597839849",
                    "61652051922311053830617595675091861012",
                    "280783539453326904475295633664487916954",
                    "339029896080718069150213807283488039738",
                    "275162149469989840664912027080591862430",
                    "247604329250242980944896267779919178825",
                    "16922500419353384526777500377016845748",
                    "273449636033521873992977931240903533351",
                    "146184341328269494100402385897399319311",
                    "235465535319092533954239357630078909252",
                    "164007606531855467976705553104737919030",
                    "229443684837100040059706810170914048851",
                    "249026293906492013133583737765376652956",
                    "175784415987065442405939710850742459347",
                    "339213355812176497329530268947986373699",
                    "110434030997506308039328143936538235679",
                    "335885824609442790771265416856535758410",
                    "133203111439316661891632654739431583440",
                    "74953611039542921136912933797430118141",
                    "66163840181607102810944825991811349474",
                    "58335138591692172721868565455874389353",
                    "312249855791953285742445620400052571293",
                    "335207649842226901599958081547601902324",
                    "176577026867923329879246743708407510234",
                    "317666205066760220936030707917884679241",
                    "70668999515487871116543842711024289387",
                    "118565453488412994374376180823953580187",
                    "299298808156616498882355689917957613079",
                    "123305081807432685163292179136898042950",
                    "245567782253499801858648075034994699004",
                    "172690816749583166372552546122236805258",
                    "71771581555261610473040994606186039608",
                    "264859136071381484652905082343372744337",
                    "224270308238106393922943091147874349011",
                    "310625589340992854528458711367792294202",
                    "85285683301875423606130055052046892594",
                    "251575269308664433899076241932240896432",
                    "209654633313750596411844604946507588238",
                    "293742803157249601550859528809642875875",
                    "7186441650223184905616272768598167097",
                    "320823090335538244163181310700144883913",
                    "175129984810074778014160343598628675264",
                    "158877268051467993223529823655647335829",
                    "133869816249295877612192588152323300205"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://gitlab.com/wireshark/wireshark@4a948427100b6c109f4ec7b4361f0d2aec5e5c3f",
            "signature_type": "Line",
            "id": "CVE-2020-25866-f8f7af86",
            "target": {
                "file": "epan/dissectors/packet-blip.c"
            }
        }
    ]
}