53399 2004-06-09 05:54 0000 net-analyzer/aimsniff symlink attack 2004-06-28 08:11:01 0000 1 1 1 Unclassified Gentoo Linux Security unspecified All Linux RESOLVED FIXED http://www.aimsniff.com/forum/viewtopic.php?t=509 B3 [glsa? masked] P2 enhancement --- 1 gte481z@mail.gatech.edu security@gentoo.org port001@gentoo.org zhen@gentoo.org gte481z@mail.gatech.edu 2004-06-09 05:54:51 0000 The aimsniff ebuild, version 0.9, contains a security vulnerability. Currently, it downloads and installs version 0.9b of aimsniff. This hole, documented by the aimsniff author in a post to the aimsniff forums at: http://www.aimsniff.com/forum/viewtopic.php?t=509 Can be fixed by updating the ebuild to download and install version 0.9d of aimsniff. Reproducible: Always Steps to Reproduce: 1. 2. 3. koon@gentoo.org 2004-06-09 06:01:30 0000 Undisclosed security problem... ebuild should be updated to use 0.9d. zhen@gentoo.org 2004-06-09 08:49:22 0000 working on it ... solar@gentoo.org 2004-06-09 08:52:26 0000 I think this software should be remove from portage all together. Whats next 'emerge rootkit' gte481z@mail.gatech.edu 2004-06-09 08:59:06 0000 modified the current ebuild and left it on the internet here: http://www.prism.gatech.edu/~gte481z/aimsniff.html can not test it now as I am at work. Will submit an ebuild file and test results when I get back from work tonight. Anyone who wishes to test the ebuild at that link is welcome. gte481z@mail.gatech.edu 2004-06-09 09:02:50 0000 Why remove it from portage? Aimsniff has legitmate uses such as monitoring employees on company computers to make sure they are not abusing their companies internet use policy or finiancial institutions who are required to log all communication transactions. It's just a passive network packet sniffer. Really just a pretty version of tcpdump or ethereal, and not nearly as dangerous as ettercap (also in portage), speaking of "emerge rootkit". solar@gentoo.org 2004-06-09 10:18:07 0000 fair enough. gte481z@mail.gatech.edu 2004-06-09 17:19:48 0000 Ebuild sorta seems to work. I don't have mysql or apache installed on my box at home to really to test it though. Someone else will need to take it up from here. I'm leaving the ebuild modifications I made up on the net at the address above. zhen@gentoo.org 2004-06-10 07:06:02 0000 sorry i haven't gotten around to this yet. We lost power all last night and this morning due to storms. I will see if I can get to it today. gte481z@mail.gatech.edu 2004-06-14 10:29:41 0000 New Ebuild to plug this whole submitted to bugzilla as bug #53905 seemant@gentoo.org 2004-06-14 10:56:19 0000 *** Bug 53905 has been marked as a duplicate of this bug. *** zhen@gentoo.org 2004-06-14 14:29:05 0000 i'm not going to be able to get to this because my releng responsibilities are taking up my time. bug-wranglers? koon@gentoo.org 2004-06-17 12:50:00 0000 Vulnerability description available at : http://www.osvdb.org/displayvuln.php?osvdb_id=6381 We need to find someone to bump or validate the provided ebuild. klieber@gentoo.org 2004-06-23 12:06:46 0000 posted a request[1] on gentoo-dev for a dev to take over maintainership of this package. Nobody responded. Masking for now. [1] http://article.gmane.org/gmane.linux.gentoo.devel/19008/ port001@gentoo.org 2004-06-23 13:18:10 0000 Even though I'd never use such a package, I hate seeing packages masked due to lack of maintainership. I'll take care of the bump, looks like the ebuild could use some love. koon@gentoo.org 2004-06-24 01:45:50 0000 port001 : you're welcome :) Package has been masked in the meantime, updating status whiteboard. port001@gentoo.org 2004-06-27 13:52:33 0000 Bumped ebuild in CVS. Converted the ebuild to use webapp also. koon@gentoo.org 2004-06-28 02:00:43 0000 PPC : please test and mark the 0.9-r1 ebuild "~ppc" so that we can unmask it. dholm@gentoo.org 2004-06-28 02:18:40 0000 It has been marked. Since 0.9 was ~ppc you could have keyworded it yourselves, unless there was a specific reason to remove the keyword. koon@gentoo.org 2004-06-28 02:55:18 0000 dholm: would've done it if I had commit access :) klieber: I think you can unmask the package. This is ready for a GLSA vote. klieber@gentoo.org 2004-06-28 08:11:01 0000 unmasking from package.mask. closing without GLSA since this is a ~masked ebuild.