Bug 53399 - net-analyzer/aimsniff symlink attack
Bug#: 53399 Product:  Gentoo Linux Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: enhancement Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: gte481z@mail.gatech.edu
Component: Security
URL:  http://www.aimsniff.com/forum/viewtopic.php?t=509
Summary: net-analyzer/aimsniff symlink attack
Keywords:  
Status Whiteboard: B3 [glsa? masked]
Opened: 2004-06-09 05:54 0000
Description:
The aimsniff ebuild, version 0.9, contains a security vulnerability.
Currently, it downloads and installs version 0.9b of aimsniff. This hole,
documented by the aimsniff author in a post to the aimsniff forums at:

http://www.aimsniff.com/forum/viewtopic.php?t=509

can be fixed by updating the ebuild to download and install version 0.9d of
aimsniff.

Reproducible: Always

------- Comment #1 From Thierry Carrez (RETIRED) 2004-06-09 06:01:30 0000 -------
Undisclosed security problem...
ebuild should be updated to use 0.9d.

------- Comment #2 From John Davis (zhen) (RETIRED) 2004-06-09 08:49:22 0000 -------
working on it ...

------- Comment #3 From solar 2004-06-09 08:52:26 0000 -------
I think this software should be removed from portage altogether.
What's next, 'emerge rootkit'?

------- Comment #4 From John Lyon 2004-06-09 08:59:06 0000 -------
modified the current ebuild and left it on the internet here:

http://www.prism.gatech.edu/~gte481z/aimsniff.html

Cannot test it now as I am at work. Will submit an ebuild file and test results when I get back from work tonight. Anyone who wishes to test the ebuild at that link is welcome.

------- Comment #5 From John Lyon 2004-06-09 09:02:50 0000 -------
Why remove it from portage? Aimsniff has legitimate uses such as monitoring
employees on company computers to make sure they are not abusing their
company's internet use policy, or financial institutions who are required to
log all communication transactions. It's just a passive network packet
sniffer. Really just a pretty version of tcpdump or ethereal, and not nearly
as dangerous as ettercap (also in portage), speaking of "emerge rootkit".

------- Comment #6 From solar 2004-06-09 10:18:07 0000 -------
fair enough.

------- Comment #7 From John Lyon 2004-06-09 17:19:48 0000 -------
Ebuild sorta seems to work. I don't have mysql or apache installed on my box
at home to really test it though. Someone else will need to take it up from
here. I'm leaving the ebuild modifications I made up on the net at the address
above.

------- Comment #8 From John Davis (zhen) (RETIRED) 2004-06-10 07:06:02 0000 -------
Sorry I haven't gotten around to this yet. We lost power all last night and
this morning due to storms. I will see if I can get to it today.

------- Comment #9 From John Lyon 2004-06-14 10:29:41 0000 -------
New ebuild to plug this hole submitted to bugzilla as bug #53905.

------- Comment #10 From Seemant Kulleen (RETIRED) 2004-06-14 10:56:19 0000 -------
*** Bug 53905 has been marked as a duplicate of this bug. ***

------- Comment #11 From John Davis (zhen) (RETIRED) 2004-06-14 14:29:05 0000 -------
I'm not going to be able to get to this because my releng responsibilities are
taking up my time. bug-wranglers?

------- Comment #12 From Thierry Carrez (RETIRED) 2004-06-17 12:50:00 0000 -------
Vulnerability description available at:
http://www.osvdb.org/displayvuln.php?osvdb_id=6381

We need to find someone to bump or validate the provided ebuild.

------- Comment #13 From Kurt Lieber 2004-06-23 12:06:46 0000 -------
Posted a request[1] on gentoo-dev for a dev to take over maintainership of this
package. Nobody responded. Masking for now.

[1] http://article.gmane.org/gmane.linux.gentoo.devel/19008/

------- Comment #14 From Ian Leitch (RETIRED) 2004-06-23 13:18:10 0000 -------
Even though I'd never use such a package, I hate seeing packages masked due to
lack of maintainership. I'll take care of the bump; looks like the ebuild could
use some love.

------- Comment #15 From Thierry Carrez (RETIRED) 2004-06-24 01:45:50 0000 -------
port001: you're welcome :)
Package has been masked in the meantime, updating status whiteboard.

------- Comment #16 From Ian Leitch (RETIRED) 2004-06-27 13:52:33 0000 -------
Bumped ebuild in CVS. Converted the ebuild to use webapp also. 

------- Comment #17 From Thierry Carrez (RETIRED) 2004-06-28 02:00:43 0000 -------
PPC: please test and mark the 0.9-r1 ebuild "~ppc" so that we can unmask it.

------- Comment #18 From David Holm (RETIRED) 2004-06-28 02:18:40 0000 -------
It has been marked. Since 0.9 was ~ppc you could have keyworded it yourselves,
unless there was a specific reason to remove the keyword.

------- Comment #19 From Thierry Carrez (RETIRED) 2004-06-28 02:55:18 0000 -------
dholm: would've done it if I had commit access :)
klieber: I think you can unmask the package.

This is ready for a GLSA vote.

------- Comment #20 From Kurt Lieber 2004-06-28 08:11:01 0000 -------
Unmasking from package.mask. Closing without GLSA since this is a ~masked
ebuild.