Bug 105328 - net-analyzer/dsniff-2.3-r5 possibly vulnerable
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Reported: 2005-09-08 20:33 UTC by Marcelo Goes (RETIRED)
Modified: 2007-01-06 17:03 UTC
Description Marcelo Goes (RETIRED) gentoo-dev 2005-09-08 20:33:33 UTC
Hello,

This kludgy ebuild hardcodes its own version of sys-libs/db, apparently
unnecessarily. Anyway, the problem is that it installs an unpatched 3.2.9
version of db (see files folder of sys-libs/db for patches) and I am not sure
whether this presents a security issue or not.

For example, from patch.3.2.9.1:

+               case DB_LV_NONEXISTENT:
+                       /* Should never happen. */
+                       DB_ASSERT(0);
+                       break;
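
Review bot: in the new `DB_LV_NONEXISTENT` case, `DB_ASSERT(0)` followed by `break` is the only handling, so if `DB_ASSERT` is compiled out in a given build, the "should never happen" state passes through silently. Consider setting an error return before the `break`, and extending the comment to say why this state cannot be reached here.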

I just committed a dsniff-2.3-r6.ebuild that fixes the db issue. Please, let me
know if this is a real issue or not.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-06 12:01:49 UTC
taviso/tigger/solar/vapier please advise. 
Comment 2 SpanKY gentoo-dev 2005-10-06 16:10:42 UTC
err, dsniff-2.3-r6 already fixes this

  09 Sep 2005; Marcelo Goes <vanquirius@gentoo.org> +dsniff-2.3-r6.ebuild:
  Made ebuild DEPEND on ~sys-libs/db-3.2.9 instead of building its own copy.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-06 22:27:33 UTC
I am just unaware whether db had any pre-GLSA security issues.
Comment 4 SpanKY gentoo-dev 2005-10-06 22:33:01 UTC
oh right duh, Marcelo reported this bug :)

considering i don't think we've seen any security reports against sys-libs/db, i
say we just mark this as a WORKSFORME:THANKSMARCELO
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-06 22:35:30 UTC
THANKSMARCELO 
Comment 6 Marcelo Goes (RETIRED) gentoo-dev 2005-10-07 06:12:34 UTC
LOL :-)

Cheers