Bug 340897 (CVE-2010-3843) - <net-analyzer/ettercap-0.7.5 : Insecure File Access and Stack Overflow (CVE-2010-{3843,3844})
Status: RESOLVED FIXED
Alias: CVE-2010-3843
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugs.launchpad.net/ubuntu/+so...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2010-10-14 00:50 UTC by Tim Sammut (RETIRED)
Modified: 2014-05-17 19:30 UTC

See Also:
Package list:
Runtime testing required: ---


Description Tim Sammut (RETIRED) gentoo-dev 2010-10-14 00:50:03 UTC
From $URL:

The GTK version of ettercap uses a global settings file at /tmp/.ettercap_gtk and does not verify ownership of this file. When parsing this file for settings in gtkui_conf_read() (src/interfaces/gtk/ec_gtk_conf.c), an unchecked sscanf() call allows a maliciously placed settings file to overflow a statically-sized buffer on the stack. Stack-smashing protection catches it, but it still should be fixed.

Verify with:
$ perl -e 'print "A"x500' > /tmp/.ettercap_gtk && ettercap -G

Firstly, the settings file should not be globally accessible without checking ownership, which still gets hairy because an attacker could create a symlink or hard link to a victim-controlled file (unless you're using YAMA :p). The best thing would probably be to keep this file in the user's home directory instead.

Secondly, parsing configuration files should be robust against malformed input and not susceptible to trivial buffer overflows.

And CVE assignment from oss-security:

CVE-2010-3843 ettercap GTK insecure temporary file use
CVE-2010-3844 ettercap GTK format string flaw

(Note: not sure why CVE-2010-3844 is described as a format string vuln, when it's a stack overflow.)
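The two defects the report describes, the width-less sscanf() into a fixed stack buffer and the trust placed in a world-accessible /tmp file, side by side with hardened forms. This is an added illustration, not ettercap's own code: NAME_LEN, the setting name "sniff_mode", the "%31s" width (which must stay NAME_LEN-1), and the temp path under /tmp are assumptions made for the example, and the inputs are constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define NAME_LEN 32 /* assumed size of the on-stack setting-name buffer */

/* Vulnerable pattern (illustrative, not ettercap's code): "%s" has no width,
 * so a name longer than NAME_LEN-1 bytes runs past 'name' on the stack. */
int parse_setting_unsafe(const char *line, int *value_out)
{
    char name[NAME_LEN];
    int value = 0;
    if (sscanf(line, "%s = %d", name, &value) != 2)
        return -1;
    *value_out = value;
    return 0;
}

/* Hardened form: "%31s" (NAME_LEN-1) caps the write; '=' must follow the
 * token, so an over-long name fails instead of being silently truncated;
 * "%n" lets us reject trailing garbage. */
int parse_setting_safe(const char *line, char *name_out, size_t name_sz,
                       int *value_out)
{
    char name[NAME_LEN];
    int value = 0, consumed = 0;
    if (sscanf(line, "%31s = %d %n", name, &value, &consumed) != 2)
        return -1;
    if (line[consumed] != '\0' || strlen(name) + 1 > name_sz)
        return -1;
    memcpy(name_out, name, strlen(name) + 1);
    *value_out = value;
    return 0;
}

/* Accept a settings file only if it is a regular file we own, has no second
 * hard link, is not group/world writable and was not reached via a symlink.
 * fstat() on the open fd avoids a check-then-use race on the path. */
int open_owned_config(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1 ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed inputs: a made-up well-formed line, then a 500-byte name like
 * the "A"x500 check in the report. Returns 1 when the first parses and the
 * second is rejected with the output left untouched. */
int demo_parser(void)
{
    char line[512], name[NAME_LEN];
    int value = 0;
    if (parse_setting_safe("sniff_mode = 3\n", name, sizeof name, &value) != 0 ||
        strcmp(name, "sniff_mode") != 0 || value != 3)
        return 0;
    memset(line, 'A', 500);
    memcpy(line + 500, " = 1\n", 6);
    return parse_setting_safe(line, name, sizeof name, &value) == -1 && value == 3;
}

/* 1 if open_owned_config() accepts the path (the fd is closed again). */
static int accepted(const char *path)
{
    int fd = open_owned_config(path);
    if (fd >= 0)
        close(fd);
    return fd >= 0;
}

/* A private temp file (0600, ours) is accepted; the same file is refused
 * through a symlink and again once made group-writable. Returns 1 on pass. */
int demo_owned_file(void)
{
    char path[] = "/tmp/ettercap_demo.XXXXXX", link[64];
    int fd = mkstemp(path), ok;
    if (fd < 0)
        return 0;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", path);
    ok = accepted(path);                                    /* 0600, ours */
    ok = ok && symlink(path, link) == 0 && !accepted(link); /* O_NOFOLLOW */
    ok = ok && chmod(path, 0660) == 0 && !accepted(path);   /* mode check */
    unlink(link);
    unlink(path);
    return ok;
}
```

The st_nlink check is what covers the hard-link case the report mentions: a hard link to a victim file shows up as a second link on the inode, which ownership alone would not reveal. Even with these checks, a shared /tmp path remains a bad place for per-user settings; keeping the file under the user's home directory, as the report suggests, removes the shared namespace altogether.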
Comment 1 Rick Farina (Zero_Chaos) gentoo-dev 2012-08-19 03:01:20 UTC
ettercap 0.7.4.1 is in the tree and functional, want to stabilize it as part of this security issue or should we close this as ancient and do a normal stabilization?
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-19 12:06:45 UTC
Thanks for the notification.

However, I don't see any indication of these issues being fixed in 0.7.4.1. $URL has a patch which apparently didn't get applied upstream. I can't seem to find a changelog for 0.7.4.1 either. Do you have more information on this?

In contrast though, the changelog for 0.7.4 claims to have fixed "buffer access out-of-bounds issues", "multiple buffer overflows" and "multiple memory leaks". Could you find out if these are the same issues?
Comment 3 Rick Farina (Zero_Chaos) gentoo-dev 2012-08-22 16:36:08 UTC
(In reply to comment #2)
> Thanks for the notification.
> 
> However, I don't see any indication of these issues being fixed in 0.7.4.1.
> $URL has a patch which apparently didn't get applied upstream. I can't seem
> to find a changelog for 0.7.4.1 either. Do you have more information on this?
> 
> In contrast though, the changelog for 0.7.4 claims to have fixed "buffer
> access out-of-bounds issues", "multiple buffer overflows" and "multiple
> memory leaks". Could you find out if this are the same issues?

Upstream claims these were fixed in 0.7.4 (although please don't stabilize that version as it has other issues).

If upstream's say-so isn't good enough I'm happy to take anything you have and beat them over the head with it.

Thanks!
Comment 4 Agostino Sarubbo gentoo-dev 2012-10-11 14:05:38 UTC
This is now really fixed in 0.7.5.

Arches, please test and mark stable:
=net-analyzer/ettercap-0.7.5
Target keywords : "alpha amd64 arm hppa ppc ppc64 sparc x86"
Comment 5 Andreas Schürch gentoo-dev 2012-10-11 14:36:42 UTC
x86 done
Comment 6 Agostino Sarubbo gentoo-dev 2012-10-11 14:46:48 UTC
amd64 stable
Comment 7 Anthony Basile gentoo-dev 2012-10-11 23:08:37 UTC
stable ppc ppc64
Comment 8 Anton Bolshakov 2012-10-11 23:22:22 UTC
>11 Oct 2012; Agostino Sarubbo (ago) ettercap-0.7.5.ebuild:
>Stable for AMD64, wrt bug #430897

Please fix the typo in the bug number
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2012-10-12 16:28:13 UTC
Stable for HPPA.
Comment 10 Rick Farina (Zero_Chaos) gentoo-dev 2012-10-12 17:12:15 UTC
(In reply to comment #8)
> >11 Oct 2012; Agostino Sarubbo (ago) ettercap-0.7.5.ebuild:
> >Stable for AMD64, wrt bug #430897
> 
> Please fix the typo in the bug number

fixed
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2012-10-13 17:00:18 UTC
alpha/arm/sparc stable
Comment 12 Anthony Basile gentoo-dev 2012-10-14 23:47:04 UTC
(In reply to comment #11)
> alpha/arm/sparc stable

Forgot to un-cc those arches :)
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-15 00:56:40 UTC
Thanks, everyone.

New GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-05-17 19:30:13 UTC
This issue was resolved and addressed in
 GLSA 201405-12 at http://security.gentoo.org/glsa/glsa-201405-12.xml
by GLSA coordinator Sean Amoss (ackle).