84547 – net-analyzer/ethereal 0.10.10 fixes security vulnerabilities

Bug 84547 - net-analyzer/ethereal 0.10.10 fixes security vulnerabilities

Summary: net-analyzer/ethereal 0.10.10 fixes security vulnerabilities

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	High major (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B1? [glsa] jaervosz
Keywords:

Depends on:
Blocks:

Reported:	2005-03-08 13:35 UTC by Thierry Carrez (RETIRED)
Modified:	2006-03-23 19:35 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
ethereal-0.10.10.ebuild (ethereal-0.10.10.ebuild,2.45 KB, text/plain) 2005-03-11 10:36 UTC, Aaron Walker (RETIRED)	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thierry Carrez (RETIRED) gentoo-dev

2005-03-08 13:35:21 UTC

Ethereal 0.10.10 is scheduled to be released on Thursday, March 10. It addresses the following security issues:

  The Etheric dissector was susceptible to a buffer overflow.
  Versions affected: 0.10.7 to 0.10.9
  Fixed in revision: 13176

  The GPRS-LLC dissector could crash if the "ignore cipher bit" option was enabled.
  Versions affected: 0.10.7 to 0.10.9
  Fixed in revisions: 13386 (further improvements in 13549 and 13571)

  The 3GPP2 A11 dissector was susceptible to a buffer overflow.
  Versions affected: 0.10.3 to 0.10.9
  Fixed in revision: 1357

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-03-08 13:39:06 UTC

Ccing eldad and dragonheart as recent version bumpers.
This is still confidential, official release of 0.10.10 is Thursday at 3:00PM CST (21:00 UTC).
Will one of you be around to check and commit the new version then ?

Comment 2 Luke Macken (RETIRED) gentoo-dev

2005-03-08 16:51:12 UTC

public @ http://www.securityfocus.com/archive/1/392659

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-03-09 00:10:25 UTC

eldad is away until april -> uncc'ing.

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-03-09 22:20:34 UTC

CVE ids assigned:

CAN-2005-0704 Etheric
CAN-2005-0705 GPRS-LLC
CAN-2005-0699 3GPP2 A11

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-03-10 22:23:07 UTC

Another issue popped up so the release date is changed to: March 11 17:00 GMT.

The IAPP dissector is vulnerable to a buffer overflow.
Versions affected: 0.9.1 to 0.9.9

Comment 6 Aaron Walker (RETIRED) gentoo-dev

2005-03-11 10:35:35 UTC

Daniel, I've stayed up long enough waiting... gotta get some sleep.

Good news is I've done all the work for ya (working from a svn snapshot of the 0.10.10 branch from about an hour or two ago).  The only patch in the previous ebuild is no longer required.

Modified ebuild is attached.

Comment 7 Aaron Walker (RETIRED) gentoo-dev

2005-03-11 10:36:14 UTC

Created attachment 53190 [details]
ethereal-0.10.10.ebuild

Comment 8 Aaron Walker (RETIRED) gentoo-dev

2005-03-11 10:41:34 UTC

*sigh* nevermind.  Got the announcement in my mailbox right after I pressed "Commit".

Going to build with the official tarball and make sure everything is still ok.

Comment 9 Aaron Walker (RETIRED) gentoo-dev

2005-03-11 11:08:43 UTC

In CVS, stable on x86.  Will the CC'd archs please mark stable?

Comment 10 Jan Brinkmann (RETIRED) gentoo-dev

2005-03-11 12:08:44 UTC

stable on amd64

Comment 11 Bryan Østergaard (RETIRED) gentoo-dev

2005-03-11 20:17:54 UTC

Stable on alpha.

Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2005-03-12 00:26:18 UTC

Stable on ppc.

Comment 13 Markus Rothe (RETIRED) gentoo-dev

2005-03-12 04:04:04 UTC

stable on ppc64

Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev

2005-03-12 05:34:13 UTC

sparc done.

Comment 15 Luke Macken (RETIRED) gentoo-dev

2005-03-12 09:00:10 UTC

GLSA 200503-16

ia64, please mark stable to benefit from GLSA.