Bug 105328

Summary:	net-analyzer/dsniff-2.3-r5 possibly vulnerable
Product:	Gentoo Security	Reporter:	Marcelo Goes (RETIRED) <vanquirius>
Component:	Auditing	Assignee:	Gentoo Security <security>
Status:	RESOLVED WORKSFORME
Severity:	normal
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Marcelo Goes (RETIRED) gentoo-dev

2005-09-08 20:33:33 UTC

Hello,

This kludgy ebuild hardcodes its own version of sys-libs/db, apparently
unnecessarily. Anyway, the problem is that it installs an unpatched 3.2.9
version of db (see files folder of sys-libs/db for patches) and I am not sure
whether this presents a security issue or not.

For example, from patch.3.2.9.1:

+               case DB_LV_NONEXISTENT:
+                       /* Should never happen. */
+                       DB_ASSERT(0);
+                       break;

I just committed a dsniff-2.3-r6.ebuild that fixes the db issue. Please, let me
know if this is a real issue or not.

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-10-06 12:01:49 UTC

taviso/tigger/solar/vapier please advise.

Comment 2 SpanKY gentoo-dev

2005-10-06 16:10:42 UTC

err, dsniff-2.3-r6 already fixes this

  09 Sep 2005; Marcelo Goes <vanquirius@gentoo.org> +dsniff-2.3-r6.ebuild:
  Made ebuild DEPEND on ~sys-libs/db-3.2.9 instead of building its own copy.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-10-06 22:27:33 UTC

I am just unaware wether db had any pre GLSA security issues.

Comment 4 SpanKY gentoo-dev

2005-10-06 22:33:01 UTC

oh right duh, Marcelo reported this bug :)

considering i dont think we've seen any security reports against sys-libs/db, i
say we just mark this as a WORKSFORME:THANKSMARCELO

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-10-06 22:35:30 UTC

THANKSMARCELO

Comment 6 Marcelo Goes (RETIRED) gentoo-dev

2005-10-07 06:12:34 UTC

LOL :-)

Cheers