Bug 115030

Summary:

net-analyzer/ethereal OSPF Protocol Vulnerability (CVE-2005-3651)

Product:

Gentoo Security

Reporter:

Chris White (RETIRED) <chriswhite>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

major

CC:

netmon

Priority:

High

Version:

unspecified

Hardware:

All

OS:

Linux

Whiteboard:

B1? [glsa] jaervosz

Package list:

Runtime testing required:

---

Attachments:

Description	Flags
ethereal-0.10.13-packet-ospf.diff	none

Description Chris White (RETIRED) gentoo-dev

2005-12-09 14:58:17 UTC

http://www.idefense.com/application/poi/display?id=349&type=vulnerabilities

Patch:

http://anonsvn.ethereal.com/viewcvs/viewcvs.py/trunk/epan/dissectors/packet-
ospf.c?rev=16507&view=markup

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-12-10 05:24:01 UTC

Netmon please advise and bump as necessary.

Comment 2 Marcelo Goes (RETIRED) gentoo-dev

2005-12-10 06:42:23 UTC

Created attachment 74428 [details, diff]
ethereal-0.10.13-packet-ospf.diff

Anyone care to review this patch?

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2005-12-11 09:56:54 UTC

Patch comes from upstream, I guess it's OK...

Comment 4 Marcelo Goes (RETIRED) gentoo-dev

2005-12-11 10:44:26 UTC

Okies, ethereal-0.10.13-r2 has the patch.

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-12-11 13:26:44 UTC

Arches please test and mark stable.

Comment 6 Jason Wever (RETIRED) gentoo-dev

2005-12-11 13:37:46 UTC

Patch fails to apply as it had a CVS tag in it that got munged when committed

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-12-11 13:45:44 UTC

Back to ebuild.

Comment 8 Markus Rothe (RETIRED) gentoo-dev

2005-12-11 13:55:39 UTC

weeve: commit it with "cvs add -ko" (I guess you found out already yourself...)

Comment 9 Jason Wever (RETIRED) gentoo-dev

2005-12-11 13:58:59 UTC

No I haven't.  You'll want to direct that comment at vanquirius as he was the
commit culprit.

Comment 10 Marcelo Goes (RETIRED) gentoo-dev

2005-12-11 14:18:01 UTC

Ok, new version of the patch is in cvs.
Sorry for the trouble.

Comment 11 Jason Wever (RETIRED) gentoo-dev

2005-12-11 19:24:43 UTC

Builds here on sparc.  Are there any sample packet captures to test this issue?

Comment 12 Joshua Jackson (RETIRED) gentoo-dev

2005-12-11 19:45:21 UTC

stable on x86

Comment 13 Markus Rothe (RETIRED) gentoo-dev

2005-12-12 01:49:30 UTC

stable on ppc64

Comment 14 Thierry Carrez (RETIRED) gentoo-dev

2005-12-12 03:37:21 UTC

Jason: no test capture, sorry.

Comment 15 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2005-12-12 12:32:10 UTC

Stable on ppc.

Comment 16 Daniel Gryniewicz (RETIRED) gentoo-dev

2005-12-12 12:46:58 UTC

amd64 done.

Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev

2005-12-13 10:56:50 UTC

sparc stable.

Comment 18 Bryan Østergaard (RETIRED) gentoo-dev

2005-12-13 12:20:12 UTC

Stable on alpha + ia64.

Comment 19 Thierry Carrez (RETIRED) gentoo-dev

2005-12-14 10:13:07 UTC

GLSA 200512-06