Summary: | Security problems in Ethereal 0.9.15 | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Patrick Kursawe (RETIRED) <phosphan>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | critical | CC: | bcowan, carlo
Priority: | High | Keywords: | SECURITY
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://www.ethereal.com/appnotes/enpa-sa-00011.html | |

Description
Patrick Kursawe (RETIRED)
2003-11-04 01:08:43 UTC
Works for me. What to do with other platforms than x86?

SUMMARY
Name: Security problems in Ethereal 0.9.15
Docid: enpa-sa-00011
Date: November 3, 2003
Severity: High

DETAILS
Description: Potential security issues have been discovered in the following protocol dissectors:
* An improperly formatted GTP MSISDN string could cause a buffer overflow.
* A malformed ISAKMP or MEGACO packet could make Ethereal or Tethereal crash.
* The SOCKS dissector was susceptible to a heap overflow.

Impact: It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file.

Resolution: Upgrade to 0.9.16. If you are running a version prior to 0.9.16 and you cannot upgrade, you can disable the GTP, ISAKMP, MEGACO, and SOCKS protocol dissectors by selecting Edit->Protocols... and deselecting them from the list.

While bumping a local copy to test if this would be an easy fix I noticed a few problems.

[ebuild U ] net-analyzer/ethereal-0.9.16 [0.9.14] -gtk -ipv6 +snmp +ssl -gtk2

ipv6 always gets enabled for some odd reason. build dies with it failing looking for gtk headers.

gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I/usr/include/rpm -mcpu=i686 -O3 -pipe -Dlinux -I/usr/include/rpm -I. -I/usr/include -DINET6 "-D_U_=__attribute__((unused))" -Wall -W -mcpu=i686 -O3 -pipe -fPIC -fstack-protector -fomit-frame-pointer -I/usr/include/glib-1.2 -I/usr/lib/glib/include -I/usr/include/rpm -mcpu=i686 -O3 -pipe -Dlinux -I/usr/include/rpm -I. -I/usr/include -c packet-asn1.c -MT packet-asn1.lo -MD -MP -MF .deps/packet-asn1.TPlo -fPIC -DPIC -o packet-asn1.lo
packet-asn1.c:90:21: gtk/gtk.h: No such file or directory

------------------------------------------------------------------------------

Ethereal is one of those interesting packages that seems to be (un)maintained by a large number of people with no single person in semi charge of it. This is not really acceptable anymore as this package has had to have 2 security bumps in the past and this will make it the 3rd version bump based on a need for a security update. A simple grep '<'[A-Z,a-z,0-9]*[A-Z,a-z,0-9]@gentoo.org'>' ChangeLog | cut -d '<' -f 2 | cut -d '>' -f 1 | sort | uniq ; # shows 15 unique people have had something to do with it at some time or another, with bcowan@gentoo.org being the dev who has the most ChangeLog entries. So the question is who will make ethereal a maintained package, including a metadata.xml? phosphan? others?

Having a closer look at the documentation and the configure script I get the impression that gtk support is _not_ optional. See also http://www.ethereal.com/download.html#requirements

" GTK+ and GLib, available from the GTK+ site. Version 1.2 or a later 1.2.x release are needed; Ethereal is not guaranteed to compile with 2.x releases of GTK+ or GLib, and there's a good chance that it will not compile. "

Oh, forget my last comment. There's still tethereal.

Update: found the ipv6 problem, it was just enabled if the USE flag was set but not disabled if not. Similar problem for snmp libs. Currently trying to compile without GUI, seems the asn1 plugin has to be disabled.

Created attachment 20284 [details, diff]
Patch for .15 ebuild for .16
This is my suggestion for the .16 ebuild. Please test.
About maintainership: I don't want to take personal maintainership for any new packages since I'll be
- extremely unreliable in November
- absent during January
- absolutely-can't-predict-what after that
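
The USE-flag problem reported above (ipv6 enabled when the flag is set, never disabled when it is not), as an added shell example that is not the attached ebuild patch or Gentoo's own code. `use` and `use_enable` are simplified stand-ins for the Portage helpers, and the `--enable-ipv6`/`--disable-ipv6` switches and the default-on configure behaviour are assumptions used to model the effect.

```shell
#!/bin/sh
# Added example. use/use_enable are simplified stand-ins for the Portage
# helpers so the logic runs outside an ebuild; USE is a constructed value.

use() {                      # succeeds if flag $1 is present in $USE
    case " $USE " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

use_enable() {               # always emits exactly one explicit switch
    if use "$1"; then echo "--enable-$1"; else echo "--disable-$1"; fi
}

# Pattern described in the thread: a switch is passed only when the flag is set.
conf_one_sided() {
    myconf=""
    use ipv6 && myconf="--enable-ipv6"
    echo "$myconf"
}

# Corrected pattern: the switch is explicit in both directions.
conf_explicit() {
    use_enable ipv6
}

# Model of configure (assumption): the feature defaults to on unless a
# switch says otherwise; the last switch on the command line wins.
effective_ipv6() {
    state=on
    for arg in "$@"; do
        case "$arg" in
            --enable-ipv6)  state=on ;;
            --disable-ipv6) state=off ;;
        esac
    done
    echo "$state"
}

USE="ssl snmp"               # constructed: ipv6 was not requested
echo "one-sided: $(effective_ipv6 $(conf_one_sided))"
echo "explicit:  $(effective_ipv6 $(conf_explicit))"
```

With the one-sided pattern a build with `-ipv6` still ends up with the feature compiled in, so the installed binary does not match the flags the user selected.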
Hello? Testers?

Compiles fine, starts, works for me, Patrick x86 / +gtk -ipv6 -snmp +ssl +gtk2

Put .16 into portage now, still ~ARCH for everything. Please do some further testing and don't forget the GLSA for this one. Leaving the bug open.

works here as net-analyzer/ethereal-0.9.16 +gtk -ipv6 +snmp +ssl -gtk2

GLSA sent, I'm closing it.