Summary: | Buffer overflow in libnids <= 1.17 | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Kerr <LittleThor> |
Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | mr_bones_ |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://marc.theaimsgroup.com/?l=bugtraq&m=106728224210446&w=2 | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Robert Kerr
2003-11-04 09:01:45 UTC
libnids-1.18 added to portage. This version adds new functionality. We now compile libnids as a shared object vs just static .a A full revdep-rebuild will need to be preformed on all binarys that had previously linked to the libnids.a in order to get the old exploitable code off your system completely. this presents a problem ... 1.16 and earlier use libnet-1.0 while 1.17 and later use libnet-1.1 ... there are apps out there that still use libnet-1.0 and probably wont change ... i dont know how many out there need this older libnids though ... there are at least one or two ... so here is what i think we should do: package.mask libnids below 1.18 package.mask everything that needs libnids 1.16 or earlier then we are left with a choice ... leave the packages mask indefinitely or try to backport the fix to 1.16 ... <net-libs/libnids-1.18 is now package masked. net-analyzer/dsniff looks like the only package that depends on net-libs/libnids. I'm not going to mask that one.. but as it stands now dsniff can not be built as long as it continues to have the RDEP of ( >=net-libs/libnids-1.16-r1 <net-libs/libnids-1.17 ) please mask dsniff or fix do something about libnids < 1.17 because it makes a broken dep in portage... dsniff is now masked. My vote is for removal of dsniff from portage. GLSA sent should we close it? changing resolution to FIXED |