Bug 32691 - Security problems in Ethereal 0.9.15
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
Keywords: SECURITY
Depends on:
Reported: 2003-11-04 01:08 UTC by Patrick Kursawe (RETIRED)
Modified: 2011-10-30 22:38 UTC


Patch for .15 ebuild for .16 (patch-.15-.16,1.21 KB, patch)
2003-11-05 02:31 UTC, Patrick Kursawe (RETIRED)

Description Patrick Kursawe (RETIRED) gentoo-dev 2003-11-04 01:08:43 UTC
See URL for details. Currently downloading .16.
Comment 1 Patrick Kursawe (RETIRED) gentoo-dev 2003-11-04 03:33:35 UTC
Works for me. What to do with other platforms than x86?
Comment 2 solar (RETIRED) gentoo-dev 2003-11-04 11:31:56 UTC
Name: Security problems in Ethereal 0.9.15

Docid: enpa-sa-00011

Date: November 3, 2003

Severity: High


Potential security issues have been discovered in the following protocol

    * An improperly formatted GTP MSISDN string could cause a buffer overflow.
    * A malformed ISAKMP or MEGACO packet could make Ethereal or Tethereal
    * The SOCKS dissector was susceptible to a heap overflow.


It may be possible to make Ethereal crash or run arbitrary code by injecting
a purposefully malformed packet onto the wire, or by convincing someone to
read a malformed packet trace file.


Upgrade to 0.9.16.

If you are running a version prior to 0.9.16 and you cannot upgrade, you
can disable the GTP, ISAKMP, MEGACO, and SOCKS protocol dissectors by selecting
Edit->Protocols... and deselecting them from the list. 
Comment 3 solar (RETIRED) gentoo-dev 2003-11-04 12:02:43 UTC
While bumping a local copy to test if this would be an easy fix I noticed
a few problems.

[ebuild     U ] net-analyzer/ethereal-0.9.16 [0.9.14] -gtk -ipv6 +snmp +ssl

ipv6 always gets enabled for some odd reason.
build dies with it failing looking for gtk headers.

gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I/usr/include/rpm -mcpu=i686
-O3 -pipe -Dlinux -I/usr/include/rpm -I. -I/usr/include -DINET6 "-D_U_=__attribute__((unused))"
-Wall -W -mcpu=i686 -O3 -pipe -fPIC -fstack-protector -fomit-frame-pointer
-I/usr/include/glib-1.2 -I/usr/lib/glib/include -I/usr/include/rpm -mcpu=i686
-O3 -pipe -Dlinux -I/usr/include/rpm -I. -I/usr/include -c packet-asn1.c
-MT packet-asn1.lo -MD -MP -MF .deps/packet-asn1.TPlo  -fPIC -DPIC -o packet-asn1.lo
packet-asn1.c:90:21: gtk/gtk.h: No such file or directory

Ethereal is one of those interesting packages that seems to be (un)maintained
by a large number of people with no single person in semi charge of it. 
This is not really acceptable anymore as this package has had to have 2 security
bumps in the past and this will make it the 3rd version bump based on a need
for a security update.

A simple
grep '<'[A-Z,a-z,0-9]*[A-Z,a-z,0-9]'>' ChangeLog | cut -d '<' -f 2 | cut -d '>' -f 1 | sort | uniq ; #
shows 15 unique people have had something to do with it at some time or another,
with being the dev who has the most ChangeLog entries.

So the question is who will make ethereal a maintained package, including
a metadata.xml? phosphan? others?
Comment 4 Patrick Kursawe (RETIRED) gentoo-dev 2003-11-04 22:47:56 UTC
Having a closer look at the documentation and the configure script I get
the impression that gtk support is _not_ optional. See also
" GTK+ and GLib, available from the GTK+ site. Version 1.2 or a later 1.2.x
release are needed; Ethereal is not guaranteed to compile with 2.x releases
of GTK+ or GLib, and there's a good chance that it will not compile. "
Comment 5 Patrick Kursawe (RETIRED) gentoo-dev 2003-11-05 00:11:28 UTC
Oh, forget my last comment. There's still tethereal.
Comment 6 Patrick Kursawe (RETIRED) gentoo-dev 2003-11-05 01:06:17 UTC
Update: found the ipv6 problem, it was just enabled if the USE flag was set
but not disabled if not. Similar problem for snmp libs. Currently trying
to compile without GUI, seems the asn1 plugin has to be disabled.
Comment 7 Patrick Kursawe (RETIRED) gentoo-dev 2003-11-05 02:31:29 UTC
Created attachment 20284 [details, diff]
Patch for .15 ebuild for .16

This is my suggestion for the .16 ebuild. Please test.
About maintainership: I don't want to take personal maintainership for any
packages since I'll be
- extremely unreliable in November
- absent during January
- absolutely-can't-predict-what after that
Comment 8 Patrick Kursawe (RETIRED) gentoo-dev 2003-11-10 06:54:14 UTC
Hello? Testers?
Comment 9 Carsten Lohrke (RETIRED) gentoo-dev 2003-11-10 09:46:46 UTC
Compiles fine, starts, works for me, Patrick 

x86 / +gtk -ipv6 -snmp +ssl +gtk2
Comment 10 Patrick Kursawe (RETIRED) gentoo-dev 2003-11-11 00:25:00 UTC
Put .16 into portage now, still ~ARCH for everything. Please do some further
testing and don't forget the GLSA for this one. Leaving the bug open.
Comment 11 solar (RETIRED) gentoo-dev 2003-11-11 08:44:54 UTC
works here as
net-analyzer/ethereal-0.9.16  +gtk -ipv6 +snmp +ssl -gtk2 
Comment 12 Andrea Barisani (RETIRED) gentoo-dev 2003-11-24 10:25:10 UTC
GLSA sent, I'm closing it.