See URL for details. Currently downloading .16.
Works for me. What to do with other platforms than x86?
Name: Security problems in Ethereal 0.9.15
Date: November 3, 2003
Potential security issues have been discovered in the following protocol
* An improperly formatted GTP MSISDN string could cause a buffer overflow.
* A malformed ISAKMP or MEGACO packet could make Ethereal or Tethereal
* The SOCKS dissector was susceptible to a heap overlfow.
It may be possible to make Ethereal crash or run arbitrary code by injecting
a purposefully malformed packet onto the wire, or by convincing someone to
read a malformed packet trace file.
Upgrade to 0.9.16.
If you are running a version prior to 0.9.16 and you cannot upgrade, you
can disable the GTP, ISAKMP, MEGACO, and SOCKS protocol dissectors by selecting
Edit->Protocols... and deselecting them from the list.
While bumping a local copy to test if this would be an easy fixed I noticed
a few problems.
[ebuild U ] net-analyzer/ethereal-0.9.16 [0.9.14] -gtk -ipv6 +snmp +ssl
ipv6 always gets enabled for some odd reason.
build dies with it failing looking for gtk headers.
gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I/usr/include/rpm -mcpu=i686
-O3 -pipe -Dlinux -I/usr/include/rpm -I. -I/usr/include -DINET6 "-D_U_=__attribute__((unused))"
-Wall -W -mcpu=i686 -O3 -pipe -fPIC -fstack-protector -fomit-frame-pointer
-I/usr/include/glib-1.2 -I/usr/lib/glib/include -I/usr/include/rpm -mcpu=i686
-O3 -pipe -Dlinux -I/usr/include/rpm -I. -I/usr/include -c packet-asn1.c
-MT packet-asn1.lo -MD -MP -MF .deps/packet-asn1.TPlo -fPIC -DPIC -o packet-asn1.lo
packet-asn1.c:90:21: gtk/gtk.h: No such file or directory
Ethereal is one of those interesting packages that seems to be (un)maintained
by a large number of people with no single person in semi charge of it.
This is not really acceptable anymore as this package has had to have 2 security
bumps in the past and this will make it the 3rd version bump based on a need
for a security update.
grep '<'[A-Z,a-z,0-9]*[A-Z,a-z,0-9]@gentoo.org'>' ChangeLog | cut -d '<'
-f 2 | cut -d '>' -f 1 | sort | uniq
shows 15 uniq people have had something to do with it at some time or another,
with firstname.lastname@example.org being the dev who has the most ChangeLog entrys.
So the question is who will make ethereal a maintained package, including
a metadata.xml? phosphan? others?
Having a closer look at the documentation and the configure script I get
the impression that gtk support ist _not_ optional. See also http://www.ethereal.com/download.html#requirements
" GTK+ and GLib, available from the GTK+ site. Version 1.2 or a later 1.2.x
release are needed; Ethereal is not guaranteed to compile with 2.x releases
of GTK+ or GLib, and there's a good chance that it will not compile. "
Oh, forget my last comment. There's still tethereal.
Update: found the ipv6 problem, it was just enabled if the USE flag was set
but not disabled if not. Similar problem for snmp libs. Currently trying
to compile without GUI, seems the asn1 plugin has to be disabled.
Created attachment 20284 [details, diff]
Patch for .15 ebuild for .16
This is my suggestion for the .16 ebuild. Please test.
About maintainership: I don't want to take personal maintainership for any
packages since I'll be
- extremely unreliable in november
- absent during january
- absolutely-can't-predict-what after that
Compiles fine, starts, works for me, Patrick
x86 / +gtk -ipv6 -snmp +ssl +gtk2
Put .16 into portage now, still ~ARCH for everything. Please do some further
testing and don't forget the GLSA for this one. Leaving the bug open.
works here as
net-analyzer/ethereal-0.9.16 +gtk -ipv6 +snmp +ssl -gtk2
GLSA sent, I'm closing it.