Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 32724 - Buffer overflow in libnids <= 1.17
Summary: Buffer overflow in libnids <= 1.17
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Depends on:
Reported: 2003-11-04 09:01 UTC by Robert Kerr
Modified: 2003-11-29 18:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Kerr 2003-11-04 09:01:45 UTC
See URL for more details

Reproducible: Always
Steps to Reproduce:
Comment 1 solar (RETIRED) gentoo-dev 2003-11-04 10:26:16 UTC
libnids-1.18 added to portage.

This version adds new functionality. 
We now compile libnids as a shared object vs just static .a

A full revdep-rebuild will need to be preformed on all binarys that had previously
linked to the libnids.a in order to get the old exploitable code off your
system completely.
Comment 2 SpanKY gentoo-dev 2003-11-04 16:48:41 UTC
this presents a problem ...

1.16 and earlier use libnet-1.0 while 1.17 and later use libnet-1.1 ... there
are apps out there that still use libnet-1.0 and probably wont change ...
i dont know how many out there need this older libnids though ... there are
at least one or two ...

so here is what i think we should do:
package.mask libnids below 1.18
package.mask everything that needs libnids 1.16 or earlier

then we are left with a choice ... leave the packages mask indefinitely or
try to backport the fix to 1.16 ...
Comment 3 solar (RETIRED) gentoo-dev 2003-11-05 16:23:56 UTC
<net-libs/libnids-1.18 is now package masked.

net-analyzer/dsniff looks like the only package that depends on net-libs/libnids.
I'm not going to mask that one.. but as it stands now dsniff can not be built
as long as it continues to have the RDEP of ( >=net-libs/libnids-1.16-r1
<net-libs/libnids-1.17 )
Comment 4 Olivier Crete (RETIRED) gentoo-dev 2003-11-06 04:32:04 UTC
please mask dsniff or fix do something about libnids < 1.17 because it makes
a broken dep in portage...
Comment 5 solar (RETIRED) gentoo-dev 2003-11-06 12:55:00 UTC
dsniff is now masked. My vote is for removal of dsniff from portage.
Comment 6 Andrea Barisani (RETIRED) gentoo-dev 2003-11-24 10:26:56 UTC
GLSA sent should we close it?
Comment 7 solar (RETIRED) gentoo-dev 2003-11-29 18:03:11 UTC
changing resolution to FIXED