Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 78559 - net-analyzer/ethereal multiple issues
Summary: net-analyzer/ethereal multiple issues
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High critical (vote)
Assignee: Gentoo Security
URL: http://www.ethereal.com/news/item_200...
Whiteboard: A1 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-01-18 12:15 UTC by Sune Kloppenborg Jeppesen
Modified: 2006-03-23 19:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
ethereal-0.10.9.ebuild (ethereal-0.10.9.ebuild,2.21 KB, text/plain)
2005-01-19 06:08 UTC, Sune Kloppenborg Jeppesen
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-01-18 12:15:30 UTC
ETA on the official release of 0.10.9 is Wednesday, January 19 at 3:00
PM CST (21:00 UTC).  Notification will be made via the ethereal-announce
mailing list and the web site.

Details and CAN follow:

All different flaw types looking at the patches, therefore one cve name 
per issue:

> Ethereal 0.10.9 is scheduled to be released tomorrow (January 18).  It
> will address the following issues:
>
>  The COPS dissector could go into an infinite loop.
>  Versions affected: 0.10.6 - 0.10.8
>  Fixed in revision: 13075

CAN-2005-0006

>  The DLSw dissector could cause an assertion, making Ethereal exit
>  prematurely.
>  Versions affected: 0.10.6 - 0.10.8
>  Fixed in revision: 13012

CAN-2005-0007

>  The DNP dissector could cause memory corruption.
>  Versions affected: 0.10.5 - 0.10.8
>  Fixed in revision: 13083

CAN-2005-0008

>  The Gnutella dissector could cuase an assertion, making Ethereal exit
>  prematurely.
>  Versions affected: 0.10.6 - 0.10.8
>  Fixed in revision: 13032

CAN-2005-0009

>  The MMSE dissector could free statically-allocated memory.
>  Versions affected: 0.10.4 - 0.10.8
>  Fixed in revision: 12801

CAN-2005-0010

>  The X11 dissector is vulnerable to a string buffer overflow.
>  Versions affected: 0.8.10 - 0.10.8
>  Fixed in revision: 13057

CAN-2005-0084
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-18 12:20:31 UTC
Eldad please be ready to bump when the official announcement is made. 
Comment 2 Luke Macken (RETIRED) gentoo-dev 2005-01-18 13:29:19 UTC
GLSA drafted.  Security, please review.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-18 13:36:02 UTC
Eldad pointed at dragonheart.
Comment 4 Daniel Black (RETIRED) gentoo-dev 2005-01-18 23:21:32 UTC
2100 isn't going to be a problem for me. I'm going to start work late. Not much going on so no need for any contingency that may or may not have been made.
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-19 06:08:51 UTC
Created attachment 48945 [details]
ethereal-0.10.9.ebuild

this works on the prerelease. Change SRC_URI and remove S= for final release.

bad fonts running ethereal - remove ~/.gtkrc
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-19 06:14:53 UTC
Note that this is still not public so NOTHING can go into CVS and the ebuild is currently based on a prerelease.

Please test the attached ebuild and report back success/failure.

Calling individual testers:
sparc -> weeve@gentoo.org
alpha -> kloeri@gentoo.org
amd64 -> blubb@gentoo.org
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-19 13:19:57 UTC
Release postponed 24 hours = prerelease is not final. Uncalling arch testers.
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-20 14:31:47 UTC
This is now public. Netmon please commit a fixed ebuild and call alpha, sparc and amd64.
Comment 9 solar (RETIRED) gentoo-dev 2005-01-20 15:46:58 UTC
ethereal-0.10.9 is in the tree. tested on x86 with USE="-*" 

KEYWORDS="~x86 ~sparc ~ppc ~alpha ~amd64 ~ia64 ~ppc64"
Comment 10 Luke Macken (RETIRED) gentoo-dev 2005-01-20 15:50:41 UTC
arch's please mark stable.
Comment 11 Henrik Brix Andersen 2005-01-20 15:53:53 UTC
Does this affect net-wireless/kismet as well? It used the ethereal wiretap library...
Comment 12 solar (RETIRED) gentoo-dev 2005-01-20 15:56:33 UTC
stable on x86
Comment 13 Luke Macken (RETIRED) gentoo-dev 2005-01-20 17:12:02 UTC
stable on sparc, ppc, amd64.
Comment 14 Bryan Østergaard (RETIRED) gentoo-dev 2005-01-20 18:56:31 UTC
Stable on alpha.
Comment 15 Luke Macken (RETIRED) gentoo-dev 2005-01-20 19:14:25 UTC
GLSA 200501-27 (phew!)

ia64, ppc64, please mark stable to benefit from GLSA.

Regarding Henrik's Comment #11 :: Bug #78892 has been opened with the Audit team to verify this.

Thanks archs for your quick responses ;)
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2005-01-21 03:14:28 UTC
stable on ppc64