Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 84547 - net-analyzer/ethereal 0.10.10 fixes security vulnerabilities
Summary: net-analyzer/ethereal 0.10.10 fixes security vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1? [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-03-08 13:35 UTC by Thierry Carrez (RETIRED)
Modified: 2006-03-23 19:35 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
ethereal-0.10.10.ebuild (ethereal-0.10.10.ebuild,2.45 KB, text/plain)
2005-03-11 10:36 UTC, Aaron Walker (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2005-03-08 13:35:21 UTC
Ethereal 0.10.10 is scheduled to be released on Thursday, March 10. It addresses the following security issues:

  The Etheric dissector was susceptible to a buffer overflow.
  Versions affected: 0.10.7 to 0.10.9
  Fixed in revision: 13176

  The GPRS-LLC dissector could crash if the "ignore cipher bit" option was enabled.
  Versions affected: 0.10.7 to 0.10.9
  Fixed in revisions: 13386 (further improvements in 13549 and 13571)

  The 3GPP2 A11 dissector was susceptible to a buffer overflow.
  Versions affected: 0.10.3 to 0.10.9
  Fixed in revision: 1357
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-03-08 13:39:06 UTC
Ccing eldad and dragonheart as recent version bumpers.
This is still confidential, official release of 0.10.10 is Thursday at 3:00PM CST (21:00 UTC).
Will one of you be around to check and commit the new version then ?
Comment 2 Luke Macken (RETIRED) gentoo-dev 2005-03-08 16:51:12 UTC
public @ http://www.securityfocus.com/archive/1/392659
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-03-09 00:10:25 UTC
eldad is away until april -> uncc'ing.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-03-09 22:20:34 UTC
CVE ids assigned:

CAN-2005-0704 Etheric
CAN-2005-0705 GPRS-LLC
CAN-2005-0699 3GPP2 A11 
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2005-03-10 22:23:07 UTC
Another issue popped up so the release date is changed to: March 11 17:00 GMT.

The IAPP dissector is vulnerable to a buffer overflow.
Versions affected: 0.9.1 to 0.9.9
Comment 6 Aaron Walker (RETIRED) gentoo-dev 2005-03-11 10:35:35 UTC
Daniel, I've stayed up long enough waiting... gotta get some sleep.

Good news is I've done all the work for ya (working from a svn snapshot of the 0.10.10 branch from about an hour or two ago).  The only patch in the previous ebuild is no longer required.

Modified ebuild is attached.
Comment 7 Aaron Walker (RETIRED) gentoo-dev 2005-03-11 10:36:14 UTC
Created attachment 53190 [details]
ethereal-0.10.10.ebuild
Comment 8 Aaron Walker (RETIRED) gentoo-dev 2005-03-11 10:41:34 UTC
*sigh* nevermind.  Got the announcement in my mailbox right after I pressed "Commit".

Going to build with the official tarball and make sure everything is still ok.
Comment 9 Aaron Walker (RETIRED) gentoo-dev 2005-03-11 11:08:43 UTC
In CVS, stable on x86.  Will the CC'd archs please mark stable?
Comment 10 Jan Brinkmann (RETIRED) gentoo-dev 2005-03-11 12:08:44 UTC
stable on amd64
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-11 20:17:54 UTC
Stable on alpha.
Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-12 00:26:18 UTC
Stable on ppc.
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2005-03-12 04:04:04 UTC
stable on ppc64
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2005-03-12 05:34:13 UTC
sparc done.
Comment 15 Luke Macken (RETIRED) gentoo-dev 2005-03-12 09:00:10 UTC
GLSA 200503-16

ia64, please mark stable to benefit from GLSA.