Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 612226 (CVE-2017-6430) - <net-analyzer/ettercap-0.8.2-r1: Out-of-bounds read
Summary: <net-analyzer/ettercap-0.8.2-r1: Out-of-bounds read
Status: RESOLVED FIXED
Alias: CVE-2017-6430
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-10 16:34 UTC by Agostino Sarubbo
Modified: 2019-04-20 02:03 UTC (History)
3 users (show)

See Also:
Package list:
net-analyzer/ettercap-0.8.2-r2
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-03-10 16:34:31 UTC
From ${URL} :

Etterfilter utility of Ettercap have an out-of-bounds read denial-of-service vulnerability when parsing a crafted file. This occurs in the compile_tree function of the ef_compiler.c source file when processing corrupted filters.

References:

http://seclists.org/bugtraq/2017/Mar/24

Upstream bug:

https://github.com/Ettercap/ettercap/issues/782

Upstream patch:

https://github.com/LocutusOfBorg/ettercap/commit/626dc56686f15f2dda13c48f78c2a666cb6d8506


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2017-03-10 16:35:11 UTC
However the bug is visible via etterfilter but resides in the library.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-03-19 14:23:28 UTC
CVE-2017-6430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6430):
  The compile_tree function in ef_compiler.c in the Etterfilter utility in
  Ettercap 0.8.2 and earlier allows remote attackers to cause a denial of
  service (out-of-bounds read) via a crafted filter.
Comment 3 Agostino Sarubbo gentoo-dev 2017-03-20 12:56:06 UTC
(In reply to Agostino Sarubbo from comment #1)
> However the bug is visible via etterfilter but resides in the library.

Please do not consider the above. It was a mistake. The bug is in the etterfilter utility.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-07-17 01:24:40 UTC
Looks like there was a 0.8.2-4 release including the fix from the 'fix-library' @ 

https://github.com/LocutusOfBorg/ettercap/commit/626dc56686f15f2dda13c48f78c2a666cb6d8506
Comment 5 Rick Farina (Zero_Chaos) gentoo-dev 2018-02-24 05:07:45 UTC
0.8.2-r1 in the tree, please feel free to clean up when done
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-24 02:06:08 UTC
@arches, please stabilize.
Comment 7 Agostino Sarubbo gentoo-dev 2019-03-24 10:02:24 UTC
amd64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-24 20:32:47 UTC
ppc stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-24 20:36:10 UTC
ppc64 stable
Comment 10 Rolf Eike Beer archtester 2019-03-27 19:27:06 UTC
sparc stable
Comment 11 Thomas Deutschmann gentoo-dev Security 2019-03-27 23:21:03 UTC
x86 stable
Comment 12 Thomas Deutschmann gentoo-dev Security 2019-03-27 23:45:57 UTC
x86 stable
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-03-30 19:12:34 UTC
arm stable
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2019-04-02 06:27:38 UTC
GLSA Vote: No

Please continue Stabilization
Comment 15 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-08 06:47:18 UTC
alpha stable
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-08 13:40:52 UTC
@maintainer(s), please drop vulnerable.
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-20 02:03:57 UTC
tree is clean