Re: [DEBIAN-LTS] ettercap package



On Wed, 24 Dec 2014, Nguyen Cong wrote:
> I have rebuilt the ettercap package using a quilt patch.
> Could you please give me some comments?

Here they are.

> diff -u ettercap-0.7.3/debian/changelog ettercap-0.7.3/debian/changelog
> --- ettercap-0.7.3/debian/changelog
> +++ ettercap-0.7.3/debian/changelog
> @@ -1,3 +1,11 @@
> +ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * Fix CVE-2014-9380 and CVE-2014-9381 using patch file from
> +    Gianfranco Costamagna in Bug#773416 Mes#20
> +
> + -- Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>  Tue, 23 Dec 2014 09:44:32 +0700
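
Review bot: the quoted hunk looks truncated: the header `@@ -1,3 +1,11 @@` announces 8 added lines plus 3 lines of context, but only 7 `+` lines are quoted and no context follows the signature line, so the trailing blank separator and the existing entry it sits above cannot be checked; please resend the full hunk. In the entry text itself, "Bug#773416 Mes#20" is an unclear abbreviation; spell it out as "message #20 of Bug#773416" and name the patch author explicitly, e.g. "Thanks to Gianfranco Costamagna for the patch", so the credit survives in the changelog.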

Please have a look at the changelog of Gianfranco and acknowledge the
origin of the patch as coming from their true author.

> --- ettercap-0.7.3/debian/patches/series
> +++ ettercap-0.7.3/debian/patches/series
> @@ -3,0 +4 @@
> +04_CVE-2014-9380-9381.patch
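
Review bot: the hunk `@@ -3,0 +4 @@` carries zero lines of context, which means the debdiff was generated with `-U0`; a context-free hunk gives `patch` nothing to anchor on if the series file differs slightly, and it also hides whether the new entry lands after 03_CVE-2013-0722.patch as intended. Regenerate the debdiff with the default three lines of context.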

Why is there no context shown here?

> --- ettercap-0.7.3/debian/patches/03_CVE-2013-0722.patch
> +++ ettercap-0.7.3/debian/patches/03_CVE-2013-0722.patch
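
Review bot: a file header for 03_CVE-2013-0722.patch appears with no hunk under it, so whatever changed in that file cannot be reviewed. An NMU should not touch an existing patch that still applies; if the change is only a `quilt refresh` rewriting offsets or whitespace, revert it and keep the debdiff limited to the changelog, the series file and the new 04 patch.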

Why are there changes to this patch file? You should strive to modify the
strict minimum. And AFAIK this patch doesn't have to be updated. It is
applying cleanly.

> --- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch
> +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch
> @@ -0,0 +1,30 @@
> +From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
> +Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
> +Date: Mon, 22 Dec 2014 10:22:56 +0000 (UTC)
> +
> +The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 
> +allows remote attackers to cause a denial of service (out-of-bounds 
> +read) via a packet containing only a CVS_LOGIN signature.
> +
> +See Debian Bug #773416 Message #20
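
Review bot: the header is made of mail headers (From, Subject, Date) rather than DEP-3 fields (Description, Origin, Bug-Debian, Author), and its description covers only one issue, the out-of-bounds read in dissector_cvs, while the file name and the changelog claim fixes for both CVE-2014-9380 and CVE-2014-9381; the second issue needs its own summary. Note also that the hunk header announces 30 lines but only the 9-line preamble is quoted, so the actual code change for ec_cvs.c is not visible in this mail and cannot be reviewed from it.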

FYI, we like to document new patches with meta-information
that respects this format:
http://dep.debian.net/deps/dep3/

Besides those details, it looks ok.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
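
As an added illustration (not part of the mail above, nor Debian's or the ettercap package's own file), here is what the preamble of 04_CVE-2014-9380-9381.patch could look like written with DEP-3 fields instead of mail headers. The CVE identifiers, bug number, author and the CVE-2014-9380 wording come from the thread; the Origin URL anchor (#20), the `Forwarded: not-needed` value and the Last-Update date (taken from the changelog entry) are assumptions, and the summary of CVE-2014-9381 is a placeholder because the thread does not describe it.

```text
Description: Fix CVE-2014-9380 and CVE-2014-9381 in the CVS dissector
 The dissector_cvs function in dissectors/ec_cvs.c allows remote attackers
 to cause a denial of service (out-of-bounds read) via a packet containing
 only a CVS_LOGIN signature (CVE-2014-9380).
 .
 [PLACEHOLDER: one-paragraph summary of CVE-2014-9381, not given in the thread]
Origin: other, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#20
Bug-Debian: https://bugs.debian.org/773416
Forwarded: not-needed
Author: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Last-Update: 2014-12-23
```

Continuation lines of a multi-line field start with a single space, and a paragraph break inside a field is written as a line containing " ." (space, dot); the first blank line ends the header, and the unified diff for ec_cvs.c follows it.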