Re: [DEBIAN-LTS] ettercap package
On Wed, 24 Dec 2014, Nguyen Cong wrote:
> I have rebuilt the ettercap package using a quilt patch.
> Could you please give me some comments?
Here they are.
> diff -u ettercap-0.7.3/debian/changelog ettercap-0.7.3/debian/changelog
> --- ettercap-0.7.3/debian/changelog
> +++ ettercap-0.7.3/debian/changelog
> @@ -1,3 +1,11 @@
> +ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium
> + * Non-maintainer upload.
> + * Fix CVE-2014-9380 and CVE-2014-9381 using patch file from
> + Gianfranco Costamagna in Bug#773416 Mes#20
> + -- Nguyen Cong <email@example.com> Tue, 23 Dec 2014 09:44:32 +0700
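Review bot: the credit line "using patch file from Gianfranco Costamagna in Bug#773416 Mes#20" should name him as the author of the fix, not as the source of a file, and spell the reference out consistently with the patch header further down ("Message #20"), e.g. "Fix CVE-2014-9380 and CVE-2014-9381 (patch by Gianfranco Costamagna, Bug#773416, message #20)". Also, the hunk header `@@ -1,3 +1,11 @@` says eight lines were added but only five appear here, so either the blank lines a changelog entry needs between the header, the bullets and the trailer were lost in quoting or the entry is malformed; `dpkg-parsechangelog` on the file will tell which.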
Please have a look at the changelog of Gianfranco and acknowledge the
origin of the patch as coming from their true author.
> --- ettercap-0.7.3/debian/patches/series
> +++ ettercap-0.7.3/debian/patches/series
> @@ -3,0 +4 @@
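Review bot: the hunk `@@ -3,0 +4 @@` announces one line appended after the third entry of debian/patches/series but shows neither the `+` line nor any context, so a reviewer cannot see which file name was added or where it sits relative to 03_CVE-2013-0722.patch. Regenerate the diff with the default three lines of context (`diff -u` or `debdiff`, not `-U0`) so the hunk reads as `+04_CVE-2014-9380-9381.patch` beneath the existing entries; quilt applies patches in series order, so the new patch belongs after the ones already listed.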
Why is there no context shown here?
> --- ettercap-0.7.3/debian/patches/03_CVE-2013-0722.patch
> +++ ettercap-0.7.3/debian/patches/03_CVE-2013-0722.patch
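Review bot: this file header has no hunk under it, so whatever changed in 03_CVE-2013-0722.patch cannot be reviewed from this diff. If the only difference is hunk offsets or timestamps rewritten by `quilt refresh`, drop it from the upload: an already-shipped security patch should not be touched in an LTS NMU unless the new patch cannot apply without it, and any deliberate change to it needs its own changelog line.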
Why are there changes to this patch file? You should strive to modify the
strict minimum. And AFAIK this patch doesn't have to be updated. It is
> --- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch
> +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch
> @@ -0,0 +1,30 @@
> +From: Gianfranco Costamagna <firstname.lastname@example.org>
> +Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
> +Date: Mon, 22 Dec 2014 10:22:56 +0000 (UTC)
> +The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1
> +allows remote attackers to cause a denial of service (out-of-bounds
> +read) via a packet containing only a CVS_LOGIN signature.
> +See Debian Bug #773416 Message #20
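Review bot: the hunk header `@@ -0,0 +1,30 @@` says the new file is 30 lines long but only the seven header lines are quoted, so the actual change to dissectors/ec_cvs.c is not visible and cannot be checked here. In the header itself, the description covers only CVE-2014-9380 (the CVS_LOGIN out-of-bounds read) while the file name and the changelog claim CVE-2014-9381 as well; add a sentence for the second issue, put the prose under a `Description:` field with its continuation lines indented by one space, and add `Bug-Debian: https://bugs.debian.org/773416` and an `Origin:` line pointing at message #20 so the provenance is machine-readable (DEP-3) rather than implied by the copied `From:`/`Subject:`/`Date:` mail headers. The `Subject:` taken from the bug mail ("Re: Bug#773416: fixed in ettercap 1:0.8.1-3") describes the upstream upload, not what this patch does.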
FYI, we like to document new patches with meta-information that respects
this format:
Besides those details, it looks ok.
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
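A check for the two packaging points raised in this reply (patch meta-information and the series file), as an added example that is not part of this thread or of the ettercap packaging. It assumes the format being referred to is DEP-3, Debian's patch tagging guidelines. The quoted header is reconstructed from the patch above with its code hunks omitted; the DEP-3 rewrite of it is a suggestion whose Origin and Last-Update values are assumptions and which still describes only CVE-2014-9380, as the thread does; the series entries other than the two CVE patch names from the thread are placeholders.

```python
"""Check a quilt patch's pseudo-header against DEP-3 and confirm it is in series.
Added example (not from the thread or the ettercap package); assumes DEP-3 is the format meant."""
import re

# DEP-3 field -> spellings accepted for it (mail-style From:/Subject: are valid aliases).
REQUIRED = {"Description": ("Description", "Subject"),
            "Author": ("Author", "From", "Origin")}
RECOMMENDED = {"Bug-Debian": ("Bug-Debian",),
               "Forwarded": ("Forwarded",),
               "Last-Update": ("Last-Update",)}
DIFF_START = re.compile(r"^(---|\+\+\+|diff |Index:|@@ )")
# Field name then colon; the lookahead stops a bare URL line from parsing as a field.
FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):(?!//)\s*(.*)$")


def parse_dep3_header(patch_text):
    """Return (fields, loose_lines) from the text before the first diff line.
    Lines starting with a space continue the previous field; anything that is
    neither a field nor a continuation is 'loose' prose that no field owns."""
    fields, loose, last = {}, [], None
    for line in patch_text.splitlines():
        if DIFF_START.match(line):
            break
        if not line.strip():
            last = None  # a blank line ends any continuation
            continue
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif line.startswith(" ") and last is not None:
            fields[last] += "\n" + line[1:]
        else:
            loose.append(line)
    return fields, loose


def check_patch(patch_text):
    """Report missing DEP-3 fields and header problems for one patch file."""
    fields, loose = parse_dep3_header(patch_text)
    present = set(fields)
    report = {
        "missing_required": [k for k, v in REQUIRED.items() if not present & set(v)],
        "missing_recommended": [k for k, v in RECOMMENDED.items() if not present & set(v)],
        "warnings": [],
    }
    if loose:
        report["warnings"].append(f"{len(loose)} free-text line(s) attached to no field; "
                                  "indent them under Description/Subject")
    if "Date" in fields and "Last-Update" not in fields:
        report["warnings"].append("Date: is a mail header, not DEP-3; use Last-Update: YYYY-MM-DD")
    return report


def patch_in_series(series_text, patch_name):
    """True if debian/patches/series lists patch_name; quilt ignores unlisted patches.
    Comments after '#' are dropped and only the first word counts (a line may carry -pN)."""
    entries = []
    for raw in series_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(line.split()[0])
    return patch_name in entries


# Constructed sample: the header quoted in the thread, with the code hunks left out.
QUOTED_HEADER = """\
From: Gianfranco Costamagna <firstname.lastname@example.org>
Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
Date: Mon, 22 Dec 2014 10:22:56 +0000 (UTC)
The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1
allows remote attackers to cause a denial of service (out-of-bounds
read) via a packet containing only a CVS_LOGIN signature.
See Debian Bug #773416 Message #20
--- a/dissectors/ec_cvs.c
+++ b/dissectors/ec_cvs.c
"""

# Constructed DEP-3 rewrite of the same header; Origin and Last-Update values are assumed.
DEP3_HEADER = """\
Description: Fix CVE-2014-9380 and CVE-2014-9381
 The dissector_cvs function in dissectors/ec_cvs.c allows remote attackers
 to cause a denial of service (out-of-bounds read) via a packet containing
 only a CVS_LOGIN signature.
Author: Gianfranco Costamagna <firstname.lastname@example.org>
Origin: backport, https://bugs.debian.org/773416#20
Bug-Debian: https://bugs.debian.org/773416
Forwarded: not-needed
Last-Update: 2014-12-23

--- a/dissectors/ec_cvs.c
+++ b/dissectors/ec_cvs.c
"""

# Constructed series file; only the two CVE patch names come from the thread.
SERIES = """\
01_placeholder.patch
02_placeholder.patch
03_CVE-2013-0722.patch
04_CVE-2014-9380-9381.patch
"""
```

Run `check_patch(QUOTED_HEADER)` and it reports no missing required fields (From: and Subject: count as Author and Description) but flags Bug-Debian, Forwarded and Last-Update as absent and the four unindented prose lines as belonging to no field; `check_patch(DEP3_HEADER)` comes back clean, and `patch_in_series(SERIES, "04_CVE-2014-9380-9381.patch")` confirms the new patch would actually be applied at build time.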