Re: [DEBIAN-LTS] ettercap package

[Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>]

Hello Gianfranco Costamagna and Raphael Hertzog,
Many thanks for your comments, especially Raphael :).
> > I propose something like this instead.
> > (note the patch might not apply at all, I manually changed it) 
Yes. Sorry for my mistake, I changed it. Please tell me if
I had to set the name in changelog to you, Gianfranco Costamagna.

I have re-built it with care. But not sure it's good enough
since I have troubled with DEP3. I ended up with upstream patch style.
> > --- ettercap-0.7.3/debian/patches/series
> > +++ ettercap-0.7.3/debian/patches/series
> > @@ -3,0 +4 @@
> > +04_CVE-2014-9380-9381.patch
> > Why is there no context shown here?
And this one also. I don't really get it.
Could you please review it and give me some comments.

Many thanks and happy holidays :).
Cong
> On 25/12/2014 16:34, Gianfranco Costamagna wrote:
> > Hi *,
> >
> > nope, you seems to be modifying other patches rather than the strict 
> > necessary to fix this bug.
> >
> > Moreover the patch is lacking of a CVE description (actually the 
> > patch is fixing two CVEs, and the
> > description mentions only one)
> >
> > (there is also no need to mention me, I'm not the author of the 
> > patch, neither of the debdiff :) )
> >
> > also the patch "subject" might be not really needed, I leave Raphael 
> > to review the rest :)
> >
> >
> > I propose something like this instead.
> > (note the patch might not apply at all, I manually changed it)
> >
> > diff -u ettercap-0.7.3/debian/changelog ettercap-0.7.3/debian/changelog
> > --- ettercap-0.7.3/debian/changelog
> > +++ ettercap-0.7.3/debian/changelog
> > @@ -1,3 +1,16 @@
> > +ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium
> > +
> > +  * Non-maintainer upload.
> > +   * Patch a bunch of security vulnerabilities (closes: #773416)
> > +     - CVE-2014-9380 (Buffer over-read)
> > +     - CVE-2014-9381 (Signedness error)
> > +     See:
> > + 
> > https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/
> > +     Patches taken from upstream
> > +     - 6b196e011fa456499ed4650a360961a2f1323818 pull/608
> > +     - 31b937298c8067e6b0c3217c95edceb983dfc4a2 pull/609
> > +     Thanks to Nick Sampanis <n.sampanis@obrela.com> who is 
> > responsible for
> > +     both finding and repairing these issues.
> > +
> > + -- Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>  Tue, 23 Dec 2014 
> > 09:44:32 +0700
> > +
> > ettercap (1:0.7.3-2.1+squeeze1) stable; urgency=high
> >
> > * Quilt patch for CVE-2013-0722, a stack-based buffer overflow when
> > diff -u ettercap-0.7.3/debian/patches/series 
> > ettercap-0.7.3/debian/patches/series
> > --- ettercap-0.7.3/debian/patches/series
> > +++ ettercap-0.7.3/debian/patches/series
> > @@ -3,0 +4 @@
> > +04_CVE-2014-9380-9381.patch
> > --- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch
> > +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch
> > @@ -0,0 +1,35 @@
> > +From: Nick Sampanis <n.sampanis@obrela.com>
> > +Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
> > +Date: Mon, 22 Dec 2014 10:22:56 +0000 (UTC)
> > +
> > +The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1
> > +allows remote attackers to cause a denial of service (out-of-bounds
> > +read) via a packet containing only a CVS_LOGIN signature.
> > +
> > +Integer signedness error in the dissector_cvs function in
> > +dissectors/ec_cvs.c in Ettercap 8.1 allows remote attackers to cause
> > +a denial of service (crash) via a crafted password, which triggers
> > +a large memory allocation.
> > +See Debian Bug #773416#20
> > +
> > +--- a/src/dissectors/ec_cvs.c
> > ++++ b/src/dissectors/ec_cvs.c
> > +@@ -70,7 +70,7 @@ FUNC_DECODER(dissector_cvs)
> > + {
> > +    DECLARE_DISP_PTR_END(ptr, end);
> > +    char tmp[MAX_ASCII_ADDR_LEN];
> > +-   char *p;
> > ++   u_char *p;
> > +    size_t i;
> > +
> > +    /* don't complain about unused var */
> > +@@ -92,6 +92,8 @@ FUNC_DECODER(dissector_cvs)
> > +
> > +    /* move over the cvsroot path */
> > +    ptr += strlen(CVS_LOGIN) + 1;
> > ++    if (ptr >= end)
> > ++        return NULL;
> > +
> > +    /* go until \n */
> > +    while(*ptr != '\n' && ptr != end) ptr++;
> >
> >
> > cheers,
> >
> > and Merry XMas,
> >
> > Gianfranco

--
=====================================================================
Nguyen The Cong (Mr)
Software Engineer
Toshiba Software Development (Vietnam) Co.,Ltd
519 Kim Ma street, Ba Dinh District, Hanoi, Vietnam
tel:    +84-4-2220 8801 (Ext. 208)
e-mail: cong.nguyenthe@toshiba-tsdv.com
=====================================================================

Note: This e-mail message may contain personal information or confidential information. If you are not the addressee of this message, please delete this message and kindly notify the sender as soon as possible - do not copy, use, or disclose this message.

diff -u ettercap-0.7.3/debian/changelog ettercap-0.7.3/debian/changelog
--- ettercap-0.7.3/debian/changelog
+++ ettercap-0.7.3/debian/changelog
@@ -1,3 +1,19 @@
+ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium
+
+  * Non-maintainer upload.
+  * Patch a bunch of security vulnerabilities (closes: #773416)
+    - CVE-2014-9380 (Buffer over-read)
+    - CVE-2014-9381 (Signedness error)
+    See:
+    https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/
+    Patches taken from upstream
+    - 6b196e011fa456499ed4650a360961a2f1323818 pull/608
+    - 31b937298c8067e6b0c3217c95edceb983dfc4a2 pull/609
+    Thanks to Nick Sampanis <n.sampanis@obrela.com> who is responsible for
+    both finding and repairing these issues.
+
+ -- Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>  Thu, 25 Dec 2014 15:43:59 +0700
+
 ettercap (1:0.7.3-2.1+squeeze1) stable; urgency=high
 
   * Quilt patch for CVE-2013-0722, a stack-based buffer overflow when
diff -u ettercap-0.7.3/debian/patches/series ettercap-0.7.3/debian/patches/series
--- ettercap-0.7.3/debian/patches/series
+++ ettercap-0.7.3/debian/patches/series
@@ -3,0 +4 @@
+04_CVE-2014-9380-9381.patch
only in patch2:
unchanged:
--- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch
+++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch
@@ -0,0 +1,31 @@
+From: Nick Sampanis <n.sampanis@obrela.com>
+Subject: Twelve vulnerabilities exist on ettercap-ng which 
+ allow remote denial of service and possible remote code 
+ execution. Specifically, the following vulnerabilities were identified:
+
+* src/dissectors/ec_cvs.c: Fix buffer over-read and signedness error
+
+Origin: upstream,
+ https://github.com/NickSampanis/ettercap/commit/31b937298c8067e6b0c3217c95edceb983dfc4a2
+ https://github.com/NickSampanis/ettercap/commit/6b196e011fa456499ed4650a360961a2f1323818 
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416
+--- a/src/dissectors/ec_cvs.c
++++ b/src/dissectors/ec_cvs.c
+@@ -70,7 +70,7 @@ FUNC_DECODER(dissector_cvs)
+ {
+    DECLARE_DISP_PTR_END(ptr, end);
+    char tmp[MAX_ASCII_ADDR_LEN];
+-   char *p;
++   u_char *p;
+    size_t i;
+ 
+    /* don't complain about unused var */
+@@ -92,6 +92,8 @@ FUNC_DECODER(dissector_cvs)
+    
+    /* move over the cvsroot path */
+    ptr += strlen(CVS_LOGIN) + 1;
++	if (ptr >= end)
++		return NULL;
+ 
+    /* go until \n */
+    while(*ptr != '\n' && ptr != end) ptr++;

-- 
This mail was scanned by BitDefender
For more information please visit http://www.bitdefender.com