Bug#845474: jessie-pu: package sniffit/0.3.7.beta-17

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#845474: jessie-pu: package sniffit/0.3.7.beta-17
From: Joao Eriberto Mota Filho <eriberto@debian.org>
Date: Wed, 23 Nov 2016 17:32:19 -0200
Message-id: <[🔎] 20161123193219.22823.74888.reportbug@octans.cdciber.eb.mil.br>
Reply-to: Joao Eriberto Mota Filho <eriberto@debian.org>, 845474@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

This update will fix CVE-2014-5439: Root shell on Sniffit[1]. The issue is
already fixed in Sid (since 0.3.7.beta-20, without a bug) and in upstream.

[1] http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html

Thanks a lot in advance.

Regards,

Eriberto

diff -Nru sniffit-0.3.7.beta/debian/changelog sniffit-0.3.7.beta/debian/changelog
--- sniffit-0.3.7.beta/debian/changelog	2012-08-21 19:51:44.000000000 -0300
+++ sniffit-0.3.7.beta/debian/changelog	2016-11-23 17:05:14.000000000 -0200
@@ -1,3 +1,9 @@
+sniffit (0.3.7.beta-17+deb8u1) jessie; urgency=medium
+
+  * Added a patch to fix CVE-2014-5439 (Root shell on Sniffit).
+
+ -- Joao Eriberto Mota Filho <eriberto@debian.org>  Wed, 23 Nov 2016 16:57:34 -0200
+
 sniffit (0.3.7.beta-17) unstable; urgency=low
 
   * Acknowledge NMU.
diff -Nru sniffit-0.3.7.beta/debian/patches/fix-CVE-2014-5439.patch sniffit-0.3.7.beta/debian/patches/fix-CVE-2014-5439.patch
--- sniffit-0.3.7.beta/debian/patches/fix-CVE-2014-5439.patch	1969-12-31 21:00:00.000000000 -0300
+++ sniffit-0.3.7.beta/debian/patches/fix-CVE-2014-5439.patch	2016-11-23 17:11:18.000000000 -0200
@@ -0,0 +1,33 @@
+Description: fix CVE-2014-5439 - Root shell on Sniffit.
+Author: Hector Marco < hmarco@hmarco.or>
+        Ismael Ripoll <iripoll@upv.es>
+Last-Update: 2014-07-??
+Origin: http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html
+Index: sniffit-0.3.7.beta/sn_cfgfile.c
+===================================================================
+--- sniffit-0.3.7.beta.orig/sn_cfgfile.c
++++ sniffit-0.3.7.beta/sn_cfgfile.c
+@@ -119,6 +119,11 @@ char *clean_string (char *string)
+ char help[20];
+ int i, j;
+ 
++if(strlen(string) >= 20){
++   fprintf(stderr, "Error: String too long [%s]\n", string);
++   exit(-1);
++}
++
+ j=0;
+ for(i=0;i<strlen(string);i++)
+ 	{
+@@ -138,6 +143,11 @@ char *clean_filename (char *string)
+ char help[20];
+ int i, j;
+ 
++if(strlen(string) >= 20){
++   fprintf(stderr, "Error: String too long [%s]\n", string);
++   exit(-1);
++}
++
+ j=0;
+ for(i=0;i<strlen(string);i++)
+ 	{
diff -Nru sniffit-0.3.7.beta/debian/patches/series sniffit-0.3.7.beta/debian/patches/series
--- sniffit-0.3.7.beta/debian/patches/series	2012-08-16 19:51:09.000000000 -0300
+++ sniffit-0.3.7.beta/debian/patches/series	2016-11-23 17:08:57.000000000 -0200
@@ -5,3 +5,4 @@
 05_fix_segfaults_on_amd64_bts644978.patch
 use-dpkg-buildflags.patch
 fixspelling.patch
+fix-CVE-2014-5439.patch

Reply to:

Prev by Date: Bug#845443: jessie-pu: package nss-pam-ldapd/0.9.4-3+deb8u2
Next by Date: NEW changes in stable-new
Previous by thread: Processed: Re: Bug#845443: jessie-pu: package nss-pam-ldapd/0.9.4-3+deb8u2
Next by thread: Se Mantiene el Precio y se Rematan 114 Camiones y 30 Gandolas - Excelente Oportunidad
Index(es):
- Date
- Thread