Your message dated Mon, 18 Dec 2006 14:02:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#400624: fixed in dsniff 2.4b1+debian-16
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: dsniff
Version: 2.4b1+debian-15
Severity: important
Tags: patch
urlsnarf directly outputs the user name, URL, Referer-URL, and the
User-Agent string of every HTTP request it sees on the wire, without
any sanitizing. Since it does not escape illegal characters, HTTP
requests containing non-ASCII bytes or double quote characters may
confuse most trying to parse CLF-style log files.
The attached patch modifies urlsnarf so that non-ASCII bytes are
escaped with \0xNN. Double quotes are escaped as \", and the backslash
is escaped as \\. (This is what Apache also seems to be doing.)
Cheers,
-Hilko
#! /bin/sh /usr/share/dpatch/dpatch-run
## 10_urlsnarf_escape.dpatch by Hilko Bengen <[EMAIL PROTECTED]>
##
## DP: Escape user, vhost, uri, referer, agent strings in log
@DPATCH@
--- dsniff-2.4b1+debian~/urlsnarf.c 2006-11-27 17:09:54.000000000 +0100
+++ dsniff-2.4b1+debian/urlsnarf.c 2006-11-27 17:08:41.000000000 +0100
@@ -84,6 +84,42 @@
return (tstr);
}
+static char *
+escape_log_entry(char *string)
+{
+ char *out;
+ unsigned char *c, *o;
+ size_t len;
+
+ if (!string)
+ return NULL;
+
+ /* Determine needed length */
+ for (c = string, len = 0; *c; c++, len++) {
+ if ((*c < 32) || (*c >= 128))
+ len += 3;
+ if ((*c == '"') || (*c =='\\'))
+ len++;
+ }
+ out = malloc(len+1);
+ if (!out)
+ return NULL;
+ for (c = string, o = out; *c; c++, o++) {
+ if ((*c < 32) || (*c >= 128)) {
+ *(o++) = '\\';
+ *(o++) = 'x';
+ snprintf(o++, 3, "%02x", *c);
+ } else if ((*c == '"') || ((*c =='\\'))) {
+ *(o++) = '\\';
+ *o = *c;
+ } else {
+ *o=*c;
+ }
+ }
+ out[len]='\0';
+ return out;
+}
+
static int
process_http_request(struct tuple4 *addr, u_char *data, int len)
{
@@ -142,18 +178,23 @@
buf_tok(NULL, NULL, i);
}
}
- if (user == NULL)
- user = "-";
- if (vhost == NULL)
- vhost = libnet_addr2name4(addr->daddr, Opt_dns);
- if (referer == NULL)
- referer = "-";
- if (agent == NULL)
- agent = "-";
-
+ user = escape_log_entry(user);
+ vhost = escape_log_entry(vhost);
+ uri = escape_log_entry(uri);
+ referer = escape_log_entry(referer);
+ agent = escape_log_entry(agent);
+
printf("%s - %s [%s] \"%s http://%s%s\"; - - \"%s\" \"%s\"\n",
libnet_addr2name4(addr->saddr, Opt_dns),
- user, timestamp(), req, vhost, uri, referer, agent);
+ (user?user:"-"), timestamp(), req,
+ (vhost?vhost:libnet_addr2name4(addr->daddr, Opt_dns)),
+ uri, (referer?referer:"-"), (agent?agent:"-"));
+
+ if (user) free(user);
+ if (vhost) free(vhost);
+ if (uri) free(uri);
+ if (referer) free(referer);
+ if (agent) free(agent);
}
fflush(stdout);
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages dsniff depends on:
ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries
ii libdb4.3 4.3.29-6 Berkeley v4.3 Database Libraries [
ii libnet1 1.1.2.1-2 library for the construction and h
ii libnids1.21 1.21-0 IP defragmentation TCP segment rea
ii libpcap0.8 0.9.5-1 System interface for user-level pa
ii libssl0.9.8 0.9.8c-3 SSL shared libraries
ii openssl 0.9.8c-3 Secure Socket Layer (SSL) binary a
dsniff recommends no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: dsniff
Source-Version: 2.4b1+debian-16
We believe that the bug you reported is fixed in the latest version of
dsniff, which is due to be installed in the Debian FTP archive:
dsniff_2.4b1+debian-16.diff.gz
to pool/main/d/dsniff/dsniff_2.4b1+debian-16.diff.gz
dsniff_2.4b1+debian-16.dsc
to pool/main/d/dsniff/dsniff_2.4b1+debian-16.dsc
dsniff_2.4b1+debian-16_i386.deb
to pool/main/d/dsniff/dsniff_2.4b1+debian-16_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luciano Bello <[EMAIL PROTECTED]> (supplier of updated dsniff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 8 Dec 2006 18:31:05 -0300
Source: dsniff
Binary: dsniff
Architecture: source i386
Version: 2.4b1+debian-16
Distribution: experimental
Urgency: low
Maintainer: Luciano Bello <[EMAIL PROTECTED]>
Changed-By: Luciano Bello <[EMAIL PROTECTED]>
Description:
dsniff - Various tools to sniff network traffic for cleartext insecurities
Closes: 400624
Changes:
dsniff (2.4b1+debian-16) experimental; urgency=low
.
* Urlsnarf sanitizes the sniffed output (Closes:#400624).
* The Uploaders field in ~/debian/control added.
* The Recommends field in ~/debian/control added.
* The long description cosmetic improvement.
Files:
d4be3e071cdf36b3c97dc1f37769ba24 717 net extra dsniff_2.4b1+debian-16.dsc
3e51ceca7ecbd9bdcdee490f10dbd4d6 41332 net extra dsniff_2.4b1+debian-16.diff.gz
2e6e5c563e09034f43be8f8b4cfee34b 118442 net extra
dsniff_2.4b1+debian-16_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFFhpukUCgnLz/SlGgRAoaSAJ9Z5m1KULs84OaJQPdVgqK1DbKHNQCeM0Tb
pvc4BTr68sembaYhOge0rR8=
=ihe7
-----END PGP SIGNATURE-----
--- End Message ---
