Martin Schulze wrote:
> Moritz Muehlenhoff wrote:
> > Package: ethereal
> > Version: 0.10.13-1
> > Severity: important
> > Tags: security
> > Justification: user security hole
> > 
> > Another security problem has been discovered in Ethereal. This time it's
> > a buffer overflow in the OSPF dissector. Please see 
> > http://www.idefense.com/application/poi/display?id=349&type=vulnerabilities
> > for details. This has been assigned CVE-2005-3651.
> 
> Frederic, attached is the patch we're using for the update in sarge,
> basically the function body is exchanged (variable names adjusted and
> struct adjusted).

Frederic wrote in another bug log that he's currently w/o sufficient internet
access. I've NMUed the sid version with the attached patch.

Cheers,
        Moritz
diff -Naur ethereal-0.10.13.orig/debian/changelog 
ethereal-0.10.13/debian/changelog
--- ethereal-0.10.13.orig/debian/changelog      2005-12-25 11:04:55.000000000 
+0100
+++ ethereal-0.10.13/debian/changelog   2005-12-25 11:17:21.000000000 +0100
@@ -1,3 +1,10 @@
+ethereal (0.10.13-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix buffer overflow in OSPF dissector (CVE-2005-3651)
+
+ -- Moritz Muehlenhoff <[EMAIL PROTECTED]>  Sun, 25 Dec 2005 11:15:28 +0100
+
 ethereal (0.10.13-1) unstable; urgency=high
 
   * New upstream release (urgency high since it fixes security issues;
diff -Naur ethereal-0.10.13.orig/debian/patches/00list 
ethereal-0.10.13/debian/patches/00list
--- ethereal-0.10.13.orig/debian/patches/00list 2005-12-25 11:04:55.000000000 
+0100
+++ ethereal-0.10.13/debian/patches/00list      2005-12-25 11:14:58.000000000 
+0100
@@ -8,3 +8,4 @@
 08_ethereal-desktop-menu
 09_idl2eth
 10_ethereal_gen
+11-security-CVE-2005-3651
diff -Naur 
ethereal-0.10.13.orig/debian/patches/11-security-CVE-2005-3651.dpatch 
ethereal-0.10.13/debian/patches/11-security-CVE-2005-3651.dpatch
--- ethereal-0.10.13.orig/debian/patches/11-security-CVE-2005-3651.dpatch       
1970-01-01 01:00:00.000000000 +0100
+++ ethereal-0.10.13/debian/patches/11-security-CVE-2005-3651.dpatch    
2005-12-25 11:13:49.000000000 +0100
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 11-security-CVE-2005-3651.dpatch by Moritz Muehlenhoff <[EMAIL PROTECTED]>
+## This fixes a buffer overflow in the OSPF dissector
+## See 
http://www.idefense.com/application/poi/display?id=349&type=vulnerabilities
+## Woody and Sarge have been fixed in DSA-920
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+--- trunk/epan/dissectors/packet-ospf.c        2005/11/04 23:03:26     16393
++++ ethereal-0.10.13/epan/dissectors/packet-ospf.c     2005/11/15 10:56:18     
16507
+@@ -2496,39 +2496,28 @@
+ static void dissect_ospf_v3_address_prefix(tvbuff_t *tvb, int offset, int 
prefix_length, proto_tree *tree)
+ {
+ 
+-    guint8 value;
+-    guint8 position;
+-    guint8 bufpos;
+-    gchar  *buffer;
+-    gchar  *bytebuf;
+-    guint8 bytes_to_process;
+-    int start_offset;
+-
+-    start_offset=offset;
+-    position=0;
+-    bufpos=0;
+-    bytes_to_process=((prefix_length+31)/32)*4;
+-
+-    buffer=ep_alloc(32+7);
+-    while (bytes_to_process > 0 ) {
+-
+-        value=tvb_get_guint8(tvb, offset);
++    int bytes_to_process;
++    struct e_in6_addr prefix;
+ 
+-        if ( (position > 0) && ( (position%2) == 0 ) )
+-          buffer[bufpos++]=':';
++    bytes_to_process=((prefix_length+31)/32)*4;
+ 
+-      bytebuf=ep_alloc(3);
+-        g_snprintf(bytebuf, 3, "%02x",value);
+-        buffer[bufpos++]=bytebuf[0];
+-        buffer[bufpos++]=bytebuf[1];
+-
+-      position++;
+-      offset++;
+-        bytes_to_process--;
++    if (prefix_length > 128) {
++        proto_tree_add_text(tree, tvb, offset, bytes_to_process,
++            "Address Prefix: length is invalid (%d, should be <= 128)",
++            prefix_length);
++        return;
+     }
+ 
+-    buffer[bufpos]=0;
+-    proto_tree_add_text(tree, tvb, start_offset, ((prefix_length+31)/32)*4, 
"Address Prefix: %s",buffer);
++    memset(prefix.bytes, 0, sizeof prefix.bytes);
++    if (bytes_to_process != 0) {
++        tvb_memcpy(tvb, prefix.bytes, offset, bytes_to_process);
++        if (prefix_length % 8) {
++            prefix.bytes[bytes_to_process - 1] &=
++                ((0xff00 >> (prefix_length % 8)) & 0xff);
++        }
++    }
++    proto_tree_add_text(tree, tvb, offset, bytes_to_process,
++        "Address Prefix: %s", ip6_to_str(&prefix));
+ 
+ }
+ 
+
+

Reply via email to