Martin Schulze wrote:
> Moritz Muehlenhoff wrote:
> > Package: ethereal
> > Version: 0.10.13-1
> > Severity: important
> > Tags: security
> > Justification: user security hole
> >
> > Another security problem has been discovered in Ethereal. This time it's
> > a buffer overflow in the OSPF dissector. Please see
> > http://www.idefense.com/application/poi/display?id=349&type=vulnerabilities
> > for details. This has been assigned CVE-2005-3651.
>
> Frederic, attached is the patch we're using for the update in sarge,
> basically the function body is exchanged (variable names adjusted and
> struct adjusted).
Frederic wrote in another bug log that he's currently w/o sufficient internet
access. I've NMUed the sid version with the attached patch.
Cheers,
Moritzdiff -Naur ethereal-0.10.13.orig/debian/changelog
ethereal-0.10.13/debian/changelog
--- ethereal-0.10.13.orig/debian/changelog 2005-12-25 11:04:55.000000000
+0100
+++ ethereal-0.10.13/debian/changelog 2005-12-25 11:17:21.000000000 +0100
@@ -1,3 +1,10 @@
+ethereal (0.10.13-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix buffer overflow in OSPF dissector (CVE-2005-3651)
+
+ -- Moritz Muehlenhoff <[EMAIL PROTECTED]> Sun, 25 Dec 2005 11:15:28 +0100
+
ethereal (0.10.13-1) unstable; urgency=high
* New upstream release (urgency high since it fixes security issues;
diff -Naur ethereal-0.10.13.orig/debian/patches/00list
ethereal-0.10.13/debian/patches/00list
--- ethereal-0.10.13.orig/debian/patches/00list 2005-12-25 11:04:55.000000000
+0100
+++ ethereal-0.10.13/debian/patches/00list 2005-12-25 11:14:58.000000000
+0100
@@ -8,3 +8,4 @@
08_ethereal-desktop-menu
09_idl2eth
10_ethereal_gen
+11-security-CVE-2005-3651
diff -Naur
ethereal-0.10.13.orig/debian/patches/11-security-CVE-2005-3651.dpatch
ethereal-0.10.13/debian/patches/11-security-CVE-2005-3651.dpatch
--- ethereal-0.10.13.orig/debian/patches/11-security-CVE-2005-3651.dpatch
1970-01-01 01:00:00.000000000 +0100
+++ ethereal-0.10.13/debian/patches/11-security-CVE-2005-3651.dpatch
2005-12-25 11:13:49.000000000 +0100
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 11-security-CVE-2005-3651.dpatch by Moritz Muehlenhoff <[EMAIL PROTECTED]>
+## This fixes a buffer overflow in the OSPF dissector
+## See
http://www.idefense.com/application/poi/display?id=349&type=vulnerabilities
+## Woody and Sarge have been fixed in DSA-920
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+--- trunk/epan/dissectors/packet-ospf.c 2005/11/04 23:03:26 16393
++++ ethereal-0.10.13/epan/dissectors/packet-ospf.c 2005/11/15 10:56:18
16507
+@@ -2496,39 +2496,28 @@
+ static void dissect_ospf_v3_address_prefix(tvbuff_t *tvb, int offset, int
prefix_length, proto_tree *tree)
+ {
+
+- guint8 value;
+- guint8 position;
+- guint8 bufpos;
+- gchar *buffer;
+- gchar *bytebuf;
+- guint8 bytes_to_process;
+- int start_offset;
+-
+- start_offset=offset;
+- position=0;
+- bufpos=0;
+- bytes_to_process=((prefix_length+31)/32)*4;
+-
+- buffer=ep_alloc(32+7);
+- while (bytes_to_process > 0 ) {
+-
+- value=tvb_get_guint8(tvb, offset);
++ int bytes_to_process;
++ struct e_in6_addr prefix;
+
+- if ( (position > 0) && ( (position%2) == 0 ) )
+- buffer[bufpos++]=':';
++ bytes_to_process=((prefix_length+31)/32)*4;
+
+- bytebuf=ep_alloc(3);
+- g_snprintf(bytebuf, 3, "%02x",value);
+- buffer[bufpos++]=bytebuf[0];
+- buffer[bufpos++]=bytebuf[1];
+-
+- position++;
+- offset++;
+- bytes_to_process--;
++ if (prefix_length > 128) {
++ proto_tree_add_text(tree, tvb, offset, bytes_to_process,
++ "Address Prefix: length is invalid (%d, should be <= 128)",
++ prefix_length);
++ return;
+ }
+
+- buffer[bufpos]=0;
+- proto_tree_add_text(tree, tvb, start_offset, ((prefix_length+31)/32)*4,
"Address Prefix: %s",buffer);
++ memset(prefix.bytes, 0, sizeof prefix.bytes);
++ if (bytes_to_process != 0) {
++ tvb_memcpy(tvb, prefix.bytes, offset, bytes_to_process);
++ if (prefix_length % 8) {
++ prefix.bytes[bytes_to_process - 1] &=
++ ((0xff00 >> (prefix_length % 8)) & 0xff);
++ }
++ }
++ proto_tree_add_text(tree, tvb, offset, bytes_to_process,
++ "Address Prefix: %s", ip6_to_str(&prefix));
+
+ }
+
+
+