Package: release.debian.org
Severity: normal
Tags: trixie
User: [email protected]
Usertags: pu

Dear Release Team,

I would like to update the bettercap on the trixie to prevent remote DoS via
crafted client handshake on mysql.server module, because during a review of
the Debian Security Tracker, I found CVE-2026-8276.

There is no DSA assigned to the bug and it was marked "no-dsa" and so I'm doing
a normal upload.

"mysql.server crashes entire process on crafted client handshake (remote DoS)",
as reported in: https://github.com/bettercap/bettercap/issues/1265

This vulnerability has been assigned the CVE id CVE-2026-8276.

Upstream fixed the bug at:
https://github.com/bettercap/bettercap/commit/0eaa375c5e5446bfba94a290eff92967a5deac9e

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8276
[1] https://security-tracker.debian.org/tracker/CVE-2026-8276
[2] https://bugs.debian.org/1136448

Regards,
Francisco

diff -Nru bettercap-2.33.0/debian/changelog bettercap-2.33.0/debian/changelog
--- bettercap-2.33.0/debian/changelog   2024-08-18 20:54:15.000000000 +0000
+++ bettercap-2.33.0/debian/changelog   2026-07-13 02:41:40.000000000 +0000
@@ -1,3 +1,10 @@
+bettercap (2.33.0-1+deb13u1) trixie; urgency=medium
+
+  * Add debian/patches/CVE-2026-8276.patch.
+    (Closes: #1136448, CVE-2026-8276)
+
+ -- Francisco Vilmar Cardoso Ruviaro <[email protected]>  Mon, 13 Jul 2026 
02:41:40 +0000
+
 bettercap (2.33.0-1) unstable; urgency=medium
 
   * New upstream version 2.33.0.
diff -Nru bettercap-2.33.0/debian/patches/CVE-2026-8276.patch 
bettercap-2.33.0/debian/patches/CVE-2026-8276.patch
--- bettercap-2.33.0/debian/patches/CVE-2026-8276.patch 1970-01-01 
00:00:00.000000000 +0000
+++ bettercap-2.33.0/debian/patches/CVE-2026-8276.patch 2026-07-13 
02:34:14.000000000 +0000
@@ -0,0 +1,34 @@
+Description: Fix mysql.server panic on crafted client handshake (remote DoS).
+Author: Simone Margaritelli <[email protected]>
+Origin: upstream, 
https://github.com/bettercap/bettercap/commit/0eaa375c5e5446bfba94a290eff92967a5deac9e.patch
+Bug: https://github.com/bettercap/bettercap/issues/1265
+Bug-Debian: https://bugs.debian.org/1136448
+Forwarded: not-needed
+Reviewed-By: Francisco Vilmar Cardoso Ruviaro <[email protected]>
+Last-Update: 2026-07-10
+
+--- a/modules/mysql_server/mysql_server.go
++++ b/modules/mysql_server/mysql_server.go
+@@ -121,15 +121,20 @@ func (mod *MySQLServer) Start() error {
+                               if _, err := conn.Write(packets.MySQLGreeting); 
err != nil {
+                                       mod.Warning("error while writing server 
greeting: %s", err)
+                                       continue
+-                              } else if _, err = reader.Read(readBuffer); err 
!= nil {
++                              } else if read, err = reader.Read(readBuffer); 
err != nil {
+                                       mod.Warning("error while reading client 
message: %s", err)
+                                       continue
+                               }
+ 
++                              if read < 37 {
++                                      mod.Warning("client handshake too short 
(%d bytes)", read)
++                                      continue
++                              }
++
+                               // parse client capabilities and validate 
connection
+                               // TODO: parse mysql connections properly and
+                               //       display additional connection 
attributes
+-                              capabilities := fmt.Sprintf("%08b", 
(int(uint32(readBuffer[4]) | uint32(readBuffer[5])<<8)))
++                              capabilities := fmt.Sprintf("%016b", 
(int(uint32(readBuffer[4]) | uint32(readBuffer[5])<<8)))
+                               loadData := string(capabilities[8])
+                               username := string(bytes.Split(readBuffer[36:], 
[]byte{0})[0])
+ 
diff -Nru bettercap-2.33.0/debian/patches/series 
bettercap-2.33.0/debian/patches/series
--- bettercap-2.33.0/debian/patches/series      2024-08-18 17:41:44.000000000 
+0000
+++ bettercap-2.33.0/debian/patches/series      2026-07-13 02:34:56.000000000 
+0000
@@ -1,3 +1,4 @@
 adapt-service-file.patch
 disable-install-update-bettercap.patch
 disable-install-update-caplets.patch
+CVE-2026-8276.patch

Regards,
-- 
Francisco Vilmar Cardoso Ruviaro <[email protected]>
4096R: 1B8C F656 EF3B 8447 2F48 F0E7 82FB F706 0B2F 7D00

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply via email to