Bug#845474: jessie-pu: package sniffit/0.3.7.beta-17

2016-12-14 Thread Adam D. Barratt
Control: tags -1 + pending

On Mon, 2016-12-12 at 14:52 -0200, Eriberto wrote:
> 2016-12-10 19:48 GMT-02:00 Adam D. Barratt :
> > Control: tags -1 + confirmed
> >
> > On Wed, 2016-11-23 at 17:32 -0200, Joao Eriberto Mota Filho wrote:
> >> This update will fix CVE-2014-5439: Root shell on Sniffit[1]. The issue is
> >> already fixed in Sid (since 0.3.7.beta-20, without a bug) and in upstream.
> >>
> >> [1] http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html
> >
> > Please go ahead.
> 
> 
> Uploaded. Thanks!

Flagged for acceptance into p-u.

Regards,

Adam



Bug#845474: jessie-pu: package sniffit/0.3.7.beta-17

2016-12-12 Thread Eriberto
2016-12-10 19:48 GMT-02:00 Adam D. Barratt :
> Control: tags -1 + confirmed
>
> On Wed, 2016-11-23 at 17:32 -0200, Joao Eriberto Mota Filho wrote:
>> This update will fix CVE-2014-5439: Root shell on Sniffit[1]. The issue is
>> already fixed in Sid (since 0.3.7.beta-20, without a bug) and in upstream.
>>
>> [1] http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html
>
> Please go ahead.


Uploaded. Thanks!

Eriberto



Bug#845474: jessie-pu: package sniffit/0.3.7.beta-17

2016-12-10 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2016-11-23 at 17:32 -0200, Joao Eriberto Mota Filho wrote:
> This update will fix CVE-2014-5439: Root shell on Sniffit[1]. The issue is
> already fixed in Sid (since 0.3.7.beta-20, without a bug) and in upstream.
> 
> [1] http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html

Please go ahead.

Regards,

Adam



Bug#845474: jessie-pu: package sniffit/0.3.7.beta-17

2016-11-23 Thread Joao Eriberto Mota Filho
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This update will fix CVE-2014-5439: Root shell on Sniffit[1]. The issue is
already fixed in Sid (since 0.3.7.beta-20, without a bug) and in upstream.

[1] http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html

Thanks a lot in advance.

Regards,

Eriberto
diff -Nru sniffit-0.3.7.beta/debian/changelog sniffit-0.3.7.beta/debian/changelog
--- sniffit-0.3.7.beta/debian/changelog	2012-08-21 19:51:44.0 -0300
+++ sniffit-0.3.7.beta/debian/changelog	2016-11-23 17:05:14.0 -0200
@@ -1,3 +1,9 @@
+sniffit (0.3.7.beta-17+deb8u1) jessie; urgency=medium
+
+  * Added a patch to fix CVE-2014-5439 (Root shell on Sniffit).
+
+ -- Joao Eriberto Mota Filho   Wed, 23 Nov 2016 16:57:34 -0200
+
 sniffit (0.3.7.beta-17) unstable; urgency=low
 
   * Acknowledge NMU.
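Review bot: the new entry for 0.3.7.beta-17+deb8u1 says only "Added a patch" without naming the file. Name debian/patches/fix-CVE-2014-5439.patch in the bullet so the changelog line can be matched directly to the file this upload adds.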
diff -Nru sniffit-0.3.7.beta/debian/patches/fix-CVE-2014-5439.patch sniffit-0.3.7.beta/debian/patches/fix-CVE-2014-5439.patch
--- sniffit-0.3.7.beta/debian/patches/fix-CVE-2014-5439.patch	1969-12-31 21:00:00.0 -0300
+++ sniffit-0.3.7.beta/debian/patches/fix-CVE-2014-5439.patch	2016-11-23 17:11:18.0 -0200
@@ -0,0 +1,33 @@
+Description: fix CVE-2014-5439 - Root shell on Sniffit.
+Author: Hector Marco < hma...@hmarco.or>
+Ismael Ripoll 
+Last-Update: 2014-07-??
+Origin: http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html
+Index: sniffit-0.3.7.beta/sn_cfgfile.c
+===
+--- sniffit-0.3.7.beta.orig/sn_cfgfile.c
 sniffit-0.3.7.beta/sn_cfgfile.c
+@@ -119,6 +119,11 @@ char *clean_string (char *string)
+ char help[20];
+ int i, j;
+ 
++if(strlen(string) >= 20){
++   fprintf(stderr, "Error: String too long [%s]\n", string);
++   exit(-1);
++}
++
+ j=0;
+ for(i=0;i= 20){
++   fprintf(stderr, "Error: String too long [%s]\n", string);
++   exit(-1);
++}
++
+ j=0;
+ for(i=0;i
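Review bot: the length guard added at the top of clean_string() hard-codes 20, repeating the size of "char help[20]" declared just above it. Write the test as "strlen(string) >= sizeof(help)" so the bound cannot drift from the buffer if the declaration ever changes. The guard also ends the whole process with exit(-1) from inside a string helper, which the calling shell sees as status 255; exit(1), or an error return handled by the caller, would be more conventional. In the patch header, "Last-Update: 2014-07-??" is not a complete date, so fill in the day or drop the field. The visible part of the debdiff shows no change to debian/patches/series; confirm the new patch is listed there, otherwise it is never applied at build time.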