Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi,
This update will fix CVE-2014-5439: Root shell on Sniffit[1]. The issue is
already fixed in Sid (since 0.3.7.beta-20, without a bug) and in upstream.
[1]
http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html
Thanks a lot in advance.
Regards,
Eriberto
diff -Nru sniffit-0.3.7.beta/debian/changelog sniffit-0.3.7.beta/debian/changelog
--- sniffit-0.3.7.beta/debian/changelog 2012-08-21 19:51:44.0 -0300
+++ sniffit-0.3.7.beta/debian/changelog 2016-11-23 17:05:14.0 -0200
@@ -1,3 +1,9 @@
+sniffit (0.3.7.beta-17+deb8u1) jessie; urgency=medium
+
+ * Added a patch to fix CVE-2014-5439 (Root shell on Sniffit).
+
+ -- Joao Eriberto Mota Filho Wed, 23 Nov 2016 16:57:34 -0200
+
sniffit (0.3.7.beta-17) unstable; urgency=low
* Acknowledge NMU.
diff -Nru sniffit-0.3.7.beta/debian/patches/fix-CVE-2014-5439.patch sniffit-0.3.7.beta/debian/patches/fix-CVE-2014-5439.patch
--- sniffit-0.3.7.beta/debian/patches/fix-CVE-2014-5439.patch 1969-12-31 21:00:00.0 -0300
+++ sniffit-0.3.7.beta/debian/patches/fix-CVE-2014-5439.patch 2016-11-23 17:11:18.0 -0200
@@ -0,0 +1,33 @@
+Description: fix CVE-2014-5439 - Root shell on Sniffit.
+Author: Hector Marco < hma...@hmarco.or>
+Ismael Ripoll
+Last-Update: 2014-07-??
+Origin: http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html
+Index: sniffit-0.3.7.beta/sn_cfgfile.c
+===
+--- sniffit-0.3.7.beta.orig/sn_cfgfile.c
sniffit-0.3.7.beta/sn_cfgfile.c
+@@ -119,6 +119,11 @@ char *clean_string (char *string)
+ char help[20];
+ int i, j;
+
++if(strlen(string) >= 20){
++ fprintf(stderr, "Error: String too long [%s]\n", string);
++ exit(-1);
++}
++
+ j=0;
+ for(i=0;i= 20){
++ fprintf(stderr, "Error: String too long [%s]\n", string);
++ exit(-1);
++}
++
+ j=0;
+ for(i=0;i