Bug#773416: [DEBIAN-LTS] ettercap package
Hi Nguyen,

On Fri, 26 Dec 2014, Nguyen Cong wrote:

Yes. Sorry for my mistake, I changed it. Please tell me if I had to set the name in changelog to you, Gianfranco Costamagna.

I have re-built it with care. But not sure it's good enough since I have had trouble with DEP3. I ended up with upstream patch style.

This debdiff looks mostly fine, thanks. I'm not at home and can't really handle the upload + announce for now though. If anyone else on this list can take care of it, please go ahead. Otherwise I'll take care of it early next year.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#773416: [DEBIAN-LTS] ettercap package
Hi dear Nguyen,

for me if it applies to ettercap/squeeze cleanly it is fine :)

Let's wait for Raphael, I don't have any more issues!

Cheers,
G.

On Saturday, 27 December 2014 5:04, Nguyen Cong cong.nguyen...@toshiba-tsdv.com wrote:

Dear Gianfranco Costamagna,

Many thanks for your comments.

I would say two here, because the other vulnerabilities are not available here

Yes. My bad, stupid mistake :(. It has been corrected.

only in patch2: unchanged:

I would remove the two lines above, don't know why they are here, but they seem to be not useful at all

I don't understand also. Could anyone please give me an idea for fixing this problem.

I attached newest debdiff file. Hope this is nearly good enough.

Thanks and best regards
Cong

On 26/12/2014 14:29, Gianfranco Costamagna wrote:

Hi Nguyen,

for me (note: I don't have any upload power, so my opinion counts less than 0 here) :)

--- ettercap-0.7.3/debian/changelog +++ ettercap-0.7.3/debian/changelog [snip]

fine for me, do not need to mention me at all :)

--- ettercap-0.7.3/debian/patches/series +++ ettercap-0.7.3/debian/patches/series [snip]

fine

only in patch2: unchanged:

I would remove the two lines above, don't know why they are here, but they seem to be not useful at all

--- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch

should be fine even if usually newly created files should be something like
--- /dev/null +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch [snip] +Subject: Twelve vulnerabilities exist on ettercap-ng which

I would say two here, because the other vulnerabilities are not available here

the other looks good to me :)

cheers,
G.

(sorry for top posting)

On Thursday, 25 December 2014 11:26, Nguyen Cong cong.nguyen...@toshiba-tsdv.com wrote:

Hello Gianfranco Costamagna and Raphael Hertzog,

Many thanks for your comments, especially Raphael :).

I propose something like this instead. (note the patch might not apply at all, I manually changed it)

Yes. Sorry for my mistake, I changed it. Please tell me if I had to set the name in changelog to you, Gianfranco Costamagna.

I have re-built it with care. But not sure it's good enough since I have had trouble with DEP3. I ended up with upstream patch style.

--- ettercap-0.7.3/debian/patches/series +++ ettercap-0.7.3/debian/patches/series @@ -3,0 +4 @@ +04_CVE-2014-9380-9381.patch

Why is there no context shown here?

And this one also. I don't really get it. Could you please review it and give me some comments.

Many thanks and Merry Christmas :)
Cong

On 25/12/2014 16:34, Gianfranco Costamagna wrote:

Hi *,

nope, you seem to be modifying other patches rather than the strict necessary to fix this bug.

Moreover the patch is lacking a CVE description (actually the patch is fixing two CVEs, and the description mentions only one)

(there is also no need to mention me, I'm not the author of the patch, nor of the debdiff :) )

also the patch subject might be not really needed, I leave Raphael to review the rest :)

I propose something like this instead. (note the patch might not apply at all, I manually changed it)

diff -u ettercap-0.7.3/debian/changelog ettercap-0.7.3/debian/changelog --- ettercap-0.7.3/debian/changelog +++ ettercap-0.7.3/debian/changelog
@@ -1,3 +1,16 @@ +ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium + + * Non-maintainer upload. + * Patch a bunch of security vulnerabilities (closes: #773416) + - CVE-2014-9380 (Buffer over-read) + - CVE-2014-9381 (Signedness error) + See: + https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/ + Patches taken from upstream + - 6b196e011fa456499ed4650a360961a2f1323818 pull/608 + - 31b937298c8067e6b0c3217c95edceb983dfc4a2 pull/609 + Thanks to Nick Sampanis n.sampa...@obrela.com who is responsible for + both finding and repairing these issues. + + -- Nguyen Cong cong.nguyen...@toshiba-tsdv.com Tue, 23 Dec 2014 09:44:32 +0700 + ettercap (1:0.7.3-2.1+squeeze1) stable; urgency=high * Quilt patch for CVE-2013-0722, a stack-based buffer overflow when diff -u ettercap-0.7.3/debian/patches/series ettercap-0.7.3/debian/patches/series --- ettercap-0.7.3/debian/patches/series +++ ettercap-0.7.3/debian/patches/series @@ -3,0 +4 @@ +04_CVE-2014-9380-9381.patch --- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch @@ -0,0 +1,35 @@ +From: Nick Sampanis n.sampa...@obrela.com +Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3 +Date: Mon, 22 Dec 2014 10:22:56 + (UTC) + +The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 +allows remote attackers to cause a denial of service (out-of-bounds +read) via a packet containing only a CVS_LOGIN signature. + +Integer
Bug#773416: [DEBIAN-LTS] ettercap package
Hi *,

nope, you seem to be modifying other patches rather than the strict necessary to fix this bug.

Moreover the patch is lacking a CVE description (actually the patch is fixing two CVEs, and the description mentions only one)

(there is also no need to mention me, I'm not the author of the patch, nor of the debdiff :) )

also the patch subject might be not really needed, I leave Raphael to review the rest :)

I propose something like this instead. (note the patch might not apply at all, I manually changed it)

diff -u ettercap-0.7.3/debian/changelog ettercap-0.7.3/debian/changelog --- ettercap-0.7.3/debian/changelog +++ ettercap-0.7.3/debian/changelog @@ -1,3 +1,16 @@ +ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium + + * Non-maintainer upload. + * Patch a bunch of security vulnerabilities (closes: #773416) + - CVE-2014-9380 (Buffer over-read) + - CVE-2014-9381 (Signedness error) + See: + https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/ + Patches taken from upstream + - 6b196e011fa456499ed4650a360961a2f1323818 pull/608 + - 31b937298c8067e6b0c3217c95edceb983dfc4a2 pull/609 + Thanks to Nick Sampanis n.sampa...@obrela.com who is responsible for + both finding and repairing these issues. + + -- Nguyen Cong cong.nguyen...@toshiba-tsdv.com Tue, 23 Dec 2014 09:44:32 +0700 + ettercap (1:0.7.3-2.1+squeeze1) stable; urgency=high * Quilt patch for CVE-2013-0722, a stack-based buffer overflow when diff -u ettercap-0.7.3/debian/patches/series ettercap-0.7.3/debian/patches/series --- ettercap-0.7.3/debian/patches/series +++ ettercap-0.7.3/debian/patches/series @@ -3,0 +4 @@ +04_CVE-2014-9380-9381.patch --- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch
@@ -0,0 +1,35 @@ +From: Nick Sampanis n.sampa...@obrela.com +Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3 +Date: Mon, 22 Dec 2014 10:22:56 + (UTC) + +The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 +allows remote attackers to cause a denial of service (out-of-bounds +read) via a packet containing only a CVS_LOGIN signature. + +Integer signedness error in the dissector_cvs function in +dissectors/ec_cvs.c in Ettercap 8.1 allows remote attackers to cause +a denial of service (crash) via a crafted password, which triggers +a large memory allocation. +See Debian Bug #773416#20 + +--- a/src/dissectors/ec_cvs.c b/src/dissectors/ec_cvs.c +@@ -70,7 +70,7 @@ FUNC_DECODER(dissector_cvs) + { +DECLARE_DISP_PTR_END(ptr, end); +char tmp[MAX_ASCII_ADDR_LEN]; +- char *p; ++ u_char *p; +size_t i; + +/* don't complain about unused var */ +@@ -92,6 +92,8 @@ FUNC_DECODER(dissector_cvs) + +/* move over the cvsroot path */ +ptr += strlen(CVS_LOGIN) + 1; ++ if (ptr = end) ++ return NULL; + +/* go until \n */ +while(*ptr != '\n' ptr != end) ptr++;

cheers, and Merry XMas,
Gianfranco
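Review bot: In the `@@ -92,6 +92,8 @@` hunk of ec_cvs.c, the trailing context line `while(*ptr != '\n' ptr != end) ptr++;` evaluates `*ptr` before it tests `ptr != end`, so when `ptr` reaches `end` the loop still reads the byte at `end`; test the bound first and dereference only afterwards. As rendered in this message the added guard also reads `if (ptr = end)`, which is an assignment and not a comparison; the check wanted after skipping `strlen(CVS_LOGIN) + 1` bytes is `ptr >= end`, so please confirm the patch file that gets uploaded carries that operator.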
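Review bot: The `@@ -70,7 +70,7 @@` hunk changes only the declaration (`char *p` to `u_char *p`) and no use of `p` appears in either hunk, so the signedness fix described in the patch header cannot be checked from this diff. The header describes the flaw against "Ettercap 8.1" while the patch targets the 0.7.3 tree, so please confirm against the 0.7.3 source that `p` is the value feeding the large allocation the description mentions, and consider an explicit upper bound on that length before allocating rather than relying on the type change alone.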
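Review bot: The header of the new 04_CVE-2014-9380-9381.patch (`From:`, `Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3`, `Date:`) is a copied mail header, so the subject names a bug-closing mail rather than the change, and there is no `Origin:` or `Bug-Debian:` field. For a DEP-3 header, make the subject describe the fix and record the two upstream commits already listed in the changelog hunk (6b196e011fa456499ed4650a360961a2f1323818 and 31b937298c8067e6b0c3217c95edceb983dfc4a2) as the origin, together with bug 773416.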
Bug#773416: [DEBIAN-LTS] ettercap package
Hi Nguyen,

for me (note: I don't have any upload power, so my opinion counts less than 0 here) :)

--- ettercap-0.7.3/debian/changelog +++ ettercap-0.7.3/debian/changelog [snip]

fine for me, do not need to mention me at all :)

--- ettercap-0.7.3/debian/patches/series +++ ettercap-0.7.3/debian/patches/series [snip]

fine

only in patch2: unchanged:

I would remove the two lines above, don't know why they are here, but they seem to be not useful at all

--- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch

should be fine even if usually newly created files should be something like

--- /dev/null +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch [snip] +Subject: Twelve vulnerabilities exist on ettercap-ng which

I would say two here, because the other vulnerabilities are not available here

the other looks good to me :)

cheers,
G.

(sorry for top posting)

On Thursday, 25 December 2014 11:26, Nguyen Cong cong.nguyen...@toshiba-tsdv.com wrote:

Hello Gianfranco Costamagna and Raphael Hertzog,

Many thanks for your comments, especially Raphael :).

I propose something like this instead. (note the patch might not apply at all, I manually changed it)

Yes. Sorry for my mistake, I changed it. Please tell me if I had to set the name in changelog to you, Gianfranco Costamagna.

I have re-built it with care. But not sure it's good enough since I have had trouble with DEP3. I ended up with upstream patch style.

--- ettercap-0.7.3/debian/patches/series +++ ettercap-0.7.3/debian/patches/series
@@ -3,0 +4 @@ +04_CVE-2014-9380-9381.patch

Why is there no context shown here?

And this one also. I don't really get it. Could you please review it and give me some comments.

Many thanks and Merry Christmas :)
Cong

On 25/12/2014 16:34, Gianfranco Costamagna wrote:

Hi *,

nope, you seem to be modifying other patches rather than the strict necessary to fix this bug.

Moreover the patch is lacking a CVE description (actually the patch is fixing two CVEs, and the description mentions only one)

(there is also no need to mention me, I'm not the author of the patch, nor of the debdiff :) )

also the patch subject might be not really needed, I leave Raphael to review the rest :)

I propose something like this instead. (note the patch might not apply at all, I manually changed it)

diff -u ettercap-0.7.3/debian/changelog ettercap-0.7.3/debian/changelog --- ettercap-0.7.3/debian/changelog +++ ettercap-0.7.3/debian/changelog @@ -1,3 +1,16 @@ +ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium + + * Non-maintainer upload. + * Patch a bunch of security vulnerabilities (closes: #773416) + - CVE-2014-9380 (Buffer over-read) + - CVE-2014-9381 (Signedness error) + See: + https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/ + Patches taken from upstream + - 6b196e011fa456499ed4650a360961a2f1323818 pull/608 + - 31b937298c8067e6b0c3217c95edceb983dfc4a2 pull/609 + Thanks to Nick Sampanis n.sampa...@obrela.com who is responsible for + both finding and repairing these issues. + + -- Nguyen Cong cong.nguyen...@toshiba-tsdv.com Tue, 23 Dec 2014 09:44:32 +0700 + ettercap (1:0.7.3-2.1+squeeze1) stable; urgency=high * Quilt patch for CVE-2013-0722, a stack-based buffer overflow when diff -u ettercap-0.7.3/debian/patches/series ettercap-0.7.3/debian/patches/series --- ettercap-0.7.3/debian/patches/series +++ ettercap-0.7.3/debian/patches/series
@@ -3,0 +4 @@ +04_CVE-2014-9380-9381.patch --- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch @@ -0,0 +1,35 @@ +From: Nick Sampanis n.sampa...@obrela.com +Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3 +Date: Mon, 22 Dec 2014 10:22:56 + (UTC) + +The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 +allows remote attackers to cause a denial of service (out-of-bounds +read) via a packet containing only a CVS_LOGIN signature. + +Integer signedness error in the dissector_cvs function in +dissectors/ec_cvs.c in Ettercap 8.1 allows remote attackers to cause +a denial of service (crash) via a crafted password, which triggers +a large memory allocation. +See Debian Bug #773416#20 + +--- a/src/dissectors/ec_cvs.c b/src/dissectors/ec_cvs.c +@@ -70,7 +70,7 @@ FUNC_DECODER(dissector_cvs) + { +DECLARE_DISP_PTR_END(ptr, end); +char tmp[MAX_ASCII_ADDR_LEN]; +- char *p; ++ u_char *p; +size_t i; + +/* don't complain about unused var */ +@@ -92,6 +92,8 @@ FUNC_DECODER(dissector_cvs) + +/* move over the cvsroot path */ +ptr += strlen(CVS_LOGIN) + 1; ++if (ptr = end) ++return NULL; + +/* go until \n */ +while(*ptr != '\n' ptr != end) ptr++; cheers, and Merry XMas, Gianfranco --
Bug#773416: [DEBIAN-LTS] ettercap package
Hello,

On Tue, 23 Dec 2014, Thorsten Alteholz wrote:

On Tue, 23 Dec 2014, Nguyen Cong wrote:

I have created .deb file for ettercap package.

great, thanks a lot.

Since I'm not DD or DM so I attached debdiff file for review as mentioned in LTS/Development wiki page. Could anyone please check it and tell me if any comments?

After a first glimpse it seems to be that this package uses quilt, but you directly changed the source files. Please don't change the way of the original maintainer to handle patches.

It looks like the upstream author made the same mistake when preparing an upload of his own in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#50

I propose to let Nguyen Cong take care of fixing this so that he can learn about quilt and have some easy entry into contributing to the LTS team.

Nguyen, feel free to get some inspiration from Gianfranco's more verbose changelog message though. :)

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Bug#773416: [DEBIAN-LTS] ettercap package
On Wed, 24 Dec 2014, Nguyen Cong wrote:

I have rebuilt the ettercap package using quilt patch. Could you please give me some comments.

Here they are.

diff -u ettercap-0.7.3/debian/changelog ettercap-0.7.3/debian/changelog --- ettercap-0.7.3/debian/changelog +++ ettercap-0.7.3/debian/changelog @@ -1,3 +1,11 @@ +ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2014-9380 and CVE-2014-9381 using patch file from +Gianfranco Costamagna in Bug#773416 Mes#20 + + -- Nguyen Cong cong.nguyen...@toshiba-tsdv.com Tue, 23 Dec 2014 09:44:32 +0700

Please have a look at the changelog of Gianfranco and acknowledge the origin of the patch as coming from their true author.

--- ettercap-0.7.3/debian/patches/series +++ ettercap-0.7.3/debian/patches/series @@ -3,0 +4 @@ +04_CVE-2014-9380-9381.patch

Why is there no context shown here?

--- ettercap-0.7.3/debian/patches/03_CVE-2013-0722.patch +++ ettercap-0.7.3/debian/patches/03_CVE-2013-0722.patch

Why are there changes to this patch file? You should strive to modify the strict minimum. And AFAIK this patch doesn't have to be updated. It is applying cleanly.

--- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch
@@ -0,0 +1,30 @@ +From: Gianfranco Costamagna costamagnagianfra...@yahoo.it +Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3 +Date: Mon, 22 Dec 2014 10:22:56 + (UTC) + +The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 +allows remote attackers to cause a denial of service (out-of-bounds +read) via a packet containing only a CVS_LOGIN signature. + +See Debian Bug #773416 Message #20

FYI, we like to document new patches with meta-information that respect this format: http://dep.debian.net/deps/dep3/

Besides those details, it looks ok.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer