[ettercap] Patches for multiple CVEs.
Jon Ciesla
limb at fedoraproject.org
Tue Dec 16 16:06:57 UTC 2014
commit d648cfa677eb9c18877645e7eaca035fcae0c0f6
Author: Jon Ciesla <limburgher at gmail.com>
Date: Tue Dec 16 10:05:20 2014 -0600
Patches for multiple CVEs.
ettercap-0.8.1-arbitrary-length.patch | 22 +++++
ettercap-0.8.1-cvs-ignore-base64-error-value.patch | 31 +++++++
ettercap-0.8.1-cvs-ignore-end-checking.patch | 32 ++++++++
ettercap-0.8.1-cvs-signed-pointer.patch | 22 +++++
...-dissector-arbitrary-length-heap-overflow.patch | 85 ++++++++++++++++++++
ettercap-0.8.1-ignored-dn_expand-error.patch | 23 +++++
ettercap-0.8.1-radius-stack-overflow.patch | 22 +++++
ettercap.spec | 19 ++++-
8 files changed, 255 insertions(+), 1 deletions(-)
---
diff --git a/ettercap-0.8.1-arbitrary-length.patch b/ettercap-0.8.1-arbitrary-length.patch
new file mode 100644
index 0000000..efcaff9
--- /dev/null
+++ b/ettercap-0.8.1-arbitrary-length.patch
@@ -0,0 +1,22 @@
+From 103f16582ee88341a6a610378011781cdc866b0c Mon Sep 17 00:00:00 2001
+From: NickSampanis <nicksampanis at gmail.com>
+Date: Fri, 17 Oct 2014 17:14:28 +0300
+Subject: [PATCH] Fix arbitary length
+
+---
+ src/dissectors/ec_dhcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dissectors/ec_dhcp.c b/src/dissectors/ec_dhcp.c
+index 1ca7d05..c984153 100644
+--- a/src/dissectors/ec_dhcp.c
++++ b/src/dissectors/ec_dhcp.c
+@@ -256,7 +256,7 @@ FUNC_DECODER(dissector_dhcp)
+ (opt = get_dhcp_option(DHCP_OPT_FQDN, options, end)) != NULL)
+ {
+ u_char size = opt[0];
+- if ((opt + size + 2) > end)
++ if ((opt + size + 2) > end || size < 3)
+ {
+ // the +2 accounts for a-rr and ptr-rr
+ return NULL;
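Review bot: The new guard still forms `opt + size + 2` before comparing it with `end`, so for a large `size` a pointer past the buffer is computed before the test can reject it; comparing lengths avoids that, `if (size < 3 || (size_t)(end - opt) < (size_t)size + 2)`. Because `size` is a `u_char`, the integer form cannot overflow, and keeping `size < 3` first makes the rejection of short options explicit before the bound test. dissector_dhcp starts and ends outside the hunk, so whether `end` is one past the last valid byte is not visible here; the length comparison is correct under either convention as long as `end` is what the surrounding code already treats as the limit.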
diff --git a/ettercap-0.8.1-cvs-ignore-base64-error-value.patch b/ettercap-0.8.1-cvs-ignore-base64-error-value.patch
new file mode 100644
index 0000000..ac1c69d
--- /dev/null
+++ b/ettercap-0.8.1-cvs-ignore-base64-error-value.patch
@@ -0,0 +1,31 @@
+From 9e9fdc7ed1ee8eba01a5a05e000b6c55d2a70923 Mon Sep 17 00:00:00 2001
+From: NickSampanis <nicksampanis at gmail.com>
+Date: Fri, 17 Oct 2014 21:29:25 +0300
+Subject: [PATCH] Fix cvs ignore base64 error value
+
+---
+ src/dissectors/ec_imap.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/dissectors/ec_imap.c b/src/dissectors/ec_imap.c
+index 0ab3dfc..d45ecab 100644
+--- a/src/dissectors/ec_imap.c
++++ b/src/dissectors/ec_imap.c
+@@ -284,12 +284,15 @@ FUNC_DECODER(dissector_imap)
+
+ DEBUG_MSG("\tDissector_imap AUTHENTICATE PLAIN USER/PASS");
+
+- //SAFE_CALLOC(cred, strlen((const char*)ptr), sizeof(char));
+-
+ /* password is encoded in base64 */
+ i = base64decode((const char *)ptr, &cred);
+ p = cred;
+ cred_end = cred+i;
++ if (p > cred_end) {
++ SAFE_FREE(cred);
++ dissect_wipe_session(PACKET, DISSECT_CODE(dissector_imap));
++ return NULL;
++ }
+ /* move to the username right after the first \0 */
+ while(*p && p!=cred_end) p++;
+ if (p!=cred_end) p++;
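Review bot: The error return from base64decode is detected only indirectly: `cred_end = cred+i;` is evaluated before `i` is examined, so a negative `i` first forms a pointer before the start of `cred` and the new `p > cred_end` test then relies on a comparison the compiler may fold away, since both pointers nominally belong to the same object. Test the return value directly, moving the check ahead of the `cred_end` assignment and writing it as `if (i < 0) {` with the same cleanup body; `i` is declared outside the hunk, and if it is unsigned the test has to be applied to the raw return value instead. The patch file name and Subject say "cvs" although the change is in ec_imap.c, which is worth correcting when the patch is next refreshed. dissector_imap continues outside the hunk.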
diff --git a/ettercap-0.8.1-cvs-ignore-end-checking.patch b/ettercap-0.8.1-cvs-ignore-end-checking.patch
new file mode 100644
index 0000000..91a8885
--- /dev/null
+++ b/ettercap-0.8.1-cvs-ignore-end-checking.patch
@@ -0,0 +1,32 @@
+From 6b196e011fa456499ed4650a360961a2f1323818 Mon Sep 17 00:00:00 2001
+From: NickSampanis <nicksampanis at gmail.com>
+Date: Fri, 17 Oct 2014 21:00:41 +0300
+Subject: [PATCH] Fix cvs ignore end checking
+
+---
+ src/dissectors/ec_cvs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/dissectors/ec_cvs.c b/src/dissectors/ec_cvs.c
+index ff19b60..f6195c6 100644
+--- a/src/dissectors/ec_cvs.c
++++ b/src/dissectors/ec_cvs.c
+@@ -96,16 +96,16 @@ FUNC_DECODER(dissector_cvs)
+ /* move over the cvsroot path */
+ ptr += strlen(CVS_LOGIN) + 1;
+
++ if (ptr >= end)
++ return NULL;
+ /* go until \n */
+ while(*ptr != '\n' && ptr != end) ptr++;
+ if (ptr == end) return NULL;
+-
+ PACKET->DISSECTOR.user = strdup((const char*)++ptr);
+
+ /* cut the username on \n */
+ if ( (p = strchr(PACKET->DISSECTOR.user, '\n')) != NULL )
+ *p = '\0';
+-
+ /* go until \n */
+ while(*ptr != '\n' && ptr != end) ptr++;
+ if (ptr == end) return NULL;
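Review bot: `strdup((const char*)++ptr)` reads until a NUL byte and nothing visible here NUL-terminates the packet buffer, so the added `ptr >= end` check does not bound that read; after the `if (ptr == end) return NULL;` use a length-bounded copy, `ptr++;` on its own line followed by `PACKET->DISSECTOR.user = strndup((const char *)ptr, (size_t)(end - ptr));` (the increment must stay in a separate statement so `end - ptr` is evaluated after it). The two `while(*ptr != '\n' && ptr != end)` loops also dereference before testing the bound, so their last iteration reads the byte at `end`; swapping the operands, `while (ptr != end && *ptr != '\n')`, removes that one-byte over-read. The strndup result is still unchecked for NULL, as strdup was before. dissector_cvs starts and ends outside the hunk.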
diff --git a/ettercap-0.8.1-cvs-signed-pointer.patch b/ettercap-0.8.1-cvs-signed-pointer.patch
new file mode 100644
index 0000000..636ce42
--- /dev/null
+++ b/ettercap-0.8.1-cvs-signed-pointer.patch
@@ -0,0 +1,22 @@
+From 31b937298c8067e6b0c3217c95edceb983dfc4a2 Mon Sep 17 00:00:00 2001
+From: NickSampanis <nicksampanis at gmail.com>
+Date: Fri, 17 Oct 2014 21:10:14 +0300
+Subject: [PATCH] Fix cvs signed pointer
+
+---
+ src/dissectors/ec_cvs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dissectors/ec_cvs.c b/src/dissectors/ec_cvs.c
+index ff19b60..bb71981 100644
+--- a/src/dissectors/ec_cvs.c
++++ b/src/dissectors/ec_cvs.c
+@@ -69,7 +69,7 @@ FUNC_DECODER(dissector_cvs)
+ {
+ DECLARE_DISP_PTR_END(ptr, end);
+ char tmp[MAX_ASCII_ADDR_LEN];
+- char *p;
++ u_char *p;
+ size_t i;
+
+ /* don't complain about unused var */
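Review bot: Changing `p` to `u_char *` makes the `p = strchr(PACKET->DISSECTOR.user, '\n')` assignment in this function (visible in the cvs-ignore-end-checking patch above) store a `char *` into an `unsigned char *`, which is an incompatible-pointer-type diagnostic — a warning on older GCC and an error by default on GCC 14. Either keep `p` as `char *` and cast at the site that needs the unsigned view, or cast the strchr result, `p = (u_char *)strchr(PACKET->DISSECTOR.user, '\n')`. The use of `p` that motivated the sign change is not inside this hunk, so which of the two is preferable cannot be settled from here; dissector_cvs continues outside the hunk.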
diff --git a/ettercap-0.8.1-gg-dissector-arbitrary-length-heap-overflow.patch b/ettercap-0.8.1-gg-dissector-arbitrary-length-heap-overflow.patch
new file mode 100644
index 0000000..f24baf1
--- /dev/null
+++ b/ettercap-0.8.1-gg-dissector-arbitrary-length-heap-overflow.patch
@@ -0,0 +1,85 @@
+From 37dcfdf79e1ac6dcacd565894cd7717aa0224164 Mon Sep 17 00:00:00 2001
+From: NickSampanis <nicksampanis at gmail.com>
+Date: Fri, 17 Oct 2014 19:24:49 +0300
+Subject: [PATCH] Fix gg dissector arbitary length heap overflow
+
+---
+ src/dissectors/ec_gg.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/dissectors/ec_gg.c b/src/dissectors/ec_gg.c
+index 6f8260d..9665894 100644
+--- a/src/dissectors/ec_gg.c
++++ b/src/dissectors/ec_gg.c
+@@ -358,6 +358,8 @@ FUNC_DECODER(dissector_gg)
+ if ((gg->type == GG_LOGIN50_CMD) && !FROM_SERVER("gg", PACKET)) {
+ gg_get_status(gg_login50->status,tbuf);
+ gg_get_version(gg_login50->version,tbuf3);
++ if ((int)gg->len-22 < 0)
++ return NULL;
+ strncpy(tbuf2,gg_login50->description, (gg->len)-22);
+ tbuf2[(gg->len)-22]='\0';
+ sprintf(user,"%u",gg_login50->uin);
+@@ -378,6 +380,8 @@ if ((gg->type == GG_LOGIN50_CMD) && !FROM_SERVER("gg", PACKET)) {
+ else if (gg->type == GG_LOGIN60_CMD) {
+ gg_get_status(gg_login60->status,tbuf);
+ gg_get_version(gg_login60->version,tbuf3);
++ if ((int)gg->len-31 < 0)
++ return NULL;
+ strncpy(tbuf2,gg_login60->description, (gg->len)-31);
+ tbuf2[(gg->len)-31]='\0';
+ sprintf(user,"%u",gg_login60->uin);
+@@ -400,6 +404,8 @@ else if (gg->type == GG_LOGIN60_CMD) {
+ else if (gg->type == GG_LOGIN70_CMD) {
+ gg_get_status(gg_login70->status,tbuf);
+ gg_get_version(gg_login70->version,tbuf3);
++ if ((int)gg->len-92 < 0)
++ return NULL;
+ strncpy(tbuf2,gg_login70->description, (gg->len)-92);
+ tbuf2[(gg->len)-92]='\0';
+ sprintf(user,"%u",gg_login70->uin);
+@@ -447,6 +453,8 @@ else if (gg->type == GG_WELCOME_CMD) {
+ #ifdef GG_CONTACTS_STATUS_CHANGES
+ else if ((gg->type == GG_STATUS_CMD) && FROM_SERVER("gg", PACKET)) {
+ gg_get_status(gg_status->status,tbuf);
++ if ((int)gg->len-8 < 0)
++ return NULL;
+ strncpy(tbuf2,gg_status->description, (gg->len)-8);
+ tbuf2[(gg->len)-8]='\0';
+ DISSECT_MSG("GG : %s:%d -> %s:%d - STATUS CHANGED UIN: %u STATUS: %s (%s)\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
+@@ -459,6 +467,8 @@ else if ((gg->type == GG_STATUS_CMD) && FROM_SERVER("gg", PACKET)) {
+ #endif
+ else if ((gg->type == GG_NEW_STATUS_CMD) && !FROM_SERVER("gg", PACKET)) {
+ gg_get_status(gg_new_status->status,tbuf);
++ if ((int)gg->len-4 < 0)
++ return NULL;
+ strncpy(tbuf2,gg_new_status->description, (gg->len)-4);
+ tbuf2[(gg->len)-4]='\0';
+ DISSECT_MSG("GG : %s:%d -> %s:%d - NEW STATUS STATUS: %s (%s)\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
+@@ -471,6 +481,8 @@ else if ((gg->type == GG_NEW_STATUS_CMD) && !FROM_SERVER("gg", PACKET)) {
+ else if ((gg->type == GG_STATUS50_CMD) && FROM_SERVER("gg", PACKET)) {
+ gg_get_status(gg_status50->status,tbuf);
+ gg_get_version(gg_status50->version,tbuf3);
++ if ((int)gg->len-20 < 0)
++ return NULL;
+ strncpy(tbuf2,gg_status50->description, (gg->len)-20);
+ tbuf2[(gg->len)-20]='\0';
+ DISSECT_MSG("GG4/5 : %s:%d -> %s:%d - STATUS CHANGED UIN: %u STATUS: %s (%s) VERSION: %s RIP: %u.%u.%u.%u:%u\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
+@@ -486,6 +498,8 @@ else if ((gg->type == GG_STATUS50_CMD) && FROM_SERVER("gg", PACKET)) {
+ else if (gg->type == GG_STATUS60_CMD) {
+ gg_get_status(gg_status60->status,tbuf);
+ gg_get_version(gg_status60->version,tbuf3);
++ if ((int)gg->len-14 < 0)
++ return NULL;
+ strncpy(tbuf2,gg_status60->description, (gg->len)-14);
+ tbuf2[(gg->len)-14]='\0';
+ DISSECT_MSG("GG6 : %s:%d -> %s:%d - STATUS CHANGED UIN: %u STATUS: %s (%s) VERSION: %s RIP: %u.%u.%u.%u:%u\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
+@@ -500,6 +514,8 @@ else if (gg->type == GG_STATUS60_CMD) {
+ }
+ else if (gg->type == GG_STATUS70_CMD) {
+ gg_get_status(gg_status70->status,tbuf);
++ if ((int)gg->len-18 < 0)
++ return NULL;
+ gg_get_version(gg_status70->version,tbuf3);
+ strncpy(tbuf2,gg_status70->description, (gg->len)-18);
+ tbuf2[(gg->len)-18]='\0';
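Review bot: Each new `if ((int)gg->len-N < 0) return NULL;` guard rejects only the underflow case; the `strncpy` into `tbuf2` and the `tbuf2[(gg->len)-N]='\0'` store that follow still use a length taken from the packet with no upper bound against the size of `tbuf2` or the bytes remaining in the packet, so a `len` larger than the buffer still writes past it. Compare unsigned values and bound both sides, e.g. for the first site `if (gg->len < 22 || gg->len - 22 >= sizeof tbuf2) return NULL;` (valid if `tbuf2` is a fixed array, which its declaration outside the hunk would confirm), plus a check against whatever end pointer dissector_gg declares; the same applies to the seven other hunks in this file (offsets 31, 92, 8, 4, 20, 14 and 18). The `(int)` cast additionally makes the test depend on implementation-defined conversion once `len` exceeds INT_MAX. Since the eight sites differ only in the header size, a small static helper taking the offset and doing both checks would keep them consistent — the GG_STATUS70 site already places its check on a different line than the others.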
diff --git a/ettercap-0.8.1-ignored-dn_expand-error.patch b/ettercap-0.8.1-ignored-dn_expand-error.patch
new file mode 100644
index 0000000..6a18f5e
--- /dev/null
+++ b/ettercap-0.8.1-ignored-dn_expand-error.patch
@@ -0,0 +1,23 @@
+From cb7b2028dc03c628aa0a1a5130ca41421ddebcb2 Mon Sep 17 00:00:00 2001
+From: NickSampanis <nicksampanis at gmail.com>
+Date: Fri, 17 Oct 2014 17:47:28 +0300
+Subject: [PATCH] Fix ignored dn_expand error
+
+---
+ plug-ins/mdns_spoof/mdns_spoof.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/mdns_spoof/mdns_spoof.c b/plug-ins/mdns_spoof/mdns_spoof.c
+index a9cd968..190fb68 100644
+--- a/plug-ins/mdns_spoof/mdns_spoof.c
++++ b/plug-ins/mdns_spoof/mdns_spoof.c
+@@ -309,7 +309,8 @@ static int parse_line (const char *str, int line, int *type_p, char **ip_p, u_in
+ for (x = 0; x < mdns->questions; x++) {
+
+ name_len = dn_expand((u_char*)mdns, end, q, name, sizeof(name));
+-
++ if (name_len == -1)
++ return;
+ q = data + name_len;
+
+ if (q >= end || name_len == 0)
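Review bot: The new check tests `name_len == -1` exactly; `dn_expand` reports failure with -1 today, but `name_len < 0` is the safer form and keeps the following `q = data + name_len` well-defined for any negative result. The hunk header names `parse_line`, yet the bare `return;` shows the enclosing function is void, so the function actually being patched starts outside the hunk; a one-line comment above the test, `/* malformed or truncated name: drop the whole packet */`, would record that the packet is silently discarded rather than logged. Whether `mdns->questions` is itself bounded against the packet length is not visible here.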
diff --git a/ettercap-0.8.1-radius-stack-overflow.patch b/ettercap-0.8.1-radius-stack-overflow.patch
new file mode 100644
index 0000000..fd5702e
--- /dev/null
+++ b/ettercap-0.8.1-radius-stack-overflow.patch
@@ -0,0 +1,22 @@
+From c2a3c99af956146570d7883e4b540b9d0c0a3c46 Mon Sep 17 00:00:00 2001
+From: NickSampanis <nicksampanis at gmail.com>
+Date: Fri, 17 Oct 2014 20:50:46 +0300
+Subject: [PATCH] Fix radius stack overflow
+
+---
+ src/dissectors/ec_radius.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dissectors/ec_radius.c b/src/dissectors/ec_radius.c
+index 3b98652..3f673e3 100644
+--- a/src/dissectors/ec_radius.c
++++ b/src/dissectors/ec_radius.c
+@@ -203,7 +203,7 @@ static u_char * radius_get_attribute(u_int8 attr, u_int16 *attr_len, u_char *beg
+ while (begin < end) {
+
+ /* get the len of the attribute and subtract the header len */
+- *attr_len = *(begin + 1) - 2;
++ *attr_len = (u_char)*(begin + 1) - 2;
+
+ /* we have found our attribute */
+ if (*begin == attr) {
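Review bot: The `(u_char)` cast is a no-op as far as the hunk header shows, since `begin` is already a `u_char *`, so `*(begin + 1) - 2` still promotes to `int` and a length byte of 0 or 1 yields -2 or -1, which stored through `u_int16 *attr_len` becomes 65534 or 65535 — the oversized-length case the patch title describes is therefore not closed by this line. Check the byte before subtracting, and also that `begin + 1` lies inside the buffer: `if (begin + 1 >= end || *(begin + 1) < 2) return NULL;` ahead of the assignment, then `*attr_len = *(begin + 1) - 2;`, assuming NULL is the not-found result the callers already handle (the rest of radius_get_attribute is outside the hunk). A length byte that is meant to include the 2-byte header is malformed below 2 by definition, so rejecting it is preferable to clamping.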
diff --git a/ettercap.spec b/ettercap.spec
index d06efa3..2cc484d 100644
--- a/ettercap.spec
+++ b/ettercap.spec
@@ -1,7 +1,7 @@
%define _hardened_build 1
Name: ettercap
Version: 0.8.1
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Network traffic sniffer/analyser, NCURSES interface version
Group: Applications/Internet
License: GPLv2+
@@ -20,6 +20,13 @@ Source3: ettercap_easter_egg_license.txt
#Patch9: ettercap-0.7.4-CVE-2010-3843.patch
#Patch10: ettercap-0.7.5-dhcp-spoof.patch
#Patch11: ettercap-0.7.5.1-CVE-2013-0722.patch
+Patch12: ettercap-0.8.1-arbitrary-length.patch
+Patch13: ettercap-0.8.1-ignored-dn_expand-error.patch
+Patch14: ettercap-0.8.1-gg-dissector-arbitrary-length-heap-overflow.patch
+Patch15: ettercap-0.8.1-radius-stack-overflow.patch
+Patch16: ettercap-0.8.1-cvs-ignore-end-checking.patch
+Patch17: ettercap-0.8.1-cvs-signed-pointer.patch
+Patch18: ettercap-0.8.1-cvs-ignore-base64-error-value.patch
BuildRoot: %{_tmppath}/%{name}-NG-%{version}-%{release}-root%(%{__id_u} -n)
@@ -74,6 +81,13 @@ analysis.
#%patch9 -p0
#%patch10 -p0
#%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
rm -rf bundled_deps
@@ -143,6 +157,9 @@ rm -rf %{buildroot}
%{_datadir}/appdata/ettercap.appdata.xml
%changelog
+* Tue Dec 16 2014 Jon Ciesla <limburgher at gmail.com> - 0.8.1-2
+- Patches for multiple CVEs
+
* Mon Nov 03 2014 Jon Ciesla <limburgher at gmail.com> - 0.8.1-1
- 0.8.1.