Bugzilla – Bug 62183
VUL-0: CVE-2004-0507: ethereal: missed patches for security problems in ethereal
Last modified: 2021-09-26 10:33:11 UTC
Looks like we missed some security updates for ethereal: http://www.ethereal.com/appnotes/enpa-sa-00014.html CAN-2004-0504 CAN-2004-0505 CAN-2004-0506 CAN-2004-0507 The last one is a buffer overflow, possibly allowing code execution.
I looking in others distributions and all make version update from ethereal-0.10.3 to ethereal-0.10.4. I try find problematic code in CVS, but it will take a lot of time, because the changes doesn't describe any security problem ;( and it is hard to detect what is normal bug, new feature or security bug. Can I make version update for old distributions (in all we have ethereal-0.10.3) ?
We'd need to ask the project managers. 94000 lines of diff between the versions is quite large so this is not just a bugfix release. Those dissectors are all in separate files right? Maybe it's possible to upgrade only the affected files. Does the cvs log on them help (or cvsps)?
We did version upgrades for ethereal in former updates too apparently, even for SLES 8. ethereal is a leafpackage, so it is mostly harmless to do so. I think we can do the same here.
Fedora upgraded "affected files" (patch has 6844 lines), but is hard to say (and cvs log doesn't help much) if all affected files was included.
Hi Petr, do you have news for this issue?
Sorry, I haven't seen any decision of project managers and mail from kukuk you read.
ok, thought there were some communication in the background...
as you read in the email... the gods have spoken.
;), yes I trying prepare patch...
Ralf Flaxa wrote: On Thu, Nov 18, 2004 at 01:04:48PM +0100, Thomas Biege wrote: > > > > > > > > I see possible problems with updates if we make a version update, > > > > ethereal has a long list of requirements... > > Is this an official decission or will we get any feedback from the > project managers too? Nobody did object, so this is the decision. Rationale: Rule 1: We do not do any version updates during maintenance Rule 2: We may do exceptions if backporting is impossible or an unreasonable effort Rule 3: We will definitely NOT do a version update if this will likely cause additional dependency trouble in the future So Rule 3 hits here. Feel free to apply these rules in similar cases. Ralf
I fixed and submited ethereal for following affected distributions: sles8, 8.2, 9.0, 9.1 .
Thank you. I'll submit the patchinfo files ASAP.
Petr, sles9 is not affected?
Sles9 is affected too (9.1 and sles9 used same sources).
ok! submitted patchinfo files: /work/src/done/PATCHINFO/patchinfo-box.ethereal /work/src/done/PATCHINFO/patchinfo.ethereal
If 9.2 is not affected why is it listed in the patchinfo file?
my mistake. it's removed now.
packages were approved
CVE-2004-0507: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)