Your message dated Sat, 30 Nov 2013 21:20:11 +0000 with message-id <[email protected]> and subject line Bug#712648: fixed in dsniff 2.4b1+debian-22.1 has caused the Debian Bug report #712648, regarding dsniff: tds decoder uses uninitialized pointer, crashes to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
712648: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712648
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dsniff
Version: 2.4b1+debian-22
Severity: grave
Tags: security

The fix for #609988 was not implemented correctly:

,----[ decode_tds.c ]
| int
| decode_tds(u_char *buf, int len, u_char *obuf, int olen)
| {
| 	struct tds_hdr *th;
| 	struct tds_login *tl;
| 	struct tds7_login *t7l, *myt7l;
| 	u_char *user, *pass, *serv;
| 	u_short userlen, passlen, servlen;
| 
| 	obuf[0] = '\0';
| 
| 	if (th->size != 8) {
| 		/* wrong header length */
| 		return (strlen(obuf));
| 	}
| 
| 	for (th = (struct tds_hdr *)buf;
| 	     len > sizeof(*th) && len >= ntohs(th->size);
| 	     buf += ntohs(th->size), len -= ntohs(th->size)) {
| 
| 		if (th->type == 2) {
| 			/* Version 4.x, 5.0 */
`----

th is not initialized outside the "for" loop, so uninitialized or unmapped memory is accessed. This leads to segmentation faults which make the program unusable.

This is in part my fault: I only provided a description of where to put the four lines, instead of a real patch. Since I was already using a locally patched dsniff package, I never verified if the problem had been properly fixed.

This time, I have attached a real patch.

Cheers,
-Hilko

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dsniff depends on:
ii  libc6         2.13-38
ii  libdb5.1      5.1.29-5
ii  libice6       2:1.0.8-2
ii  libnet1       1.1.4-2.1
ii  libnids1.21   1.23-2
ii  libpcap0.8    1.3.0-1
ii  libsm6        2:1.2.1-2
ii  libssl1.0.0   1.0.1e-2
ii  libx11-6      2:1.5.0-1
ii  libxmu6       2:1.1.1-1
ii  openssl       1.0.1e-2

dsniff recommends no packages.

dsniff suggests no packages.

-- no debconf information

--- decode_tds.c.orig 2013-06-18 10:35:34.000000000 +0200
+++ decode_tds.c 2013-06-18 10:37:41.000000000 +0200
@@ -140,15 +140,15 @@ obuf[0] = '\0'; - if (th->size != 8) { - /* wrong header length */ - return (strlen(obuf)); - } - for (th = (struct tds_hdr *)buf; len > sizeof(*th) && len >= ntohs(th->size); buf += ntohs(th->size), len -= ntohs(th->size)) { + if (th->size != 8) { + /* wrong header length */ + break; + } + if (th->type == 2) { /* Version 4.x, 5.0 */ if (len < sizeof(*th) + sizeof(*tl))
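Review bot: the check moved into the loop body compares th->size with 8 in raw wire byte order, while the loop header immediately above it reads the same field through ntohs(); on a little-endian host a wire length of 8 is seen as 0x0800, so the two reads disagree and the comment "wrong header length" does not describe what is actually tested. Because size is also the stride for the whole packet (buf += ntohs(th->size)), breaking out whenever it is not exactly one value (8, or 0x0800 on the wire) ends the walk before the login packets the `th->type == 2` branch is looking for. If the intent is to reject lengths that cannot advance the loop, compare the converted value against the header size, e.g. `if (ntohs(th->size) < sizeof(*th)) break;`, and reword the comment accordingly. Placing the test after `th = (struct tds_hdr *)buf` does remove the uninitialized read the report describes.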
--- End Message ---
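The report above is about reading a header field through a pointer that has not been assigned yet. As an added example that is not dsniff's code and not part of either message in this thread, the following stand-alone C program walks a buffer of TDS packets the way the decoder's loop does, but copies the header out of the buffer before any field is read, converts the length field with ntohs() on every use, and stops on a length that could not advance the loop or that overruns the buffer. Only the type and size fields and the network byte order of size come from the excerpt in the report; the rest of the header layout, the tds_walk_result struct, and the sample packets are assumptions constructed for this example.

```c
/* Added example, not dsniff's code: a bounds-checked walk over a buffer of
 * TDS packets. Only the type and size fields come from the bug report; the
 * rest of the header layout and the sample packets are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

struct tds_hdr {
    uint8_t  type;     /* 2 = TDS 4.x/5.0 login in the decoder discussed above */
    uint8_t  last;
    uint16_t size;     /* whole packet length incl. header, network byte order */
    uint16_t channel;
    uint8_t  pktnum;
    uint8_t  window;
};
_Static_assert(sizeof(struct tds_hdr) == 8, "TDS header is 8 bytes on the wire");

struct tds_walk_result {
    int packets;       /* packets whose length was consistent with the buffer */
    int login_packets; /* of those, packets with type == 2 */
    int stopped_early; /* 1 if a malformed length field ended the walk */
};

/* Walk len bytes at buf. The header is copied out of buf before any field is
 * read (nothing is dereferenced before it is set), and the length field is
 * converted with ntohs() every time it is consulted. */
struct tds_walk_result tds_walk(const unsigned char *buf, size_t len)
{
    struct tds_walk_result r = {0, 0, 0};
    struct tds_hdr th;

    while (len >= sizeof(th)) {
        size_t size;

        memcpy(&th, buf, sizeof(th));   /* no alignment assumption on buf */
        size = ntohs(th.size);

        /* A length below the header size gives a zero or under-sized stride
         * (the loop would spin or re-read the same bytes); a length beyond
         * what remains would let payload reads run past the buffer. */
        if (size < sizeof(th) || size > len) {
            r.stopped_early = 1;
            break;
        }
        r.packets++;
        if (th.type == 2)
            r.login_packets++;
        buf += size;
        len -= size;
    }
    return r;
}

/* Constructed sample: a 16-byte login packet (type 2) followed by an
 * 8-byte header-only packet (type 4). Lengths are big-endian on the wire. */
static const unsigned char sample_ok[] = {
    0x02, 0x01, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00,  /* type 2, size 16 */
    'l',  'o',  'g',  'i',  'n',  '.',  '.',  '.',   /* 8 payload bytes */
    0x04, 0x01, 0x00, 0x08, 0x00, 0x00, 0x02, 0x00,  /* type 4, size 8  */
};

/* Constructed sample: a length field of 0, which could never advance. */
static const unsigned char sample_zero_len[] = {
    0x02, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
};

/* Constructed sample: a length of 64 with only the 8 header bytes present. */
static const unsigned char sample_overlong[] = {
    0x02, 0x01, 0x00, 0x40, 0x00, 0x00, 0x01, 0x00,
};

int main(void)
{
    struct tds_walk_result r;

    r = tds_walk(sample_ok, sizeof sample_ok);
    printf("ok:       packets=%d login=%d stopped=%d\n", r.packets, r.login_packets, r.stopped_early);
    r = tds_walk(sample_zero_len, sizeof sample_zero_len);
    printf("zero_len: packets=%d login=%d stopped=%d\n", r.packets, r.login_packets, r.stopped_early);
    r = tds_walk(sample_overlong, sizeof sample_overlong);
    printf("overlong: packets=%d login=%d stopped=%d\n", r.packets, r.login_packets, r.stopped_early);
    return 0;
}
```

The length test here replaces the `th->size != 8` comparison in the attached patch with a condition on the converted value: a packet shorter than its own header cannot move the cursor forward, and one longer than the remaining bytes cannot be read in full, so both end the walk instead of being dereferenced. A real decoder would go on to parse the login payload per packet type once the length has passed this check.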
--- Begin Message ---
Source: dsniff
Source-Version: 2.4b1+debian-22.1

We believe that the bug you reported is fixed in the latest version of dsniff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Shadura <[email protected]> (supplier of updated dsniff package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 30 Nov 2013 21:29:23 +0100
Source: dsniff
Binary: dsniff
Architecture: source i386
Version: 2.4b1+debian-22.1
Distribution: unstable
Urgency: low
Maintainer: William Vera <[email protected]>
Changed-By: Andrew Shadura <[email protected]>
Description: 
 dsniff     - Various tools to sniff network traffic for cleartext insecurities
Closes: 712648
Changes: 
 dsniff (2.4b1+debian-22.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix TDS decoder patch (Closes: #712648).
Checksums-Sha1: 
 5545555e312242022a643316bfd2fb4a54e3e4d4 1839 dsniff_2.4b1+debian-22.1.dsc
 1d4dfd12de5423a02396e716bd105f8b2ef92ce2 29657 dsniff_2.4b1+debian-22.1.debian.tar.gz
 6bf900cc83eb642a861bf747a8e666f6db84d9f9 93654 dsniff_2.4b1+debian-22.1_i386.deb
Checksums-Sha256: 
 05c595fd3b3c38de14e1428acedd34f29241865a7ecf7178d7dfda25107d83ff 1839 dsniff_2.4b1+debian-22.1.dsc
 28ddb8514c6a7a17f51f428b6fada299baf5a3efa153f77f081ac6c1e6466633 29657 dsniff_2.4b1+debian-22.1.debian.tar.gz
 f18c5525128e571b58ab3242f3413ff311b934d7a5492579cddd2ae00cea5220 93654 dsniff_2.4b1+debian-22.1_i386.deb
Files: 
 afb303a07c9a348145f29242f5033fca 1839 net extra dsniff_2.4b1+debian-22.1.dsc
 e80551b70dc3976d4cdddd3319cca9eb 29657 net extra dsniff_2.4b1+debian-22.1.debian.tar.gz
 3f3a26c47586848e961443fcf076911d 93654 net extra dsniff_2.4b1+debian-22.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAEBCAAGBQJSmkyYAAoJEG6k0jEaLSaNjjQP/iXenJTo8ia2XVhtrZQhS5ju
CUUgrp/jRO7qauc6qS3VSfv1CBR0zERN+r/18RnbQXm3kj1DMktNVCHUlfLTqs08
jppYMib8KzWWCjoNbHviyowUJGGmMeC/9NnJeV/xmEJ4uB6CBiVK3HQJCK2Z+V1f
05B7tG007ZQRPXrPp3BaUF9MDUHjQZq3vZo74BeYpVdBasaIlF9ESBp9dj9A2k3c
ZN4BOxq0EInQEOufRp8ggavb+LZDcE9CdjwmkXuuWZv2+hV/kXkZQ+epFkTl8VAk
HUgv+xkU+mb07JRBQeJELq7HvlzE675ji9V/G+vzBWopmAeROfa8WLUXKcMiyVCy
qtrCEpEjvSlB/2TegwgaXwHwTGX7qmfYB0ove+7oU65Pxn8vRpBMcX7l0Cj3zi72
rSptOcypTcU9XgTkb3DrpAPPujE9DI0af0KH0MJcouGY8ttKOMJ+164G55emRZs8
DZ5vTqBjHyVtCJCyejQRiTEbwaYTxKuNr9msps4pb0Aq4kCAe956fcr2/BNSHBT/
HOIu5Lyos8Vds6bgCbxHnwEAHPOWRIpfGBkmEtC1IddxI2umfoSiefsE8Q6Vulct
Pm7iWgzOrPIAi2dYPEEP0srKPW4JtswGrq4yz4liEjiLHJTDi/OtGQAr5q5d0gwO
M+CDSeybwsHS6sIua9a/
=uWLN
-----END PGP SIGNATURE-----
--- End Message ---

