Ethereal, an open-source network protocol analyzer, has been reported to be vulnerable to 13 buffer overflow conditions in multiple protocol parser functions. Version 0.10.3 is reportedly fixed and no longer vulnerable. It appears that only 9 of these vulnerabilities affect version 0.9.16.

------- Additional Comments From jpdalbec 2004-03-31 11:41:48 ----

RHL 9 update is at http://rhn.redhat.com/errata/RHSA-2004-137.html

------- Additional Comments From jpdalbec 2004-04-02 11:29:28 ----

Updated packages for ethereal are available from http://www.fedoralegacy.org/contrib/ethereal/ :

ethereal-0.10.3-0.7x.1.legacy.i386.rpm
ethereal-0.10.3-0.7x.1.legacy.src.rpm
ethereal-0.10.3-0.80.1.i386.rpm
ethereal-0.10.3-0.80.1.src.rpm
ethereal-gnome-0.10.3-0.7x.1.legacy.i386.rpm
ethereal-gnome-0.10.3-0.80.1.i386.rpm

I have tested these under 7.2 (mach chroot), 7.3, and 8.0. The packages are all based on the RHL 9 package.

------- Additional Comments From jpdalbec 2004-05-17 02:40:24 ----

04.19.29 CVE: Not Available
Platform: Cross Platform
Title: Ethereal Protocol Analyzer Vulnerabilities
Description: Ethereal developers have released an update to fix a number of vulnerabilities in the protocol analysis component. Problems have been fixed in the SIP, AIM, SPNEGO and MMSE protocol dissectors. Ethereal version 0.10.4 fixes the known problems.
Ref: http://www.ethereal.com/appnotes/enpa-sa-00014.html

------- Additional Comments From jkeating 2004-05-18 18:35:05 ----

To comment #2, any chance of getting you to backport the patches to the 7.2/7.3/8.0 versions of ethereal instead of all the same package? What are the implications of upgrading ethereal rather than backporting it?

I'm confused by comment #3, is this issue NOT fixed by the packages in comment #2?

------- Additional Comments From jpdalbec 2004-05-19 02:30:51 ----

Red Hat didn't seem too concerned about upgrading ethereal rather than backporting fixes for it for Red Hat Linux 9. Comment #3 is not fixed by the existing packages. I'll try building new ones when I finish XFree86. I'll upgrade again since 0.10.4 seems to be mainly a bugfix release. I notice that one of the vulnerabilities in comment #3 (SPNEGO) affects 0.9.16 so new packages would be needed even if I had gone to the trouble of backporting fixes.

------- Additional Comments From marcdeslauriers 2004-06-04 18:40:15 ----

Here are updated packages for 7.3 and 9. I used the same approach as RH, upgrading to 0.10.3 and using a 0.10.4 security backport.

7.3:
ethereal-0.10.3-0.73.1.legacy.i386.rpm
ethereal-0.10.3-0.73.1.legacy.src.rpm
ethereal-gnome-0.10.3-0.73.1.legacy.i386.rpm

9:
ethereal-0.10.3-0.90.2.legacy.i386.rpm
ethereal-0.10.3-0.90.2.legacy.src.rpm
ethereal-gnome-0.10.3-0.90.2.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/ethereal-0.10.3-0.73.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/ethereal-0.10.3-0.73.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/ethereal-gnome-0.10.3-0.73.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ethereal-0.10.3-0.90.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ethereal-0.10.3-0.90.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ethereal-gnome-0.10.3-0.90.2.legacy.i386.rpm

------- Additional Comments From jonny.strom 2004-06-05 22:42:16 ----

I did a QA on the RH 9 packages.

SHA1 is ok.
Installs ok.
Spec file looks ok.

I did a functionality test and ethereal works as expected on RH9.

I vote for publish.

------- Additional Comments From michal 2004-06-06 14:47:47 ----

Created an attachment (id=716)
A security update from ethereal-0.10.3-0.1.1 update to FC1

Recently a massive security update for ethereal showed up in FC1. A patch from there applies without any changes to 0.10.3-0.7x.1 sources.
Most likely the same will be true for RH9 as well but somebody has to check

------- Additional Comments From michal 2004-06-06 14:50:47 ----

Created an attachment (id=717)
changes to ethereal specs to incorporate ethereal-0.10.3-security.patch

With these changes updated ethereal compiles, installs and even runs on RH7.3 installation

------- Additional Comments From marcdeslauriers 2004-06-06 14:57:51 ----

Umm...the ethereal packages in comment 6 already contain that patch.

------- Additional Comments From jpdalbec 2004-06-07 02:25:24 ----

RH9 package is missing
Buildrequires: elfutils-devel
When building for RH8 this must be changed to
Buildrequires: libelf-devel

------- Additional Comments From jpdalbec 2004-06-07 10:24:09 ----

New RH 8.0/9 packages are available from http://www.fedoralegacy.org/contrib/ethereal/ :

ethereal-0.10.3-0.80.3.legacy.i386.rpm
ethereal-0.10.3-0.80.3.legacy.src.rpm
ethereal-0.10.3-0.90.3.legacy.i386.rpm
ethereal-0.10.3-0.90.3.legacy.src.rpm
ethereal-gnome-0.10.3-0.80.3.legacy.i386.rpm
ethereal-gnome-0.10.3-0.90.3.legacy.i386.rpm

These include the missing elfutils(9)/libelf(8.0)-devel BuildRequires:.

I installed the RH9 packages on a VMware box. They captured their own TCP traffic with no problems.

I installed the RH8 packages on a box in our test lab. They captured somewhat more traffic - UDP, ARP, NetBIOS, etc.

------- Additional Comments From jkeating 2004-06-10 18:06:52 ----

Pushed to updates-testing.
http://download.fedoralegacy.org/redhat/

7.3/updates-testing/SRPMS/ethereal-0.10.3-0.73.2.legacy.src.rpm
7.3/updates-testing/i386/ethereal-0.10.3-0.73.2.legacy.i386.rpm
7.3/updates-testing/i386/ethereal-gnome-0.10.3-0.73.2.legacy.i386.rpm
9/updates-testing/SRPMS/ethereal-0.10.3-0.90.3.legacy.src.rpm
9/updates-testing/i386/ethereal-0.10.3-0.90.3.legacy.i386.rpm
9/updates-testing/i386/ethereal-gnome-0.10.3-0.90.3.legacy.i386.rpm

------- Additional Comments From marcdeslauriers 2004-09-08 11:05:45 ----

This bug has been superseded by bug 1840

------- Bug moved to this database by dkl 2005-03-30 18:24 -------

This bug previously known as bug 1419 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1419
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
A security update from ethereal-0.10.3-0.1.1 update to FC1
https://bugzilla.fedora.us/attachment.cgi?action=view&id=716
changes to ethereal specs to incorporate ethereal-0.10.3-security.patch
https://bugzilla.fedora.us/attachment.cgi?action=view&id=717

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.