ettercap: CVE-2017-8366

Debian Bug report logs - #861604
ettercap: CVE-2017-8366

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: ettercap: CVE-2017-8366

Date: Mon, 01 May 2017 13:18:46 +0200

Source: ettercap
Version: 1:0.8.2-1
Severity: important
Tags: upstream security
Forwarded: https://github.com/Ettercap/ettercap/issues/792

Hi,

the following vulnerability was published for ettercap.

CVE-2017-8366[0]:
| The strescape function in ec_strings.c in Ettercap 0.8.2 allows remote
| attackers to cause a denial of service (heap-based buffer overflow and
| application crash) or possibly have unspecified other impact via a
| crafted filter that is mishandled by etterfilter.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8366
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8366
[1] https://github.com/Ettercap/ettercap/issues/792

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 861604-close@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <locutusofborg@debian.org>

To: 861604-close@bugs.debian.org

Subject: Bug#861604: fixed in ettercap 1:0.8.2-5

Date: Sun, 04 Jun 2017 07:48:36 +0000

Source: ettercap
Source-Version: 1:0.8.2-5

We believe that the bug you reported is fixed in the latest version of
ettercap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861604@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gianfranco Costamagna <locutusofborg@debian.org> (supplier of updated ettercap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 04 Jun 2017 09:24:59 +0200
Source: ettercap
Binary: ettercap-common ettercap-text-only ettercap-graphical ettercap-dbg
Architecture: source
Version: 1:0.8.2-5
Distribution: unstable
Urgency: high
Maintainer: Barak A. Pearlmutter <bap@debian.org>
Changed-By: Gianfranco Costamagna <locutusofborg@debian.org>
Description:
 ettercap-common - Multipurpose sniffer/interceptor/logger for switched LAN
 ettercap-dbg - Debug symbols for Ettercap
 ettercap-graphical - Ettercap GUI-enabled executable
 ettercap-text-only - Ettercap console-mode executable
Closes: 861604
Changes:
 ettercap (1:0.8.2-5) unstable; urgency=high
 .
   [ Alexander Koeppe ]
   * debian/patches/803.patch: Fix buffer overflow/underflow
     with bad filters (Closes: #861604).
     CVE-2017-8366
Checksums-Sha1:
 167983d0b7f15afe5b74e280617591a3828d4a6f 2402 ettercap_0.8.2-5.dsc
 7e7f395dfbd9f9994c205212f9e3d26a24bf8536 16360 ettercap_0.8.2-5.debian.tar.xz
Checksums-Sha256:
 7a9c2d64167323b58472d4ae4cfe0e9e8212def4c594d3e49d7e1ee70df7eb1c 2402 ettercap_0.8.2-5.dsc
 a24ea720436d93ac3c0d2ed6a0f4dfb97e046c2c25feeb8d842e0ffaf603102b 16360 ettercap_0.8.2-5.debian.tar.xz
Files:
 5e4ba8857582a62a5dda99c1867787ad 2402 net optional ettercap_0.8.2-5.dsc
 fab8273b3fc3551df033f6c2cbfa2df4 16360 net optional ettercap_0.8.2-5.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZM7ZTAAoJEPNPCXROn13ZFv0QAK6iYOHROWA8eqTf+CSBqhvZ
jy0xDWAhzQAN4u6+UPVHZjvgMXhaTUNeSiJgatG+/1hp7Q/A24RTH4cTsFmfUJA6
T8cVJ1Z4w51HyOGaNLKiqXGju3ayvs4l7am8cVckiefyUw9yy2gcIQpBlugOnhpO
wV4kWWaZ661xVZ9rphlSNDrjQv287m41RtE63z3sUWiXUUeHZ93u3VRPrvW6sIbO
FgB4H983AegNpkTNoIrdGvs+fBhHUTvGPgEOEmIvJx752uh4PJoSitrjlvfClF4s
an1fb3VQGewAAKr9BQQykDmB5W18cEyn68VPih6lW1Q6NPjOALiI9YpxgqTHJ1G1
e7zroXCdBzuxoygAd36rK5UNlGGppaufrwTSjtfg7UR/aydpSPGyki4Z7lVgyMzl
WzdyOpkJ7cW8LmWda3EGNdwng73jyK6av7zPubJcYn2S30M3V2sdcfncl52l3pud
1bfqKgYIYS+E9kbLbCAzTy/NHZtOIkJW06+0lTMaXLS37Na2VttlH0U20CMknJpQ
/iPc9hC9HglS8jOZJrWQUq+ifIU0NViyK1HKKUY25+RqIUCRJ97zHkTyPB3znODr
gr837F0nWk0Ndv1nhnWY70/itHk+i5DYJksxmcGJi6wutrVYJDqPif/HWiOiCeiJ
3rgBw3gdokQY8fe0WpFX
=LUc3
-----END PGP SIGNATURE-----

Message #15 received at 861604-close@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <locutusofborg@debian.org>

To: 861604-close@bugs.debian.org

Subject: Bug#861604: fixed in ettercap 1:0.8.1-3+deb8u1

Date: Sun, 11 Jun 2017 21:02:09 +0000

Source: ettercap
Source-Version: 1:0.8.1-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
ettercap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861604@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gianfranco Costamagna <locutusofborg@debian.org> (supplier of updated ettercap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu,  8 Jun 2017 12:54:40 CEST
Source: ettercap
Binary: ettercap-common ettercap-text-only ettercap-graphical ettercap-dbg
Architecture: source amd64
Version: 1:0.8.1-3+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Barak A. Pearlmutter <bap@debian.org>
Changed-By: Gianfranco Costamagna <locutusofborg@debian.org>
Description:
 ettercap-common - Multipurpose sniffer/interceptor/logger for switched LAN
 ettercap-dbg - Debug symbols for Ettercap
 ettercap-graphical - Ettercap GUI-enabled executable
 ettercap-text-only - Ettercap console-mode executable
Closes: 857035 861604
Changes:
 ettercap (1:0.8.1-3+deb8u1) jessie-security; urgency=medium
 .
   * SECURITY UPDATE:
   * debian/patches/626dc56686f15f2dda13c48f78c2a666cb6d8506.patch:
     - upstream fix fox CVE-2017-6430 (Closes: #857035)
       (crash fix when a corrupted filter is used)
   * debian/patches/803.patch:
     - fix buffer overflow/underflow with bad filters (Closes: #861604).
       CVE-2017-8366 (Buffer overflow/underflow issue)
   - CVE-2017-6430
   - CVE-2017-8366
Checksums-Sha256: 
 d821cada796c44eb85a9d9fdfb5c653f7197c73f020e91c77735916a2a755e20 2449 ettercap_0.8.1-3+deb8u1.dsc
 85db83a36ec62e0a7ec3dc18d7514df5fd84b0b95b2c69e2e787007ef1731873 16916 ettercap_0.8.1-3+deb8u1.debian.tar.xz
 8d3cea9bc356e209246469d4022abf8aa51754fe602c3eeee5f39a8070fa2f04 566264 ettercap-common_0.8.1-3+deb8u1_amd64.deb
 b4f75c3be0d69c0666270dd5067f595045a2eccba055c2a71277e267c6c99376 51158 ettercap-text-only_0.8.1-3+deb8u1_amd64.deb
 7ae4e6bf489ebe0c6d2a88b86c275d5788124d75cbb179d80e7c51ec29f0c9a6 176418 ettercap-graphical_0.8.1-3+deb8u1_amd64.deb
 d559ec3b5603bd7ed478aa98e483d5afc8c756a83080997138fcad35590f883a 1543056 ettercap-dbg_0.8.1-3+deb8u1_amd64.deb
 a0294f4c075c4c1d84c7a12370b9b1fa110956deae00c3dab2e89b235299926a 1021449 ettercap_0.8.1.orig.tar.gz
Checksums-Sha1: 
 6d0f74b3072d58e2ba239946b8177dbc85937291 2449 ettercap_0.8.1-3+deb8u1.dsc
 6dec7dd86cf5e68fb7cdb3e8364e774870ae2125 16916 ettercap_0.8.1-3+deb8u1.debian.tar.xz
 4f11b7c214d84b51de79aea10ebb0ac50dc948d9 566264 ettercap-common_0.8.1-3+deb8u1_amd64.deb
 81f2f0d51954659b74dfc075557f6bdf176ffd7a 51158 ettercap-text-only_0.8.1-3+deb8u1_amd64.deb
 1b1ca14713cde0dd80f74964097de46d0d6ce84f 176418 ettercap-graphical_0.8.1-3+deb8u1_amd64.deb
 7d26359d83815cf1d5c793f2fea42ad4ef5a38b4 1543056 ettercap-dbg_0.8.1-3+deb8u1_amd64.deb
 1179923d94954cd6e00117c3492c4ca3991bc401 1021449 ettercap_0.8.1.orig.tar.gz
Files: 
 d91fc519613c71b8f0bae8a040262fd1 2449 net optional ettercap_0.8.1-3+deb8u1.dsc
 7a781b6839c214fe663d80673778fcec 16916 net optional ettercap_0.8.1-3+deb8u1.debian.tar.xz
 a8710a7d475d19961f9bcbf36db7345f 566264 net optional ettercap-common_0.8.1-3+deb8u1_amd64.deb
 bea3d83e3d5d02aa1eb841a783ee849a 51158 net optional ettercap-text-only_0.8.1-3+deb8u1_amd64.deb
 c6dceda0b794a93b872148b0f4f694ce 176418 net optional ettercap-graphical_0.8.1-3+deb8u1_amd64.deb
 4a5bafc1f8e00da0325bb40ee0e20bb1 1543056 debug extra ettercap-dbg_0.8.1-3+deb8u1_amd64.deb
 cdbbc13f86ba214b7068c9da6546ca95 1021449 net optional ettercap_0.8.1.orig.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJZOS0FAAoJEPNPCXROn13Z0YoQAMdJeWMGBhgzP82qlAbzs7Ou
DJre91Es2/c7vXS9Ib7PyAyyIAnHdbq0raqO5qDBKRLrOIYerU3PJuAVi8oKaPQM
E8oPooUMrHtsEfdjGOwxja8rLP+P0tHINMnN+FGqTN2tCGLzuaE0EVZUukSppezE
PQt/aAgZEcHdwpTtkAeNJJIK5bTDep1CUqxgSnO7E8ZpUz+SL1puXLMMmtaF3QK7
1L9jCPSKZhfNUDZB2boW6Vbo9Nea5HlmTqn49pRwMo0jMe/3Bh4qmk//AFs/K33J
UVFg6SODwMO3TH/nBtzEevCCrJ8Bb7dBXgs9z3uL8J8ViXwMm07Ybiuh45fKi3bj
qoLgyJyD8W1yVLwr7MlxYhGhlIFj8tgmYtx8j7JW/MK/S7MlOyDaUzvWPaJGxOpm
OKVKhOlkjIJf6ilScaNUQOY0lowrSwK/7X9wO0YeeLUiD+gaNPwi3DLtvy9+ytzP
etf+RF2EUl0/qpk8U4Qxn4MhJGCTsgkZ2EDqhqhdmIXs4KTmqfSGE5DoCCFCs0p/
Pq8wRfxO7XgQQ9n3HBQdRMwvhR720uengVykrT456LIx505aQnBKXbVK9jmwHErl
MMmuPYfaE5QXN/x4UqNmYZUrf0TH72WdVX5hgO8nMxEhcM66UIhaLOsq9hVAYHOd
uCU3zlg3+u4J0tb6nwtz
=haHK
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.