ettercap: CVE-2014-6395 CVE-2014-6396 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 CVE-2014-9379 CVE-2014-9380 CVE-2014-9381

Debian Bug report logs - #773416


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 18 Dec 2014 07:15:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version ettercap/1:0.7.3-2

Fixed in versions ettercap/1:0.7.3-2.1+squeeze2, ettercap/1:0.8.1-3

Done: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Thu, 18 Dec 2014 07:15:07 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Barak A. Pearlmutter <bap@debian.org>. (Thu, 18 Dec 2014 07:15:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ettercap: CVE-2014-6395 CVE-2014-6396 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 CVE-2014-9379 CVE-2014-9380 CVE-2014-9381
Date: Thu, 18 Dec 2014 08:08:11 +0100
Package: ettercap
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see
https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/
for details and patches.

Cheers,
        Moritz



Reply sent to bap@debian.org (Barak A. Pearlmutter):
You have taken responsibility. (Thu, 18 Dec 2014 10:09:22 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 18 Dec 2014 10:09:22 GMT) (full text, mbox, link).


Message #10 received at 773416-close@bugs.debian.org (full text, mbox, reply):

From: bap@debian.org (Barak A. Pearlmutter)
To: 773416-close@bugs.debian.org
Subject: Bug#773416: fixed in ettercap 1:0.8.1-3
Date: Thu, 18 Dec 2014 10:03:59 +0000
Source: ettercap
Source-Version: 1:0.8.1-3

We believe that the bug you reported is fixed in the latest version of
ettercap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773416@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Barak A. Pearlmutter <bap@debian.org> (supplier of updated ettercap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 18 Dec 2014 09:07:40 +0000
Source: ettercap
Binary: ettercap-common ettercap-text-only ettercap-graphical ettercap-dbg
Architecture: source amd64
Version: 1:0.8.1-3
Distribution: unstable
Urgency: high
Maintainer: Barak A. Pearlmutter <bap@debian.org>
Changed-By: Barak A. Pearlmutter <bap@debian.org>
Description:
 ettercap-common - Multipurpose sniffer/interceptor/logger for switched LAN
 ettercap-dbg - Debug symbols for Ettercap
 ettercap-graphical - Ettercap GUI-enabled executable
 ettercap-text-only - Ettercap console-mode executable
Closes: 773416
Changes:
 ettercap (1:0.8.1-3) unstable; urgency=high
 .
   * Patch a bunch of security vulnerabilities (closes: #773416)
     - CVE-2014-6395 (Length Parameter Inconsistency)
     - CVE-2014-6396 (Arbitrary write)
     - CVE-2014-9376 (Negative index/underflow)
     - CVE-2014-9377 (Heap overflow)
     - CVE-2014-9378 (Unchecked return value)
     - CVE-2014-9379 (Incorrect cast)
     - CVE-2014-9380 (Buffer over-read)
     - CVE-2014-9381 (Signedness error)
     See: https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/
     Patches taken from repo CVE-patch, URL git://github.com/NickSampanis/ettercap.git
     - 88804bd3a900d273215855f7c567ec891d31e547 CVE-patch/589
     - 103f16582ee88341a6a610378011781cdc866b0c CVE-patch/602
     - 3f0c582826095c722ab6fbf91518282a765a0b68 CVE-patch/603
     - cb7b2028dc03c628aa0a1a5130ca41421ddebcb2 CVE-patch/604
     - edd337d5d4f37ab8e330c5e067344dd5b3f10435 CVE-patch/605
     - 37dcfdf79e1ac6dcacd565894cd7717aa0224164 CVE-patch/606
     - c2a3c99af956146570d7883e4b540b9d0c0a3c46 CVE-patch/607
     - 6b196e011fa456499ed4650a360961a2f1323818 CVE-patch/608
     - afe7061948e85f0a0fd417d5e4c681bfaf212f42 CVE-patch/609
     - 9e9fdc7ed1ee8eba01a5a05e000b6c55d2a70923 CVE-patch/610
     Thanks to Nick Sampanis <n.sampanis@obrela.com> who is responsible for
     both finding and repairing these issues.




Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Mon, 22 Dec 2014 09:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Mon, 22 Dec 2014 09:45:04 GMT) (full text, mbox, link).


Message #15 received at 773416@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: "Barak A. Pearlmutter" <bap@debian.org>
Cc: 773416@bugs.debian.org
Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
Date: Mon, 22 Dec 2014 10:41:02 +0100
Hello Barak,

On Thu, 18 Dec 2014, Barak A. Pearlmutter wrote:
>  ettercap (1:0.8.1-3) unstable; urgency=high
>  .
>    * Patch a bunch of security vulnerabilities (closes: #773416)

Thanks for the prompt reaction. ettercap is also in Squeeze
and thus covered by our LTS initiative.

Do you feel like providing a fixed package for Squeeze?

If yes, please have a look at http://wiki.debian.org/LTS/Development
but note that if you provide the fixed package and send a mail
to debian-lts@lists.debian.org, someone will gladly do the administrative
part of the work for you.

Thanks!
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Mon, 22 Dec 2014 10:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Mon, 22 Dec 2014 10:27:05 GMT) (full text, mbox, link).


Message #20 received at 773416@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: Raphael Hertzog <hertzog@debian.org>, "Barak A. Pearlmutter" <bap@debian.org>, "773416@bugs.debian.org" <773416@bugs.debian.org>
Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
Date: Mon, 22 Dec 2014 10:22:56 +0000 (UTC)
Hi dear Raphael,

fortunately oldstable is almost unaffected by this kind of CVEs, because almost all of them
refer to code written after the squeeze release, anyway here we go, this should be the only
patch useful for squeeze folks


--- ettercap-0.7.3.orig/src/dissectors/ec_cvs.c
+++ ettercap-0.7.3/src/dissectors/ec_cvs.c
@@ -70,7 +70,7 @@
{
DECLARE_DISP_PTR_END(ptr, end);
char tmp[MAX_ASCII_ADDR_LEN];
-   char *p;
+   u_char *p;
size_t i;

/* don't complain about unused var */
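
Review bot: the "char *p" to "u_char *p" change in this hunk is not explained anywhere in the patch, and the hunk shows none of the places where p is read. Say in the patch description which use of p depended on the sign of the byte (this bug log attributes CVE-2014-9381, a signedness error, to the CVS dissector), and confirm that the remaining uses of p in ec_cvs.c still compile without pointer-sign warnings now that "char tmp[MAX_ASCII_ADDR_LEN]" stays signed and p does not.
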
@@ -92,6 +92,8 @@

/* move over the cvsroot path */
ptr += strlen(CVS_LOGIN) + 1;
+   if (ptr >= end)
+       return NULL;

/* go until \n */
while(*ptr != '\n' && ptr != end) ptr++;
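
Review bot: the context line "while(*ptr != '\n' && ptr != end) ptr++;" still reads *ptr before it tests ptr != end, so the new "if (ptr >= end)" guard covers the jump over CVS_LOGIN but not the scan that follows it: when no '\n' is present, the loop dereferences ptr once more when it equals end. Assuming end points one past the last captured byte, test the bound first, "while (ptr != end && *ptr != '\n') ptr++;", and prefer "ptr < end" so the loop and the new guard use the same comparison.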



cheers,

Gianfranco







Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Mon, 22 Dec 2014 11:15:14 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Mon, 22 Dec 2014 11:15:14 GMT) (full text, mbox, link).


Message #25 received at 773416@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Cc: "Barak A. Pearlmutter" <bap@debian.org>, "773416@bugs.debian.org" <773416@bugs.debian.org>
Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
Date: Mon, 22 Dec 2014 12:14:50 +0100
On Mon, 22 Dec 2014, Gianfranco Costamagna wrote:
> Hi dear Raphael,
> 
> fortunately oldstable is almost unaffected by this kind of CVEs, because almost all of them
> refer to code written after the squeeze release, anyway here we go, this should be the only
> patch useful for squeeze folks

Thanks for the info! So the only remaining CVE would be
https://security-tracker.debian.org/tracker/CVE-2014-9380 and
https://security-tracker.debian.org/tracker/CVE-2014-9381 for the CVS
dissector.

BTW, https://security-tracker.debian.org/tracker/CVE-2014-9376 mentions
also ec_dhcp.c which is present in the squeeze version. Do you confirm
that it is also unaffected?

And also https://security-tracker.debian.org/tracker/CVE-2014-9378
mentions ec_imap.c which is present in the squeeze version. Do you also
confirm that it is unaffected?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Mon, 22 Dec 2014 11:54:08 GMT) (full text, mbox, link).


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Mon, 22 Dec 2014 11:54:08 GMT) (full text, mbox, link).


Message #30 received at 773416@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: Raphael Hertzog <hertzog@debian.org>, "773416@bugs.debian.org" <773416@bugs.debian.org>
Cc: "Barak A. Pearlmutter" <bap@debian.org>
Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
Date: Mon, 22 Dec 2014 11:48:15 +0000 (UTC)
Hi Raphael,

>Thanks for the info! So the only remaining CVE would be
>https://security-tracker.debian.org/tracker/CVE-2014-9380 and
>https://security-tracker.debian.org/tracker/CVE-2014-9381 for the CVS
>dissector.


yes, I think yes.

>BTW, https://security-tracker.debian.org/tracker/CVE-2014-9376 mentions
>also ec_dhcp.c which is present in the squeeze version. Do you confirm
>that it is also unaffected?

I don't see the 
(opt = get_dhcp_option(DHCP_OPT_FQDN, options, end)) != NULL)
in the 0.7.3, so I presume the code wasn't yet implemented
(0.7.3 doesn't look for option 81 in dhcp answer)


https://github.com/Ettercap/ettercap/commit/8cda3a8cf00b9d40c50c8b3408782b43d3bea062

(introduced support on 0.7.6, May 2013)

>And also https://security-tracker.debian.org/tracker/CVE-2014-9378
>mentions ec_imap.c which is present in the squeeze version. Do you also
>confirm that it is unaffected?

it shouldn't be, since the 

"if (!strcmp(s->data, "PLAIN")) {"
method seems to be not implemented yet in 0.7.3


https://github.com/Ettercap/ettercap/commit/35289f8789e6c31644954cbdfbe1bdda101e97b3

introduced around 29 Sep 2011 and v0.7.5



HTH

cheers,

Gianfranco



Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Mon, 22 Dec 2014 15:30:10 GMT) (full text, mbox, link).


Acknowledgement sent to "Barak A. Pearlmutter" <barak@cs.nuim.ie>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Mon, 22 Dec 2014 15:30:10 GMT) (full text, mbox, link).


Message #35 received at 773416@bugs.debian.org (full text, mbox, reply):

From: "Barak A. Pearlmutter" <barak@cs.nuim.ie>
To: Raphael Hertzog <hertzog@debian.org>
Cc: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
Date: Mon, 22 Dec 2014 10:26:58 -0500
> Thanks for the prompt reaction.

My pleasure.

> ettercap is also in Squeeze and thus covered by our LTS initiative.

> Do you feel like providing a fixed package for Squeeze?

> If yes, please have a look at http://wiki.debian.org/LTS/Development
> but note that if you provide the fixed package and send a mail
> to debian-lts@lists.debian.org, someone will gladly do the administrative
> part of the work for you.

The expert here is Gianfranco Costamagna, so I'd trust his determination
as to which patches need to be back-ported.

If he wants to prepare the updates, that would be best.  My direct
involvement wouldn't, I think, add any value.

					Cheers,

					--Barak.

Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Tue, 23 Dec 2014 08:18:05 GMT) (full text, mbox, link).


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Tue, 23 Dec 2014 08:18:05 GMT) (full text, mbox, link).


Message #40 received at 773416@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: "Barak A. Pearlmutter" <barak@cs.nuim.ie>, Raphael Hertzog <hertzog@debian.org>, "773416@bugs.debian.org" <773416@bugs.debian.org>
Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
Date: Tue, 23 Dec 2014 08:15:06 +0000 (UTC)
Hi Barak and Raphael,



the patch is already above, I didn't tweak the changelog because I don't even know the best target series, and I don't know where to patch/prepare the upload.

Is that "debdiff" sufficient or not?

I can create a squeeze chroot and prepare a build, if it is enough the above let me know.

I don't even know if mentors allows squeeze as target series.

cheers,

Gianfranco



Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Tue, 23 Dec 2014 08:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Tue, 23 Dec 2014 08:21:04 GMT) (full text, mbox, link).


Message #45 received at 773416@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Cc: "Barak A. Pearlmutter" <barak@cs.nuim.ie>, "773416@bugs.debian.org" <773416@bugs.debian.org>
Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
Date: Tue, 23 Dec 2014 09:19:45 +0100
Hi Gianfranco,

On Tue, 23 Dec 2014, Gianfranco Costamagna wrote:
> the patch is already above, I didn't tweak the changelog because I don't
> even know the best target series, and I don't know where to
> patch/prepare the upload.

The target series is "squeeze-lts". You can upload the .dsc to mentors if
you want (or just send the debdiff as attachment here).

> Is that "debdiff" sufficient or not?

It was copy/pasted in email and lost spaces so it's best if you can resend
it as proper attachment.

> I can create a squeeze chroot and prepare a build, if it is enough the above let me know.

Don't worry about this, if you have source package ready it's good enough,
someone else can do the test build and upload.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Tue, 23 Dec 2014 11:15:16 GMT) (full text, mbox, link).


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Tue, 23 Dec 2014 11:15:16 GMT) (full text, mbox, link).


Message #50 received at 773416@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: Raphael Hertzog <hertzog@debian.org>, "773416@bugs.debian.org" <773416@bugs.debian.org>
Cc: "Barak A. Pearlmutter" <barak@cs.nuim.ie>
Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
Date: Tue, 23 Dec 2014 11:12:49 +0000 (UTC)
Hi Raphael,

>The target series is "squeeze-lts". You can upload the .dsc to mentors if
>you want (or just send the debdiff as attachment here).

>It was copy/pasted in email and lost spaces so it's best if you can resend
>it as proper attachment.

>Don't worry about this, if you have source package ready it's good enough,
>someone else can do the test build and upload.

No problem, I corrected the diff, did the build and uploaded on mentors.

Debdiff is also attached, for your best convenience.

cheers,

G.
[debdiff-cve (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Tue, 23 Dec 2014 11:24:05 GMT) (full text, mbox, link).


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Tue, 23 Dec 2014 11:24:05 GMT) (full text, mbox, link).


Message #55 received at 773416@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: Raphael Hertzog <hertzog@debian.org>, "773416@bugs.debian.org" <773416@bugs.debian.org>
Cc: "Barak A. Pearlmutter" <barak@cs.nuim.ie>
Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
Date: Tue, 23 Dec 2014 11:21:22 +0000 (UTC)
Mentor rejected it

"Hello,

Unfortunately your package "ettercap" was rejected because of the following
reason:

You are not uploading to one of those Debian distributions: experimental jessie jessie-backports jessie-backports-sloppy jessie-security jessie-updates oldstable oldstable-backports oldstable-backports-sloppy oldstable-proposed-updates oldstable-security sid squeeze squeeze-backports squeeze-backports-sloppy squeeze-security squeeze-updates stable stable-backports stable-proposed-updates stable-security testing-proposed-updates testing-security unreleased unstable wheezy wheezy-backports wheezy-backports-sloppy wheezy-security wheezy-updates

Please try to fix it and re-upload. Thanks,
"





So I hope you are ok with the above debdiff :)

cheers,

G.



Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Wed, 24 Dec 2014 08:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Wed, 24 Dec 2014 08:03:05 GMT) (full text, mbox, link).


Message #60 received at 773416@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Thorsten Alteholz <alteholz@debian.org>
Cc: Nguyen Cong <nguyencong.1210@gmail.com>, debian-lts@lists.debian.org, Gianfranco Costamagna <costamagnagianfranco@yahoo.it>, 773416@bugs.debian.org
Subject: Re: [DEBIAN-LTS] ettercap package
Date: Wed, 24 Dec 2014 09:01:40 +0100
Hello,

On Tue, 23 Dec 2014, Thorsten Alteholz wrote:
> On Tue, 23 Dec 2014, Nguyen Cong wrote:
> >I have created .deb file for ettercap package.
> 
> great, thanks a lot.
> 
> >Since I'm not DD or DM so I attached debdiff file for review
> >as mentioned in LTS/Development wiki page.
> >Could anyone please check it and tell me if any comments?
> 
> After a first glimpse it seems to be that this package uses quilt, but you
> directly changed the source files. Please don't change the way of the
> original maintainer to handle patches.

It looks like the upstream author made the same mistake when preparing
an upload of his own in 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#50

I propose to let Nguyen Cong take care of fixing this so that he can
learn about quilt and have some easy entry into contributing to the LTS
team. Nguyen, feel free to get some inspiration from Gianfranco's more
verbose changelog message though. :)

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Wed, 24 Dec 2014 13:00:04 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Wed, 24 Dec 2014 13:00:04 GMT) (full text, mbox, link).


Message #65 received at 773416@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>
Cc: Nguyen Cong <nguyencong.1210@gmail.com>, debian-lts@lists.debian.org, Gianfranco Costamagna <costamagnagianfranco@yahoo.it>, 773416@bugs.debian.org
Subject: Re: [DEBIAN-LTS] ettercap package
Date: Wed, 24 Dec 2014 13:56:13 +0100
On Wed, 24 Dec 2014, Nguyen Cong wrote:
> I have rebuilt the ettercap package using quilt patch.
> Could you please give me some comments.

Here they are.

> diff -u ettercap-0.7.3/debian/changelog ettercap-0.7.3/debian/changelog
> --- ettercap-0.7.3/debian/changelog
> +++ ettercap-0.7.3/debian/changelog
> @@ -1,3 +1,11 @@
> +ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * Fix CVE-2014-9380 and CVE-2014-9381 using patch file from
> +    Gianfranco Costamagna in Bug#773416 Mes#20
> +
> + -- Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>  Tue, 23 Dec 2014 09:44:32 +0700

Please have a look at the changelog of Gianfranco and acknowledge the
origin of the patch as coming from their true author.

> --- ettercap-0.7.3/debian/patches/series
> +++ ettercap-0.7.3/debian/patches/series
> @@ -3,0 +4 @@
> +04_CVE-2014-9380-9381.patch

Why is there no context shown here?

> --- ettercap-0.7.3/debian/patches/03_CVE-2013-0722.patch
> +++ ettercap-0.7.3/debian/patches/03_CVE-2013-0722.patch

Why are there changes to this patch file? You should strive to modify the
strict minimum. And AFAIK this patch doesn't have to be updated. It is
applying cleanly.

> --- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch
> +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch
> @@ -0,0 +1,30 @@
> +From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
> +Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
> +Date: Mon, 22 Dec 2014 10:22:56 +0000 (UTC)
> +
> +The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 
> +allows remote attackers to cause a denial of service (out-of-bounds 
> +read) via a packet containing only a CVS_LOGIN signature.
> +
> +See Debian Bug #773416 Message #20

FYI, we like to document new patches with meta-information
that respect this format:
http://dep.debian.net/deps/dep3/

Besides those details, it looks ok.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Thu, 25 Dec 2014 09:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Thu, 25 Dec 2014 09:39:05 GMT) (full text, mbox, link).


Message #70 received at 773416@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>, Raphael Hertzog <hertzog@debian.org>, Thorsten Alteholz <alteholz@debian.org>, Nguyen Cong <nguyencong.1210@gmail.com>, "debian-lts@lists.debian.org" <debian-lts@lists.debian.org>, "773416@bugs.debian.org" <773416@bugs.debian.org>
Subject: Re: [DEBIAN-LTS] ettercap package
Date: Thu, 25 Dec 2014 09:34:47 +0000 (UTC)
Hi *,

nope, you seem to be modifying other patches rather than the strict necessary to fix this bug.

Moreover the patch is lacking a CVE description (actually the patch is fixing two CVEs, and the
description mentions only one)

(there is also no need to mention me, I'm not the author of the patch, nor of the debdiff :) )

also the patch "subject" might be not really needed, I leave Raphael to review the rest :)


I propose something like this instead.
(note the patch might not apply at all, I manually changed it)

diff -u ettercap-0.7.3/debian/changelog ettercap-0.7.3/debian/changelog
--- ettercap-0.7.3/debian/changelog
+++ ettercap-0.7.3/debian/changelog
@@ -1,3 +1,16 @@
+ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium
+
+  * Non-maintainer upload.
+   * Patch a bunch of security vulnerabilities (closes: #773416)
+     - CVE-2014-9380 (Buffer over-read)
+     - CVE-2014-9381 (Signedness error)
+     See:
+     https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/
+     Patches taken from upstream
+     - 6b196e011fa456499ed4650a360961a2f1323818 pull/608
+     - 31b937298c8067e6b0c3217c95edceb983dfc4a2 pull/609
+     Thanks to Nick Sampanis <n.sampanis@obrela.com> who is responsible for
+     both finding and repairing these issues.
+
+ -- Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>  Tue, 23 Dec 2014 09:44:32 +0700
+
ettercap (1:0.7.3-2.1+squeeze1) stable; urgency=high

* Quilt patch for CVE-2013-0722, a stack-based buffer overflow when
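
Review bot: the hunk header "@@ -1,3 +1,16 @@" does not match the body, which has 16 added lines followed by 3 context lines, so the new-side length should be 19 and patch will reject the hunk as written; regenerate the debdiff from the modified tree instead of editing it by hand. The "* Patch a bunch of security vulnerabilities" entry is also indented one column deeper than "* Non-maintainer upload.", and its sub-items inherit that offset.
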
diff -u ettercap-0.7.3/debian/patches/series ettercap-0.7.3/debian/patches/series
--- ettercap-0.7.3/debian/patches/series
+++ ettercap-0.7.3/debian/patches/series
@@ -3,0 +4 @@
+04_CVE-2014-9380-9381.patch
--- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch
+++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch
@@ -0,0 +1,35 @@
+From: Nick Sampanis <n.sampanis@obrela.com> 
+Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
+Date: Mon, 22 Dec 2014 10:22:56 +0000 (UTC)
+
+The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 
+allows remote attackers to cause a denial of service (out-of-bounds 
+read) via a packet containing only a CVS_LOGIN signature.
+
+Integer signedness error in the dissector_cvs function in
+dissectors/ec_cvs.c in Ettercap 8.1 allows remote attackers to cause
+a denial of service (crash) via a crafted password, which triggers
+a large memory allocation. 
+See Debian Bug #773416#20
+
+--- a/src/dissectors/ec_cvs.c
++++ b/src/dissectors/ec_cvs.c
+@@ -70,7 +70,7 @@ FUNC_DECODER(dissector_cvs)
+ {
+    DECLARE_DISP_PTR_END(ptr, end);
+    char tmp[MAX_ASCII_ADDR_LEN];
+-   char *p;
++   u_char *p;
+    size_t i;
+ 
+    /* don't complain about unused var */
+@@ -92,6 +92,8 @@ FUNC_DECODER(dissector_cvs)
+ 
+    /* move over the cvsroot path */
+    ptr += strlen(CVS_LOGIN) + 1;
++	if (ptr >= end)
++		return NULL;
+ 
+    /* go until \n */
+    while(*ptr != '\n' && ptr != end) ptr++;
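
Review bot: the header of the new 04_CVE-2014-9380-9381.patch reuses the mail's "Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3" and its "Date:" line while naming a different person in "From:", so it describes the e-mail rather than the change; give it a Subject that states the fix and an Origin field pointing at the upstream commits listed in the changelog hunk. The description also says "Ettercap 8.1" where the rest of this report uses 0.8.1, and the added "if (ptr >= end)" / "return NULL;" lines are tab-indented while the surrounding code uses three spaces.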


cheers,

and Merry XMas,

Gianfranco



Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Fri, 26 Dec 2014 07:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Fri, 26 Dec 2014 07:33:04 GMT) (full text, mbox, link).


Message #75 received at 773416@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>, Raphael Hertzog <hertzog@debian.org>, Thorsten Alteholz <alteholz@debian.org>, "debian-lts@lists.debian.org" <debian-lts@lists.debian.org>, "773416@bugs.debian.org" <773416@bugs.debian.org>
Subject: Re: [DEBIAN-LTS] ettercap package
Date: Fri, 26 Dec 2014 07:29:43 +0000 (UTC)
Hi Nguyen,

for me (note: I don't have any upload power, so my opinion counts less than 0 here) :)
--- ettercap-0.7.3/debian/changelog
+++ ettercap-0.7.3/debian/changelog
[snip]

fine for me, do not need to mention me at all :)


--- ettercap-0.7.3/debian/patches/series
+++ ettercap-0.7.3/debian/patches/series

[snip]

fine

only in patch4:
unchanged:

I would remove the two lines above, don't know why they are here, but they seem to be not useful at all

--- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch
+++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch

should be fine even if usually newly created files should be something like
--- /dev/null

+++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch

[snip]

+Subject: Twelve vulnerabilities exist on ettercap-ng which 


I would say "two" here, because the other vulnerabilities are not available here




the other looks good to me :)

cheers,

G.

(sorry for top posting)

On Thursday, 25 December 2014 at 11:26, Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com> wrote:
Hello Gianfranco Costamagna and Raphael Hertzog,

Many thanks for your comments, especially Raphael :).
> I propose something like this instead.
> (note the patch might not apply at all, I manually changed it)
Yes. Sorry for my mistake, I changed it. Please tell me if
I had to set the name in changelog to you, Gianfranco Costamagna.

I have re-built it with care. But not sure it's good enough
since I have had trouble with DEP3. I ended up with upstream patch style.
> --- ettercap-0.7.3/debian/patches/series
> +++ ettercap-0.7.3/debian/patches/series
> @@ -3,0 +4 @@
> +04_CVE-2014-9380-9381.patch
> Why is there no context shown here?
>
And this one also. I don't really get it.

Could you please review it and give me some comments.

Many thanks and Merry Christmas :)
Cong

On 25/12/2014 16:34, Gianfranco Costamagna wrote:
> Hi *,
>
> nope, you seem to be modifying other patches rather than what is strictly necessary to fix this bug.
>
> Moreover the patch is lacking a CVE description (actually the patch is fixing two CVEs, and the
> description mentions only one)
>
> (there is also no need to mention me, I'm not the author of the patch, nor of the debdiff :) )
>
> also the patch "subject" might not really be needed, I leave Raphael to review the rest :)
>
>
> I propose something like this instead.
> (note the patch might not apply at all, I manually changed it)
>
> diff -u ettercap-0.7.3/debian/changelog ettercap-0.7.3/debian/changelog
> --- ettercap-0.7.3/debian/changelog
> +++ ettercap-0.7.3/debian/changelog
> @@ -1,3 +1,16 @@
> +ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium
> +
> +  * Non-maintainer upload.
> +   * Patch a bunch of security vulnerabilities (closes: #773416)
> +     - CVE-2014-9380 (Buffer over-read)
> +     - CVE-2014-9381 (Signedness error)
> +     See:
> +    https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/
> +     Patches taken from upstream
> +     - 6b196e011fa456499ed4650a360961a2f1323818 pull/608
> +     - 31b937298c8067e6b0c3217c95edceb983dfc4a2 pull/609
> +     Thanks to Nick Sampanis <n.sampanis@obrela.com> who is responsible for
> +     both finding and repairing these issues.
> +
> + -- Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>  Tue, 23 Dec 2014 09:44:32 +0700
> +
> ettercap (1:0.7.3-2.1+squeeze1) stable; urgency=high
>
> * Quilt patch for CVE-2013-0722, a stack-based buffer overflow when
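Review bot: The bullet indentation in the new changelog entry is inconsistent: `  * Non-maintainer upload.` has two leading spaces while `   * Patch a bunch of security vulnerabilities` has three, and the advisory URL line is indented one column less than the `See:` line above it. Align both bullets and the URL, and replace "a bunch of" with the exact count, since the entry lists exactly two CVEs.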
> diff -u ettercap-0.7.3/debian/patches/series ettercap-0.7.3/debian/patches/series
> --- ettercap-0.7.3/debian/patches/series
> +++ ettercap-0.7.3/debian/patches/series
> @@ -3,0 +4 @@
> +04_CVE-2014-9380-9381.patch
> --- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch
> +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch
> @@ -0,0 +1,35 @@
> +From: Nick Sampanis <n.sampanis@obrela.com>
> +Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3
> +Date: Mon, 22 Dec 2014 10:22:56 +0000 (UTC)
> +
> +The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1
> +allows remote attackers to cause a denial of service (out-of-bounds
> +read) via a packet containing only a CVS_LOGIN signature.
> +
> +Integer signedness error in the dissector_cvs function in
> +dissectors/ec_cvs.c in Ettercap 8.1 allows remote attackers to cause
> +a denial of service (crash) via a crafted password, which triggers
> +a large memory allocation.
> +See Debian Bug #773416#20
> +
> +--- a/src/dissectors/ec_cvs.c
> ++++ b/src/dissectors/ec_cvs.c
> +@@ -70,7 +70,7 @@ FUNC_DECODER(dissector_cvs)
> + {
> +    DECLARE_DISP_PTR_END(ptr, end);
> +    char tmp[MAX_ASCII_ADDR_LEN];
> +-   char *p;
> ++   u_char *p;
> +    size_t i;
> +
> +    /* don't complain about unused var */
> +@@ -92,6 +92,8 @@ FUNC_DECODER(dissector_cvs)
> +
> +    /* move over the cvsroot path */
> +    ptr += strlen(CVS_LOGIN) + 1;
> ++    if (ptr >= end)
> ++        return NULL;
> +
> +    /* go until \n */
> +    while(*ptr != '\n' && ptr != end) ptr++;
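Review bot: The description at the top of the new patch file names "Ettercap 8.1" in both paragraphs, while this debdiff applies the fix to ettercap-0.7.3; state the affected versions or drop the version so the header matches the package being patched. The `Subject:` line is a bug-mail reply subject ("Re: Bug#773416: fixed in ettercap 1:0.8.1-3") rather than a summary of the change, and neither paragraph says which CVE it describes; label them CVE-2014-9380 (over-read) and CVE-2014-9381 (signedness) to match the changelog entry.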
>
>
> cheers,
>
> and Merry XMas,
>
> Gianfranco
>
>

-- 
=====================================================================
Nguyen The Cong (Mr)
Software Engineer
Toshiba Software Development (Vietnam) Co.,Ltd
519 Kim Ma street, Ba Dinh District, Hanoi, Vietnam
tel:    +84-4-2220 8801 (Ext. 208)
e-mail: cong.nguyenthe@toshiba-tsdv.com
=====================================================================




Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Sat, 27 Dec 2014 09:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Sat, 27 Dec 2014 09:27:04 GMT) (full text, mbox, link).


Message #80 received at 773416@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>, Raphael Hertzog <hertzog@debian.org>, Thorsten Alteholz <alteholz@debian.org>, "debian-lts@lists.debian.org" <debian-lts@lists.debian.org>, "773416@bugs.debian.org" <773416@bugs.debian.org>
Cc: Nguyen Cong <nguyencong.1210@gmail.com>
Subject: Re: [DEBIAN-LTS] ettercap package
Date: Sat, 27 Dec 2014 09:22:39 +0000 (UTC)
Hi dear Nguyen,

for me if it applies to ettercap/squeeze cleanly it is fine :)

Let's wait for Raphael, I don't have any more issues!

Cheers,

G.





On Saturday, 27 December 2014 at 5:04, Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com> wrote:
Dear Gianfranco Costamagna,

Many thanks for your comments.
> I would say "two" here, because the other vulnerabilities are not available here
Yes. My bad, stupid mistake :(. It has been corrected.
> only in patch4:
> unchanged:
>
> I would remove the two lines above, don't know why they are here, but they seem to be not useful at all
I don't understand either. Could anyone please give me an idea for fixing
this problem.

I attached the newest debdiff file. Hope this is nearly good enough.

Thanks and best regards
Cong


-- 
=====================================================================
Nguyen The Cong (Mr)
Software Engineer
Toshiba Software Development (Vietnam) Co.,Ltd
519 Kim Ma street, Ba Dinh District, Hanoi, Vietnam
tel:    +84-4-2220 8801 (Ext. 208)
e-mail: cong.nguyenthe@toshiba-tsdv.com
=====================================================================




Information forwarded to debian-bugs-dist@lists.debian.org, Barak A. Pearlmutter <bap@debian.org>:
Bug#773416; Package ettercap. (Sun, 28 Dec 2014 10:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Barak A. Pearlmutter <bap@debian.org>. (Sun, 28 Dec 2014 10:51:04 GMT) (full text, mbox, link).


Message #85 received at 773416@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>
Cc: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>, Thorsten Alteholz <alteholz@debian.org>, "debian-lts@lists.debian.org" <debian-lts@lists.debian.org>, "773416@bugs.debian.org" <773416@bugs.debian.org>
Subject: Re: [DEBIAN-LTS] ettercap package
Date: Sun, 28 Dec 2014 11:46:14 +0100
Hi Nguyen,

On Fri, 26 Dec 2014, Nguyen Cong wrote:
> Yes. Sorry for my mistake, I changed it. Please tell me if
> I had to set the name in changelog to you, Gianfranco Costamagna.
> 
> I have re-built it with care. But not sure it's good enough
> since I have had trouble with DEP3. I ended up with upstream patch style.

This debdiff looks mostly fine, thanks. I'm not at home and can't really
handle the upload + announce for now though.

If anyone else on this list can take care of it, please go ahead.
Otherwise I'll take care of it early next year.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Reply sent to Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>:
You have taken responsibility. (Mon, 29 Dec 2014 19:06:06 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 29 Dec 2014 19:06:06 GMT) (full text, mbox, link).


Message #90 received at 773416-close@bugs.debian.org (full text, mbox, reply):

From: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>
To: 773416-close@bugs.debian.org
Subject: Bug#773416: fixed in ettercap 1:0.7.3-2.1+squeeze2
Date: Mon, 29 Dec 2014 19:03:26 +0000
Source: ettercap
Source-Version: 1:0.7.3-2.1+squeeze2

We believe that the bug you reported is fixed in the latest version of
ettercap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773416@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com> (supplier of updated ettercap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 25 Dec 2014 15:43:59 +0700
Source: ettercap
Binary: ettercap-common ettercap ettercap-gtk
Architecture: source i386
Version: 1:0.7.3-2.1+squeeze2
Distribution: squeeze-lts
Urgency: medium
Maintainer: Murat Demirten <murat@debian.org>
Changed-By: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>
Description: 
 ettercap   - Multipurpose sniffer/interceptor/logger for switched LAN
 ettercap-common - Common support files and plugins for ettercap
 ettercap-gtk - Multipurpose sniffer/interceptor/logger for switched LAN
Closes: 773416
Changes: 
 ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload.
   * Patch a bunch of security vulnerabilities (closes: #773416)
     - CVE-2014-9380 (Buffer over-read)
     - CVE-2014-9381 (Signedness error)
     See:
     https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/
     Patches taken from upstream
     - 6b196e011fa456499ed4650a360961a2f1323818 pull/608
     - 31b937298c8067e6b0c3217c95edceb983dfc4a2 pull/609
     Thanks to Nick Sampanis <n.sampanis@obrela.com> who is responsible for
     both finding and repairing these issues.




Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 Dec 2014 19:27:07 GMT) (full text, mbox, link).


Marked as found in versions ettercap/1:0.7.3-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 Dec 2014 19:27:08 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 27 Jan 2015 07:26:12 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:02:39 2019; Machine Name: buxtehude
