| <?xml version="1.0" encoding="utf-8"?> |
| <?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?> |
| <?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?> |
| <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> |
| |
| <glsa id="200406-01"> |
| <title>Ethereal: Multiple security problems</title> |
| <synopsis> |
| Multiple vulnerabilities including one buffer overflow exist in Ethereal, |
| which may allow an attacker to run arbitrary code or crash the program. |
| </synopsis> |
| <product type="ebuild">Ethereal</product> |
| <announced>June 04, 2004</announced> |
| <revised>May 22, 2006: 02</revised> |
| <bug>51022</bug> |
| <access>remote</access> |
| <affected> |
| <package name="net-analyzer/ethereal" auto="yes" arch="*"> |
| <unaffected range="ge">0.10.4</unaffected> |
| <vulnerable range="le">0.10.3</vulnerable> |
| </package> |
| </affected> |
| <background> |
| <p> |
| Ethereal is a feature rich network protocol analyzer. |
| </p> |
| </background> |
| <description> |
| <p> |
| There are multiple vulnerabilities in versions of Ethereal earlier than |
| 0.10.4, including: |
| </p> |
| <ul> |
| <li>A buffer overflow in the MMSE dissector.</li> |
| <li>Under specific conditions a SIP packet could make Ethereal |
| crash.</li> |
| <li>The AIM dissector could throw an assertion, causing Ethereal to |
| crash.</li> |
| <li>The SPNEGO dissector could dereference a null pointer, causing a |
| crash.</li> |
| </ul> |
| </description> |
| <impact type="high"> |
| <p> |
| An attacker could use these vulnerabilities to crash Ethereal or even |
| execute arbitrary code with the permissions of the user running |
| Ethereal, which could be the root user. |
| </p> |
| </impact> |
| <workaround> |
| <p> |
| For a temporary workaround you can disable all affected protocol |
| dissectors by selecting Analyze->Enabled Protocols... and deselecting |
| them from the list. However, it is strongly recommended to upgrade to |
| the latest stable release. |
| </p> |
| </workaround> |
| <resolution> |
| <p> |
| All Ethereal users should upgrade to the latest stable version: |
| </p> |
| <code> |
| # emerge sync |
| |
| # emerge -pv ">=net-analyzer/ethereal-0.10.4" |
| # emerge ">=net-analyzer/ethereal-0.10.4"</code> |
| </resolution> |
| <references> |
| <uri link="http://www.ethereal.com/appnotes/enpa-sa-00014.html">Ethereal enpa-sa-00014</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0504">CVE-2004-0504</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0505">CVE-2004-0505</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0506">CVE-2004-0506</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0507">CVE-2004-0507</uri> |
| </references> |
| <metadata tag="submitter"> |
| jaervosz |
| </metadata> |
| </glsa> |