GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Thu Jul 28, 2005 5:58 am Post subject: [ GLSA 200507-27 ] Ethereal: Multiple vulnerabilities |
|
|
Gentoo Linux Security Advisory
Title: Ethereal: Multiple vulnerabilities (GLSA 200507-27)
Severity: high
Exploitable: remote
Date: July 28, 2005
Bug(s): #100316
ID: 200507-27
Synopsis
Ethereal is vulnerable to numerous vulnerabilities potentially resulting in the execution of arbitrary code or abnormal termination.
Background
Ethereal is a feature-rich network protocol analyzer.
Affected Packages
Package: net-analyzer/ethereal
Vulnerable: < 0.10.12
Unaffected: >= 0.10.12
Architectures: All supported architectures
Description
There are numerous vulnerabilities in versions of Ethereal prior to 0.10.12, including: - The SMB dissector could overflow a buffer or exhaust memory (CAN-2005-2365).
- iDEFENSE discovered that several dissectors are vulnerable to format string overflows (CAN-2005-2367).
- Additionally multiple potential crashes in many dissectors have been fixed, see References for further details.
Impact
An attacker might be able to use these vulnerabilities to crash Ethereal or execute arbitrary code with the permissions of the user running Ethereal, which could be the root user.
Workaround
There is no known workaround at this time.
Resolution
All Ethereal users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.10.12" |
References
Ethereal enpa-sa-00020
CAN-2005-2360
CAN-2005-2361
CAN-2005-2362
CAN-2005-2363
CAN-2005-2364
CAN-2005-2365
CAN-2005-2366
CAN-2005-2367
Last edited by GLSA on Sun May 07, 2006 4:58 pm; edited 1 time in total |
|