diff -Nru ettercap-0.8.0/debian/changelog ettercap-0.8.0/debian/changelog
--- ettercap-0.8.0/debian/changelog 2014-12-03 07:35:24.000000000 +0100
+++ ettercap-0.8.0/debian/changelog 2017-06-04 13:04:09.000000000 +0200
@@ -1,3 +1,17 @@
+ettercap (1:0.8.0-11ubuntu0.2) trusty-security; urgency=medium
+
+ * SECURITY UPDATE (LP: #1695722):
+ * debian/patches/626dc56686f15f2dda13c48f78c2a666cb6d8506.patch:
+ - upstream fix fox CVE-2017-6430 (Closes: #857035)
+ (crash fix when a corrupted filter is used)
+ * debian/patches/803.patch:
+ - fix buffer overflow/underflow with bad filters (Closes: #861604).
+ CVE-2017-8366 (Buffer overflow/underflow issue)
+ - CVE-2017-6430
+ - CVE-2017-8366
+
+ -- Gianfranco Costamagna Sun, 04 Jun 2017 12:50:30 +0200
+
 ettercap (1:0.8.0-11ubuntu0.1) trusty-proposed; urgency=medium
 
 * Fix a crash when scanning for hosts. (LP: #1382871)
diff -Nru ettercap-0.8.0/debian/patches/626dc56686f15f2dda13c48f78c2a666cb6d8506.patch ettercap-0.8.0/debian/patches/626dc56686f15f2dda13c48f78c2a666cb6d8506.patch
--- ettercap-0.8.0/debian/patches/626dc56686f15f2dda13c48f78c2a666cb6d8506.patch 1970-01-01 01:00:00.000000000 +0100
+++ ettercap-0.8.0/debian/patches/626dc56686f15f2dda13c48f78c2a666cb6d8506.patch 2017-06-04 13:03:53.000000000 +0200
@@ -0,0 +1,69 @@
+From 626dc56686f15f2dda13c48f78c2a666cb6d8506 Mon Sep 17 00:00:00 2001
+From: Gianfranco Costamagna
+Date: Thu, 9 Feb 2017 16:01:30 +0100
+Subject: [PATCH] Exit gracefully in case of corrupted filters (Closes issue
+ #782)
+
+---
+ utils/etterfilter/ef_compiler.c | 4 +++-
+ utils/etterfilter/ef_main.c | 9 +++++++--
+ utils/etterfilter/ef_output.c | 3 +++
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+Index: ettercap-0.8.0/utils/etterfilter/ef_compiler.c
+===================================================================
+--- ettercap-0.8.0.orig/utils/etterfilter/ef_compiler.c
++++ ettercap-0.8.0/utils/etterfilter/ef_compiler.c
+@@ -253,7 +253,9 @@
+ struct filter_op *array = NULL;
+ struct unfold_elm *ue;
+ 
+- BUG_IF(tree_root == NULL);
++ // invalid file
++ if (tree_root == NULL)
++ return 0;
+ 
+ fprintf(stdout, " Unfolding the meta-tree ");
+ fflush(stdout);
+Index: ettercap-0.8.0/utils/etterfilter/ef_main.c
+===================================================================
+--- ettercap-0.8.0.orig/utils/etterfilter/ef_main.c
++++ ettercap-0.8.0/utils/etterfilter/ef_main.c
+@@ -41,7 +41,7 @@
+ 
+ int main(int argc, char *argv[])
+ {
+-
++ int ret_value = 0;
+ /* etterfilter copyright */
+ fprintf(stdout, "\n" EC_COLOR_BOLD "%s %s" EC_COLOR_END " copyright %s %s\n\n",
+ GBL_PROGRAM, EC_VERSION, EC_COPYRIGHT, EC_AUTHORS);
+@@ -85,8 +85,12 @@
+ fprintf(stdout, "\n\nThe script contains errors...\n\n");
+ 
+ /* write to file */
+- if (write_output() != ESUCCESS)
+- FATAL_ERROR("Cannot write output file (%s)", GBL_OPTIONS.output_file);
++ ret_value = write_output();
++ if (ret_value == -ENOTHANDLED)
++ FATAL_ERROR("Cannot write output file (%s): the filter is not correctly handled.", GBL_OPTIONS.output_file);
++ else if (ret_value == -EINVALID)
++ FATAL_ERROR("Cannot write output file (%s): the filter format is not correct. 
", GBL_OPTIONS.output_file);
++
+ 
+ return 0;
+ }
+Index: ettercap-0.8.0/utils/etterfilter/ef_output.c
+===================================================================
+--- ettercap-0.8.0.orig/utils/etterfilter/ef_output.c
++++ ettercap-0.8.0/utils/etterfilter/ef_output.c
+@@ -52,6 +52,9 @@
+ if (fop == NULL)
+ return -ENOTHANDLED;
+ 
++ if (ninst == 0)
++ return -EINVALID;
++
+ /* create the file */
+ fd = open(GBL_OPTIONS.output_file, O_CREAT | O_RDWR | O_TRUNC | O_BINARY, 0644);
+ ON_ERROR(fd, -1, "Can't create file %s", GBL_OPTIONS.output_file);
diff -Nru ettercap-0.8.0/debian/patches/803.patch ettercap-0.8.0/debian/patches/803.patch
--- ettercap-0.8.0/debian/patches/803.patch 1970-01-01 01:00:00.000000000 +0100
+++ ettercap-0.8.0/debian/patches/803.patch 2017-06-04 12:59:52.000000000 +0200
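Review bot: The early return added to ef_compiler.c signals a corrupted filter only through a bare `return 0;` and a `// invalid file` line comment, while the surrounding code documents with `/* */` block comments (`/* write to file */`, `/* create the file */`). A comment stating the contract would make the caller-side check understandable: `/* no tree was built (corrupted filter): report 0 instructions so the caller can reject the output */`. The enclosing function's signature and the rest of its body lie outside the hunk, so it cannot be confirmed here whether 0 is also a legitimate count for an empty but otherwise valid filter; if it is, overloading 0 as the error value is ambiguous and a distinct sentinel would be clearer.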
@@ -0,0 +1,221 @@ +From d14d2558da14a33abf7baab28957488a75d16af1 Mon Sep 17 00:00:00 2001 +From: Alexander Koeppe +Date: Thu, 1 Jun 2017 08:56:23 +0200 +Subject: [PATCH 1/4] Add ASAN compiler flags in DEBUG build type + +--- + CMakeLists.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: ettercap-0.8.0/CMakeLists.txt +=================================================================== +--- ettercap-0.8.0.orig/CMakeLists.txt ++++ ettercap-0.8.0/CMakeLists.txt +@@ -107,7 +107,27 @@ + set(ICON_DIR ${INSTALL_PREFIX}/share/pixmaps CACHE PATH "Binary files installation directory") + set(MAN_INSTALLDIR ${INSTALL_PREFIX}/share/man CACHE PATH "Path for manual pages") + ++ ++# set general build flags for debug build-type + set(CMAKE_C_FLAGS_DEBUG "-O0 -ggdb3 -DDEBUG -Wall -Wno-pointer-sign -pg" CACHE STRING "" FORCE) ++# append ASAN build flags if compiler version has support ++if ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU") ++ if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8) ++ set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address -fno-omit-frame-pointer" CACHE STRING "" FORCE) ++ message("Building with ASAN support (GNU compiler)") ++ else (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8) ++ message("Building without ASAN support (GNU compiler)") ++ endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8) ++elseif ("${CMAKE_C_COMPILER_ID}" STREQUAL "Clang") ++ if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1) ++ set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address -fno-omit-frame-pointer" CACHE STRING "" FORCE) ++ message("Building with ASAN support (Clang compiler)") ++ elseif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1) ++ message("Building without ASAN support (Clang compiler)") ++ endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1) ++endif ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU") ++ ++# set build flags for release build-type + set(CMAKE_C_FLAGS_RELEASE "-O2 -w" CACHE STRING "" FORCE) + + if(OS_DARWIN) +Index: 
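Review bot: In the Clang branch of the new ASAN block the "Building without ASAN support (Clang compiler)" message is unreachable: it sits under `elseif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)`, the same condition as the preceding `if`, so an older Clang prints nothing, whereas the GNU branch correctly uses `else`. Change that line to `else (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)`. Separately, `-fsanitize=address` is appended to a debug flag set that already carries `-pg`; whether gprof instrumentation and ASan are meant to be combined is not something the hunk shows, so a short comment on the `set(CMAKE_C_FLAGS_DEBUG ...)` line saying the combination is intended (or dropping `-pg` when ASan is enabled) would remove the doubt.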
ettercap-0.8.0/include/ec_strings.h +=================================================================== +--- ettercap-0.8.0.orig/include/ec_strings.h ++++ ettercap-0.8.0/include/ec_strings.h +@@ -30,7 +30,7 @@ + + EC_API_EXTERN int match_pattern(const char *s, const char *pattern); + EC_API_EXTERN int base64_decode(char *bufplain, const char *bufcoded); +-EC_API_EXTERN int strescape(char *dst, char *src); ++EC_API_EXTERN int strescape(char *dst, char *src, size_t len); + EC_API_EXTERN int str_replace(char **text, const char *s, const char *d); + EC_API_EXTERN size_t strlen_utf8(const char *s); + EC_API_EXTERN char * ec_strtok(char *s, const char *delim, char **ptrptr); +Index: ettercap-0.8.0/src/ec_strings.c +=================================================================== +--- ettercap-0.8.0.orig/src/ec_strings.c ++++ ettercap-0.8.0/src/ec_strings.c +@@ -173,13 +173,14 @@ + /* + * convert the escaped string into a binary one + */ +-int strescape(char *dst, char *src) ++int strescape(char *dst, char *src, size_t len) + { + char *olddst = dst; ++ char *oldsrc = src; + int c; + int val; + +- while ((c = *src++) != '\0') { ++ while ((c = *src++) != '\0' && (size_t)(src - oldsrc) <= len) { + if (c == '\\') { + switch ((c = *src++)) { + case '\0': +@@ -224,9 +225,11 @@ + if (c >= '0' && c <= '7') + val = (val << 3) | (c - '0'); + else +- --src; ++ if (src > oldsrc) /* protect against buffer underflow */ ++ --src; + } else +- --src; ++ if (src > oldsrc) /* protect against buffer underflow */ ++ --src; + *dst++ = (char) val; + break; + +@@ -238,15 +241,17 @@ + c = hextoint(*src++); + if (c >= 0) + val = (val << 4) + c; +- else +- --src; +- } else +- --src; ++ else if (src > oldsrc) /* protect against buffer underflow */ ++ --src; ++ } else if (src > oldsrc) /* protect against buffer underflow */ ++ --src; + *dst++ = (char) val; + break; + } +- } else if (c == 8 || c == 263) /* the backspace */ +- dst--; ++ } else if (c == 8 || c == 263) { /* the backspace */ ++ if 
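Review bot: The new `len` bound in strescape() is tested only in the outer `while` condition; every `*src++` that follows a backslash (the `switch ((c = *src++))` operand and the octal/hex digit reads in the later hunks) is still unbounded, so a `src` that is not NUL-terminated within `len` can still be read past its end after a trailing `\`. Since every caller updated in this patch passes `strlen(...)+1`, it is the terminator rather than `len` that actually stops the reads, and `len` currently adds no protection of its own. Either the inner reads need the same `(size_t)(src - oldsrc) < len` test, or the contract should be stated on the prototype in ec_strings.h so callers know what they get: `/* src must be NUL-terminated; len is the number of readable bytes including the terminator; returns the number of bytes written to dst */`. strescape() continues past the end of this hunk.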
(dst > oldsrc) /* protect against buffer underflow */ ++ dst--; ++ } + else + *dst++ = (char) c; + } +Index: ettercap-0.8.0/src/ec_encryption.c +=================================================================== +--- ettercap-0.8.0.orig/src/ec_encryption.c ++++ ettercap-0.8.0/src/ec_encryption.c +@@ -228,7 +228,7 @@ + + if (type == 's') { + /* escape the string and check its length */ +- if (strescape((char *)tmp_wkey, p) != (int)tmp_wkey_len) ++ if (strescape((char *)tmp_wkey, p, strlen(tmp_wkey)+1) != (int)tmp_wkey_len) + SEMIFATAL_ERROR("Specified WEP key length does not match the given string"); + } else if (type == 'p') { + /* create the key from the passphrase */ +Index: ettercap-0.8.0/src/interfaces/curses/ec_curses_view_connections.c +=================================================================== +--- ettercap-0.8.0.orig/src/interfaces/curses/ec_curses_view_connections.c ++++ ettercap-0.8.0/src/interfaces/curses/ec_curses_view_connections.c +@@ -584,7 +584,7 @@ + size_t len; + + /* escape the sequnces in the buffer */ +- len = strescape((char*)injectbuf, (char*)injectbuf); ++ len = strescape((char*)injectbuf, (char*)injectbuf, strlen(injectbuf)+1); + + /* check where to inject */ + if (wdg_c1->flags & WDG_OBJ_FOCUSED) { +Index: ettercap-0.8.0/src/interfaces/gtk/ec_gtk_view_connections.c +=================================================================== +--- ettercap-0.8.0.orig/src/interfaces/gtk/ec_gtk_view_connections.c ++++ ettercap-0.8.0/src/interfaces/gtk/ec_gtk_view_connections.c +@@ -1239,7 +1239,7 @@ + size_t len; + + /* escape the sequnces in the buffer */ +- len = strescape(injectbuf, injectbuf); ++ len = strescape(injectbuf, injectbuf, strlen(injectbuf)+1); + + /* check where to inject */ + if (side == 1 || side == 2) { +Index: ettercap-0.8.0/utils/etterfilter/ef_encode.c +=================================================================== +--- ettercap-0.8.0.orig/utils/etterfilter/ef_encode.c ++++ 
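Review bot: The backspace guard compares the destination cursor against the source start: `if (dst > oldsrc) dst--;`. That is only meaningful when dst and src are the same buffer; the ec_encryption.c call in this same patch passes distinct `tmp_wkey` and `p`, so depending on where the two buffers lie the test is either always true (the underflow this patch means to stop remains possible) or always false (backspaces are silently ignored). The function already saves `olddst` for exactly this purpose, so the line should read `if (dst > olddst) /* protect against buffer underflow */`. The `src > oldsrc` checks added in the octal and hex branches above are always true at that point, because the loop entry `c = *src++` and the `switch ((c = *src++))` have already advanced `src` by two, so they guard nothing; only the `dst` check carries the fix.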
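Review bot: The length passed to strescape() in ec_encryption.c is taken from the destination, `strlen(tmp_wkey)+1`, but `len` bounds reads from the source `p`. tmp_wkey is the buffer being written and is allocated outside the hunk, so what it contains before the call (and therefore what strlen() returns) is not established here; the argument consistent with every other call site in this patch is `strlen(p)+1`. The first argument casts `tmp_wkey` to `char *` while the strlen() call does not, which suggests it is not a `char *` and would trip -Wpointer-sign where that warning is enabled.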
ettercap-0.8.0/utils/etterfilter/ef_encode.c +@@ -117,7 +117,8 @@ + fop->op.test.string = (u_char*)strdup(string + 1); + + /* escape it in the structure */ +- fop->op.test.slen = strescape((char*)fop->op.test.string, (char*)fop->op.test.string); ++ fop->op.test.slen = strescape((char*)fop->op.test.string, ++ (char*)fop->op.test.string, strlen(fop->op.test.string)+1); + + return ESUCCESS; + +@@ -165,7 +166,8 @@ + fop->opcode = FOP_FUNC; + fop->op.func.op = FFUNC_SEARCH; + fop->op.func.string = (u_char*)strdup(dec_args[1]); +- fop->op.func.slen = strescape((char*)fop->op.func.string, (char*)fop->op.func.string); ++ fop->op.func.slen = strescape((char*)fop->op.func.string, ++ (char*)fop->op.func.string, strlen(fop->op.func.string)+1); + ret = ESUCCESS; + } + } else +@@ -182,7 +184,8 @@ + fop->opcode = FOP_FUNC; + fop->op.func.op = FFUNC_REGEX; + fop->op.func.string = (u_char*)strdup(dec_args[1]); +- fop->op.func.slen = strescape((char*)fop->op.func.string, (char*)fop->op.func.string); ++ fop->op.func.slen = strescape((char*)fop->op.func.string, ++ (char*)fop->op.func.string, strlen(fop->op.func.string)+1); + ret = ESUCCESS; + } + +@@ -250,9 +253,11 @@ + /* replace always operate at DATA level */ + fop->op.func.level = 5; + fop->op.func.string = (u_char*)strdup(dec_args[0]); +- fop->op.func.slen = strescape((char*)fop->op.func.string, (char*)fop->op.func.string); ++ fop->op.func.slen = strescape((char*)fop->op.func.string, ++ (char*)fop->op.func.string, strlen(fop->op.func.string)+1); + fop->op.func.replace = (u_char*)strdup(dec_args[1]); +- fop->op.func.rlen = strescape((char*)fop->op.func.replace, (char*)fop->op.func.replace); ++ fop->op.func.rlen = strescape((char*)fop->op.func.replace, ++ (char*)fop->op.func.replace, strlen(fop->op.func.replace)+1); + ret = ESUCCESS; + } else + SCRIPT_ERROR("Wrong number of arguments for function \"%s\" ", name); +@@ -295,7 +300,8 @@ + if (nargs == 1) { + fop->op.func.op = FFUNC_MSG; + fop->op.func.string = 
(u_char*)strdup(dec_args[0]);
+- fop->op.func.slen = strescape((char*)fop->op.func.string, (char*)fop->op.func.string);
++ fop->op.func.slen = strescape((char*)fop->op.func.string,
++ (char*)fop->op.func.string, strlen(fop->op.func.string)+1);
+ ret = ESUCCESS;
+ } else
+ SCRIPT_ERROR("Wrong number of arguments for function \"%s\" ", name);
+--- ettercap-0.8.0.orig/src/ec_strings.c
++++ ettercap-0.8.0/src/ec_strings.c
+@@ -31,7 +31,7 @@
+ int match_pattern(const char *s, const char *pattern);
+ int base64_decode(char *bufplain, const char *bufcoded);
+ static int hextoint(int c);
+-int strescape(char *dst, char *src);
++int strescape(char *dst, char *src, size_t len);
+ int str_replace(char **text, const char *s, const char *d);
+ size_t strlen_utf8(const char *s);
+ char * ec_strtok(char *s, const char *delim, char **ptrptr);
diff -Nru ettercap-0.8.0/debian/patches/series ettercap-0.8.0/debian/patches/series
--- ettercap-0.8.0/debian/patches/series 2014-12-01 10:48:06.000000000 +0100
+++ ettercap-0.8.0/debian/patches/series 2017-06-04 13:00:06.000000000 +0200
@@ -1,2 +1,4 @@
 debian-changes
 fix-host-crash.patch
+626dc56686f15f2dda13c48f78c2a666cb6d8506.patch
+803.patch