Debian GNU/Linux Advisories: lftp, ethereal

---

Debian Security Advisory DSA 406-1	security@debian.org
http://www.debian.org/security/	Martin Schulze
January 5th, 2004	http://www.debian.org/security/faq

---

Package	:	lftp
Vulnerability	:	buffer overflow
Problem-Type	:	remote
Debian-specific	:	no
CVE ID	:	CAN-2003-0963

Ulf Harnhammar discovered a buffer overflow in lftp, a set of
sophisticated command-line FTP/HTTP client programs. An attacker
could create a carefully crafted directory on a website so that the
execution of an ‘ls’ or ‘rels’ command would lead to the execution
of arbitrary code on the client machine.

For the stable distribution (woody) this problem has been fixed
in version 2.4.9-1woody2.

For the unstable distribution (sid) this problem has been fixed
in version 2.6.10-1.

Upgrade Instructions

---

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

---

Source archives:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2.dsc

Size/MD5 checksum: 604 f5daa8b9ca0b4a3dd775ece1d5d90dbc

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2.diff.gz

Size/MD5 checksum: 23483 9f2005abc309b9e44c09e4518063f811

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9.orig.tar.gz

Size/MD5 checksum: 1479880 53ce980339e1adb0c4ec7135950d2055

Alpha architecture:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_alpha.deb

Size/MD5 checksum: 506612 8c0580626371c756c0a0c62eeb5128f0

ARM architecture:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_arm.deb

Size/MD5 checksum: 443624 8b2393f949aeca43699e27527d4e3179

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_i386.deb

Size/MD5 checksum: 441070 96b40a457747a309b72e240bf88f1dcd

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_ia64.deb

Size/MD5 checksum: 602626 bbc526e8b9212b5b1e80558958677299

HP Precision architecture:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_hppa.deb

Size/MD5 checksum: 499616 8ad2c1349fe16284b8f904d88177e9ee

Motorola 680×0 architecture:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_m68k.deb

Size/MD5 checksum: 423600 652c35b149e1ce3bb6602ed17430e1a2

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_mips.deb

Size/MD5 checksum: 472524 7545ec21b6a423373538ecd941848e5a

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_mipsel.deb

Size/MD5 checksum: 470934 3153069a5cd81582d270bb0341b30c08

PowerPC architecture:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_powerpc.deb

Size/MD5 checksum: 457702 4d58d1f70d75f8a8f173f5d966ced97a

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_s390.deb

Size/MD5 checksum: 452260 149e1fbbc06fdad45b0cf64cb3d43350

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_sparc.deb

Size/MD5 checksum: 445716 07b1e6b07e9a4a7f47bddebf82c5f372

These files will probably be moved into the stable distribution
on its next revision.

---

Debian Security Advisory DSA 407-1	security@debian.org
http://www.debian.org/security/	Martin Schulze
January 5th, 2004	http://www.debian.org/security/faq

---

Package	:	ethereal
Vulnerability	:	buffer overflows
Problem-Type	:	remote
Debian-specific	:	no
CVE IDs	:	CAN-2003-0925 CAN-2003-0926 CAN-2003-0927 CAN-2003-1012 CAN-2003-1013

Several vulnerabilities were discovered upstream in ethereal, a
network traffic analyzer. The Common Vulnerabilities and Exposures
project identifies the following problems:

CAN-2003-0925

A buffer overflow allows remote attackers to cause a denial of
service and possibly execute arbitrary code via a malformed GTP
MSISDN string.

CAN-2003-0926

Via certain malformed ISAKMP or MEGACO packets remote attackers
are able to cause a denial of service (crash).

CAN-2003-0927

A heap-based buffer overflow allows remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via
the SOCKS dissector.

CAN-2003-1012

The SMB dissector allows remote attackers to cause a denial of
service via a malformed SMB packet that triggers a segmentation
fault during processing of selected packets.

CAN-2003-1013

The Q.931 dissector allows remote attackers to cause a denial of
service (crash) via a malformed Q.931, which triggers a null
dereference.

For the stable distribution (woody) this problem has been fixed
in version 0.9.4-1woody6.

For the unstable distribution (sid) this problem has been fixed
in version 0.10.0-1.

We recommend that you upgrade your ethereal and tethereal
packages.

Upgrade Instructions

---

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

---

Source archives:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6.dsc

Size/MD5 checksum: 679 6c3d2beab693578b827bc0c2ecc13eb2

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6.diff.gz

Size/MD5 checksum: 37597 7456c1b4708a869295bb71480300370d

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4.orig.tar.gz

Size/MD5 checksum: 3278908 42e999daa659820ee93aaaa39ea1e9ea

Alpha architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6_alpha.deb

Size/MD5 checksum: 1940256 e8a45a24a24a145f2870d65b26fdda20

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody6_alpha.deb

Size/MD5 checksum: 334238 0035322af1972fa6c1547e881b5b27fa

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody6_alpha.deb

Size/MD5 checksum: 222006 da4e9538a37ac5dd740010b828afed8b

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody6_alpha.deb

Size/MD5 checksum: 1706878 3c2e6c03f6383f3ae8d599a01853c344

ARM architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6_arm.deb

Size/MD5 checksum: 1634664 f5f5d2aeba5fa26ac8d6b722f4d52b39

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody6_arm.deb

Size/MD5 checksum: 297294 267317a8d6f43f009673f3e9864e0308

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody6_arm.deb

Size/MD5 checksum: 205964 fe0528d0ee4b0922d1a449f9c12c0b81

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody6_arm.deb

Size/MD5 checksum: 1439166 390f1e6d9173454162195c47a10c6a0e

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6_i386.deb

Size/MD5 checksum: 1512408 b9efde468cca1ddd6b731a3b343bd51d

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody6_i386.deb

Size/MD5 checksum: 286370 c618774e3718d11d94347b0d66f72af4

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody6_i386.deb

Size/MD5 checksum: 198298 a7c01d2560880e783e899cd623a27e7a

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody6_i386.deb

Size/MD5 checksum: 1325838 a7706f7f82b44a30d4a99b299c58b4ca

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6_ia64.deb

Size/MD5 checksum: 2150174 e2aba915304534ac4fbb060a2552d9c6

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody6_ia64.deb

Size/MD5 checksum: 373042 f06169aeefd918e4e5b809393edb8dc2

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody6_ia64.deb

Size/MD5 checksum: 233630 e7f788d020319a8147beb4172cdc736f

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody6_ia64.deb

Size/MD5 checksum: 1860802 6c8ef685b4e61f34a0146eb6fc666fdb

HP Precision architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6_hppa.deb

Size/MD5 checksum: 1803668 213d7f4221de714ee5c4ef938d0bae54

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody6_hppa.deb

Size/MD5 checksum: 322334 b6ebeeb39d2d57c0ed664f65389e55a2

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody6_hppa.deb

Size/MD5 checksum: 216804 fd2e27b35aedd419a12db17bee96c596

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody6_hppa.deb

Size/MD5 checksum: 1575270 f3ed65cc62fb1155e8e38a25320d0614

Motorola 680×0 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6_m68k.deb

Size/MD5 checksum: 1424112 69cccce7cf5ead38369e6d508031d821

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody6_m68k.deb

Size/MD5 checksum: 282604 e5c3264948cd2cad0c159893173f0748

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody6_m68k.deb

Size/MD5 checksum: 195028 647f483dbf79dc47a95d48d105d6a7c4

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody6_m68k.deb

Size/MD5 checksum: 1248072 8085433927ed54f1c1c8196d7c835709

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6_mips.deb

Size/MD5 checksum: 1616398 9a41bb228b9b33894825d6cfd2bba741

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody6_mips.deb

Size/MD5 checksum: 305168 b4a94497386ab45e0494c7980def8e3e

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody6_mips.deb

Size/MD5 checksum: 213590 20a3ad3d4b5126890aa23179c1730f1a

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody6_mips.deb

Size/MD5 checksum: 1421550 ad0decba7ea5907e6a3149cacbc178f8

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6_mipsel.deb

Size/MD5 checksum: 1596866 0321997c79a03298c65548bb5687e87d

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody6_mipsel.deb

Size/MD5 checksum: 304676 9a3fad3fe8394ae63f79d09580b41b39

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody6_mipsel.deb

Size/MD5 checksum: 213222 28bfeefdf54278545c2c132fe381dc12

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody6_mipsel.deb

Size/MD5 checksum: 1405698 182282caefb7aaf8025559894d7b9801

PowerPC architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6_powerpc.deb

Size/MD5 checksum: 1617784 38000a653b7da7552904e66b8c736ecc

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody6_powerpc.deb

Size/MD5 checksum: 301846 70dede9038a6098642119765c87f6f80

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody6_powerpc.deb

Size/MD5 checksum: 208786 d69f6942493800fd491e90605d0be931

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody6_powerpc.deb

Size/MD5 checksum: 1418638 9394c10dff060a961329382c7a3433ad

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6_s390.deb

Size/MD5 checksum: 1574214 a21cbd59b1d36e14da777da012768f21

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody6_s390.deb

Size/MD5 checksum: 300674 49a6af1c59fe07065267ebc5deecc8b8

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody6_s390.deb

Size/MD5 checksum: 203854 077f9492da7509958c890e598edadf14

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody6_s390.deb

Size/MD5 checksum: 1386518 d99962a50a8fafc9c509a67adb3399be

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6_sparc.deb

Size/MD5 checksum: 1582634 d0a792b3c2428ac28476799e888cef98

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody6_sparc.deb

Size/MD5 checksum: 317982 936008ca75fecdec66519475f8466525

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody6_sparc.deb

Size/MD5 checksum: 204626 2633099c059446cff5d41703718fb7bf

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody6_sparc.deb

Size/MD5 checksum: 1388944 ede08f8bc62f1a5141a0bb2ed2ceea1d

These files will probably be moved into the stable distribution
on its next revision.

---

For apt-get: deb http://security.debian.org/
stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security
dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>’ and http://packages.debian.org/<pkg>;