Package: ngrep
Version: 1.44-2
Severity: important
Tags: security
ngrep's signal handler, clean_exit(), calls free() and other cleanup
functions in a non-idempotent way. There is an easy way to trigger the
bug by running "ngrep . | cat", then pressing Ctrl-C. ngrep will get a
SIGINT signal from the shell, and a SIGPIPE signal from the dying cat
process, resulting in clean_exit() being called twice.
Adding some code like this at the beginning of clean_exit() probably
fixes the issue:

    static volatile int cleaned = 0;
    if(cleaned++) exit(sig);

This is probably a security issue, too, because the data ngrep is
handling comes from the network, but it does not seem to be easily
exploitable (famous last words, I know). Feel free to remove the
security tag if you disagree, but a process running as root dumping
core does not seem right to me in any case.
Also, the argument for clean_exit seems wrong to me; signal(2) says
int, not int32_t.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (50, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.11
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages ngrep depends on:
ii libc6 2.3.6.ds1-6 GNU C Library: Shared libraries
ii libpcap0.8 0.9.5-1 System interface for user-level pa
ii libpcre3 6.7-1 Perl 5 Compatible Regular Expressi
ngrep recommends no packages.
-- no debconf information
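A small model of the double-cleanup described in the report, added here as an example and not taken from ngrep's source: the two signal deliveries (SIGINT from the shell, SIGPIPE from the exiting reader) are simulated by calling the handler twice, and a real double free is replaced by a recorded flag so the program does not crash. The resource names and the handler return values are assumptions for the illustration.

```c
#include <signal.h>
#include <stdlib.h>

/* Constructed stand-in for the state ngrep's clean_exit() tears down. A
 * genuine second free() is undefined behaviour, so the model records the
 * attempt in double_release instead of corrupting the heap. */
struct resources {
    char *buf;
    int released;        /* 1 once buf has been freed */
    int double_release;  /* 1 if a second release was attempted: the bug */
};

static struct resources res;
/* The guard proposed in the report; sig_atomic_t because it is written
 * from inside a signal handler. */
static volatile sig_atomic_t cleaned = 0;

int resources_init(void) {
    res.buf = malloc(128);
    res.released = 0;
    res.double_release = 0;
    cleaned = 0;
    return res.buf == NULL ? -1 : 0;
}

static void resources_release(void) {
    if (res.released) { res.double_release = 1; return; }  /* dangling free */
    free(res.buf);
    res.buf = NULL;
    res.released = 1;
}

/* Handler as reported: no guard, so a second delivery releases again.
 * Returns 1 if this call hit the already-released state. */
int clean_exit_unguarded(int sig) {
    (void)sig;
    resources_release();
    return res.double_release;
}

/* Handler with the report's guard. On re-entry the real handler would
 * exit(sig); here it returns sig (_exit is the async-signal-safe choice). */
int clean_exit_guarded(int sig) {
    if (cleaned++) return sig;
    resources_release();
    return res.double_release;
}

/* Replay the SIGINT-then-SIGPIPE sequence; returns 1 on a double release. */
int deliver_twice(int (*handler)(int)) {
    resources_init();
    handler(SIGINT);
    handler(SIGPIPE);
    return res.double_release;
}
```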