On Wed, 24 Dec 2014, Nguyen Cong wrote:
> I have rebuilt the ettercap package using a quilt patch.
> Could you please give me some comments.

Here they are.

> diff -u ettercap-0.7.3/debian/changelog ettercap-0.7.3/debian/changelog > --- ettercap-0.7.3/debian/changelog > +++ ettercap-0.7.3/debian/changelog > @@ -1,3 +1,11 @@ > +ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium > + > + * Non-maintainer upload. > + * Fix CVE-2014-9380 and CVE-2014-9381 using patch file from > + Gianfranco Costamagna in Bug#773416 Mes#20 > + > + -- Nguyen Cong <cong.nguyen...@toshiba-tsdv.com> Tue, 23 Dec 2014 09:44:32 > +0700

Please have a look at the changelog of Gianfranco and acknowledge the origin of the patch as coming from their true author.

> --- ettercap-0.7.3/debian/patches/series > +++ ettercap-0.7.3/debian/patches/series > @@ -3,0 +4 @@ > +04_CVE-2014-9380-9381.patch

Why is there no context shown here?

> --- ettercap-0.7.3/debian/patches/03_CVE-2013-0722.patch > +++ ettercap-0.7.3/debian/patches/03_CVE-2013-0722.patch

Why are there changes to this patch file? You should strive to modify the strict minimum. And AFAIK this patch doesn't have to be updated. It is applying cleanly.

> --- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch > +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch
> @@ -0,0 +1,30 @@ > +From: Gianfranco Costamagna <costamagnagianfra...@yahoo.it> > +Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3 > +Date: Mon, 22 Dec 2014 10:22:56 +0000 (UTC) > + > +The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 > +allows remote attackers to cause a denial of service (out-of-bounds > +read) via a packet containing only a CVS_LOGIN signature. > + > +See Debian Bug #773416 Message #20

FYI, we like to document new patches with meta-information that respects this format:
http://dep.debian.net/deps/dep3/

Besides those details, it looks ok.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
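
Review bot: In the debian/changelog hunk, the fix line gives its source only as "Bug#773416 Mes#20" and never names the file that the upload adds, 04_CVE-2014-9380-9381.patch. Naming the patch file in the entry and writing the reference out in full (message #20 of bug #773416) would let a later reader get from the changelog to the actual change without decoding the abbreviation.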
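
Review bot: In the header of the new 04_CVE-2014-9380-9381.patch, the description, as far as the quoted lines show, covers only the out-of-bounds read in dissector_cvs (dissectors/ec_cvs.c), while the file name and the changelog claim two CVEs, and it speaks of "Ettercap 8.1" although the package being patched is 0.7.3. The header should say which CVE that paragraph describes and what the second one changes, note that the text was written against a different version, and replace the copied mail subject ("Re: Bug#773416: fixed in ettercap 1:0.8.1-3") with a one-line description of the fix.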