Your message dated Mon, 13 Mar 2017 18:18:36 +0000 with message-id <e1cnuyg-0002z7...@fasolo.debian.org> and subject line Bug#855869: fixed in dsniff 2.4b1+debian-24 has caused the Debian Bug report #855869, regarding dsniff: segfaults on portmapper messages to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
855869: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855869
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dsniff
Version: 2.4b1+debian-23
Severity: important

Hi,

dsniff segfaults when receiving any RPC portmapper messages. To generate such messages, I used:

rpcinfo -l <hostname of server with NFS running> 100021 4

But I expect any rpcinfo -l command will cause this to happen.

> Program received signal SIGSEGV, Segmentation fault.
> __memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S:294
> 294     ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
> (gdb) bt full
> #0  __memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S:294
> No locals.
> #1  0x00007ffff655ce24 in _IO_new_file_xsputn (f=0x7fffffffe0f0, data=0x555555797bd4, n=140737326206416) at fileops.c:1327
>         s = 0x555555797bd4 ""
>         to_do = 140737326206416
>         n = 140737326206416
>         data = 0x555555797bd4
>         f = 0x7fffffffe0f0
>         s = 0x555555797bd4 ""
>         to_do = 140737326206416
> #2  0x000055555555983e in rpc_decode (buf=buf@entry=0x555555797bd0 "6]T\275", len=88, len@entry=92, msg=msg@entry=0x7fffffffe1c0) at ./rpc.c:129
>         xdrs = {x_op = (unknown: 4136102144), x_ops = 0x7ffff687f440 <_IO_file_jumps>, x_public = 0x7ffff68835a3 <_IO_2_1_stderr_+131> "\n", x_private = 0x7ffff655bb32 <new_do_write+98> "H\205\300H\211\305\017\267\273\200", x_base = 0x2525252525252525 <error: Cannot access memory at address 0x2525252525252525>, x_handy = 1}
>         fraghdr = <optimized out>
>         p = 0x555555797bd4 ""
>         tmp = <optimized out>
>         stat = 0
>         tmplen = <optimized out>
> #3  0x000055555555ec71 in decode_portmap (buf=0x555555797bd0 "6]T\275", len=92, obuf=<optimized out>, olen=<optimized out>) at ./decode_portmap.c:35
>         xdrs = {x_op = (unknown: 4294959712), x_ops = 0x7fffffffe1a0, x_public = 0x6f00000063 <error: Cannot access memory at address 0x6f00000063>, x_private = 0x6f <error: Cannot access memory at address 0x6f>, x_base = 0x5555555617df "portmap", x_handy = 1}
>         msg = {rm_xid = 0, rm_direction = CALL, ru = {RM_cmb = {cb_rpcvers = 0, cb_prog = 0, cb_vers = 0, cb_proc = 0, cb_cred = {oa_flavor = 0, oa_base = 0x0, oa_length = 0}, cb_verf = {oa_flavor = 0, oa_base = 0x0, oa_length = 0}}, RM_rmb = {rp_stat = MSG_ACCEPTED, ru = {RP_ar = {ar_verf = {oa_flavor = 0, oa_base = 0x0, oa_length = 0}, ar_stat = SUCCESS, ru = {AR_versions = {low = 0, high = 0}, AR_results = {where = 0x0, proc = 0x0}}}, RP_dr = {rj_stat = RPC_MISMATCH, ru = {RJ_versions = {low = 0, high = 0}, RJ_why = AUTH_OK}}}}}}
>         pm = <optimized out>
>         pmap = {pm_prog = 93824994606032, pm_vers = 140737326678332, pm_prot = 64, pm_port = 206158430232}
>         xm = <optimized out>
>         hdrlen = <optimized out>
> #4  0x000055555555a524 in trigger_tcp_half (addr=addr@entry=0x7ffff7fa0010, hs=hs@entry=0x7ffff7fa0088, t=0x55555577f470 <tcp_triggers+656>) at ./trigger.c:377
>         buf = 0x555555797bd0 "6]T\275"
>         len = 92
> #5  0x000055555555afaa in trigger_tcp (ts=0x7ffff7fa0010, conn_save=<optimized out>) at ./trigger.c:430
>         tr = <optimized out>
> #6  0x00007ffff77a7f68 in process_tcp () from /usr/lib/libnids.so.1.21
> No symbol table info available.
> #7  0x00007ffff77a5f35 in ?? () from /usr/lib/libnids.so.1.21
> No symbol table info available.
> #8  0x00007ffff77a60ae in ?? () from /usr/lib/libnids.so.1.21
> No symbol table info available.
> #9  0x00007ffff77a621b in nids_pcap_handler () from /usr/lib/libnids.so.1.21
> No symbol table info available.
> #10 0x00007ffff7565646 in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
> No symbol table info available.
> #11 0x00007ffff75662d7 in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
> No symbol table info available.
> #12 0x00007ffff756e26d in pcap_loop () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
> No symbol table info available.
> #13 0x00007ffff77a58f6 in nids_run () from /usr/lib/libnids.so.1.21
> No symbol table info available.
> #14 0x0000555555556dc3 in main (argc=<optimized out>, argv=<optimized out>) at ./dsniff.c:269
>         services = 0x555555561958 "/usr/share/dsniff/dsniff.services"
>         savefile = 0x0
>         triggers = 0x0
>         c = <optimized out>

A few things I notice looking at rpc_decode...

> int
> rpc_decode(u_char *buf, int len, struct rpc_msg *msg)
> {
> [...]
>         /* Decode RPC message. */
>         memset(msg, 0, sizeof(*msg));
>
>         if (ntohl(((struct rpc_msg *)buf)->rm_direction) == CALL) {

This:

- Almost certainly breaks the strict aliasing rule and is thus undefined behavior.
- Will fail on 64-bit systems since struct rpc_msg::xid is 64-bits, but the RPC xid field in buf is only 32-bits.
- I expect the check for REPLY below fails on big-endian systems.

>                 xdrmem_create(&xdrs, buf, len, XDR_DECODE);
>
>                 if (!xdr_callmsg(&xdrs, msg)) {
>                         xdr_destroy(&xdrs);
>                         return (0);
>                 }
>         }
>         else if (ntohl(((struct rpc_msg *)buf)->rm_direction) == REPLY) {
>                 msg->acpted_rply.ar_results.proc = (xdrproc_t) xdr_void;
>                 xdrmem_create(&xdrs, buf, len, XDR_DECODE);
>
>                 if (!xdr_replymsg(&xdrs, msg)) {
>                         xdr_destroy(&xdrs);
>                         return (0);
>                 }
>         }
>         stat = xdr_getpos(&xdrs);
>         xdr_destroy(&xdrs);

Both these calls try to read / free garbage memory if both if statements above fail.

Thanks,
James
--- End Message ---
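An added illustration of the three problems James lists above, written for this page and not taken from the bug report, from dsniff, or from the 32_rpc_segfault.patch fix. The struct rpc_msg_like type is a constructed stand-in for the u_long rm_xid layout he describes (not the real <rpc/rpc.h> definition) and sample_call is a constructed 16-byte CALL header; rpc_direction reads the direction field byte-wise at its wire offset, with a length check and an explicit rejection of anything that is neither CALL nor REPLY, the case that otherwise falls through to xdr_getpos()/xdr_destroy() on an uninitialised stream.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* ONC RPC header (RFC 5531): xid then msg_type, both 32-bit big-endian. */
#define RPC_CALL  0u
#define RPC_REPLY 1u
/* Constructed mirror of the layout James points at (not the real <rpc/rpc.h>
 * struct): rm_xid is u_long, so on LP64 rm_direction is at offset 8, not 4. */
struct rpc_msg_like { unsigned long rm_xid; uint32_t rm_direction; };

/* Byte-wise big-endian read: no struct cast, so no aliasing or endian issue. */
static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hardened check: bounds-checked, endian-independent, and it rejects anything
 * that is neither CALL nor REPLY, so a caller never falls through to
 * xdr_getpos()/xdr_destroy() on an uninitialised XDR stream.
 * Returns 0 and stores the direction on success, -1 on malformed input. */
int rpc_direction(const unsigned char *buf, size_t len, uint32_t *dir)
{
    if (buf == NULL || len < 8)
        return -1;
    *dir = get_be32(buf + 4);
    return (*dir == RPC_CALL || *dir == RPC_REPLY) ? 0 : -1;
}

/* What the original cast actually reads: the word at offsetof(rm_direction).
 * On LP64 that is a CALL's rpcvers field (2), so neither branch matches. */
uint32_t direction_via_struct_offset(const unsigned char *buf, size_t len)
{
    size_t off = offsetof(struct rpc_msg_like, rm_direction);
    return (len >= off + 4) ? get_be32(buf + off) : UINT32_MAX;
}

/* Constructed sample: CALL header, xid 0x12345678, rpcvers 2, prog 100000. */
const unsigned char sample_call[16] = {
    0x12, 0x34, 0x56, 0x78,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x02,  0x00, 0x01, 0x86, 0xa0 };

int main(void)
{
    uint32_t dir = 0;
    int rc = rpc_direction(sample_call, sizeof sample_call, &dir);
    printf("hardened: rc=%d dir=%u; struct cast reads %u at offset %zu\n", rc, dir,
           direction_via_struct_offset(sample_call, sizeof sample_call),
           offsetof(struct rpc_msg_like, rm_direction));
    return 0;
}
```

On a 64-bit build the struct-offset read returns 2 for a CALL, so neither the CALL nor the REPLY branch is taken and the original code reaches xdr_getpos() with garbage in xdrs, which is the state the backtrace shows.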
--- Begin Message ---
Source: dsniff
Source-Version: 2.4b1+debian-24

We believe that the bug you reported is fixed in the latest version of dsniff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 855...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marcos Fouces <mfou...@yahoo.es> (supplier of updated dsniff package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Mon, 13 Mar 2017 18:34:19 +0100
Source: dsniff
Binary: dsniff
Architecture: source
Version: 2.4b1+debian-24
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools Packaging Team <pkg-security-t...@lists.alioth.debian.org>
Changed-By: Marcos Fouces <mfou...@yahoo.es>
Description:
 dsniff     - Various tools to sniff network traffic for cleartext insecurities
Closes: 715646 716355 716457 716458 852360 855869
Changes:
 dsniff (2.4b1+debian-24) unstable; urgency=medium
 .
   * Fix FTCBFS: Pass triplet-prefixed CC to configure. Thanks to Helmut Grohne (Closes: #852360).
   * Add four patches from Fedora: (Closes: #715646, #716355, #716457, #716458)
     + 29_libnet_name2addr4.patch
     + 30_pntohl_shift.patch
     + 31_sysconf_clocks.patch
     + 32_rpc_segfault.patch (Closes: #855869)
   * Polish, reorder and refresh patches.
   * Add 33_sshcrypto_DES.patch
   * Improve dep3 description in 33_sshcrypto_DES.patch (as requested by Stretch release team)
--- End Message ---