Debian Security Advisory

DSA-130-1 ethereal -- remotely triggered memory allocation error

Date Reported:
01 Jun 2002
Affected Packages:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 4604, BugTraq ID 4806, BugTraq ID 4805, BugTraq ID 4807, BugTraq ID 4808.
In Mitre's CVE dictionary: CVE-2002-0353, CVE-2002-0401, CVE-2002-0402, CVE-2002-0403, CVE-2002-0404.
More information:

Ethereal versions prior to 0.9.3 were vulnerable to an allocation error in the ASN.1 parser. This can be triggered when analyzing traffic using the SNMP, LDAP, COPS, or Kerberos protocols in ethereal. This vulnerability was announced in the ethereal security advisory enpa-sa-00003. This issue has been corrected in ethereal version 0.8.0-3potato for Debian 2.2 (potato).

Additionally, a number of vulnerabilities were discussed in ethereal security advisory enpa-sa-00004; the version of ethereal in Debian 2.2 (potato) is not vulnerable to the issues raised in this later advisory. Users of the not-yet-released woody distribution should ensure that they are running ethereal 0.9.4-1 or a later version.

We recommend you upgrade your ethereal package immediately.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Intel IA-32:
Motorola 680x0:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.