Processed: Re: Bug#855869: dsniff: segfaults on portmapper messages

Hilko Bengen bengen at debian.org
Sat Mar 11 09:25:42 UTC 2017


* Marcos Fouces:

> I pushed a "debian/stretch" branch [1] to the repo without all
> changes I've made so far but the patch that fixes this bug.
>
> Is it still possible to get dsniff in shape for stretch? If so, could
> you sponsor it or tell me what else to do?

I had a look into your commits after I had adjusted the severity of
#855869 and it seems to me that all those fixes may as well be part of
Stretch which would make the separate branch unnecessary:

In my opinion, the bugs reported by the Mayhem project (#715646,
#716355, #716457, #716458) should be classified as grave, for the same
reason.

Another question is: Should Debian still be distributing dsniff at all?
The software hasn't seen any upstream development in 16 years and has
been kept on life-support in Linux distros only by piling on patch after
patch. 

Over the years various people, myself included, have found crashes and
hangs while using the dsniff tools with real-world data and sometimes
they have even tried to fix those problems. The people from the Mayhem
project seem to have been the first who have applied automated fuzzing
to this code base and I am confident that one could find more crashes or
hangs if one used AFL or similar tools.

I would not recommend that users run any of the dsniff tools anywhere
but in lab environments. If I had any need for one of the dsniff tools
today, rewriting them in another language, for example Go and
golang-github-google-gopacket-dev, would seem like a good idea.

Cheers,
-Hilko


