Package: ethereal Version: 0.10.11-1 Severity: wishlist Tags: security patch
The attached patch reduces the impact of undiscovered security vulnerabilities in ethereal by dropping all capabilities (t)ethereal doesn't need for its operation, keeping only the capability to sniff sockets. A version of this patch has been sent to the ethereal-dev list and while there have been some responses, the patch so far has not been committed to ethereal SVN. Still, I think this is a very sensible patch and I would like to see it included in Debian's ethereal package. -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (800, 'unstable'), (750, 'experimental'), (500, 'testing-proposed-updates'), (500, 'oldstable'), (500, 'testing'), (500, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/dash Kernel: Linux 2.6.11.11 Locale: LANG=C, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1) Versions of packages ethereal depends on: ii ethereal-common 0.10.11-1 network traffic analyser (common f ii libadns1 1.0-8.3 Asynchronous-capable DNS client li ii libatk1.0-0 1.10.1-2 The ATK accessibility toolkit ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an ii libcomerr2 1.37+1.38-WIP-0620-1 common error description library ii libglib2.0-0 2.6.5-1 The GLib library of C routines ii libgtk2.0-0 2.6.8-1 The GTK+ graphical user interface ii libkrb53 1.3.6-3 MIT Kerberos runtime libraries ii libpango1.0-0 1.8.1-1 Layout and rendering of internatio ii libpcap0.8 0.8.3-6 System interface for user-level pa ii libpcre3 5.0-1.1 Perl 5 Compatible Regular Expressi ii zlib1g 1:1.2.2-4 compression library - runtime Versions of packages ethereal recommends: ii gksu 1.3.0-1 graphical frontend to su -- no debconf information -- Obsig: developing a new sig
Index: configure.in
===================================================================
--- configure.in (revision 14745)
+++ configure.in (working copy)
@@ -737,6 +738,47 @@
 fi
+dnl libcap check
+AC_MSG_CHECKING(whether to use libcap to improve security)
+
+AC_ARG_WITH(cap,
+[ --with-cap[[=DIR]] use libcap (located in directory DIR, if supplied) to improve security. [[default=yes, if available]]],
+[
+ if test $withval = no
+ then
+ want_cap=no
+ elif test $withval = yes
+ then
+ want_cap=yes
+ else
+ want_cap=yes
+ cap_dir=$withval
+ fi
+],[
+ #
+ # Use libcap if it's present, otherwise don't.
+ #
+ want_cap=ifavailable
+ cap_dir=
+])
+if test "x$want_cap" = "xno" ; then
+ AC_MSG_RESULT(no)
+ cap_message="no (disabled by explicit request)"
+else
+ AC_MSG_RESULT(yes)
+ AC_CHECK_LIB(cap, cap_init, [
+ AC_DEFINE(HAVE_LIBCAP, 1, [
+ Define if libcap is available to restrict process capabilities
+ ])
+ LIBS="$LIBS -lcap"
+ cap_message="yes"
+ ], [
+ AC_MSG_WARN([libcap check failed])
+ cap_message="no (check failed)"
+ ])
+fi
+
+
 dnl Check if ethereal should be installed setuid
 AC_ARG_ENABLE(setuid-install,
 [ --enable-setuid-install install ethereal as setuid. DANGEROUS!!! [default=no]],enable_setuid_install=$enableval,enable_setuid_install=no)
@@ -1322,3 +1364,4 @@
 echo " Use SSL crypto library : $ssl_message"
 echo " Use IPv6 name resolution : $enable_ipv6"
 echo " Use UCD SNMP/Net-SNMP library : $snmp_libs_message"
+echo " Use cap library : $cap_message"
Index: gtk/main.c
===================================================================
--- gtk/main.c (revision 14745)
+++ gtk/main.c (working copy)
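Review bot: The `DIR` accepted by `--with-cap[=DIR]` is saved in `cap_dir` but never used: nothing adds `-I$cap_dir/include` or `-L$cap_dir/lib` before `AC_CHECK_LIB(cap, cap_init, ...)`, so a libcap outside the default search paths is not found despite what the help text promises. The explicit `--with-cap` case (`want_cap=yes`) is also handled exactly like the default `ifavailable`: a failed check only emits `AC_MSG_WARN` and the build silently continues without any capability dropping, which is the wrong outcome for a user who asked for the hardening. In the failure branch I would add `if test "x$want_cap" = "xyes" ; then AC_MSG_ERROR([libcap was requested but cap_init was not found]) fi`, and either extend `CPPFLAGS`/`LDFLAGS` from `cap_dir` when it is set or drop the `=DIR` form from the help text. The second hunk (the summary `echo`) is fine as is.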
@@ -1637,6 +1637,9 @@
 char optstring[sizeof(OPTSTRING_INIT) + sizeof(OPTSTRING_CHILD) + sizeof(OPTSTRING_WIN32) - 2] = OPTSTRING_INIT OPTSTRING_WIN32;
+#ifdef HAVE_LIBCAP
+ dropexcesscapabilities();
+#endif
 /*** create the compile and runtime version strings ***/
 #ifdef _WIN32
Index: tethereal.c
===================================================================
--- tethereal.c (revision 14745)
+++ tethereal.c (working copy)
@@ -659,6 +659,10 @@
 capture_opts_init(&capture_opts, NULL /* cfile */);
 #endif
+#ifdef HAVE_LIBCAP
+ dropexcesscapabilities();
+#endif
+
 set_timestamp_setting(TS_RELATIVE);
 /* Register all dissectors; we must do this before checking for the
Index: util.c
===================================================================
--- util.c (revision 14745)
+++ util.c (working copy)
@@ -69,6 +69,10 @@
 #include <windows.h>
 #endif
+#ifdef HAVE_LIBCAP
+#include <sys/capability.h>
+#endif
+
 #include "util.h"
 /*
@@ -311,3 +315,30 @@
 }
 return "";
 }
+
+
+#ifdef HAVE_LIBCAP
+void dropexcesscapabilities(void)
+{
+ cap_t cap_d = cap_init();
+ cap_value_t cap_values[] = {
+ /* capabilities we need to keep */
+ CAP_NET_RAW
+ };
+
+ if (!cap_d) {
+ fprintf(stderr, "Could not alloc cap struct\n");
+ exit(-1);
+ }
+
+ cap_clear(cap_d);
+ cap_set_flag(cap_d, CAP_PERMITTED, 1, cap_values, CAP_SET);
+ cap_set_flag(cap_d, CAP_EFFECTIVE, 1, cap_values, CAP_SET);
+
+ if (cap_set_proc(cap_d) != 0) {
+ fprintf(stderr, "Could not set capabilities: %s\n", strerror(errno));
+ exit(1);
+ }
+ cap_free(&cap_d);
+}
+#endif /* HAVE_LIBCAP */
Index: util.h
===================================================================
--- util.h (revision 14745)
+++ util.h (working copy)
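Review bot: The new `dropexcesscapabilities();` call sits directly after the `optstring` declaration near the top of main(), and the remainder of main() is outside the hunk; if any declaration still follows it there, this becomes a statement before a declaration, which a C89/`-pedantic` build rejects, so either confirm `optstring` is the last declaration or move the call below it. Dropping before any option parsing is otherwise the right place from a hardening standpoint, because nothing earlier in main() needs the capabilities being removed. The tethereal.c call site follows a statement (`capture_opts_init(...)`) and has no such concern.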
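Review bot: The function added later in this file uses `errno`, `strerror()`, `fprintf()` and `exit()`, but this hunk brings in only `<sys/capability.h>`; the part of util.c above line 69 is not in the patch, so unless `<errno.h>` and `<string.h>` (and `<stdio.h>`/`<stdlib.h>`) are already included there, the HAVE_LIBCAP build fails on implicit declarations. I would add `#include <errno.h>` and `#include <string.h>` inside the same `#ifdef HAVE_LIBCAP` block next to `<sys/capability.h>`, so the dependency is visible where it is introduced.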
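Review bot: `cap_set_proc()` fails with EPERM when the requested permitted set is not a subset of the caller's current permitted set, so an unprivileged user who only reads a saved capture (`tethereal -r file`, or the GUI opening a file) will always hit the `Could not set capabilities` exit, because gtk/main.c and tethereal.c call this unconditionally before option parsing. The function should first query its current state with `cap_get_proc()`/`cap_get_flag()` and keep CAP_NET_RAW only when it is actually held; when it is not, clearing everything is still the correct result. Two smaller points: `cap_free(&cap_d)` passes the address of the local instead of the `cap_t` itself — libcap's `cap_free()` takes the object, so it should read `cap_free(cap_d);` — and the two failure paths exit with `-1` (status 255) and `1`, so use `exit(1)` for both; the return values of `cap_clear()` and `cap_set_flag()` are also ignored. The rewrite below keeps the existing `cap_set_proc()` error handling and the external interface unchanged.
```c
void dropexcesscapabilities(void)
{
    cap_value_t cap_values[] = { CAP_NET_RAW };   /* capabilities we need to keep */
    cap_flag_value_t have_net_raw = CAP_CLEAR;
    cap_t cap_d = cap_get_proc();

    if (!cap_d) {
        fprintf(stderr, "Could not read capabilities: %s\n", strerror(errno));
        exit(1);
    }
    /* An unprivileged user (e.g. "tethereal -r file") does not hold
     * CAP_NET_RAW; requesting it in the new permitted set would make
     * cap_set_proc() fail with EPERM, so keep it only if we already have it. */
    cap_get_flag(cap_d, CAP_NET_RAW, CAP_PERMITTED, &have_net_raw);

    cap_clear(cap_d);
    if (have_net_raw == CAP_SET) {
        cap_set_flag(cap_d, CAP_PERMITTED, 1, cap_values, CAP_SET);
        cap_set_flag(cap_d, CAP_EFFECTIVE, 1, cap_values, CAP_SET);
    }
    /* … unchanged: cap_set_proc() call and its error report … */
    cap_free(cap_d);
}
```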
@@ -43,6 +43,15 @@
 /* Create a capture filter for the connection */
 char *get_conn_cfilter(void);
+#ifdef HAVE_LIBCAP
+/*
+ * Limit the potential impact of undiscovered security vulnerabilities by
+ * dropping all capabilities except the sniffer capability we need to do our
+ * job.
+ */
+void dropexcesscapabilities(void);
+#endif /* HAVE_LIBCAP */
+
 #ifdef __cplusplus
 }
 #endif /* __cplusplus */
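Review bot: The new header comment explains the motivation but not the contract a caller has to know: the util.c implementation does not return on failure — it reports to stderr and calls `exit()` — and after a successful call the process holds nothing but CAP_NET_RAW in its permitted and effective sets. I would extend the comment with `Call as early as possible in main(); afterwards only CAP_NET_RAW remains (permitted and effective). On failure a diagnostic is written to stderr and the process exits.` As a style point, the rest of util.h uses underscore-separated names (`get_conn_cfilter`), so `drop_excess_capabilities` would match the file's convention; the same identifier appears in util.c, gtk/main.c and tethereal.c.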