Description: <short summary of the patch>
 TODO: Put a short summary on the line above and replace this paragraph
 with a longer explanation of this change. Complete the meta-information
 with other relevant fields (see below for details). To make it easier, the
 information below has been extracted from the changelog. Adjust it or drop
 it.
 .
 ettercap (1:0.8.1-3) unstable; urgency=high
 .
   * Patch a bunch of security vulnerabilities (closes: #773416)
     - CVE-2014-6395 (Length Parameter Inconsistency)
     - CVE-2014-6396 (Arbitrary write)
     - CVE-2014-9376 (Negative index/underflow)
     - CVE-2014-9377 (Heap overflow)
     - CVE-2014-9378 (Unchecked return value)
     - CVE-2014-9379 (Incorrect cast)
     - CVE-2014-9380 (Buffer over-read)
     - CVE-2014-9381 (Signedness error)
     See: https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/
     Patches taken from repo CVE-patch, URL git://github.com/NickSampanis/ettercap.git
     - 88804bd3a900d273215855f7c567ec891d31e547 CVE-patch/589
     - 103f16582ee88341a6a610378011781cdc866b0c CVE-patch/602
     - 3f0c582826095c722ab6fbf91518282a765a0b68 CVE-patch/603
     - cb7b2028dc03c628aa0a1a5130ca41421ddebcb2 CVE-patch/604
     - edd337d5d4f37ab8e330c5e067344dd5b3f10435 CVE-patch/605
     - 37dcfdf79e1ac6dcacd565894cd7717aa0224164 CVE-patch/606
     - c2a3c99af956146570d7883e4b540b9d0c0a3c46 CVE-patch/607
     - 6b196e011fa456499ed4650a360961a2f1323818 CVE-patch/608
     - afe7061948e85f0a0fd417d5e4c681bfaf212f42 CVE-patch/609
     - 9e9fdc7ed1ee8eba01a5a05e000b6c55d2a70923 CVE-patch/610
     Thanks to Nick Sampanis <n.sampanis@obrela.com> who is responsible for
     both finding and repairing these issues.
Author: Barak A. Pearlmutter <bap@debian.org>
Bug-Debian: https://bugs.debian.org/773416

---
The information above should follow the Patch Tagging Guidelines; please
check out http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: https://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: <YYYY-MM-DD>

--- ettercap-0.8.1.orig/plug-ins/mdns_spoof/mdns_spoof.c
+++ ettercap-0.8.1/plug-ins/mdns_spoof/mdns_spoof.c
@@ -309,7 +309,8 @@ static int parse_line (const char *str,
     for (x = 0; x < mdns->questions; x++) {
 
       name_len = dn_expand((u_char*)mdns, end, q, name, sizeof(name));
-
+      if (name_len == -1)
+          return;
       q = data + name_len;
 
       if (q >= end || name_len == 0)
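Review bot: The added guard rejects only `name_len == -1`, and the following `q = data + name_len;` is computed from `data` rather than from the current `q`, so for the second and later questions the cursor is measured from the start of the question section unless it is re-based further down the loop, which is outside the hunk. `if (name_len < 0) return;` would reject every negative return from dn_expand() rather than just one value. The hunk header names `parse_line`, which returns `int`; the enclosing function starts outside the hunk, so confirm it is `void` before relying on the bare `return;`.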
--- ettercap-0.8.1.orig/plug-ins/nbns_spoof/nbns_spoof.c
+++ ettercap-0.8.1/plug-ins/nbns_spoof/nbns_spoof.c
@@ -390,6 +390,10 @@ static void nbns_spoof(struct packet_obj
 
 	SAFE_CALLOC(response, NBNS_MSGLEN_QUERY_RESPONSE, sizeof(u_char));
 
+   if (po->DATA.len > 70) {
+       SAFE_FREE(response);
+       return;
+   }
 	memset(response, 0, NBNS_MSGLEN_QUERY_RESPONSE);
 
 	memcpy(response, po->DATA.data, po->DATA.len);
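Review bot: The bound in `if (po->DATA.len > 70)` is a literal rather than the size the buffer was allocated with, and it runs after SAFE_CALLOC, so the rejection path has to free what was just allocated. Tying the check to the allocation keeps it correct if the constant changes: `if (po->DATA.len > NBNS_MSGLEN_QUERY_RESPONSE) return;` placed before the SAFE_CALLOC line. The value of NBNS_MSGLEN_QUERY_RESPONSE is not visible here, so confirm 70 was not chosen to be deliberately smaller than it, for example to leave room for data appended later in the function, which continues outside the hunk.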
--- ettercap-0.8.1.orig/src/dissectors/ec_TN3270.c
+++ ettercap-0.8.1/src/dissectors/ec_TN3270.c
@@ -117,6 +117,8 @@ FUNC_DECODER(dissector_TN3270)
 		 username[511] = 0; /* Boundary */
 
                  int l = strlen(username);
+                 if (l < 2)
+                     return NULL;
                  username[l-2] = 0;
                  DISSECT_MSG("%s:%d <= z/OS TSO Username : %s\n", ip_addr_ntoa(&PACKET->L3.dst, tmp), ntohs(PACKET->L4.dst), username);
          }
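Review bot: The new `if (l < 2) return NULL;` guards the index in `username[l-2] = 0`, but nothing documents why two bytes are dropped or checks that they are the trailer the code expects; the same applies to the password hunk that follows. A one-line comment such as `/* drop the 2-byte trailer; shorter strings carry no credential */` would record the intent, worded to match the protocol framing, which is not visible here. `l` is an `int` receiving a `size_t` from strlen(); the 512-byte bound keeps it small, but `size_t l` avoids the conversion. Both blocks sit inside FUNC_DECODER(dissector_TN3270), whose start and end are outside the hunks.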
@@ -125,6 +127,8 @@ FUNC_DECODER(dissector_TN3270)
                  strncpy(password, &output[i + 6], 512);
 		 password[511] = 0; /* Boundary */
                  int l = strlen(password);
+                 if (l < 2)
+                     return NULL;
                  password[l-2] = 0;
                  DISSECT_MSG("%s:%d <= z/OS TSO Password : %s\n", ip_addr_ntoa(&PACKET->L3.dst, tmp), ntohs(PACKET->L4.dst), password);
          }
--- ettercap-0.8.1.orig/src/dissectors/ec_cvs.c
+++ ettercap-0.8.1/src/dissectors/ec_cvs.c
@@ -69,7 +69,7 @@ FUNC_DECODER(dissector_cvs)
 {
    DECLARE_DISP_PTR_END(ptr, end);
    char tmp[MAX_ASCII_ADDR_LEN];
-   char *p;
+   u_char *p;
    size_t i;
 
    /* don't complain about unused var */
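Review bot: Changing `p` to `u_char *` makes the assignment `p = strchr(PACKET->DISSECTOR.user, '\n')` in the next hunk a conversion from `char *` to `u_char *`, which compilers report as a pointer-signedness mismatch. In the visible code `p` is only used to write a terminating `'\0'`, so either keep `char *p;` or cast at the call, `p = (u_char *)strchr(...)`. If uses of `p` outside these hunks need the unsigned type, a short comment on the declaration should say why.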
@@ -96,16 +96,16 @@ FUNC_DECODER(dissector_cvs)
    /* move over the cvsroot path */
    ptr += strlen(CVS_LOGIN) + 1;
 
+   if (ptr >= end) 
+       return NULL;
    /* go until \n */
    while(*ptr != '\n' && ptr != end) ptr++;
    if (ptr == end) return NULL;
-
    PACKET->DISSECTOR.user = strdup((const char*)++ptr);
    
    /* cut the username on \n */
    if ( (p = strchr(PACKET->DISSECTOR.user, '\n')) != NULL )
       *p = '\0';
-   
    /* go until \n */
    while(*ptr != '\n' && ptr != end) ptr++;
    if (ptr == end) return NULL;
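Review bot: Both `while(*ptr != '\n' && ptr != end) ptr++;` loops read `*ptr` before comparing with `end`, so when the scan reaches `end` the byte at `end` is still read; the added `ptr >= end` test covers only the entry condition. Swapping the operands fixes it: `while (ptr != end && *ptr != '\n') ptr++;`. The `strdup((const char*)++ptr)` call is also unbounded, since it relies on a NUL appearing before `end`, and its result goes to strchr() without a NULL check; a copy bounded by `end - ptr` would be safer. The function continues past the end of the hunk.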
--- ettercap-0.8.1.orig/src/dissectors/ec_dhcp.c
+++ ettercap-0.8.1/src/dissectors/ec_dhcp.c
@@ -256,7 +256,7 @@ FUNC_DECODER(dissector_dhcp)
                 (opt = get_dhcp_option(DHCP_OPT_FQDN, options, end)) != NULL)
             {
                 u_char size = opt[0];
-                if ((opt + size + 2) > end)
+                if ((opt + size + 2) > end || size < 3)
                 {
                     // the +2 accounts for a-rr and ptr-rr
                     return NULL;
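Review bot: The added `size < 3` term has no explanation, and the existing `+2` comment sits inside the rejection branch, where it reads as describing the return. Suggest moving the comment above the test and extending it, e.g. `/* +2: a-rr and ptr-rr; the option must carry at least 3 bytes before the name */`, worded to match what the code after this hunk actually reads from `opt` (not visible here). Testing `size < 3` first would also put the cheap check ahead of the pointer arithmetic.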
--- ettercap-0.8.1.orig/src/dissectors/ec_gg.c
+++ ettercap-0.8.1/src/dissectors/ec_gg.c
@@ -358,6 +358,8 @@ FUNC_DECODER(dissector_gg)
 if ((gg->type == GG_LOGIN50_CMD) && !FROM_SERVER("gg", PACKET)) {
    gg_get_status(gg_login50->status,tbuf);
    gg_get_version(gg_login50->version,tbuf3);
+   if ((int)gg->len-22 < 0)
+       return NULL;
    strncpy(tbuf2,gg_login50->description, (gg->len)-22);
    tbuf2[(gg->len)-22]='\0';
    sprintf(user,"%u",gg_login50->uin);
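Review bot: The added guard `(int)gg->len-22 < 0`, and the matching ones for 31, 92, 8, 4, 20, 14 and 18 in the following hunks, bound the copy length from below only. Unless `gg->len` is validated earlier in the function, a large value still drives `strncpy(tbuf2, ..., (gg->len)-22)` and the `tbuf2[(gg->len)-22]='\0'` store past the end of `tbuf2`, and reads past the captured payload on the source side. `tbuf2` is declared outside the hunk; if it is a fixed-size array the guard could become `if (gg->len < 22 || gg->len - 22 >= sizeof(tbuf2)) return NULL;`. The length should also be compared with the packet's payload length before the description is read.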
@@ -378,6 +380,8 @@ if ((gg->type == GG_LOGIN50_CMD) && !FRO
 else if (gg->type == GG_LOGIN60_CMD) {
    gg_get_status(gg_login60->status,tbuf);
    gg_get_version(gg_login60->version,tbuf3);
+   if ((int)gg->len-31 < 0)
+       return NULL;
    strncpy(tbuf2,gg_login60->description, (gg->len)-31);
    tbuf2[(gg->len)-31]='\0';
    sprintf(user,"%u",gg_login60->uin);
@@ -400,6 +404,8 @@ else if (gg->type == GG_LOGIN60_CMD) {
 else if (gg->type == GG_LOGIN70_CMD) {
    gg_get_status(gg_login70->status,tbuf);
    gg_get_version(gg_login70->version,tbuf3);
+   if ((int)gg->len-92 < 0)
+       return NULL;
    strncpy(tbuf2,gg_login70->description, (gg->len)-92);
    tbuf2[(gg->len)-92]='\0';
    sprintf(user,"%u",gg_login70->uin);
@@ -447,6 +453,8 @@ else if (gg->type == GG_WELCOME_CMD) {
 #ifdef GG_CONTACTS_STATUS_CHANGES
 else if ((gg->type == GG_STATUS_CMD) && FROM_SERVER("gg", PACKET)) {
     gg_get_status(gg_status->status,tbuf);
+    if ((int)gg->len-8 < 0)
+        return NULL;
     strncpy(tbuf2,gg_status->description, (gg->len)-8);
     tbuf2[(gg->len)-8]='\0';
     DISSECT_MSG("GG : %s:%d -> %s:%d - STATUS CHANGED  UIN: %u  STATUS: %s (%s)\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -459,6 +467,8 @@ else if ((gg->type == GG_STATUS_CMD) &&
 #endif
 else if ((gg->type == GG_NEW_STATUS_CMD) && !FROM_SERVER("gg", PACKET)) {
       gg_get_status(gg_new_status->status,tbuf);
+      if ((int)gg->len-4 < 0)
+          return NULL;
       strncpy(tbuf2,gg_new_status->description, (gg->len)-4);
       tbuf2[(gg->len)-4]='\0';
       DISSECT_MSG("GG : %s:%d -> %s:%d - NEW STATUS  STATUS: %s (%s)\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -471,6 +481,8 @@ else if ((gg->type == GG_NEW_STATUS_CMD)
 else if ((gg->type == GG_STATUS50_CMD) && FROM_SERVER("gg", PACKET)) {
       gg_get_status(gg_status50->status,tbuf);
       gg_get_version(gg_status50->version,tbuf3);
+      if ((int)gg->len-20 < 0)
+          return NULL;
       strncpy(tbuf2,gg_status50->description, (gg->len)-20);
       tbuf2[(gg->len)-20]='\0';
       DISSECT_MSG("GG4/5 : %s:%d -> %s:%d - STATUS CHANGED  UIN: %u  STATUS: %s (%s)  VERSION: %s  RIP: %u.%u.%u.%u:%u\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -486,6 +498,8 @@ else if ((gg->type == GG_STATUS50_CMD) &
 else if (gg->type == GG_STATUS60_CMD) {
       gg_get_status(gg_status60->status,tbuf);
       gg_get_version(gg_status60->version,tbuf3);
+      if ((int)gg->len-14 < 0)
+          return NULL;
       strncpy(tbuf2,gg_status60->description, (gg->len)-14);
       tbuf2[(gg->len)-14]='\0';
       DISSECT_MSG("GG6 : %s:%d -> %s:%d - STATUS CHANGED  UIN: %u  STATUS: %s (%s)  VERSION: %s  RIP: %u.%u.%u.%u:%u\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -500,6 +514,8 @@ else if (gg->type == GG_STATUS60_CMD) {
 }
 else if (gg->type == GG_STATUS70_CMD) {
       gg_get_status(gg_status70->status,tbuf);
+      if ((int)gg->len-18 < 0)
+          return NULL;
       gg_get_version(gg_status70->version,tbuf3);
       strncpy(tbuf2,gg_status70->description, (gg->len)-18);
       tbuf2[(gg->len)-18]='\0';
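Review bot: In this branch the length guard sits between `gg_get_status()` and `gg_get_version()`, whereas every other branch in this patch places it after both calls. Neither call uses `gg->len` in the visible lines, so the position does not look intentional. Putting the check at the same spot in every branch, ideally first and before any field of the message is read, makes the pattern easier to audit.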
--- ettercap-0.8.1.orig/src/dissectors/ec_imap.c
+++ ettercap-0.8.1/src/dissectors/ec_imap.c
@@ -232,8 +232,6 @@ FUNC_DECODER(dissector_imap)
      
       DEBUG_MSG("\tDissector_imap AUTHENTICATE LOGIN USER");
       
-      //SAFE_CALLOC(user, strlen((const char*)ptr), sizeof(char));
-     
       /* username is encoded in base64 */
       i = base64decode((const char*)ptr, &user);
      
@@ -284,12 +282,15 @@ FUNC_DECODER(dissector_imap)
      
       DEBUG_MSG("\tDissector_imap AUTHENTICATE PLAIN USER/PASS");
       
-      //SAFE_CALLOC(cred, strlen((const char*)ptr), sizeof(char));
-      
       /* password is encoded in base64 */
       i = base64decode((const char *)ptr, &cred);
       p = cred;
       cred_end = cred+i;
+      if (p > cred_end) {
+          SAFE_FREE(cred);
+          dissect_wipe_session(PACKET, DISSECT_CODE(dissector_imap));
+          return NULL;
+      }
       /* move to the username right after the first \0  */
       while(*p && p!=cred_end) p++;
       if (p!=cred_end) p++;
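Review bot: `if (p > cred_end)` is an indirect test for a negative return from base64decode(): `p` is `cred` and `cred_end` is `cred+i`, so it fires only when `i` is negative (assuming `i` is signed), and by then `cred+i` has already been formed outside the allocation. Testing the return value directly, `if (i < 0) { ... }` placed before `cred_end = cred+i;`, states the intent and avoids the out-of-range pointer arithmetic. The scan loop `while(*p && p!=cred_end) p++;` also dereferences `p` before comparing it with `cred_end`; `while (p != cred_end && *p) p++;` avoids the read at `cred_end`. The AUTHENTICATE LOGIN branch in the previous hunk calls base64decode() too, and whether its result is checked is outside the visible lines.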
--- ettercap-0.8.1.orig/src/dissectors/ec_postgresql.c
+++ ettercap-0.8.1/src/dissectors/ec_postgresql.c
@@ -158,7 +158,7 @@ FUNC_DECODER(dissector_postgresql)
                DEBUG_MSG("\tDissector_postgresql RESPONSE type is clear-text!");
                GET_ULONG_BE(length, ptr, 1);
                length -= 4;
-               if (length > 65 || PACKET->DATA.len < length+5) {
+               if (length < 0 || length > 65 || PACKET->DATA.len < length+5) {
                    dissect_wipe_session(PACKET, DISSECT_CODE(dissector_postgresql));
                    return NULL;
                }
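Review bot: The new `length < 0` term only works if `length` is a signed type, and it is evaluated after `length -= 4` has already been applied to a value read straight from the packet by GET_ULONG_BE. `length` is declared outside the hunk: if it is unsigned the term is always false (the wrapped value is then caught by `length > 65`), and if it is signed `PACKET->DATA.len < length+5` mixes signed and unsigned operands. Rejecting the raw field before the subtraction, with a `length < 4` test that takes the same wipe-and-return path, makes the check independent of the declared type.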
--- ettercap-0.8.1.orig/src/dissectors/ec_radius.c
+++ ettercap-0.8.1/src/dissectors/ec_radius.c
@@ -203,7 +203,7 @@ static u_char * radius_get_attribute(u_i
    while (begin < end) {
 
       /* get the len of the attribute and subtract the header len */
-      *attr_len = *(begin + 1) - 2;
+      *attr_len = (u_char)*(begin + 1) - 2;
      
       /* we have found our attribute */
       if (*begin == attr) {
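Review bot: `*attr_len` can still end up negative (or wrapped, depending on its type) when the length byte is 0 or 1, and `*(begin + 1)` is read while the loop condition only guarantees `begin < end`. A guard ahead of the assignment closes both: `if (begin + 2 > end || *(begin + 1) < 2) return NULL;`. The rest of the loop, including how `begin` is advanced, is outside the hunk; if it steps by the attribute length, a zero length byte would also stop the loop from making progress.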
--- ettercap-0.8.1.orig/src/ec_utils.c
+++ ettercap-0.8.1/src/ec_utils.c
@@ -243,6 +243,10 @@ void drop_privs(void)
 int get_decode_len(const char *b64_str) {
    int len = strlen(b64_str);
    int padding = 0;
+
+   if (len < 2)
+       return 0;
+
    if (b64_str[len-1] == '=' && b64_str[len-2] == '=')
       padding = 2;
    else if (b64_str[len-1] == '=')
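Review bot: get_decode_len() now returns 0 for inputs shorter than two characters, but nothing documents what 0 means to callers, which presumably size or bound a decode buffer from this value. Suggest a header comment saying that the function returns the expected decoded length and that 0 signals input too short to be valid base64, so callers treat it as a failure rather than as a buffer size. `int len = strlen(b64_str);` also narrows a `size_t`; a very long string would make `len` negative and take the new early return silently. The rest of the function is outside the hunk.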
