PublicDateAtUSN: 2019-11-19 16:15:00 UTC
Candidate: CVE-2014-5439
PublicDate: 2019-11-19 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5439
 http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html
 https://ubuntu.com/security/notices/USN-4652-1
Description:
 Multiple Stack-based Buffer Overflow vulnerabilities exists in Sniffit
 prior to 0.3.7 via a crafted configuration file that will bypass
 Non-eXecutable bit NX, stack smashing protector SSP, and address space
 layout randomization ASLR protection mechanisms, which could let a
 malicious user execute arbitrary code.
Ubuntu-Description:
 It was discovered that SniffIt incorrectly handled certain configuration
 files. An attacker could possibly use this issue to execute arbitrary
 code.
Notes:
 sbeattie> sniffit is not setuid, so this issue only affects
   configurations where a user is only permitted to run a subset of
   administrative (e.g. using a sudo configuration that only allows a
   user to run sniffit).
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_sniffit:
upstream_sniffit: released (0.3.7.beta-20)
precise_sniffit: ignored (reached end-of-life)
precise/esm_sniffit: DNE (precise was needs-triage)
trusty_sniffit: released (0.3.7.beta-17+deb8u1build0.14.04.1)
trusty/esm_sniffit: DNE (trusty was released [0.3.7.beta-17+deb8u1build0.14.04.1])
vivid/stable-phone-overlay_sniffit: DNE
vivid/ubuntu-core_sniffit: DNE
xenial_sniffit: released (0.3.7.beta-19ubuntu0.1)
yakkety_sniffit: ignored (reached end-of-life)
zesty_sniffit: not-affected (0.3.7.beta-20)
artful_sniffit: not-affected (0.3.7.beta-20)
bionic_sniffit: not-affected (0.3.7.beta-20)
cosmic_sniffit: not-affected (0.3.7.beta-20)
disco_sniffit: not-affected (0.3.7.beta-20)
eoan_sniffit: not-affected (0.3.7.beta-20)
focal_sniffit: not-affected (0.3.7.beta-20)
groovy_sniffit: not-affected (0.3.7.beta-20)
devel_sniffit: not-affected (0.3.7.beta-20)