oss-sec mailing list archives

CVE request: ettercap GTK


From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Wed, 13 Oct 2010 09:57:36 -0400

The GTK version of ettercap uses a global settings file at
/tmp/.ettercap_gtk and does not verify ownership of this file before
reading it. When parsing this file for settings in gtkui_conf_read()
(src/interfaces/gtk/ec_gtk_conf.c), an unchecked sscanf() call can
result in a stack-based buffer overflow.  Local users can place
maliciously crafted settings files at this location to exploit other
users who run ettercap.  On most distributions, stack-smashing
protection will mitigate the impact.  I'm unclear as to whether there
are settings that could be forced upon other users that make ettercap
misbehave in a dangerous way.

There are two issues here (insecure temporary file usage and
stack-based buffer overflow), but they're probably only
security-relevant when exploited in conjunction.  Not sure if it
should get one CVE or two.

Reference:
https://bugs.launchpad.net/ubuntu/+source/ettercap/+bug/656347


-Dan

