Bug 52723 - [Security Update] irc/epic4 patch
Summary: [Security Update] irc/epic4 patch
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: Normal Affects Only Me
Assignee: freebsd-ports-bugs mailing list
Depends on:
Reported: 2003-05-27 16:30 UTC by Anders Andersson
Modified: 2003-06-01 10:29 UTC

See Also:

Attachment: file.diff (127 bytes, patch), 2003-05-27 16:30 UTC, Anders Andersson

Description Anders Andersson 2003-05-27 16:30:14 UTC
Security Update:
Advisory -- Possible remote exploit from rogue server, exploit exists.
Summary -- ircII clients generally trust the server not to send it garbage.
        Validity checking on data coming from the server tends to be weak.
        If a rogue server sends us a ctcp request from an extremely large
        nickname (over about 512 bytes), epic may attempt to alloca() a
        negative value, which under gcc will return an invalid pointer the
        contents of which will then be overwritten.

Extent -- All versions of epic4, before epic4pre2.002 are not vulnerable
        to this attack.  All versions of epic4, since and including
        epic4pre2.003 are vulnerable and this patch should be applied.
        Future versions of epic will include this patch.

Cause-for-alarm -- If you connect to a rogue server which has been carefully
        crafted to send a CTCP request from an extremely large nickname,
        EPIC may attempt to overwrite the stack, yielding a remote exploit
        for whatever user id you are running as.

Disclaimer -- All non-trivial software has bugs, of varying degrees.  EPIC
        is no exception.  All remote exploits are serious, but this is more
        serious because there is an exploit for this bug floating around.
        You should never connect to a server you do not trust.

Fix: Bumped PORTREVISION and note the new added file, patch-ctcp.c that
	should go into epic4/files/

== files/patch-ctcp.c ==

/* Make sure that the final \001 doesnt get truncated */
-	len = IRCD_BUFFER_SIZE - (12 + strlen(to));
+	if ((len = IRCD_BUFFER_SIZE - (12 + strlen(to))) < 0)
+		return;
 	putbuf2 = alloca(len);
 	if (format)
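Review bot: the `< 0` guard on `len = IRCD_BUFFER_SIZE - (12 + strlen(to))` only rejects the oversized nickname if `len` is a signed type, and even then it relies on the unsigned wrap-around produced by `strlen()` converting to a negative value, which is implementation-defined; the hunk does not show the declaration of `len`, so a reviewer cannot confirm either. Safer to check before subtracting, e.g. `if (strlen(to) + 12 >= IRCD_BUFFER_SIZE) return;` and only then compute `len`, which works regardless of the variable's signedness. The bare `return` also drops the CTCP request silently; a debug log line there would make the rejected-request case visible to an operator.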

Index: epic4/Makefile
RCS file: /home/ncvs/ports/irc/epic4/Makefile,v
retrieving revision 1.45
diff -u -r1.45 Makefile
--- epic4/Makefile	23 Mar 2003 06:21:54 -0000	1.45
+++ epic4/Makefile	27 May 2003 15:00:36 -0000
@@ -8,7 +8,7 @@
 PORTNAME=	epic4
 # Make these variables overridable for slave ports
 CATEGORIES?=	irc ipv6
 MASTER_SITES=	http://ftp.prbh.org/pub/epic/EPIC4-PRODUCTION/ \
 		ftp://ftp.icm.edu.pl/vol/rzm0/irc/EPIC/%SUBDIR%/ \
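Review bot: the hunk header `@@ -8,7 +8,7 @@` promises seven lines on each side, but only five unchanged context lines follow and no `+`/`-` lines appear, so the PORTREVISION bump that the description mentions is not visible in this attachment; the diff looks truncated. Please re-attach the complete Makefile patch so the PORTREVISION change can be verified alongside the new files/patch-ctcp.c.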
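The mechanism the advisory describes, a length subtraction done in unsigned arithmetic that wraps and then feeds alloca(), shown as an added C example beside the check-before-subtract form. This is not EPIC's code: DEMO_BUFFER_SIZE and CTCP_OVERHEAD are constructed stand-ins for IRCD_BUFFER_SIZE and the 12-byte overhead in the patch, the nickname is constructed inline, and the function names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the values in the patch: IRCD_BUFFER_SIZE and
 * the fixed 12-byte overhead reserved around the CTCP payload.  The buffer
 * size here is assumed; the real constant lives in ircII's headers. */
#define DEMO_BUFFER_SIZE 1024
#define CTCP_OVERHEAD    12

/* The computation as the advisory describes it, before the fix.  strlen()
 * returns size_t, so the whole subtraction is done in unsigned arithmetic:
 * once the nickname is longer than the space left, the result wraps to a
 * value far larger than the buffer instead of going negative.  Handing that
 * value to alloca() is what the advisory warns about; this demo only
 * returns the number so it can be inspected. */
size_t unchecked_ctcp_len(const char *to)
{
    return DEMO_BUFFER_SIZE - (CTCP_OVERHEAD + strlen(to));
}

/* Hardened form: compare before subtracting, so no wrap-around can happen.
 * Returns 1 and stores the usable payload length in *len when the nickname
 * fits; returns 0 when it does not, in which case the caller should drop the
 * request rather than allocate anything. */
int checked_ctcp_len(const char *to, size_t *len)
{
    size_t nicklen = strlen(to);

    if (nicklen >= DEMO_BUFFER_SIZE - CTCP_OVERHEAD)
        return 0;               /* nothing usable would remain */
    *len = DEMO_BUFFER_SIZE - CTCP_OVERHEAD - nicklen;
    return 1;
}

/* Builds a constructed nickname of n 'A' bytes; caller frees. */
static char *make_nick(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Exercises both computations with a nickname longer than the whole buffer,
 * the case the advisory describes.  Returns 1 when the checked version
 * rejects it and the unchecked one has wrapped past the buffer size. */
int oversized_nick_is_rejected(void)
{
    char *nick = make_nick(2000);
    size_t len = 0;
    int accepted, wrapped;

    if (nick == NULL)
        return 0;
    accepted = checked_ctcp_len(nick, &len);
    wrapped = unchecked_ctcp_len(nick) > DEMO_BUFFER_SIZE;
    free(nick);
    return accepted == 0 && wrapped;
}

int main(void)
{
    size_t len = 0;

    /* A normal nickname: both forms agree on 1024 - 12 - 4 = 1008 bytes. */
    printf("unchecked(\"nick\") = %zu\n", unchecked_ctcp_len("nick"));
    if (checked_ctcp_len("nick", &len))
        printf("checked(\"nick\")   = %zu\n", len);

    /* The rogue-server case: the unchecked value has wrapped, the checked
     * computation refuses it. */
    printf("oversized nickname rejected: %s\n",
           oversized_nick_is_rejected() ? "yes" : "no");
    return 0;
}
```

The point of the checked form is that the comparison happens while every operand is still non-negative, so it holds whether `len` is declared signed or unsigned; the patched code's `< 0` test only catches the problem if the wrapped value happens to convert to a negative signed integer.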
Comment 1 Yen-Ming Lee freebsd_committer 2003-06-01 10:29:17 UTC
State Changed
From-To: open->closed

Committed, thanks.