Security Update: Advisory -- Possible remote exploit from rogue server, exploit exists.

Summary -- ircII clients generally trust the server not to send them garbage. Validity checking on data coming from the server tends to be weak. If a rogue server sends us a ctcp request from an extremely large nickname (over about 512 bytes), epic may attempt to alloca() a negative value, which under gcc will return an invalid pointer, the contents of which will then be overwritten.

Extent -- All versions of epic4 before epic4pre2.002 are not vulnerable to this attack. All versions of epic4 since and including epic4pre2.003 are vulnerable, and this patch should be applied. Future versions of epic will include this patch.

Cause-for-alarm -- If you connect to a rogue server which has been carefully crafted to send a CTCP request from an extremely large nickname, EPIC may attempt to overwrite the stack, yielding a remote exploit for whatever user id you are running as.

Disclaimer -- All non-trivial software has bugs, of varying degrees. EPIC is no exception. All remote exploits are serious, but this is more serious because there is an exploit for this bug floating around. You should never connect to a server you do not trust.
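The length arithmetic the advisory describes, as an added example rather than code from epic4 or from the patch: the unchecked form reproduces how an oversized nick turns into a negative length, and the checked form bounds the nick before subtracting. IRCD_BUFFER_SIZE is a placeholder value (the real one lives in epic's headers), and the function names and the constructed nick are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder for the constant in epic's headers; the real value is not on the page. */
#define IRCD_BUFFER_SIZE 1024
/* The 12 bytes the patch reserves around the target name for CTCP framing. */
#define CTCP_OVERHEAD 12

/* Computation as the advisory describes it: strlen() returns size_t, so the
 * subtraction is done in unsigned arithmetic and wraps for a long nick; storing
 * the wrapped value in an int then yields a negative length, which is what
 * epic handed to alloca(). */
int ctcp_reply_len_unchecked(const char *to)
{
    int len = IRCD_BUFFER_SIZE - (CTCP_OVERHEAD + strlen(to));
    return len;
}

/* Hardened form: bound-check the nick length before subtracting, entirely in
 * size_t, so no wrap-around or signed conversion is involved.  Returns 0 when
 * the reply cannot fit (the caller should drop it, as the patch's `return;`
 * does), otherwise the usable buffer length. */
size_t ctcp_reply_len_checked(const char *to)
{
    size_t tolen = strlen(to);
    if (tolen >= IRCD_BUFFER_SIZE - CTCP_OVERHEAD)
        return 0;
    return IRCD_BUFFER_SIZE - CTCP_OVERHEAD - tolen;
}

/* Constructed test input: a nick of n bytes of 'a', standing in for the
 * oversized nickname the advisory talks about. */
char *make_nick(size_t n)
{
    char *nick = malloc(n + 1);
    if (!nick)
        return NULL;
    memset(nick, 'a', n);
    nick[n] = '\0';
    return nick;
}

int main(void)
{
    char *big = make_nick(1500);
    printf("unchecked: %d\n", ctcp_reply_len_unchecked(big)); /* negative */
    printf("checked:   %zu\n", ctcp_reply_len_checked(big));  /* 0: reply dropped */
    free(big);
    return 0;
}
```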
Fix: Bumped PORTREVISION; note the newly added file, patch-ctcp.c, which should go into epic4/files/.

== files/patch-ctcp.c ==
/* Make sure that the final \001 doesnt get truncated */ - len = IRCD_BUFFER_SIZE - (12 + strlen(to)); + if ((len = IRCD_BUFFER_SIZE - (12 + strlen(to))) < 0) + return; putbuf2 = alloca(len); if (format)

Index: epic4/Makefile =================================================================== RCS file: /home/ncvs/ports/irc/epic4/Makefile,v retrieving revision 1.45 diff -u -r1.45 Makefile --- epic4/Makefile 23 Mar 2003 06:21:54 -0000 1.45 +++ epic4/Makefile 27 May 2003 15:00:36 -0000 @@ -8,7 +8,7 @@ PORTNAME= epic4 PORTVERSION= 1.0.1 # Make these variables overridable for slave ports -PORTREVISION?= 2 +PORTREVISION?= 3 CATEGORIES?= irc ipv6 MASTER_SITES= http://ftp.prbh.org/pub/epic/EPIC4-PRODUCTION/ \ ftp://ftp.icm.edu.pl/vol/rzm0/irc/EPIC/%SUBDIR%/ \
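Review bot: the `< 0` test in the patch-ctcp.c hunk only rejects an oversized `to` if `len` is a signed type, and its declaration is not shown here; `strlen(to)` is `size_t`, so `IRCD_BUFFER_SIZE - (12 + strlen(to))` is computed unsigned and the negative value only appears through the conversion into a signed `len`, which the C standard leaves implementation-defined. Checking before subtracting removes that dependency, e.g. `if (strlen(to) + 12 >= IRCD_BUFFER_SIZE) return;` followed by the original assignment. The bare `return;` also drops the CTCP reply silently; emitting a message when that happens would make the condition visible to the user instead of looking like a lost reply.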
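Review bot: the PORTREVISION bump from 2 to 3 in the Makefile hunk is the right response to a patch that changes the built binary, but the attached diff contains only that Makefile change: the new `files/patch-ctcp.c` named in the Fix text is not part of the diff (a `cvs diff` does not show files that were never added), so the committer has to add it by hand, and the fragment quoted above lacks the `---`/`+++` file headers and `@@` hunk header that the ports patch step needs in order to apply it.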
State Changed From-To: open->closed

Committed, thanks.