Bug#: 24860
Status: CLOSED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Gerardo Di Giacomo <gerardo@gife.org>

Filename Description Type Creator Created Size Actions
whois.diff Simple workaround patch Gerardo Di Giacomo 2003-07-20 03:16 0000 404 bytes Details | Diff
whois.diff Simple workaround patch Gerardo Di Giacomo 2003-07-20 03:16 0000 404 bytes Details | Diff



Description:   Opened: 2003-07-20 03:09 0000
There's a buffer overflow in the whois client.

*  net-misc/whois
      Latest version available: 4.6.6
      Latest version installed: 4.6.6
      Size of downloaded files: 44 kB
      Homepage:    http://www.linux.it/~md/software/
      Description: improved Whois Client


astharot@astharot astharot $ whois -g `perl -e "print 'a'x2000"`
Segmentation fault
astharot@astharot astharot $ gdb whois
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(no debugging symbols found)...
(gdb) r -g `perl -e "print 'a'x2000"`
Starting program: /usr/bin/whois -g `perl -e "print 'a'x2000"`
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x400e5cdd in _getopt_internal () from /lib/libc.so.6

Whois is not setuid, so it's not a security problem. But it's a bug :)

------- Comment #1 From Gerardo Di Giacomo 2003-07-20 03:16:36 0000 -------
Created an attachment (id=14742) [details]
Simple workaround

------- Comment #2 From Gerardo Di Giacomo 2003-07-20 03:16:54 0000 -------
Created an attachment (id=14743) [details]
Simple workaround

------- Comment #3 From Gerardo Di Giacomo 2003-07-22 04:22:35 0000 -------
I tested this bug on Slackware and SuSE too, so I think that the original
version is bugged too.

------- Comment #4 From solar 2003-08-10 23:31:04 0000 -------
Ok so looking at the whois code, there seems to be quite a few ways to overflow
it. I've written a little patch which should address this. I'm also removing
all the older exploitable versions of whois from the portage tree.

------- Comment #5 From solar 2003-08-10 23:41:54 0000 -------
fixed in whois-4.6.6-r1

------- Comment #6 From Martin Holzer (RETIRED) 2003-08-10 23:56:55 0000 -------
could you send this patch upstream ?

------- Comment #7 From solar 2003-08-11 09:36:25 0000 -------
Patch sent upstream.

Informed md@toglimi.linux.it that we will wait 36 hrs from 3:30am EST Aug 11 before sending out any GLSAs about this.

If however another distro pops up and all of a sudden fixes this then we should not delay.

------- Comment #8 From solar 2003-08-11 09:37:22 0000 -------
md@toglimi.linux.it bounced mail 
resent to md@linux.it

------- Comment #9 From solar 2003-08-11 12:13:34 0000 -------
From: 	Marco d'Itri <md@Linux.IT>
To: 	Ned Ludd <solar@gentoo.org>
Cc: 	mholzer@gentoo.org, gerardo@gife.org
Subject: 	Re: Buffer Overflow Vulnerability (whois <=4.6.6)
Date: 	Mon, 11 Aug 2003 18:40:13 +0200	
On Aug 11, Ned Ludd <solar@gentoo.org> wrote:

 >It seems that the whois code 4.6.6 and prior contains some buffer
 >overflows.
It's *full* of buffer overflows, there are more reported in the debian
BTS. But whois is not suid and not supposed to be fed untrusted input,
so I do not consider this a security problem. The correct solution would
be to rewrite it to use some dynamically allocated strings package.
I thought this was documented but now I see it's not, so I added a "BUGS"
section to the man page.

-- 
ciao, |
Marco | [1249 arQAiFfnnGDUM]

------- Comment #10 From solar 2003-08-11 12:19:12 0000 -------
UNRESOLVING FIXED STATUS ON THIS BUG

I'm somewhat disappointed the author does not consider this a security problem. I hate to say it but regardless of whether the manpage says there are bugs, we all know that there are plenty of existing whois.{cgi,php,pl,etc} out there that call whois on the command line.

I've searched the debian bug tracking system and came up with this.

whois does not check for memory allocation success
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=135822

I'll be adding Matt Kraai's <kraai@debian.org> xmalloc/xrealloc patch
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=135822&msg=3&att=0

------- Comment #11 From solar 2003-08-11 13:32:04 0000 -------
whois also did not check the return values of malloc and realloc to ensure that
they succeeded, which can lead to unexpected results including segfaults. So
I merged the last gentoo-security.patch with Matt Kraai's idea from Debian
bug report #135822 to form the gentoo-security-2.patch

whois-4.6.6-r2 is now the current in portage.
I expect all future updates to whois to need auditing before any version bumps.
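
Added illustration, not the whois source and not the Gentoo or Debian patch referred to above: it shows the two fixes this bug converged on, a checked xmalloc/xrealloc wrapper so an allocation failure is reported instead of handed back as NULL, and option handling that either refuses an over-long -g argument or copies it into a heap buffer sized to the input, the way the rewrite to dynamically allocated strings suggested in comment #9 would. SERVER_MAX, the function names and the 2000-byte 'a' input are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative code only: not the whois source, and not the Gentoo or
 * Debian patch. Function names and sizes below are hypothetical. */

/* Checked allocation wrappers in the spirit of xmalloc/xrealloc. Failure
 * is fatal and reported instead of returning NULL to be dereferenced. */
static void *xmalloc(size_t n)
{
    void *p = malloc(n ? n : 1);
    if (p == NULL) {
        fprintf(stderr, "out of memory allocating %zu bytes\n", n);
        exit(EXIT_FAILURE);
    }
    return p;
}

static void *xrealloc(void *old, size_t n)
{
    void *p = realloc(old, n ? n : 1);
    if (p == NULL) {
        fprintf(stderr, "out of memory growing to %zu bytes\n", n);
        exit(EXIT_FAILURE);
    }
    return p;
}

/* Hypothetical size a client might give a stack buffer for the -g server
 * name; the real whois uses its own sizes. */
#define SERVER_MAX 64

/* Bounded variant: refuses, rather than truncates or overflows, when the
 * argument does not fit. Returns 0 on success, -1 when rejected. */
int copy_server_bounded(char *dst, size_t dstsize, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= dstsize)
        return -1;      /* the 2000-byte argument from the report lands here */
    memcpy(dst, arg, len + 1);
    return 0;
}

/* Dynamic variant: a heap copy sized to the input, so no length is "too
 * long". Caller frees the result. */
char *copy_server_dynamic(const char *arg)
{
    size_t len = strlen(arg);
    char *dst = xmalloc(len + 1);
    memcpy(dst, arg, len + 1);
    return dst;
}

/* Joins argv-style pieces with single spaces into a buffer grown with
 * xrealloc, as a query line would be assembled before being sent to the
 * server. Caller frees the result. */
char *build_query(const char *const *parts, size_t nparts)
{
    size_t cap = 32, used = 0;
    char *buf = xmalloc(cap);
    buf[0] = '\0';
    for (size_t i = 0; i < nparts; i++) {
        size_t need = used + strlen(parts[i]) + 2;   /* separator + NUL */
        if (need > cap) {
            while (need > cap)
                cap *= 2;
            buf = xrealloc(buf, cap);
        }
        if (i > 0)
            buf[used++] = ' ';
        strcpy(buf + used, parts[i]);
        used += strlen(parts[i]);
    }
    return buf;
}

/* Constructs the reporter's test input: n copies of 'a'. Caller frees. */
char *make_long_arg(size_t n)
{
    char *s = xmalloc(n + 1);
    memset(s, 'a', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char fixed[SERVER_MAX];
    char *big = make_long_arg(2000);
    printf("bounded copy of 2000 bytes: %s\n",
           copy_server_bounded(fixed, sizeof fixed, big) == 0 ? "ok" : "rejected");
    char *dyn = copy_server_dynamic(big);
    printf("dynamic copy length: %zu\n", strlen(dyn));
    const char *parts[] = { "-g", big, "example.org" };
    char *q = build_query(parts, 3);
    printf("query length: %zu\n", strlen(q));
    free(q);
    free(dyn);
    free(big);
    return 0;
}
```

Build with cc -std=c99 -Wall; the 2000-byte argument from the original report is rejected by the bounded copy and accepted by the dynamic one, and build_query grows its buffer through xrealloc rather than assuming a maximum line length.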

------- Comment #12 From Martin Holzer (RETIRED) 2003-08-11 13:34:30 0000 -------
Marco d'Itri <md@Linux.IT>
should be happy and use this version as base for his next official release

------- Comment #13 From solar 2003-08-11 14:03:50 0000 -------
These bugs have been present in whois from at least version 4.5.18 to current.

Theoretical impact is medium-low as Gentoo does not install whois by default and no known exploit exists to take advantage of this.

whois is part of Gentoo, Slackware, Debian, Mandrake, SuSE, PLD and other Linux distributions.

A GLSA can be sent out when we are ready.

------- Comment #14 From solar 2003-08-11 14:04:27 0000 -------
Reassign bug to security@gentoo.org

------- Comment #15 From Martin Holzer (RETIRED) 2003-08-26 02:10:29 0000 -------
closing as fixed

------- Comment #16 From Martin Holzer (RETIRED) 2003-08-26 02:10:49 0000 -------
thx 4 great work solar

------- Comment #17 From solar 2003-08-29 22:58:42 0000 -------
Anybody ever see a GLSA go out about this?

------- Comment #18 From solar 2003-09-03 10:54:07 0000 -------
*** Bug 27849 has been marked as a duplicate of this bug. ***
