Bug 46856 - net-irc/xchat 2.0.x Socks5 Vulnerability
Summary: net-irc/xchat 2.0.x Socks5 Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All All
Importance: Highest blocker
Assignee: Gentoo Security
Reported: 2004-04-05 07:18 UTC by foser (RETIRED)
Modified: 2004-09-22 21:44 UTC
Description foser (RETIRED) gentoo-dev 2004-04-05 07:18:42 UTC
http://mail.nl.linux.org/xchat-announce/2004-04/msg00000.html (patch available)

XChat's Socks-5 proxy code is vulnerable to a remote exploit. To
successfully exploit the code, you would need to enable socks5 
traversal (default off) and connect to the attacker's own custom
proxy server.

If you never intend to use a Socks5 proxy, you are not affected at
all by this issue.
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-04-05 07:20:23 UTC
net-irc herd -- can you patch/bump as appropriate?

security: This sounds like a very low-risk vuln.  
Comment 2 Chuck Short (RETIRED) gentoo-dev 2004-04-05 08:05:24 UTC
Done
Comment 3 Chuck Short (RETIRED) gentoo-dev 2004-04-05 08:05:29 UTC
Done
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-04-07 08:44:43 UTC
Setting component to Security as this is a vulnerability.
Comment 5 solar (RETIRED) gentoo-dev 2004-04-08 02:05:25 UTC
Socks5 proxy usage is pretty common; I'd raise the risk factor
up a little, as this bug leads to a stack being overflowed remotely.
Comment 6 Kurt Lieber (RETIRED) gentoo-dev 2004-04-08 02:12:41 UTC
The patch was applied without version bumping the xchat packages.  Thus, users who have xchat installed already will not necessarily install this new version.

Please version bump things so users will pick them up as a normal part of 'emerge -u world'
Comment 7 Kurt Lieber (RETIRED) gentoo-dev 2004-04-08 02:13:17 UTC
changed to p1/blocker since this is preventing us from issuing the GLSA.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-04-13 03:50:46 UTC
Apparently zul has provided the requested ebuilds:

x86, sparc, hppa, ia64 should upgrade to 2.0.7-r1
ppc should upgrade to 2.0.1-r1
amd64 should upgrade to 2.0.6-r2

affected 2.0.1, 2.0.6 and 2.0.7 should be removed.
Ready for the GLSA.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-04-14 12:20:46 UTC
For simplicity's sake (and glsa-check compatibility), it would be better if the latest (2.0.8-r1) was marked stable on all arches. Let's try :)

Arches: please test the latest and mark stable if it works
Thanks in advance,

-K
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2004-04-14 13:08:49 UTC
2.0.8-r1 marked stable on sparc.
Comment 11 Jon Portnoy (RETIRED) gentoo-dev 2004-04-14 14:00:07 UTC
Stable on AMD64.
Comment 12 Luca Barbato gentoo-dev 2004-04-14 14:26:24 UTC
Stable on ppc too
Comment 13 Stephen Becker (RETIRED) gentoo-dev 2004-04-14 19:28:40 UTC
Stable on mips.
Comment 14 Bryan Østergaard (RETIRED) gentoo-dev 2004-04-15 03:06:16 UTC
Stable on Alpha.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-04-15 05:42:07 UTC
Still waiting on x86 stable before GLSA release.

For what it's worth, it works for me (2.0.8-r1 / x86) :)
-K
Comment 16 Chuck Short (RETIRED) gentoo-dev 2004-04-15 06:02:39 UTC
Stable on x86.
Comment 17 foser (RETIRED) gentoo-dev 2004-04-15 07:01:08 UTC
All arches that provide the gtk1 version (1.8) also need to mark the 1.8.11-r1 release stable. These are ppc & sparc.

Both versions (gtk 1 & 2) apparently are vulnerable; I assume Zul did test this when he added the patch. This also needs to be noted in the GLSA.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2004-04-15 07:40:59 UTC
foser:
On ppc and sparc, as far as I can tell, 1.8.* was always ~.

The only arches where it has been marked stable are x86 and alpha, and on these arches 1.8.11-r1 is stable.

Please correct me if I miss something, but if I'm right then this bug is ready for a GLSA. We will add something about the gtk1 version.

-K
Comment 19 Guy Martin (RETIRED) gentoo-dev 2004-04-15 08:15:27 UTC
2.0.8-r1 stable on hppa
Comment 20 foser (RETIRED) gentoo-dev 2004-04-15 08:51:14 UTC
ebuilds should not be 'always ~', this would be a good time to mark them stable (finally, I assume).

It avoids confusion: all stable versions (gtk1&2) on all arches are safe (if someone cleans up the older ones).
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2004-04-19 02:38:29 UTC
GLSA 200404-15 is out -- closing
Comment 22 foser (RETIRED) gentoo-dev 2004-04-19 02:52:09 UTC
I actually think that this GLSA lacks, because it says xchat-2.0.x all over the place, while it's also a 1.8.x bug. That only gets a short note. Someone with 1.8 probably skipped over this report just by reading the subject. It's not even in the affected packages bit. I'm a bit disappointed that while I raised this issue 2 times here, it hardly got any serious attention.
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2004-04-20 00:32:17 UTC
You're right, the title is misleading, it would have been much better to talk about "xchat" rather than "xchat 2.0.x".

On a more general note, we had to balance glsa-check compatibility and gtk1 specific information, and since the gtk1 version is ~ (and we don't issue GLSA for ~) I decided on the short note in resolution form.

This brings up a bigger problem, which is that current GLSAs with glsa-check compatibility do not allow for complex per-version resolution paths. For this one we would have needed something like:

affected : (v <= 1.8.11) OR (2.0.0 <= v <= 2.0.8)
unaffected : (1.8.11-r1 <= v < 2.0.0) OR (2.0.8-r1 < v)

This is not supported. The only way to do it with the current GLSA/glsa-check system is to have two separate packages: xchat1 and xchat2. I will bring up the problem on the security list to have a better solution the next time we have such a problem.
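
Added example (not part of this bug thread, and not glsa-check or Portage code): a small evaluator for the kind of disjunctive "affected" expression Comment 23 describes, run over versions mentioned in this bug. The version parser is a simplified assumption that handles only dotted integers with an optional `-rN` revision; the function names are hypothetical.

```python
import re

# Simplified Gentoo-style version: dotted integers plus an optional -rN
# revision. Real Portage versions also allow letters and _alpha/_pre/_rc/_p
# suffixes; this sketch rejects them rather than guess at their ordering.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(text):
    """Return ((major, minor, ...), revision) so tuples compare in order."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, int(m.group(2) or 0)


def in_range(version, low=None, high=None):
    """Inclusive range test; None means the range is open on that side."""
    v = parse_version(version)
    if low is not None and v < parse_version(low):
        return False
    if high is not None and v > parse_version(high):
        return False
    return True


# The "affected" expression from Comment 23, as ranges ORed together:
#   (v <= 1.8.11) OR (2.0.0 <= v <= 2.0.8)
AFFECTED_RANGES = [(None, "1.8.11"), ("2.0.0", "2.0.8")]


def is_affected(version, ranges=AFFECTED_RANGES):
    return any(in_range(version, low, high) for low, high in ranges)


def audit(installed):
    """Map each installed version to True if the expression flags it."""
    return {version: is_affected(version) for version in installed}


if __name__ == "__main__":
    # Constructed sample: versions named in this bug's comments.
    for version, flagged in audit(
        ["1.8.11", "1.8.11-r1", "2.0.7-r1", "2.0.8", "2.0.8-r1"]
    ).items():
        print(f"xchat-{version}: {'AFFECTED' if flagged else 'ok'}")
```

Because a revision sorts above its base version, 1.8.11-r1 and 2.0.8-r1 fall outside both ranges, while 2.0.7-r1 still sorts inside 2.0.0..2.0.8 and is flagged by the expression as written.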