Created attachment 14742 [details, diff]
Simple workaround

Created attachment 14743 [details, diff]
Simple workaround

I tested this bug on Slackware and SuSE too, so i think that the original version is bugged too.

Comment 4 solar (RETIRED) 2003-08-10 23:31:04 UTC

Ok so looking at the whois code, there seems to be quite a few ways to overflow it. I've written a little patch which should address this. I'm also removing all the older exploitable versions of whois from the portage tree.

Comment 5 solar (RETIRED) 2003-08-10 23:41:54 UTC

fixed in whois-4.6.6-r1

Comment 6 Martin Holzer (RETIRED) 2003-08-10 23:56:55 UTC

could you send this patch upstream ?

Comment 7 solar (RETIRED) 2003-08-11 09:36:25 UTC

Patch sent upstream.

Informed md@toglimi.linux.it that we will wait 36 hrs from 3:30am EST Aug 11 before sending out any GLSA's about this.

If however another distro pops up and all the sudden fixes this then we should not delay.

Comment 8 solar (RETIRED) 2003-08-11 09:37:22 UTC

md@toglimi.linux.it bounced mail 
resent to md@linux.it

Comment 9 solar (RETIRED) 2003-08-11 12:13:34 UTC

From: 	Marco d'Itri <md@Linux.IT>
To: 	Ned Ludd <solar@gentoo.org>
Cc: 	mholzer@gentoo.org, gerardo@gife.org
Subject: 	Re: Buffer Overflow Vulnerability (whois <=4.6.6)
Date: 	Mon, 11 Aug 2003 18:40:13 +0200	
On Aug 11, Ned Ludd <solar@gentoo.org> wrote:

 >It seems that the whois code 4.6.6 and prior contains some buffer
 >overflows.
It's *full* of buffer overflows, there are more reported in the debian
BTS. But whois is not suid and not supposed to be feed untrusted input,
so I do not consider this a security problem. The correct solution would
be to rewrite it to use some dynamically allocated strings package.
I tought this was documented but now I see it's not, so I added a "BUGS"
section to the man page.

-- 
ciao, |
Marco | [1249 arQAiFfnnGDUM]

Comment 10 solar (RETIRED) 2003-08-11 12:19:12 UTC

UNRESOLVING FIXED STATUS ON THIS BUG

I'm somewhat disappointed the author does not consider this a security problem. I hate to say it but regardless if the manpage says there is bugs we all know that there are plenty of existing whois.{cgi,php,pl,etc} out there that call whois on the command line.

I've search the debian bug tracking system and came up with this.

whois does not check for memory allocation success
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=135822

I'll be adding Matt Kraai <kraai@debian.org> xmalloc,xrealloc patch
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=135822&msg=3&att=0

Comment 11 solar (RETIRED) 2003-08-11 13:32:04 UTC

whois also did not check the return values of malloc and realloc to ensure that
they succeeded which can lead to unexpected results including segfaults. So
I merged the last gentoo-security.patch with Matt Kraai's idea from debian
bug report - #135822 to form the gentoo-security-2.patch

whois-4.6.6-r2 is now the current in portage.
I all expect future updates to whois to need auditing before any version bumps.

Comment 12 Martin Holzer (RETIRED) 2003-08-11 13:34:30 UTC

Marco d'Itri <md@Linux.IT>
should be happy and use this version as base for his next official release

Comment 13 solar (RETIRED) 2003-08-11 14:03:50 UTC

These bugs have been present in whois from atleast version 4.5.18 to current.

theoretical impact is medium-low as gentoo does not install whois by default and no known exploit exists to take advantage of this.

whois is part of gentoo, slackware, debian, mandrake, suse, PLD and other Linux distributions.

A GLSA can be sent out when we are ready.

Comment 14 solar (RETIRED) 2003-08-11 14:04:27 UTC

Reassign bug to security@gentoo.org

Comment 15 Martin Holzer (RETIRED) 2003-08-26 02:10:29 UTC

closing as fixed

Comment 16 Martin Holzer (RETIRED) 2003-08-26 02:10:49 UTC

thx 4 great work solar

Comment 17 solar (RETIRED) 2003-08-29 22:58:42 UTC

Anybody ever see a GLSA go out about this?

Comment 18 solar (RETIRED) 2003-09-03 10:54:07 UTC

*** Bug 27849 has been marked as a duplicate of this bug. ***