Summary: | Buffer overflow in whois client
---|---
Product: | Gentoo Linux
Reporter: | Gerardo Di Giacomo <gerardo>
Component: | Current packages
Assignee: | Gentoo Security <security>
Status: | VERIFIED FIXED
Severity: | critical
CC: | raimund, security, solar
Priority: | Lowest
Version: | unspecified
Hardware: | x86
OS: | Linux
Whiteboard: |
Package list: |
Runtime testing required: | ---
Attachments: | Simple workaround (attachment 14742); Simple workaround (attachment 14743)
Description

Gerardo Di Giacomo 2003-07-20 03:09:00 UTC

Created attachment 14742: Simple workaround
Created attachment 14743: Simple workaround
I tested this bug on Slackware and SuSE too, so I think that the original version is bugged too.

Ok, so looking at the whois code, there seem to be quite a few ways to overflow it. I've written a little patch which should address this. I'm also removing all the older exploitable versions of whois from the portage tree.

Fixed in whois-4.6.6-r1. Could you send this patch upstream?

Patch sent upstream. Informed md@toglimi.linux.it that we will wait 36 hrs from 3:30am EST Aug 11 before sending out any GLSAs about this. If however another distro pops up and all of a sudden fixes this, then we should not delay.

md@toglimi.linux.it bounced; mail resent to md@linux.it

From: Marco d'Itri <md@Linux.IT>
To: Ned Ludd <solar@gentoo.org>
Cc: mholzer@gentoo.org, gerardo@gife.org
Subject: Re: Buffer Overflow Vulnerability (whois <=4.6.6)
Date: Mon, 11 Aug 2003 18:40:13 +0200

On Aug 11, Ned Ludd <solar@gentoo.org> wrote:
> It seems that the whois code 4.6.6 and prior contains some buffer
> overflows.
It's *full* of buffer overflows, there are more reported in the debian BTS. But whois is not suid and not supposed to be fed untrusted input, so I do not consider this a security problem. The correct solution would be to rewrite it to use some dynamically allocated strings package. I thought this was documented but now I see it's not, so I added a "BUGS" section to the man page.

-- 
ciao, | Marco | [1249 arQAiFfnnGDUM]

UNRESOLVING FIXED STATUS ON THIS BUG

I'm somewhat disappointed the author does not consider this a security problem. I hate to say it, but regardless of whether the manpage says there are bugs, we all know that there are plenty of existing whois.{cgi,php,pl,etc} out there that call whois on the command line. I've searched the debian bug tracking system and came up with this:

whois does not check for memory allocation success
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=135822

I'll be adding Matt Kraai <kraai@debian.org>'s xmalloc,xrealloc patch
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=135822&msg=3&att=0

whois also did not check the return values of malloc and realloc to ensure that they succeeded, which can lead to unexpected results including segfaults. So I merged the last gentoo-security.patch with Matt Kraai's idea from debian bug report #135822 to form the gentoo-security-2.patch. whois-4.6.6-r2 is now the current in portage. I expect all future updates to whois to need auditing before any version bumps. Marco d'Itri <md@Linux.IT> should be happy and use this version as base for his next official release.

These bugs have been present in whois from at least version 4.5.18 to current. Theoretical impact is medium-low as gentoo does not install whois by default and no known exploit exists to take advantage of this. whois is part of gentoo, slackware, debian, mandrake, suse, PLD and other Linux distributions. A GLSA can be sent out when we are ready.

Reassign bug to security@gentoo.org

Closing as fixed, thx 4 great work solar

Anybody ever see a GLSA go out about this?

*** Bug 27849 has been marked as a duplicate of this bug. ***
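The two fixes the thread converges on, checked allocation (the xmalloc/xrealloc idea from Debian bug #135822) and dynamically allocated strings instead of fixed buffers (Marco d'Itri's suggested rewrite), as an added C example that is neither the whois project's code nor either patch: `strbuf`, `sb_append`, `build_query` and `long_arg_check` are names chosen here, and the 5000-byte argument is constructed input for the check.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Wrappers in the spirit of the xmalloc/xrealloc patch: a failed allocation
 * aborts instead of handing a NULL pointer on to the string code. */
static void *xrealloc(void *old, size_t n)
{
    void *p = realloc(old, n ? n : 1);
    if (!p) { fputs("whois: out of memory\n", stderr); exit(EXIT_FAILURE); }
    return p;
}
static void *xmalloc(size_t n) { return xrealloc(NULL, n); }
/* Growable string (strbuf is a name chosen here) standing in for the fixed
 * char buf[N] that strcpy/strcat overrun when the query is untrusted. */
typedef struct { char *data; size_t len, cap; } strbuf;
static void sb_append(strbuf *sb, const char *s, size_t n)
{
    /* len + n + 1 must not wrap around, or the capacity check below lies */
    if (n > SIZE_MAX - sb->len - 1) { fputs("whois: input too long\n", stderr); exit(EXIT_FAILURE); }
    if (sb->len + n + 1 > sb->cap) {            /* grow geometrically */
        size_t cap = sb->cap ? sb->cap : 64;
        while (cap < sb->len + n + 1) cap = cap > SIZE_MAX / 2 ? SIZE_MAX : cap * 2;
        sb->data = xrealloc(sb->data, cap);     /* realloc(NULL, n) acts as malloc */
        sb->cap = cap;
    }
    memcpy(sb->data + sb->len, s, n);
    sb->len += n;
    sb->data[sb->len] = '\0';
}
/* Build the "<arg>\r\n" query line for an argument of any length; caller frees. */
char *build_query(const char *arg)
{
    strbuf sb = { NULL, 0, 0 };
    sb_append(&sb, arg, strlen(arg));
    sb_append(&sb, "\r\n", 2);
    return sb.data;
}
/* Push a constructed 5000-byte argument through build_query; 1 if intact. */
int long_arg_check(void)
{
    char *arg = xmalloc(5001), *q;
    memset(arg, 'A', 5000); arg[5000] = '\0';
    q = build_query(arg);
    int ok = strlen(q) == 5002 && memcmp(q, arg, 5000) == 0 && strcmp(q + 5000, "\r\n") == 0;
    free(arg); free(q);
    return ok;
}
```

A CGI wrapper passing a user-supplied name to this path gets a clean "input too long" or "out of memory" exit rather than a stack or heap write past the end of a fixed array.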