| Summary: | malformed dcc send requests in xchat-2.0.6 lead to a denial of service | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Nicolai Lissner <nlissne> |
| Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | gnome |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | http://sourceforge.net/tracker/index.php?func=detail&atid=100239&aid=858539&group_id=239 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | New ebuild to fix crash, requires patch..also attached.; digest file for the ebuild.; Patch to xchat-2.0.6 to fix crash.; Another patch option | | |
Description
Nicolai Lissner
2003-12-11 13:41:31 UTC
hard masking just so we know: the exploit was discovered by lloydbates in #gentoo/#gentoo.de: Martin Wienold University of Dortmund - Germany

Created attachment 22105 [details]
New ebuild to fix crash, requires patch..also attached.
Fixes the crash.

Created attachment 22106 [details]
digest file for the ebuild.
Another part of the fix.

Created attachment 22107 [details, diff]
Patch to xchat-2.0.6 to fix crash.
Patch to fix crash.

Created attachment 22110 [details, diff]
Another patch option
This way would consider the exploit a malformed dcc request and process accordingly.

Comment on attachment 22105 [details]
New ebuild to fix crash, requires patch..also attached.
Change MIME type so file is viewable online.

2.0.6-r1 with fix committed to portage. (should hit rsync mirrors in 20 mins) Leaving hardmasked till some testing can be done. If patch works then please report and submit patch upstream.

Mailed upstream author zed at xchat

Please wait till the 15th before sending any GLSAs out about this one in order to allow upstream to fix and announce to other distros.

rac provided me with instructions on how to unmask the hard mask or whatever. With my permission he tried the exploit on me with 2.0.6 unpatched, and my client immediately died. After the update in portage (2.0.6-r1), he tried it on me, and I got the malformed packet message. This works for me. Keep up the great work, people! Here's to the speed of Open Source security.

```
# emerge info
Portage 2.0.49-r7 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1, 2.4.23)
=================================================================
System uname: 2.4.23 i686 AMD Athlon(TM) XP 1800+
distcc 2.11 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.2 [enabled]
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer -funroll-loops -fprefetch-loop-arrays -pipe -mmmx -msse -m3dnow -mfpmath=sse,387"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/config /usr/kde/3/share/config /var/bind /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer -funroll-loops -fprefetch-loop-arrays -pipe -mmmx -msse -m3dnow -mfpmath=sse,387"
DISTDIR="/usr/portage/distfiles"
FEATURES="sandbox autoaddcvs buildpkg ccache notitles"
GENTOO_MIRRORS="http://gentoo.noved.org/ http://mirrors.tds.net/gentoo http://cudlug.cudenver.edu/gentoo/ http://mirror.tucdemonic.org/gentoo/ http://www.gtlib.cc.gatech.edu/pub/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="x86 oss apm avi crypt cups foomaticdb gif jpeg libg++ libwww mad mikmod mpeg ncurses nls png quicktime spell xml2 xv zlib alsa gdbm berkdb slang readline aalib svga java sdl tcpd pam ssl python imlib qt motif opengl mozilla ldap X gtk gtk2 gpm gnome 3dnow cdr encode kde mmx oggvorbis pdflib perl sse tiff truetype xmms -arts -esd -ipv6"
```

Now from xchat website.

-----------------------------------------------------------------------
Latest News - 13-DEC-2003
A bug discovered in 2.0.6 allows a remote user to crash the client. All users should upgrade to a patched 2.0.6 immediately. If you compiled from source, a patch is available here. If you used a binary, look for an updated version from your distribution.
------------------------------------------------------------------------

We can GLSA this one now. -solar

glsa sent by klieber as:
---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-06
---------------------------------------------------------------------------
GLSA: 200312-06
Package: net-irc/xchat
Summary: Malformed dcc send requests in xchat-2.0.6 lead to a denial of
service
Severity: medium
Gentoo bug: 35623
Date: 2003-12-14
CVE: none
Exploit: remote
Affected: =2.0.6
Fixed: >=2.0.6-r1
DESCRIPTION:
There is a remotely exploitable bug in xchat 2.0.6 that could lead to a denial
of service attack. This is caused by sending a malformed DCC packet to xchat
2.0.6, causing it to crash. Versions prior to 2.0.6 do not appear to be
affected by this bug.
For more information, please see:
http://mail.nl.linux.org/xchat-announce/2003-12/msg00000.html
SOLUTION:
For Gentoo users, xchat-2.0.6 was marked ~arch (unstable) for most
architectures. Since it was never marked as stable in the portage tree, only
xchat users who have explicitly added the unstable keyword to ACCEPT_KEYWORDS
are affected. Users may update affected machines to the patched version of
xchat using the following commands:

```
emerge sync
emerge -pv '>=net-irc/xchat-2.0.6-r1'
emerge '>=net-irc/xchat-2.0.6-r1'
emerge clean
```
I wanted to mention that I'm impressed by the responsive reaction of the security team here. Good job to ya all.
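As an added example (not xchat's code and not any of the patches attached to this bug), a defensive parser for the standard CTCP `DCC SEND <file> <ip> <port> <size>` request that treats anything it cannot parse as a malformed request to be reported and dropped, which is the behaviour the "another patch option" above describes. It assumes the four-field form with the 0x01 CTCP delimiters already stripped; the bug does not say which malformation crashed 2.0.6, so the checks here (field count, numeric ranges, name length) are general ones rather than a reproduction of the original defect.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

struct dcc_send {
    char file[256];          /* sender-supplied name, bounded here */
    unsigned long ip;        /* IPv4 address as a 32-bit decimal, as sent on the wire */
    unsigned int port;       /* 1..65535 */
    unsigned long long size; /* advertised file size in bytes */
};

/* Parse one unsigned decimal field; reject signs, whitespace, junk and values above max. */
static int parse_num(const char *s, unsigned long long max, unsigned long long *out)
{
    char *end;
    if (!isdigit((unsigned char)*s)) return 0;
    errno = 0;
    *out = strtoull(s, &end, 10);
    return errno == 0 && *end == '\0' && *out <= max;
}

/* Returns 1 and fills *out for a well-formed "DCC SEND <file> <ip> <port> <size>"
 * (CTCP 0x01 delimiters already stripped). Returns 0 for anything malformed, which
 * the caller should report and drop instead of acting on it. */
int parse_dcc_send(const char *msg, struct dcc_send *out)
{
    char buf[512], *tok[6];
    unsigned long long v; int i;
    if (msg == NULL || strlen(msg) >= sizeof buf) return 0;
    strcpy(buf, msg); /* safe: bounded by the length check above */
    for (i = 0; i < 6; i++) /* exactly six space-separated fields (strtok is not reentrant) */
        if ((tok[i] = strtok(i ? NULL : buf, " ")) == NULL) return 0;
    if (strtok(NULL, " ") != NULL) return 0; /* trailing garbage */
    if (strcmp(tok[0], "DCC") != 0 || strcmp(tok[1], "SEND") != 0) return 0;
    if (strlen(tok[2]) >= sizeof out->file || strchr(tok[2], '/') != NULL) return 0;
    if (!parse_num(tok[3], 0xFFFFFFFFULL, &v)) return 0;
    out->ip = (unsigned long)v;
    if (!parse_num(tok[4], 65535, &v) || v == 0) return 0;
    out->port = (unsigned int)v;
    if (!parse_num(tok[5], ~0ULL, &v)) return 0;
    out->size = v;
    strcpy(out->file, tok[2]);
    return 1;
}

/* Verdict-only helper: the port on success, -1 when the request is malformed. */
int dcc_send_port(const char *msg)
{
    struct dcc_send d;
    return parse_dcc_send(msg, &d) ? (int)d.port : -1;
}
```

A client built this way prints its "malformed packet" message whenever the parser returns 0 and never touches the unparsed fields, so a crafted request is logged rather than acted upon.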