Bug 183149 - net-irc/bitchx < 1.1 Hooks command execution (CVE-2007-3360)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://milw0rm.com/exploits/4087
Whiteboard: B3 [noglsa] aetius
Reported: 2007-06-25 14:22 UTC by Matt Drew (RETIRED)
Modified: 2007-07-22 18:52 UTC

Description Matt Drew (RETIRED) gentoo-dev 2007-06-25 14:22:10 UTC
http://secunia.com/advisories/25759/

bitchx allows the server to execute some commands on the client that could be exploited via a bounds-checking error to execute shell code on the client.
Comment 1 Matt Drew (RETIRED) gentoo-dev 2007-06-25 14:26:15 UTC
Technically this would rate a B2, but how many people could really be enticed to visit unknown IRC servers?  Setting Status and rating B3 to force a vote.
Comment 2 Luca Barbato gentoo-dev 2007-07-17 10:52:16 UTC
fixed in -r4
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2007-07-17 11:34:24 UTC
Don't close security bugs
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-17 18:05:32 UTC
This one is ready for GLSA vote. I tend to vote NO.
Comment 5 Matt Drew (RETIRED) gentoo-dev 2007-07-20 02:54:34 UTC
I also vote no.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-22 18:52:47 UTC
voting no and closing. feel free to reopen if you disagree.