Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 190667 (CVE-2007-4584) - net-irc/bitchx <= 1.1 "mode" buffer overflow, Insecure file creation (CVE-2007-{4584,5839})
Summary: net-irc/bitchx <= 1.1 "mode" buffer overflow, Insecure file creation (CVE-200...
Alias: CVE-2007-4584
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Keywords: PMASKED
Depends on:
Reported: 2007-08-29 16:27 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2010-03-28 00:21 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

fix for the p_mode overflow (bitchx-1.1-p_mode-overflow.patch,440 bytes, patch)
2007-09-25 08:59 UTC, Pierre-Yves Rofes (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-29 16:27:47 UTC
bannedit has reported a vulnerability in BitchX, which can potentially be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when handling IRC MODE messages. This can be exploited to cause a buffer overflow by sending a MODE message with an overly long parameter to an affected IRC client.

Successful exploitation may allow the execution of arbitrary code, but requires that the user is tricked into connecting to a malicious server.

The vulnerability is reported in BitchX 1.1. Other versions may also be affected.

Do not connect to untrusted IRC servers.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-29 16:29:15 UTC
setting status, and waiting for upstream to provide a fix.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-09-23 13:41:01 UTC
This is CVE-2007-4584.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-24 18:48:38 UTC
Hmm, what's the status here? jokey talked of masking it few days ago, but lu_zero you wanted to keep it since you fixed the last security issue (bug 183149). So what do we do now? 
Comment 4 Luca Barbato gentoo-dev 2007-09-24 23:03:43 UTC
keep it please.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-25 08:59:57 UTC
Created attachment 131832 [details, diff]
fix for the p_mode overflow

Here's a proposed fix. But:
1) could someone confirm that my fix is correct and complete? I don't want to screw up like last time with eggdrop. bannedit, since you wrote the exploit, maybe you can?
2) There's good chances that bitchx contains other vulnerabilities, this is old unmaintained code (generates lots of warnings when compiling it).
In the end, I don't know if it really is a good idea to keep it. lu_zero, unless you *really* want to keep this, in which case I guess you should become the maintainer, I think we should just p.mask the thing.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-10-09 22:31:06 UTC
According to nion from Debian who reviewed this patch, it does not fix all the issues. His tries at fixing this were unsuccessful, too:

Lu, please advise.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-11-05 00:56:12 UTC
I'd recommend to mask and possibly last-rite it afterwards, since it does not look like this issue will be resolved by anyone.
Comment 8 Luca Barbato gentoo-dev 2007-11-05 15:40:51 UTC
Sorry, I'm back alive, I'd p.mask the package for now. I do not have time to check  if the fix is ok, bx sadly it's quite good for a number of people and I couldn't find valid replacements yet.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-11-05 18:52:22 UTC
(In reply to comment #8)
> Sorry, I'm back alive, I'd p.mask the package for now. I do not have time to
> check  if the fix is ok, bx sadly it's quite good for a number of people and I
> couldn't find valid replacements yet.

Nion reviewed the patch and the bx code and did not find an appropriate fix yet and I did not see anyone but him and us struggling with the package any more. Please p.mask for now or deal with the unfortunate task of doing the upstream work here.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 03:41:21 UTC
Another issue just popped up.

Secunia -- BitchX "e_hostname()" Insecure Temporary File Creation:
A security issue has been reported in BitchX, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to the "e_hostname()" function creating a temporary file insecurely using the "tmpnam()" function when the user issues the "HOSTNAME" or the "IRCHOST" command. This can be exploited to overwrite arbitrary files on the local system with the privileges of the user running BitchX.
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-14 22:32:29 UTC
net-irc/lu_zero, could you please p.mask this until we have a fix?
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-04 22:51:16 UTC
(In reply to comment #11)
> net-irc/lu_zero, could you please p.mask this until we have a fix?

Comment 13 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-07 18:30:35 UTC
net-irc/lu_zero please mask it, as I don't think a patch which suddenly appeared

This long of a delay is actually not acceptable.
Comment 14 Markus Ullmann (RETIRED) gentoo-dev 2008-07-07 21:31:40 UTC
Package is masked now, sorry for the delay
Comment 15 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-07 22:27:45 UTC
Danke Markus.

We need a mask glsa for this one; request filed.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-21 22:07:12 UTC
GLSA 200807-12, sorry for the delay