bannedit has reported a vulnerability in BitchX, which can potentially be exploited by malicious people to compromise a user's system.
The vulnerability is caused by a boundary error when handling IRC MODE messages. This can be exploited to cause a buffer overflow by sending a MODE message with an overly long parameter to an affected IRC client.
Successful exploitation may allow the execution of arbitrary code, but requires that the user be tricked into connecting to a malicious server.
The vulnerability is reported in BitchX 1.1. Other versions may also be affected.
Do not connect to untrusted IRC servers.
Setting status, and waiting for upstream to provide a fix.
This is CVE-2007-4584.
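The advisory above describes a fixed-size buffer receiving an overly long MODE parameter. The following is an added, constructed example (not BitchX's own code and not the attached patch) of how a MODE handler can keep bounded buffers safe: every copy is length-checked and an oversize token causes the whole line to be rejected instead of truncated or overflowed. The buffer sizes and the `parse_mode_args` name are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not BitchX's own code: a MODE handler that keeps
 * the mode string and each parameter in fixed-size buffers, the kind of buffer
 * an overly long parameter overflows when the copy is unbounded (strcpy).
 * Every copy here is length-checked; an oversize token rejects the whole line. */
#define MODE_TOKEN_MAX  64  /* hypothetical per-token limit */
#define MODE_PARAMS_MAX 8   /* hypothetical parameter-count limit */
struct mode_change {
    char modes[MODE_TOKEN_MAX];                   /* e.g. "+o-v" */
    char params[MODE_PARAMS_MAX][MODE_TOKEN_MAX]; /* e.g. "alice", "bob" */
    int nparams;
};
/* Bounded copy: returns -1 instead of writing past dst[dstlen - 1]. */
static int copy_token(char *dst, size_t dstlen, const char *src, size_t n)
{
    if (n >= dstlen) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parses the argument part of a MODE line ("#chan +o-v alice bob").
 * Returns 0 on success, -1 if a token is too long, there are too many
 * parameters, or the mode string is missing; the caller then drops the line. */
int parse_mode_args(const char *args, struct mode_change *mc)
{
    const char *p = args;
    int field = 0;              /* 0 = target, 1 = mode string, 2+ = params */
    memset(mc, 0, sizeof *mc);
    while (*p) {
        while (*p == ' ') p++;  /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ' ') p++;
        size_t n = (size_t)(p - start);
        if (field == 1) {
            if (copy_token(mc->modes, sizeof mc->modes, start, n) < 0) return -1;
        } else if (field > 1) {
            if (mc->nparams >= MODE_PARAMS_MAX ||
                copy_token(mc->params[mc->nparams], MODE_TOKEN_MAX, start, n) < 0)
                return -1;
            mc->nparams++;
        }
        field++;
    }
    return field >= 2 ? 0 : -1;
}
```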
Hmm, what's the status here? jokey talked of masking it a few days ago, but lu_zero you wanted to keep it since you fixed the last security issue (bug 183149). So what do we do now?
keep it please.
Created attachment 131832
fix for the p_mode overflow
Here's a proposed fix. But:
1) could someone confirm that my fix is correct and complete? I don't want to screw up like last time with eggdrop. bannedit, since you wrote the exploit, maybe you can?
2) There's a good chance that bitchx contains other vulnerabilities; this is old, unmaintained code (it generates lots of warnings when compiling).
In the end, I don't know if it really is a good idea to keep it. lu_zero, unless you *really* want to keep this, in which case I guess you should become the maintainer, I think we should just p.mask the thing.
According to nion from Debian who reviewed this patch, it does not fix all the issues. His tries at fixing this were unsuccessful, too:
Lu, please advise.
I'd recommend masking it and possibly last-riting it afterwards, since it does not look like this issue will be resolved by anyone.
Sorry, I'm back alive, I'd p.mask the package for now. I do not have time to check if the fix is ok, bx sadly it's quite good for a number of people and I couldn't find valid replacements yet.
(In reply to comment #8)
> Sorry, I'm back alive, I'd p.mask the package for now. I do not have time to
> check if the fix is ok, bx sadly it's quite good for a number of people and I
> couldn't find valid replacements yet.
Nion reviewed the patch and the bx code and did not find an appropriate fix yet and I did not see anyone but him and us struggling with the package any more. Please p.mask for now or deal with the unfortunate task of doing the upstream work here.
Another issue just popped up.
Secunia -- BitchX "e_hostname()" Insecure Temporary File Creation:
A security issue has been reported in BitchX, which can be exploited by malicious, local users to perform certain actions with escalated privileges.
The security issue is caused by the "e_hostname()" function creating a temporary file insecurely using the "tmpnam()" function when the user issues the "HOSTNAME" or the "IRCHOST" command. This can be exploited to overwrite arbitrary files on the local system with the privileges of the user running BitchX.
net-irc/lu_zero, could you please p.mask this until we have a fix?
(In reply to comment #11)
> net-irc/lu_zero, could you please p.mask this until we have a fix?
net-irc/lu_zero please mask it, as I don't think a patch which suddenly appeared
This long of a delay is actually not acceptable.
Package is masked now, sorry for the delay.
We need a mask glsa for this one; request filed.
GLSA 200807-12, sorry for the delay.