Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 24860 - Buffer overflow in whois client
Summary: Buffer overflow in whois client
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: x86 Linux
: Lowest critical (vote)
Assignee: Gentoo Security
: 27849 (view as bug list)
Depends on:
Reported: 2003-07-20 03:09 UTC by Gerardo Di Giacomo
Modified: 2003-09-03 10:54 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Simple workaround (whois.diff,404 bytes, patch)
2003-07-20 03:16 UTC, Gerardo Di Giacomo
Details | Diff
Simple workaround (whois.diff,404 bytes, patch)
2003-07-20 03:16 UTC, Gerardo Di Giacomo
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Gerardo Di Giacomo 2003-07-20 03:09:00 UTC
There's a buffer overflow in whois client 

*  net-misc/whois
      Latest version available: 4.6.6
      Latest version installed: 4.6.6
      Size of downloaded files: 44 kB
      Description: improved Whois Client

astharot@astharot astharot $ whois -g `perl -e "print 'a'x2000"`
Segmentation fault
astharot@astharot astharot $ gdb whois
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(no debugging symbols found)...
(gdb) r -g `perl -e "print 'a'x2000"`
Starting program: /usr/bin/whois -g `perl -e "print 'a'x2000"`
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x400e5cdd in _getopt_internal () from /lib/

Whois is not setuid, so it's not a security problem. But it's a bug :)
Comment 1 Gerardo Di Giacomo 2003-07-20 03:16:36 UTC
Created attachment 14742 [details, diff]
Simple workaround
Comment 2 Gerardo Di Giacomo 2003-07-20 03:16:54 UTC
Created attachment 14743 [details, diff]
Simple workaround
Comment 3 Gerardo Di Giacomo 2003-07-22 04:22:35 UTC
I tested this bug on Slackware and SuSE too, so i think that the original version is bugged too.
Comment 4 solar (RETIRED) gentoo-dev 2003-08-10 23:31:04 UTC
Ok so looking at the whois code, there seems to be quite a few ways to overflow it. I've written a little patch which should address this. I'm also removing all the older exploitable versions of whois from the portage tree.

Comment 5 solar (RETIRED) gentoo-dev 2003-08-10 23:41:54 UTC
fixed in whois-4.6.6-r1
Comment 6 Martin Holzer (RETIRED) gentoo-dev 2003-08-10 23:56:55 UTC
could you send this patch upstream ?
Comment 7 solar (RETIRED) gentoo-dev 2003-08-11 09:36:25 UTC
Patch sent upstream.

Informed that we will wait 36 hrs from 3:30am EST Aug 11 before sending out any GLSA's about this.

If however another distro pops up and all the sudden fixes this then we should not delay.
Comment 8 solar (RETIRED) gentoo-dev 2003-08-11 09:37:22 UTC bounced mail 
resent to
Comment 9 solar (RETIRED) gentoo-dev 2003-08-11 12:13:34 UTC
From: 	Marco d'Itri <md@Linux.IT>
To: 	Ned Ludd <>
Subject: 	Re: Buffer Overflow Vulnerability (whois <=4.6.6)
Date: 	Mon, 11 Aug 2003 18:40:13 +0200	
On Aug 11, Ned Ludd <> wrote:

 >It seems that the whois code 4.6.6 and prior contains some buffer
It's *full* of buffer overflows, there are more reported in the debian
BTS. But whois is not suid and not supposed to be feed untrusted input,
so I do not consider this a security problem. The correct solution would
be to rewrite it to use some dynamically allocated strings package.
I tought this was documented but now I see it's not, so I added a "BUGS"
section to the man page.

ciao, |
Marco | [1249 arQAiFfnnGDUM]
Comment 10 solar (RETIRED) gentoo-dev 2003-08-11 12:19:12 UTC

I'm somewhat disappointed the author does not consider this a security problem. I hate to say it but regardless if the manpage says there is bugs we all know that there are plenty of existing whois.{cgi,php,pl,etc} out there that call whois on the command line.

I've search the debian bug tracking system and came up with this.

whois does not check for memory allocation success

I'll be adding Matt Kraai <> xmalloc,xrealloc patch
Comment 11 solar (RETIRED) gentoo-dev 2003-08-11 13:32:04 UTC
whois also did not check the return values of malloc and realloc to ensure that
they succeeded which can lead to unexpected results including segfaults. So
I merged the last gentoo-security.patch with Matt Kraai's idea from debian
bug report - #135822 to form the gentoo-security-2.patch

whois-4.6.6-r2 is now the current in portage.
I all expect future updates to whois to need auditing before any version bumps.
Comment 12 Martin Holzer (RETIRED) gentoo-dev 2003-08-11 13:34:30 UTC
Marco d'Itri <md@Linux.IT>
should be happy and use this version as base for his next official release
Comment 13 solar (RETIRED) gentoo-dev 2003-08-11 14:03:50 UTC
These bugs have been present in whois from atleast version 4.5.18 to current.

theoretical impact is medium-low as gentoo does not install whois by default and no known exploit exists to take advantage of this.

whois is part of gentoo, slackware, debian, mandrake, suse, PLD and other Linux distributions.

A GLSA can be sent out when we are ready.
Comment 14 solar (RETIRED) gentoo-dev 2003-08-11 14:04:27 UTC
Reassign bug to
Comment 15 Martin Holzer (RETIRED) gentoo-dev 2003-08-26 02:10:29 UTC
closing as fixed
Comment 16 Martin Holzer (RETIRED) gentoo-dev 2003-08-26 02:10:49 UTC
thx 4 great work solar
Comment 17 solar (RETIRED) gentoo-dev 2003-08-29 22:58:42 UTC
Anybody ever see a GLSA go out about this?
Comment 18 solar (RETIRED) gentoo-dev 2003-09-03 10:54:07 UTC
*** Bug 27849 has been marked as a duplicate of this bug. ***