There seems to be an exploit to xchat-2.0.6 that makes it possible to close an xchat-client version 2.0.6 from remote by sending a malformed dcc. Look at: http://sourceforge.net/tracker/index.php?func=detail&atid=100239&aid=858539&group_id=239 This should be a good reason to hardmask this package until the bug is resolved.
hard masking
Just so we know: the exploit was discovered by lloydbates in #gentoo/#gentoo.de (Martin Wienold, University of Dortmund, Germany).
Created attachment 22105: New ebuild to fix crash, requires patch (also attached). Fixes the crash.
Created attachment 22106: digest file for the ebuild. Another part of the fix.
Created attachment 22107 (diff): Patch to xchat-2.0.6 to fix crash. Patch to fix crash.
Created attachment 22110 (diff): Another patch option. This way would consider the exploit a malformed dcc request and process accordingly.
Comment on attachment 22105 (New ebuild to fix crash, requires patch, also attached): Change MIME type so file is viewable online.
2.0.6-r1 with fix committed to portage (should hit rsync mirrors in 20 mins). Leaving hardmasked till some testing can be done. If the patch works then please report and submit the patch upstream.
Mailed upstream author zed at xchat
Please wait till the 15th before sending any GLSA's out about this one in order to allow upstream to fix and announce to other distros.
rac provided me with instructions on how to unmask the hard mask or whatever. With my permission he tried the exploit on me with 2.0.6 unpatched, and my client immediately died. After the update in portage (2.0.6-r1), he tried it on me, and I got the malformed packet message. This works for me. Keep up the great work people! Here's to the speed of Open Source security.

# emerge info
Portage 2.0.49-r7 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1, 2.4.23)
=================================================================
System uname: 2.4.23 i686 AMD Athlon(TM) XP 1800+
distcc 2.11 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.2 [enabled]
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer -funroll-loops -fprefetch-loop-arrays -pipe -mmmx -msse -m3dnow -mfpmath=sse,387"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/config /usr/kde/3/share/config /var/bind /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer -funroll-loops -fprefetch-loop-arrays -pipe -mmmx -msse -m3dnow -mfpmath=sse,387"
DISTDIR="/usr/portage/distfiles"
FEATURES="sandbox autoaddcvs buildpkg ccache notitles"
GENTOO_MIRRORS="http://gentoo.noved.org/ http://mirrors.tds.net/gentoo http://cudlug.cudenver.edu/gentoo/ http://mirror.tucdemonic.org/gentoo/ http://www.gtlib.cc.gatech.edu/pub/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="x86 oss apm avi crypt cups foomaticdb gif jpeg libg++ libwww mad mikmod mpeg ncurses nls png quicktime spell xml2 xv zlib alsa gdbm berkdb slang readline aalib svga java sdl tcpd pam ssl python imlib qt motif opengl mozilla ldap X gtk gtk2 gpm gnome 3dnow cdr encode kde mmx oggvorbis pdflib perl sse tiff truetype xmms -arts -esd -ipv6"
Now from the xchat website.
-----------------------------------------------------------------------
Latest News - 13-DEC-2003
A bug discovered in 2.0.6 allows a remote user to crash the client. All users should upgrade to a patched 2.0.6 immediately. If you compiled from source, a patch is available here. If you used a binary, look for an updated version from your distribution.
------------------------------------------------------------------------
We can GLSA this one now.
-solar
GLSA sent by klieber as:
---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-06
---------------------------------------------------------------------------
GLSA: 200312-06
Package: net-irc/xchat
Summary: Malformed dcc send requests in xchat-2.0.6 lead to a denial of service
Severity: medium
Gentoo bug: 35623
Date: 2003-12-14
CVE: none
Exploit: remote
Affected: =2.0.6
Fixed: >=2.0.6-r1

DESCRIPTION:
There is a remotely exploitable bug in xchat 2.0.6 that could lead to a denial of service attack. This is caused by sending a malformed DCC packet to xchat 2.0.6, causing it to crash. Versions prior to 2.0.6 do not appear to be affected by this bug.

For more information, please see:
http://mail.nl.linux.org/xchat-announce/2003-12/msg00000.html

SOLUTION:
For Gentoo users, xchat-2.0.6 was marked ~arch (unstable) for most architectures. Since it was never marked as stable in the portage tree, only xchat users who have explicitly added the unstable keyword to ACCEPT_KEYWORDS are affected.

Users may update affected machines to the patched version of xchat using the following commands:

emerge sync
emerge -pv '>=net-irc/xchat-2.0.6-r1'
emerge '>=net-irc/xchat-2.0.6-r1'
emerge clean
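An added example, not part of the bug report or the GLSA, that turns the advisory's Affected (=2.0.6) and Fixed (>=2.0.6-r1) atoms into a check over installed xchat versions, e.g. for triaging a fleet. It assumes plain dotted versions with an optional -rN revision, which covers the versions in this thread but not full Portage version syntax.

```python
import re

# Constraints as stated in GLSA 200312-06 above:
#   Affected: =2.0.6      Fixed: >=2.0.6-r1
# The advisory says versions prior to 2.0.6 are not affected.
GLSA_AFFECTED = "=2.0.6"
GLSA_FIXED = ">=2.0.6-r1"

# Assumption: plain dotted numbers with optional -rN revision only
# (no letter, _pre or _rc suffixes as in full Portage versions).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
_CONSTRAINT_RE = re.compile(r"^(>=|<=|>|<|=)(.+)$")


def parse_version(ver):
    """Parse '2.0.6' or '2.0.6-r1' into a comparable tuple
    (numeric components, revision). A missing -rN revision
    counts as -r0, which is how Portage treats it."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError("unsupported version string: %r" % ver)
    numbers = tuple(int(x) for x in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    return numbers, revision


def matches(constraint, installed):
    """Evaluate a GLSA-style constraint ('=2.0.6', '>=2.0.6-r1')
    against an installed version string."""
    m = _CONSTRAINT_RE.match(constraint)
    if not m:
        raise ValueError("unsupported constraint: %r" % constraint)
    op, ver = m.groups()
    have, want = parse_version(installed), parse_version(ver)
    return {"=": have == want, ">=": have >= want, "<=": have <= want,
            ">": have > want, "<": have < want}[op]


def is_vulnerable(installed):
    """True when the version is in the affected range and below the fix."""
    return matches(GLSA_AFFECTED, installed) and not matches(GLSA_FIXED, installed)


def triage(versions):
    """Map each installed version seen on a set of hosts to a status."""
    return {v: ("vulnerable" if is_vulnerable(v) else "ok") for v in versions}


if __name__ == "__main__":
    # Constructed sample: xchat versions reported by a few hosts.
    for v, status in triage(["2.0.5", "2.0.6", "2.0.6-r1", "2.0.7"]).items():
        print(v, status)
```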
I wanted to mention that I'm impressed by the responsive reaction of the security team here. Good job to ya all.