FreeBSD Ports Security Advisory: FreeBSD-SA-00:78.bitchx [REVISED]

FreeBSD Security Advisories security-advisories at
Fri Dec 29 05:53:25 PST 2000


FreeBSD-SA-00:78                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          bitchx/ko-bitchx allows remote code execution [REVISED]

Category:       ports
Module:         bitchx/ko-bitchx
Announced:      2000-12-20
Reissued:       2000-12-29
Credits:        nimrood <nimrood at ONEBOX.COM>
Affects:        Ports collection prior to the correction date.
Corrected:      2000-12-12
Vendor status:  Updated version released
FreeBSD only:   NO

0.   Revision History

v1.0  2000-12-20  Initial release
v1.1  2000-12-29  Noted the vulnerability of ko-bitchx also

I.   Background

bitchx is a popular IRC client. It is available in a Korean-localized
version as the ko-bitchx package.

II.  Problem Description

The bitchx port, versions prior to 1.0c17_1, and the ko-bitchx port,
versions prior to 1.0c16_3, contain a remotely exploitable
vulnerability.  Through a stack overflow in the DNS parsing code, a
malicious remote user in control of their reverse DNS records may crash
a bitchx session, or cause arbitrary code to be executed with the
privileges of the user running bitchx.
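The flaw described above has the classic shape of a fixed-size stack
buffer filled from a resolver result: the PTR record for a peer's address
is set by whoever controls the reverse zone, so the returned hostname is
attacker-supplied input.  The C below is an added illustration written
for this page; it is not code from bitchx, ko-bitchx or this advisory,
and it shows that vulnerable pattern beside a bounded replacement.  The
buffer size HOSTBUF, the function names and the sample PTR name are
assumptions made for the example.

```c
/*
 * Added illustration for this advisory; not bitchx code.  It shows the
 * classic shape of a stack overflow in reverse-DNS handling beside a
 * bounded version.  The hostname comes from a PTR lookup, and the PTR
 * record is controlled by whoever controls the reverse zone for the
 * peer's address, so it must be treated as hostile input.
 */
#include <stdio.h>
#include <string.h>

#define HOSTBUF 64  /* assumed fixed buffer size, chosen for the example */

/* Vulnerable pattern: trusts the length of the resolver-supplied name.
 * Deliberately never called with hostile input below, because it really
 * would overrun host[] and smash the stack frame. */
void store_hostname_unsafe(const char *ptr_name)
{
    char host[HOSTBUF];
    strcpy(host, ptr_name);   /* no bound: a long PTR name overruns host[] */
    printf("connected from %s\n", host);
}

/* Hardened copy: check the length against the destination before
 * copying, and reject rather than silently truncate.  Returns 0 on
 * success, -1 if the name plus its NUL does not fit in outlen bytes. */
int store_hostname_safe(const char *ptr_name, char *out, size_t outlen)
{
    size_t n = strlen(ptr_name);
    if (outlen == 0 || n >= outlen)
        return -1;
    memcpy(out, ptr_name, n + 1);
    return 0;
}

/* Same stack layout as the unsafe version, using the bounded copy.
 * Returns 0 if the name was accepted, -1 if it was rejected. */
int handle_peer_name(const char *ptr_name)
{
    char host[HOSTBUF];
    if (store_hostname_safe(ptr_name, host, sizeof host) != 0) {
        fprintf(stderr, "reverse DNS name too long (%zu bytes), ignored\n",
                strlen(ptr_name));
        return -1;
    }
    printf("connected from %s\n", host);
    return 0;
}

/* Constructed sample input: a syntactically valid PTR target made of
 * three 63-byte labels plus a suffix, about 200 bytes long.  RFC 1035
 * allows names up to 255 octets on the wire, so a resolver returns this
 * without complaint; only the caller's buffer is too small. */
static const char LONG_PTR[] =
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb."
    "ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc."
    "attacker.example";

int main(void)
{
    handle_peer_name("irc.example.net");   /* fits: accepted */
    handle_peer_name(LONG_PTR);            /* too long: rejected, no overflow */
    return 0;
}
```

Rejecting an over-long name, rather than truncating it, is the safer
choice here because a silently truncated hostname can still mislead
anything that later displays or compares it.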

The bitchx/ko-bitchx ports are not installed by default, nor are they
"part of FreeBSD" as such: they are part of the FreeBSD ports
collection, which contains over 4300 third-party applications in a
ready-to-install format.  The ports collections shipped with FreeBSD
3.5.1 and 4.2 contain this problem since it was discovered after the

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Malicious remote users may execute arbitrary code as the user running
If you have not chosen to install the bitchx or ko-bitchx
port/packages, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the bitchx and/or ko-bitchx port/packages, if you have
installed them.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the bitchx or
ko-bitchx ports.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:



NOTE: It may be several days before updated ko-bitchx packages are

3) download a new port skeleton for the bitchx/ko-bitchx port from:

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
