ports/52723: [Security Update] irc/epic4 patch

Anders Andersson anders at andersa.net
Tue May 27 15:30:17 UTC 2003


>Number:         52723
>Category:       ports
>Synopsis:       [Security Update] irc/epic4 patch
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 27 08:30:14 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Anders Andersson <anders at andersa.net>
>Release:        FreeBSD 5.1-BETA i386
>Organization:
>Environment:
System: FreeBSD sushi.andersa.net 5.1-BETA FreeBSD 5.1-BETA #0: Thu May 22 09:12:43 CEST 2003 toor at sushi.andersa.net:/usr/obj/usr/src/sys/SUSHI i386


	
>Description:
	Security Update:
Advisory -- Possible remote exploit from rogue server, exploit exists.

Summary -- ircII clients generally trust the server not to send it garbage.
        Validity checking on data coming from the server tends to be weak.
        If a rogue server sends us a ctcp request from an extremely large
        nickname (over about 512 bytes), epic may attempt to alloca() a
        negative value, which under gcc will return an invalid pointer the
        contents of which will then be overwritten.

Extent -- All versions of epic4 before epic4pre2.002 are not vulnerable
        to this attack.  All versions of epic4 since and including
        epic4pre2.003 are vulnerable, and this patch should be applied.
        Future versions of epic will include this patch.

Cause-for-alarm -- If you connect to a rogue server which has been carefully
        crafted to send a CTCP request from an extremely large nickname,
        EPIC may attempt to overwrite the stack, yielding a remote exploit
        for whatever user id you are running as.

Disclaimer -- All non-trivial software has bugs, of varying degrees.  EPIC
        is no exception.  All remote exploits are serious, but this is more
        serious because there is an exploit for this bug floating around.
        You should never connect to a server you do not trust.

>How-To-Repeat:
	
>Fix:

	Bumped PORTREVISION; note the newly added file, patch-ctcp.c, which
	should go into epic4/files/

--- epic4.patch begins here ---
Index: epic4/Makefile
===================================================================
RCS file: /home/ncvs/ports/irc/epic4/Makefile,v
retrieving revision 1.45
diff -u -r1.45 Makefile
--- epic4/Makefile	23 Mar 2003 06:21:54 -0000	1.45
+++ epic4/Makefile	27 May 2003 15:00:36 -0000
@@ -8,7 +8,7 @@
 PORTNAME=	epic4
 PORTVERSION=	1.0.1
 # Make these variables overridable for slave ports
-PORTREVISION?=	2
+PORTREVISION?=	3
 CATEGORIES?=	irc ipv6
 MASTER_SITES=	http://ftp.prbh.org/pub/epic/EPIC4-PRODUCTION/ \
 		ftp://ftp.icm.edu.pl/vol/rzm0/irc/EPIC/%SUBDIR%/ \
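Review bot: the PORTREVISION bump is the right accompaniment to a new files/ patch, but the new file itself is not part of this unified diff; it is only pasted separately below under "== files/patch-ctcp.c ==". The committer therefore cannot apply the PR as one patch(1) run and must create and add epic4/files/patch-ctcp.c by hand, so it would help to state that explicitly in the Fix text or to send the port patch as a diff against a fresh checkout that includes the new file.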
--- epic4.patch ends here ---

== files/patch-ctcp.c ==

--- source/ctcp.c.orig  Tue Dec  5 01:11:56 2000
+++ source/ctcp.c       Tue May 27 16:55:04 2003
@@ -897,7 +897,8 @@
	int	len;

 	/* Make sure that the final \001 doesnt get truncated */
-	len = IRCD_BUFFER_SIZE - (12 + strlen(to));
+	if ((len = IRCD_BUFFER_SIZE - (12 + strlen(to))) < 0)
+		return;
 	putbuf2 = alloca(len);
 
 	if (format)
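Review bot: the new `< 0` test only works because the unsigned result of `IRCD_BUFFER_SIZE - (12 + strlen(to))` is converted to the `int` variable `len`; `strlen()` returns `size_t`, so the subtraction itself wraps to a large positive value rather than going negative, and the conversion of that wrapped value to a negative `int` is implementation-defined (it happens to be modulo on gcc). Comparing before subtracting avoids relying on that, e.g. `if (strlen(to) + 12 >= IRCD_BUFFER_SIZE) return;`, and using `>=` also rejects the `len == 0` case, which the patch as written still passes to `alloca(len)`. Since the CTCP is silently dropped, a debug-level message at the early return would make the event observable.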

>Release-Note:
>Audit-Trail:
>Unformatted: