Message-ID: <87u137422h.fsf@windlord.stanford.edu>
Date: Wed, 07 Jan 2004 18:16:38 -0800
From: Russ Allbery <rra@....org>
To: inn-announce@....org, bugtraq@...urityfocus.com
Subject: [SECURITY] INN: Buffer overflow in control message handling


A buffer overflow has been discovered in a portion of the control message
handling code introduced in INN 2.4.0.  It is fairly likely that this
overflow could be remotely exploited to gain access to the user innd runs
as.  INN 2.3.x and earlier are not affected.  The INN CURRENT tree is
affected.

So far as we know, there are no current exploits in the wild for this
vulnerability.

INN 2.4.1 has just been released with a fix for this issue and various
other accumulated patches.  We strongly urge anyone running INN 2.4.0 or
any STABLE snapshot to upgrade to this version, or apply the attached
patch to their source tree and reinstall with make update.  There should
be no incompatibilities between INN 2.4.1 and INN 2.4.0 or STABLE
snapshots.

INN 2.4.1 is available at:

    <ftp://ftp.isc.org/isc/inn/inn-2.4.1.tar.gz>

The MD5 checksum of this release is:

    bec635b6e70188071fdb539cd374f2ba

A PGP signature will be available in the same directory shortly.

We apologize for this problem, which was caused by misuse of static
buffers and a dangerous internal INN function that we intend to remove
completely in the next stable release.  The current development branch has
already been converted almost entirely to strlcpy, strlcat, and other safe
string handling routines and that conversion should be complete in the INN
2.5.0 release.
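As an added illustration (not INN's code) of the bounded string handling this paragraph describes, the following replaces a fixed-buffer glue of "control" + '.' + ControlWord with a strlcat-style routine that reports the length it needed, so a caller can refuse a name that would not fit. The value of SMBUF (256), the function names, and the constructed oversized control word are assumptions; the 32-byte buffer matches the tmpbuff the patch removes.

```c
#include <stdbool.h>
#include <string.h>

#define SMBUF 256   /* assumed value of INN's small-buffer size (ControlWord[SMBUF]) */

static char tmpbuff[32];                        /* the destination size the old code used */
static char sized[sizeof("control.") + SMBUF];  /* large enough for any ControlWord */
/* Bounded glue of prefix + sep + word into dst with a strlcat-style return
 * value: the length the full string needs, NUL excluded.  Never writes past
 * dst[dstsize - 1]; a return >= dstsize means the output was truncated. */
size_t glue_group_name(char *dst, size_t dstsize,
                       const char *prefix, char sep, const char *word)
{
    size_t plen = strlen(prefix), wlen = strlen(word);
    size_t need = plen + 1 + wlen, pos = 0;
    if (dstsize == 0)
        return need;
    for (size_t i = 0; i < plen && pos < dstsize - 1; i++)
        dst[pos++] = prefix[i];
    if (pos < dstsize - 1)
        dst[pos++] = sep;
    for (size_t i = 0; i < wlen && pos < dstsize - 1; i++)
        dst[pos++] = word[i];
    dst[pos] = '\0';
    return need;
}

/* Builds "control.<word>" as ARTpost needs it.  When the name would not fit
 * it leaves dst empty and returns false rather than writing past the end. */
bool control_group_name(char *dst, size_t dstsize, const char *control_word)
{
    if (glue_group_name(dst, dstsize, "control", '.', control_word) >= dstsize) {
        dst[0] = '\0';
        return false;
    }
    return true;
}

/* Constructed input: a control word of word_len 'A's, capped at the longest
 * string a ControlWord[SMBUF] can hold.  Returns whether it fit in dst. */
bool control_word_fits(size_t word_len, char *dst, size_t dstsize)
{
    static char word[SMBUF];
    if (word_len >= SMBUF)
        word_len = SMBUF - 1;
    memset(word, 'A', word_len);
    word[word_len] = '\0';
    return control_group_name(dst, dstsize, word);
}
```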

Following is a patch against INN 2.4.0.  It should also apply to a current
STABLE or CURRENT snapshot if you use patch -l to apply it.

--- inn-2.4.0/innd/art.c.orig	2003-05-04 15:10:14.000000000 -0700
+++ inn-2.4.0/innd/art.c	2004-01-07 15:25:08.000000000 -0800
@@ -1773,7 +1773,7 @@
 bool
 ARTpost(CHANNEL *cp)
 {
-  char		*p, **groups, ControlWord[SMBUF], tmpbuff[32], **hops;
+  char		*p, **groups, ControlWord[SMBUF], **hops, *controlgroup;
   int		i, j, *isp, hopcount, oerrno, canpost;
   NEWSGROUP	*ngp, **ngptr;
   SITE		*sp;
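Review bot: the removed `tmpbuff[32]` is the undersized destination this patch is about: `ControlWord` is `SMBUF` bytes, and the old `FileGlue(tmpbuff, "control", '.', ControlWord)` in the next hunk joins "control." (8 bytes) with it, so any control word longer than 23 characters could not fit in 32 bytes with its NUL. Swapping it for `char *controlgroup` is the right shape; note the pointer is left uninitialised in this declaration, so it must not be freed on any path in `ARTpost` that returns before the second hunk assigns it.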
@@ -2185,9 +2185,10 @@
    * or control. */
   if (IsControl && Accepted && !ToGroup) {
     ControlStore = true;
-    FileGlue(tmpbuff, "control", '.', ControlWord);
-    if ((ngp = NGfind(tmpbuff)) == NULL)
+    controlgroup = concat("control.", ControlWord, (char *) 0);
+    if ((ngp = NGfind(controlgroup)) == NULL)
       ngp = NGfind(ARTctl);
+    free(controlgroup);
     ngp->PostCount = 0;
     ngptr = GroupPointers;
     *ngptr++ = ngp;
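Review bot: `free(controlgroup)` is placed before `ngp` is dereferenced, which is correct only if `NGfind` does not retain the name string it is handed (it looks like a pure lookup returning a `NEWSGROUP *`, but that is worth confirming). It is also worth checking whether `concat` can return NULL on allocation failure; if it can, `NGfind(controlgroup)` should not be called with a NULL name. The fallback `ngp = NGfind(ARTctl)` is dereferenced on the very next line (`ngp->PostCount = 0`) with no NULL check; that is pre-existing rather than introduced here, but it is the remaining unchecked path in this block.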

Thanks to Dan Riley for his prompt and detailed report and debugging
assistance.

                                        Russ Allbery
                                        Katsuhiro Kondou
                                        inn@....org

