| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 31 Dec 2012 21:59:15 GMT From: muztapha@...il.com To: bugtraq@...urityfocus.com Subject: Charybdis: Improper assumptions in the server handshake code may lead to a remote crash Access vector: network Access complexity: low Authentication requirement: none Confidentiality impact: none Integrity impact: none Availability impact: complete CVSSv2 temporal score: 6.4 Exploitability: functional exploit exists Remediation level: official fix Report confidence: confirmed Summary: All versions of Charybdis are vulnerable to a remotely-triggered crash bug caused by code originating from ircd-ratbox 2.0. (Incidentally, this means all versions since ircd-ratbox 2.0 are also vulnerable.) The bug has to do with server capability negotiation. A malformed request will trigger a crash due to invalid assumptions. Mitigation: A patch for all affected versions of ircd-ratbox and charybdis is available from the charybdis GIT repository: https://github.com/atheme/charybdis/commit/ac0707aa61d9c20e9b09062294701567c9f41595.patch To apply the patch, go to your IRCd source tree and run the following commands: $ patch -p1 < /path/to/downloaded/patchfile.patch $ make $ make install Then you may hotfix the IRCd by running /MODRESTART as a server admin. Details: In ratbox-2, the following code was added to m_capab.c: char *t = LOCAL_COPY(parv[i]); The other logic was then modified to make use of that stack-allocated buffer rather than the original. LOCAL_COPY() is a macro which expands to alloca() and strlcpy(), and the bug effectively is caused by this expansion calling strlen(NULL).
Powered by blists - more mailing lists