Message-ID: <CACy=+Dvw4zOn1UVxbMRfS78GDp4jDmiVX918KWXqrCrzrMmsxw@mail.gmail.com>
Date: Tue, 1 Jan 2013 01:57:40 +0400
From: Mustapha Rabiu <muztapha@...il.com>
To: oss-security@...ts.openwall.com
Subject: Charybdis: Improper assumptions in the server handshake code may lead to a remote crash

Hi. Can we get a CVE for the following --

Access vector: network
Access complexity: low
Authentication requirement: none
Confidentiality impact: none
Integrity impact: none
Availability impact: complete
CVSSv2 temporal score: 6.4
Exploitability: functional exploit exists
Remediation level: official fix
Report confidence: confirmed

Summary:

All versions of Charybdis are vulnerable to a remotely-triggered crash bug caused by code originating from ircd-ratbox 2.0. (Incidentally, this means all versions since ircd-ratbox 2.0 are also vulnerable.) The bug has to do with server capability negotiation. A malformed request will trigger a crash due to invalid assumptions.

Mitigation:

A patch for all affected versions of ircd-ratbox and charybdis is available from the charybdis GIT repository:

https://github.com/atheme/charybdis/commit/ac0707aa61d9c20e9b09062294701567c9f41595.patch

To apply the patch, go to your IRCd source tree and run the following commands:

$ patch -p1 < /path/to/downloaded/patchfile.patch
$ make
$ make install

Then you may hotfix the IRCd by running /MODRESTART as a server admin.

Details:

In ratbox-2, the following code was added to m_capab.c:

char *t = LOCAL_COPY(parv[i]);

The other logic was then modified to make use of that stack-allocated buffer rather than the original. LOCAL_COPY() is a macro which expands to alloca() and strlcpy(), and the bug effectively is caused by this expansion calling strlen(NULL).

--
Thanks.
Mustapha Rabiu
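Added example, not code from the advisory or from the charybdis/ratbox tree: a hypothetical reconstruction of the failure mode described above, with the unchecked loop beside a guarded one. LOCAL_COPY (using strcpy in place of strlcpy), count_caps_unchecked, count_caps_checked, the `expected` bound and the sample parameter vectors are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <alloca.h>

/* Stand-in for the LOCAL_COPY() idiom: alloca() a stack buffer sized from
 * strlen(src) and copy into it (strcpy here; glibc has no strlcpy). With
 * src == NULL, strlen(NULL) is the null dereference the advisory describes.
 * Hypothetical reconstruction, not the ircd's own macro. */
#define LOCAL_COPY(src) strcpy((char *)alloca(strlen(src) + 1), (src))

/* Unchecked pattern (constructed): assumes every slot up to `expected`
 * holds a string. A short parv[] hands a NULL slot to strlen(). */
int count_caps_unchecked(const char *parv[], int expected)
{
    int n = 0;
    for (int i = 1; i < expected; i++) {
        char *t = LOCAL_COPY(parv[i]);
        if (t[0] != '\0')
            n++;
    }
    return n;
}

/* Checked pattern: bound the walk by parc (parameters the parser actually
 * filled in) and reject NULL slots, returning -1 for a malformed vector. */
int count_caps_checked(int parc, const char *parv[], int expected)
{
    if (parc < expected)
        return -1;
    int n = 0;
    for (int i = 1; i < expected; i++) {
        if (parv[i] == NULL)
            return -1;
        char *t = LOCAL_COPY(parv[i]);
        if (t[0] != '\0')
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed parameter vectors, NULL-terminated like a parsed line. */
    const char *good[] = { "CAPAB", "TOKEN1", "TOKEN2", "TOKEN3", NULL };
    const char *bad[]  = { "CAPAB", "TOKEN1", NULL, NULL, NULL };
    printf("well-formed: %d\n", count_caps_checked(4, good, 4)); /* 3 */
    printf("malformed:   %d\n", count_caps_checked(2, bad, 4));  /* -1 */
    /* count_caps_unchecked(bad, 4) would reach strlen(NULL) and crash. */
    return 0;
}
```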