Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 1 Jan 2013 01:57:40 +0400
From: Mustapha Rabiu <>
Subject: Charybdis: Improper assumptions in the server handshake code may lead
 to a remote crash


Can we get a CVE for the following


Access vector: network
Access complexity: low
Authentication requirement: none

Confidentiality impact: none
Integrity impact: none
Availability impact: complete

CVSSv2 temporal score: 6.4

Exploitability: functional exploit exists
Remediation level: official fix
Report confidence: confirmed


All versions of Charybdis are vulnerable to a remotely-triggered crash bug
caused by code originating from ircd-ratbox 2.0.  (Incidentally, this means all
versions since ircd-ratbox 2.0 are also vulnerable.)

The bug has to do with server capability negotiation.  A malformed request will
trigger a crash due to invalid assumptions.


A patch for all affected versions of ircd-ratbox and charybdis is available from
the charybdis GIT repository:

To apply the patch, go to your IRCd source tree and run the following commands:
  $ patch -p1 < /path/to/downloaded/patchfile.patch
  $ make
  $ make install

Then you may hotfix the IRCd by running /MODRESTART as a server admin.


In ratbox-2, the following code was added to m_capab.c:
  char *t = LOCAL_COPY(parv[i]);

The other logic was then modified to make use of that stack-allocated
buffer rather
than the original.  LOCAL_COPY() is a macro which expands to alloca()
and strlcpy(),
and the bug effectively is caused by this expansion calling strlen(NULL).



Mustapha Rabiu

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.