Debian Bug report logs - #443544
CVE-2007-4584 stack based buffer overflow via long MODE command


Package: ircii-pana; Maintainer for ircii-pana is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Sat, 22 Sep 2007 09:30:01 UTC

Severity: grave

Tags: security

Fixed in version 1:1.1-5+rm

Done: Lucas Nussbaum <lucas@lucas-nussbaum.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, William Vera <billy@billy.com.mx>:
Bug#443544; Package ircii-pana.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to William Vera <billy@billy.com.mx>.

Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-4584 stack based buffer overflow via long MODE command
Date: Sat, 22 Sep 2007 11:29:02 +0200
[Message part 1 (text/plain, inline)]
Package: ircii-pana
Severity: grave
Tags: security

Hi,
The following CVE was published for ircii-pana.
CVE-2007-4584[0]:
Stack-based buffer overflow in BitchX 1.1 Final allows 
remote IRC servers to execute arbitrary code via a long 
string in a MODE command, related to the p_mode variable.

If you fix it please include the CVE id in your changelog.

http://www.milw0rm.com/exploits/4321
can be used to test this vulnerability.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4584

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, William Vera <billy@billy.com.mx>:
Bug#443544; Package ircii-pana.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to William Vera <billy@billy.com.mx>.

Message #10 received at 443544@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 443544@bugs.debian.org
Subject: Re: CVE-2007-4584 stack based buffer overflow via long MODE command
Date: Wed, 26 Sep 2007 20:13:40 +0200
[Message part 1 (text/plain, inline)]
Hi,
I just want to add that if someone is going to fix this, it is not
enough to just use strncpy and append a 0 to the buffer, since
it segfaults with and without the patch in screen.c.

I currently have no idea why, or how to fix this, since I am
lacking knowledge of BitchX internals.
Here is a backtrace:

#0  BX_scroll_window (window=0x817e8dc) at ./screen.c:1256
        scroll = 0x1
        i = 0x0
#1  0x080fd083 in rite (window=0x817e8dc, str=0x819be6c "          \026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026\026H\026pM\026U\026"...) at ./screen.c:897
        high = 0x1
        bold = 0x1
        undl = 0x0
        blink = 0x0
        altc = 0x1
#2  0x080fe553 in BX_add_to_window (window=0x817e8dc, str=0x8178424 "\033[1;31m-\033[0m\033[1;37m:\033[1;31m-\033[0m \033[0mmode\033[1;30m/\033[0;36maaapQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bp"...) at ./screen.c:228
        cols = <value optimized out>
#3  0x080fde8e in BX_add_to_screen (buffer=0x8178424 "\033[1;31m-\033[0m\033[1;37m:\033[1;31m-\033[0m \033[0mmode\033[1;30m/\033[0;36maaapQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bp"...) at ./screen.c:182
No locals.
#4  0x080f2beb in BX_put_it (format=0x8139e1d "%s") at output.c:190
        args = 0xbfaa1e44 "\f\232\030\b`ê\026\bX7ª¿\2147ª¿\2237ª¿\2357ª¿"
#5  0x080f5698 in p_mode (from=0xbfaa3758 "pM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\b", ArgList=0xbfaa36d4) at parse.c:1482
        channel = 0xbfaa3793 "bannedit"
        line = 0xbfaa379d "aaapQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bp"...
        flag = 0x2
        chan = <value optimized out>
        chan2 = (ChannelList *) 0x0
        buffer = "aaapQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bp"...
        smode = 0x0
#6  0x080f7686 in parse_server (orig_line=0xbfaa3757 ":pM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\b") at parse.c:1920
        from = 0xbfaa3758 "pM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\b"
        comm = 0xbfaa378e "MODE"
        end = <value optimized out>
        line = <value optimized out>
        len = 0x7f9
        copy = ":pM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\b  MODE bannedit :aaapQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025"...
        TrueArgs = {0xbfaa378e "MODE", 0xbfaa3793 "bannedit", 0xbfaa379d "aaapQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bp"..., 0x0 <repeats 13 times>}
        loc = 0xd
        cnt = 0xffffffff
#7  0x0810652e in do_server (rd=0xbfaa4048, wr=0xbfaa3fc8) at server.c:584
        junk = <value optimized out>
        buffer = ":pM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\bpM\025\b\000 MODE\000bannedit\000:aaapQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025\bpQ\025"...
        des = <value optimized out>
        i = 0x0
        times = 0x1
        last_timeout = 0x0
#8  0x080c72da in BX_io (what=0x8128b2b "main") at ./irc.c:1337
        clock_timeout = <value optimized out>
        timer_timeout = 0x5f5e164
        server_timeout = 0x0
        real_timeout = <value optimized out>
        hold_over = 0x0
        rc = <value optimized out>
        rd = {__fds_bits = {0x40, 0x0 <repeats 31 times>}}
        wd = {__fds_bits = {0x0 <repeats 32 times>}}
        first_time = 0x1
        level = 0x1
        my_now = {tv_sec = 0x46fa9ce3, tv_usec = 0x230d0}
        my_timer = {tv_sec = 0x11, tv_usec = 0x0}
        time_ptr = (struct timeval *) 0x8166290
        old_level = 0x0
        caller = {0x0, 0x8128b2b "main", 0x0 <repeats 49 times>}
        last_warn = 0x0
#9  0x080c8052 in main (argc=0x3, argv=0x1, envp=0x0) at ./irc.c:1705
        s = "/dev/pts/6", '\0' <repeats 75 times>, "¿Ì¡\004\b"

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
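The backtrace above shows a server-supplied MODE argument (TrueArgs[2]) of about 0x7f9 bytes being handed to p_mode and copied into a fixed-size local `buffer`. The following is an added example, not BitchX code and not the Debian maintainer's patch: a bounded parser for a `:<from> MODE <channel> :<modes>` line that copies each field into a fixed-size struct and rejects any field that would not fit together with its terminating NUL, rather than truncating it. The field sizes, the struct name `mode_msg` and the function names are hypothetical. Rejecting over-long input up front is the check a fix should perform before the line reaches any output path; the example makes no claim about the separate crash in screen.c that the message reports.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical field sizes; they are not BitchX's actual buffer sizes. */
#define MAX_FROM     64
#define MAX_CHAN     128
#define MAX_MODES    256
#define IRC_LINE_MAX 512   /* RFC 1459 line limit, CRLF included */

struct mode_msg {
    char from[MAX_FROM];
    char channel[MAX_CHAN];
    char modes[MAX_MODES];
};

/* Copy srclen bytes of src into dst only if they fit with a NUL.
 * Returns 0 on success, -1 if the input is too long (nothing is written). */
static int copy_bounded(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    if (dstsz == 0 || srclen >= dstsz)
        return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Parse ":<from> MODE <channel> [:]<modes>" into out.
 * Returns 0 on success, -1 on malformed or oversized input. */
int parse_mode_line(const char *line, struct mode_msg *out)
{
    size_t len = strlen(line);
    if (len > IRC_LINE_MAX)
        return -1;

    const char *p = line;
    const char *end = line + len;
    while (end > p && (end[-1] == '\r' || end[-1] == '\n'))   /* strip CRLF */
        end--;

    /* Optional ":<from>" prefix, terminated by a space. */
    const char *from_start = NULL, *from_end = NULL;
    if (p < end && *p == ':') {
        from_start = p + 1;
        const char *sp = memchr(from_start, ' ', (size_t)(end - from_start));
        if (sp == NULL)
            return -1;
        from_end = sp;
        p = sp;
        while (p < end && *p == ' ')
            p++;
    }

    /* Command must be exactly "MODE". */
    const char *cmd = p;
    while (p < end && *p != ' ')
        p++;
    if ((size_t)(p - cmd) != 4 || memcmp(cmd, "MODE", 4) != 0)
        return -1;
    while (p < end && *p == ' ')
        p++;

    /* Channel or nick the mode applies to. */
    const char *chan = p;
    while (p < end && *p != ' ')
        p++;
    if (p == chan)
        return -1;
    const char *chan_end = p;
    while (p < end && *p == ' ')
        p++;

    /* Remainder is the mode string; a leading ':' marks a trailing param. */
    if (p < end && *p == ':')
        p++;
    const char *modes = p;

    /* Every copy is length-checked; an oversized field fails the whole parse. */
    if (from_start != NULL) {
        if (copy_bounded(out->from, sizeof out->from, from_start,
                         (size_t)(from_end - from_start)) != 0)
            return -1;
    } else {
        out->from[0] = '\0';
    }
    if (copy_bounded(out->channel, sizeof out->channel, chan,
                     (size_t)(chan_end - chan)) != 0)
        return -1;
    if (copy_bounded(out->modes, sizeof out->modes, modes,
                     (size_t)(end - modes)) != 0)
        return -1;
    return 0;
}
```

copy_bounded is what strncpy alone does not give you: it never writes a partial, unterminated copy, and the caller learns that the input was rejected, so a hostile server's over-long MODE string is dropped instead of being passed on truncated to later code.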

Reply sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
You have taken responsibility.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.

Message #15 received at 443544-done@bugs.debian.org:

From: Lucas Nussbaum <lucas@lucas-nussbaum.net>
To: 443544-done@bugs.debian.org
Subject: ircii-pana has been removed from Debian, closing #443544
Date: Sun, 13 Apr 2008 23:16:00 +0200
Version: 1:1.1-5+rm

The ircii-pana package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still open
against it.

For more information about this package's removal, read
http://bugs.debian.org/451373 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any questions.

Thank you for your contribution to Debian.
-- 
Lucas

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 May 2008 09:48:14 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:08:51 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.