
Bug#188225: marked as done (Buffer overflows in EPIC)



Your message dated Wed, 19 Nov 2003 04:16:11 +0100
with message-id <20031119031611.GB6050@marvin.sbg.palfrader.org>
and subject line appears to already have been fixed
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 8 Apr 2003 17:27:17 +0000
From joey@infodrom.org Tue Apr 08 12:27:16 2003
Return-path: <joey@infodrom.org>
Received: from luonnotar.infodrom.org [195.124.48.78] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 192wsO-0006FK-00; Tue, 08 Apr 2003 12:27:16 -0500
Received: by luonnotar.infodrom.org (Postfix, from userid 10)
	id 161F4366B55; Tue,  8 Apr 2003 19:27:15 +0200 (CEST)
Received: at Infodrom Oldenburg (/\##/\ Smail-3.2.0.102 1998-Aug-2 #2)
	from infodrom.org by finlandia.Infodrom.North.DE
	via smail from stdin
	id <m192wnm-000ofxC@finlandia.Infodrom.North.DE>
	for submit@bugs.debian.org; Tue, 8 Apr 2003 19:22:30 +0200 (CEST) 
Date: Tue, 8 Apr 2003 19:22:30 +0200
From: Martin Schulze <joey@infodrom.org>
To: submit@bugs.debian.org
Subject: Buffer overflows in EPIC
Message-ID: <20030408172230.GQ6592@finlandia.infodrom.north.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
User-Agent: Mutt/1.5.4i
Delivered-To: submit@bugs.debian.org
X-Spam-Status: No, hits=-5.2 required=4.0
	tests=HAS_PACKAGE,PATCH_UNIFIED_DIFF,SIGNATURE_SHORT_SPARSE,
	      SPAM_PHRASE_01_02,USER_AGENT,USER_AGENT_MUTT
	version=2.44
X-Spam-Level: 

Package: epic
Version: 3.004-18
Severity: important
Tags: security patch
Bugtraq: http://www.securityfocus.com/archive/1/315057

Timo Sirainen discovered several problems in EPIC, a popular client
for Internet Relay Chat (IRC).  A malicious server could craft special
reply strings, triggering the client to write beyond buffer
boundaries.  This could lead to a denial of service if the client only
crashes, but may also lead to execution of arbitrary code under the
user id of the chatting user.

Below please find the patch I'm going to use for the version in stable.
Please apply it to the package in unstable or use a newer upstream
version which fixes them as well.  Please let me know which version
contains the fixes in sid so I can include it in the advisory.

 - numbers.c: predefined strings written past boundary
 - server.c: overflow in create_server_list()
 - status.c: overflow during statusbar drawing

Regards,

	Joey



diff -u epic-3.004/source/numbers.c epic-3.004/source/numbers.c
--- epic-3.004/source/numbers.c
+++ epic-3.004/source/numbers.c
@@ -295,19 +295,19 @@
 	switch(-current_numeric)
 	{
 	case 471:
-		strcat(buffer, " (Channel is full)");
+		strmcat(buffer, " (Channel is full)", BIG_BUFFER_SIZE);
 		break;
 	case 473:
-		strcat(buffer, " (You must be invited)");
+		strmcat(buffer, " (You must be invited)", BIG_BUFFER_SIZE);
 		break;
 	case 474:
-		strcat(buffer, " (You are banned)");
+		strmcat(buffer, " (You are banned)", BIG_BUFFER_SIZE);
 		break;
 	case 475:
-		strcat(buffer, " (You must give the correct key)");
+		strmcat(buffer, " (You must give the correct key)", BIG_BUFFER_SIZE);
 		break;
 	case 476:
-		strcat(buffer, " (Bad channel mask)");
+		strmcat(buffer, " (Bad channel mask)", BIG_BUFFER_SIZE);
 		break;
 	}
 	put_it("%s %s", numeric_banner(), buffer);
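Review bot: every case in this switch passes BIG_BUFFER_SIZE as the third argument of strmcat, while the server.c hunk below bounds its appends with `BIG_BUFFER_SIZE - strlen(buffer)`; the two conventions differ (total capacity versus remaining room), so the declaration of `buffer` and the contract of `strmcat` should be confirmed to match, and using one bounded helper across all three files would make the invariant easier to audit. Note also that these lines only bound the fixed suffixes; how `buffer` was filled before the switch is not visible in the hunk and should be checked with the same care.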
diff -u epic-3.004/source/server.c epic-3.004/source/server.c
--- epic-3.004/source/server.c
+++ epic-3.004/source/server.c
@@ -1877,8 +1877,8 @@
 		{
 			if (server_list[i].itsname)
 			{
-				strcat(buffer, server_list[i].itsname);
-				strcat(buffer, space);
+				strncat(buffer, server_list[i].itsname, BIG_BUFFER_SIZE - strlen(buffer));
+				strncat(buffer, space, BIG_BUFFER_SIZE - strlen(buffer));
 			}
 			else
 				yell("Warning: server_list[%d].itsname is null and it shouldnt be", i);
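Review bot: the bound `BIG_BUFFER_SIZE - strlen(buffer)` is off by one for a buffer declared as `char buffer[BIG_BUFFER_SIZE]`: strncat copies up to n characters and then writes a terminating NUL, so the call may touch `strlen(buffer) + n + 1 == BIG_BUFFER_SIZE + 1` bytes. Unless `buffer` is declared with a byte of slack, use `BIG_BUFFER_SIZE - strlen(buffer) - 1`, and guard against `strlen(buffer) >= BIG_BUFFER_SIZE`, where the unsigned subtraction wraps to a huge bound. The strmcat helper used in numbers.c would express the same limit with less arithmetic and without recomputing strlen on each append.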
diff -u epic-3.004/debian/changelog epic-3.004/debian/changelog
--- epic-3.004/debian/changelog
+++ epic-3.004/debian/changelog
@@ -1,3 +1,12 @@
+epic (3.004-17.1) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Applied upstream ircII patch partially to fix problems reported by
+    Timo Sirainen <tss@iki.fi>
+  * Added build dependencies
+
+ -- Martin Schulze <joey@infodrom.org>  Mon,  7 Apr 2003 09:57:05 +0200
+
 epic (3.004-17) unstable; urgency=low
 
   * Upload to woody.
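Review bot: the entry says the upstream ircII patch was applied "partially" but does not record which parts were taken and which were left out, nor which functions were fixed (the numeric replies in numbers.c, create_server_list() in server.c, statusbar drawing in status.c); listing them here, together with the Bugtraq reference from the report, would let anyone auditing the stable package see exactly what this upload covers.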
diff -u epic-3.004/debian/control epic-3.004/debian/control
--- epic-3.004/debian/control
+++ epic-3.004/debian/control
@@ -2,6 +2,7 @@
 Section: net
 Priority: extra
 Maintainer: David N. Welton <davidw@efn.org>
+Build-Depends: debhelper, libncurses5-dev
 Standards-Version: 2.5.0
 
 Package: epic
only in patch2:
unchanged:
--- epic-3.004.orig/source/status.c
+++ epic-3.004/source/status.c
@@ -1481,7 +1481,7 @@
 
 	/*bzero(buffer, BIG_BUFFER_SIZE);*/
 	*buffer = 0;
-	for (pos = 0, s = str; s && pos < BIG_BUFFER_SIZE && pos < n; s++)
+	for (pos = 0, s = str; s && pos < (BIG_BUFFER_SIZE - 4) && pos < n; s++)
 	{
 		if (translation)
 			*s = transToClient[*s];
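Review bot: the new bound `pos < (BIG_BUFFER_SIZE - 4)` introduces an unexplained magic number; the visible lines do not show why four bytes of headroom are required (presumably the most one iteration of the loop body can write after the translation step), so a comment or named constant stating that per-iteration maximum would make the fix verifiable. The commented-out `bzero` line above it could also be dropped now that `*buffer = 0` is the chosen initialisation.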

-- 
If you come from outside of Finland, you live in wrong country.
	-- motd of irc.funet.fi

Please always Cc to me when replying to me on the lists.
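As an added example (not part of the report, the patch, or EPIC's own code), the C below shows the two bounded-append shapes used in the patch above, with a BIG_BUFFER_SIZE of 64 assumed as a stand-in for the client's constant: a strmcat-style helper that takes the total capacity and cannot run past the buffer, and a probe of the `strncat(dst, src, BIG_BUFFER_SIZE - strlen(dst))` idiom showing that it may use BIG_BUFFER_SIZE + 1 bytes including the terminator.

```c
#include <string.h>

/* Stand-in for EPIC's constant; the real value is not given on the page. */
#define BIG_BUFFER_SIZE 64

/* Bounded append with the call shape the numbers.c hunk uses:
 * the third argument is the total capacity of dst, not the remaining room.
 * Writes at most maxlen-1 characters plus the terminator, so it can never
 * run past a buffer declared as char dst[maxlen]. */
char *bounded_cat(char *dst, const char *src, size_t maxlen)
{
    const char *end = memchr(dst, '\0', maxlen);
    if (end == NULL)                 /* dst not terminated inside maxlen: refuse */
        return dst;
    size_t used = (size_t)(end - dst);
    size_t room = maxlen - used - 1; /* keep one byte for the NUL */
    size_t n = strlen(src);
    if (n > room)
        n = room;
    memcpy(dst + used, src, n);
    dst[used + n] = '\0';
    return dst;
}

/* Appends a numeric-reply suffix to a constructed server-controlled prefix of
 * prefix_len bytes and checks a canary byte placed right after the buffer.
 * Returns the resulting string length, or -1 if the canary was clobbered. */
int append_reply_suffix(size_t prefix_len, const char *suffix)
{
    struct { char buf[BIG_BUFFER_SIZE]; char canary; } s;
    memset(s.buf, 'A', BIG_BUFFER_SIZE);
    s.buf[prefix_len < BIG_BUFFER_SIZE ? prefix_len : BIG_BUFFER_SIZE - 1] = '\0';
    s.canary = 0x7f;
    bounded_cat(s.buf, suffix, BIG_BUFFER_SIZE);
    return s.canary == 0x7f ? (int)strlen(s.buf) : -1;
}

/* Runs the server.c idiom, strncat(dst, src, BIG_BUFFER_SIZE - strlen(dst)),
 * inside a holder two bytes larger than BIG_BUFFER_SIZE and reports how many
 * bytes it used, terminator included. strncat copies up to n characters and
 * then a NUL, so the footprint can reach BIG_BUFFER_SIZE + 1. */
size_t strncat_idiom_footprint(size_t prefix_len, const char *src)
{
    char holder[BIG_BUFFER_SIZE + 2];
    memset(holder, 'A', sizeof holder);
    holder[prefix_len] = '\0';       /* callers keep prefix_len <= BIG_BUFFER_SIZE */
    strncat(holder, src, BIG_BUFFER_SIZE - strlen(holder));
    return strlen(holder) + 1;
}
```

With a 60-byte prefix, the strmcat-style helper stops at 63 characters and leaves the canary intact, while the strncat idiom reports 65 bytes used, one more than a BIG_BUFFER_SIZE-byte buffer holds.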

---------------------------------------
Received: (at 188225-done) by bugs.debian.org; 19 Nov 2003 03:16:14 +0000
From weasel@debian.org Tue Nov 18 21:16:13 2003
Return-path: <weasel@debian.org>
Received: from nautilus.3node.com [62.245.184.18] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1AMIpB-0000Hb-00; Tue, 18 Nov 2003 21:16:13 -0600
Received: from marvin.palfrader.org (leviathan.campus-sbg.at [195.70.114.210])
	(using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
	(Client CN "marvin.palfrader.org", Issuer "Peter Palfrader" (verified OK))
	by nautilus.3node.com (Postfix) with ESMTP id 99C55122DFA
	for <188225-done@bugs.debian.org>; Wed, 19 Nov 2003 04:16:12 +0100 (CET)
Received: from valiant.palfrader.org (valiant.sbg.palfrader.org [172.22.118.2])
	by marvin.palfrader.org (Postfix) with ESMTP id 8BA436E56E
	for <188225-done@bugs.debian.org>; Wed, 19 Nov 2003 04:16:11 +0100 (CET)
Received: by valiant.palfrader.org (Postfix, from userid 1000)
	id 6497FBE16; Wed, 19 Nov 2003 04:16:11 +0100 (CET)
Date: Wed, 19 Nov 2003 04:16:11 +0100
From: Peter Palfrader <weasel@debian.org>
To: 188225-done@bugs.debian.org
Subject: appears to already have been fixed
Message-ID: <20031119031611.GB6050@marvin.sbg.palfrader.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="gj572EiMnwbLXET9"
Content-Disposition: inline
X-PGP: 1024D/94C09C7F 5B00 C96D 5D54 AEE1 206B  AF84 DE7A AF6E 94C0 9C7F
X-Request-PGP: http://www.palfrader.org/keys/94C09C7F.asc
X-Accept-Language: de, en
User-Agent: Mutt/1.5.4i
Delivered-To: 188225-done@bugs.debian.org
X-Spam-Status: No, hits=1.0 required=4.0
	tests=BAYES_70
	version=2.53-bugs.debian.org_2003_11_15
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_11_15 (1.174.2.15-2003-03-30-exp)



The problem described in this bug report appears to have been fixed in
3.004-19.

epic (3.004-19) unstable; urgency=high

  * Non-maintainer upload by the Security Team
  * MU-versioning since I used to be part of the QA team as well
  * Applied upstream ircII patch partially to fix problems reported by
    Timo Sirainen <tss@iki.fi>
  * Added build dependencies

 -- Martin Schulze <joey@infodrom.org>  Wed,  9 Apr 2003 20:38:55 +0200

The patch attached to the bug report is at least in 3.004-20.

Peter
-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/



