
Bug#188225: Buffer overflows in EPIC



Package: epic
Version: 3.004-18
Severity: important
Tags: security patch
Bugtraq: http://www.securityfocus.com/archive/1/315057

Timo Sirainen discovered several problems in EPIC, a popular client
for Internet Relay Chat (IRC).  A malicious server could craft special
reply strings, triggering the client to write beyond buffer
boundaries.  This could lead to a denial of service if the client only
crashes, but may also lead to execution of arbitrary code under the
user id of the chatting user.

Below please find the patch I'm going to use for the version in stable.
Please apply it to the package in unstable or use a newer upstream
version which fixes them as well.  Please let me know which version
contains the fixes in sid so I can include it in the advisory.

 - numbers.c: predefined strings written past boundary
 - server.c: overflow in create_server_list()
 - status.c: overflow during statusbar drawing

Regards,

	Joey



diff -u epic-3.004/source/numbers.c epic-3.004/source/numbers.c
--- epic-3.004/source/numbers.c
+++ epic-3.004/source/numbers.c
@@ -295,19 +295,19 @@
 	switch(-current_numeric)
 	{
 	case 471:
-		strcat(buffer, " (Channel is full)");
+		strmcat(buffer, " (Channel is full)", BIG_BUFFER_SIZE);
 		break;
 	case 473:
-		strcat(buffer, " (You must be invited)");
+		strmcat(buffer, " (You must be invited)", BIG_BUFFER_SIZE);
 		break;
 	case 474:
-		strcat(buffer, " (You are banned)");
+		strmcat(buffer, " (You are banned)", BIG_BUFFER_SIZE);
 		break;
 	case 475:
-		strcat(buffer, " (You must give the correct key)");
+		strmcat(buffer, " (You must give the correct key)", BIG_BUFFER_SIZE);
 		break;
 	case 476:
-		strcat(buffer, " (Bad channel mask)");
+		strmcat(buffer, " (Bad channel mask)", BIG_BUFFER_SIZE);
 		break;
 	}
 	put_it("%s %s", numeric_banner(), buffer);
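Review bot: the third argument passed to strmcat (BIG_BUFFER_SIZE) has to match the real declared size of `buffer`, and that declaration is not in this hunk; if `buffer` is `char buffer[BIG_BUFFER_SIZE + 1]` rather than `[BIG_BUFFER_SIZE]`, or if strmcat treats its limit as a maximum string length rather than a capacity including the NUL, the result is either a one-byte overrun or a silently dropped character, so please confirm the contract against strmcat's definition before shipping. Only the five cases 471-476 are converted here; whatever fills `buffer` before this switch (the server-supplied part of the reply that the suffix is appended to) is not visible in the hunk and needs the same bound, otherwise `buffer` can already be at or past its end when these appends run.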
diff -u epic-3.004/source/server.c epic-3.004/source/server.c
--- epic-3.004/source/server.c
+++ epic-3.004/source/server.c
@@ -1877,8 +1877,8 @@
 		{
 			if (server_list[i].itsname)
 			{
-				strcat(buffer, server_list[i].itsname);
-				strcat(buffer, space);
+				strncat(buffer, server_list[i].itsname, BIG_BUFFER_SIZE - strlen(buffer));
+				strncat(buffer, space, BIG_BUFFER_SIZE - strlen(buffer));
 			}
 			else
 				yell("Warning: server_list[%d].itsname is null and it shouldnt be", i);
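Review bot: `strncat(buffer, s, BIG_BUFFER_SIZE - strlen(buffer))` is off by one: strncat copies up to n bytes and then writes a terminating NUL, so when strlen(buffer) is BIG_BUFFER_SIZE - 1 the call writes one byte at index BIG_BUFFER_SIZE - 1 and the NUL at index BIG_BUFFER_SIZE, one past a buffer of BIG_BUFFER_SIZE bytes. The bound should be `BIG_BUFFER_SIZE - strlen(buffer) - 1`, and since `strlen(buffer)` is recomputed on every loop iteration, if it ever exceeds BIG_BUFFER_SIZE the size_t subtraction wraps to a huge value and the append is effectively unbounded again. Simplest fix is to use the same strmcat(buffer, ..., BIG_BUFFER_SIZE) helper the numbers.c hunk uses, so both files rely on one bounded-append contract.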
diff -u epic-3.004/debian/changelog epic-3.004/debian/changelog
--- epic-3.004/debian/changelog
+++ epic-3.004/debian/changelog
@@ -1,3 +1,12 @@
+epic (3.004-17.1) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Applied upstream ircII patch partially to fix problems reported by
+    Timo Sirainen <tss@iki.fi>
+  * Added build dependencies
+
+ -- Martin Schulze <joey@infodrom.org>  Mon,  7 Apr 2003 09:57:05 +0200
+
 epic (3.004-17) unstable; urgency=low
 
   * Upload to woody.
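Review bot: "Applied upstream ircII patch partially" should say which parts of the upstream patch were left out and why, since the status.c change appears only in patch2 and the three files touched (numbers.c, server.c, status.c) are not named here. The entry should also reference this report (closes: #188225) and the Bugtraq post given in the bug header, so the security upload can be traced from the changelog without the advisory.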
diff -u epic-3.004/debian/control epic-3.004/debian/control
--- epic-3.004/debian/control
+++ epic-3.004/debian/control
@@ -2,6 +2,7 @@
 Section: net
 Priority: extra
 Maintainer: David N. Welton <davidw@efn.org>
+Build-Depends: debhelper, libncurses5-dev
 Standards-Version: 2.5.0
 
 Package: epic
only in patch2:
unchanged:
--- epic-3.004.orig/source/status.c
+++ epic-3.004/source/status.c
@@ -1481,7 +1481,7 @@
 
 	/*bzero(buffer, BIG_BUFFER_SIZE);*/
 	*buffer = 0;
-	for (pos = 0, s = str; s && pos < BIG_BUFFER_SIZE && pos < n; s++)
+	for (pos = 0, s = str; s && pos < (BIG_BUFFER_SIZE - 4) && pos < n; s++)
 	{
 		if (translation)
 			*s = transToClient[*s];
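Review bot: the new bound `pos < (BIG_BUFFER_SIZE - 4)` leaves an undocumented magic 4; the loop checks `pos` before each iteration, so the headroom must cover the largest number of bytes a single iteration can write into `buffer` after the check, and that number should be a named constant with a comment stating which expansion in the loop body it accounts for, otherwise a later change to the body that emits more bytes per iteration reintroduces the overflow silently. Please also confirm that `n` is already bounded by the same headroom, since `pos < n` is the other loop limit.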

-- 
If you come from outside of Finland, you live in wrong country.
	-- motd of irc.funet.fi

Please always Cc to me when replying to me on the lists.
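The two bounded-append idioms used in the patch differ in a way that matters for the boundary case, so here is an added example (not EPIC or ircII code) showing a bounded append with the contract the numbers.c hunk relies on, the byte count an unbounded strcat of a server-controlled reply would need, and the strncat off-by-one from the server.c hunk made observable with a canary byte. BIG_BUFFER_SIZE is set to a small assumed value so the arithmetic is visible; `bounded_cat` is an assumed stand-in for strmcat, and the server reply is constructed for the demonstration.

```c
/* Added example: bounded appends for server-controlled IRC reply strings.
 * Not code from EPIC or ircII. BIG_BUFFER_SIZE, bounded_cat's contract and
 * the sample replies are assumptions made for this demonstration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BIG_BUFFER_SIZE 64   /* assumed small so the overflow arithmetic is visible */

/* Bounded append: never writes more than `cap` bytes into dst, NUL included.
 * Returns 1 if all of src fit, 0 if it was truncated. Assumed to mirror the
 * strmcat(dst, src, maxlen) contract the numbers.c hunk relies on. */
int bounded_cat(char *dst, const char *src, size_t cap)
{
    size_t used = 0;
    while (used < cap && dst[used] != '\0')   /* tolerate an unterminated dst */
        used++;
    if (used >= cap)
        return 0;                              /* no room even for the NUL */
    size_t room = cap - used - 1;
    size_t n = strlen(src);
    int fit = n <= room;
    if (!fit)
        n = room;
    memcpy(dst + used, src, n);
    dst[used + n] = '\0';
    return fit;
}

/* Bytes the original strcat path needs: the server-supplied part already in
 * the buffer, the client's fixed suffix, and the NUL. Computed rather than
 * performed, because performing it with a long server part is the overflow. */
size_t strcat_bytes_needed(const char *server_part, const char *suffix)
{
    return strlen(server_part) + strlen(suffix) + 1;
}

/* Build a 471 reply line the way the patched switch does, but bounded.
 * Returns 1 if everything fit, 0 if the line was truncated. */
int format_numeric_471(char *out, size_t cap, const char *server_part)
{
    out[0] = '\0';
    int ok = bounded_cat(out, server_part, cap);
    ok &= bounded_cat(out, " (Channel is full)", cap);
    return ok;
}

/* The strncat(dst, src, CAP - strlen(dst)) idiom from the server.c hunk:
 * strncat copies up to n bytes AND a NUL, so the total can reach CAP + 1.
 * A backing array one byte larger than the nominal buffer holds a canary in
 * slot CAP, so the extra write is well defined and observable here; in a
 * buffer of exactly CAP bytes it would be a one-byte overflow.
 * Returns 1 if the canary was clobbered. */
int strncat_idiom_clobbers_canary(int subtract_one)
{
    char raw[BIG_BUFFER_SIZE + 1];
    memset(raw, 'A', BIG_BUFFER_SIZE - 1);     /* nominal buffer is nearly full */
    raw[BIG_BUFFER_SIZE - 1] = '\0';
    raw[BIG_BUFFER_SIZE] = 'X';                /* canary just past the nominal buffer */
    size_t n = BIG_BUFFER_SIZE - strlen(raw) - (subtract_one ? 1 : 0);
    strncat(raw, "#chan ", n);
    return raw[BIG_BUFFER_SIZE] != 'X';
}

int main(void)
{
    /* Constructed server reply: a channel name long enough that the
     * unbounded strcat would need more than BIG_BUFFER_SIZE bytes. */
    char long_chan[BIG_BUFFER_SIZE];
    memset(long_chan, '#', sizeof long_chan - 1);
    long_chan[sizeof long_chan - 1] = '\0';

    char buffer[BIG_BUFFER_SIZE];
    printf("strcat would need %zu bytes, buffer holds %d\n",
           strcat_bytes_needed(long_chan, " (Channel is full)"), BIG_BUFFER_SIZE);
    int fit = format_numeric_471(buffer, sizeof buffer, long_chan);
    printf("bounded: fit=%d len=%zu \"%s\"\n", fit, strlen(buffer), buffer);
    printf("strncat(CAP - strlen) clobbers canary: %d\n",
           strncat_idiom_clobbers_canary(0));
    printf("strncat(CAP - strlen - 1) clobbers canary: %d\n",
           strncat_idiom_clobbers_canary(1));
    return 0;
}
```

The bounded helper takes the buffer's capacity, not a remaining length, so every call site passes the same constant as the array declaration and there is no per-call subtraction to get wrong; that is the property worth checking in the server.c hunk, where the remaining length is recomputed from strlen on every loop iteration.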


