Bugtraq mailing list archives
Re: NEW ircii/bitchx(/epic?) overflow
From: forcer () MINDLESS COM (forcer)
Date: Tue, 2 Jun 1998 00:07:49 +0200
On Sat, May 30, 1998 at 06:48:07PM +0200, Paul Boehm wrote:
> Hi, I think I've found a new (exploitable) bug in ircii and the likes.
> [...]
> Special thanks go out to forcer from #linux.de who helped me test the bug and currently is working on a patch for it.
Patch is done, available under http://webserver.de/forcer/code/patch-ircii-4.4+noinfect and appended. The problem also showed up in the ssfe frontend to sirc: http://webserver.de/forcer/code/patch-sirc-2.211+noinfect

EPIC and tirc are secure, as it seems.

In short, the IRC clients do not expect a long, non-terminated line, as RFC1459 (IRC protocol) specifies a maximal line length of 511 bytes plus the newline.

The ircII maintainers notified me that the patch won't go into the client as it is, since not many Unices have the snprintf() function.

Patch follows:

diff -urN ircii-4.4/source/hook.c ircii-4.4-noinfect/source/hook.c --- ircii-4.4/source/hook.c Mon Apr 21 08:34:00 1997 +++ ircii-4.4-noinfect/source/hook.c Sat May 30 20:11:28 1998 @@ -431,7 +431,7 @@ #ifdef HAVE_STDARG_H va_start(vl, format); - vsprintf(buffer, format, vl); + vsnprintf(buffer, BIG_BUFFER_SIZE+1, format, vl); va_end(vl); #else sprintf(buffer, format, arg1, arg2, arg3, arg4, arg5, arg6);

-forcer
--
/* Never make any mistaeks. */
/* email: forcer () mindless com skip -><- www: http://mailserver.de/forcer/ */
/* IRC: forcer (#StarWars@IRCnet) -><- PGP: mail with subject "send pgp" */
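Review bot: the hunk only bounds the HAVE_STDARG_H path; the `#else` branch still reaches `sprintf(buffer, format, arg1, arg2, arg3, arg4, arg5, arg6);` unbounded, so a build without stdarg keeps the overflow the mail describes. Given the maintainers' objection that snprintf() is missing on many of their target Unices, a portable fix would bound the formatted length against BIG_BUFFER_SIZE in both branches (or carry a local vsnprintf) rather than relying on the libc one. Also confirm that `buffer` is really declared with BIG_BUFFER_SIZE+1 bytes, since the size passed to vsnprintf must match the actual allocation and the hunk does not show the declaration.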
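The framing discipline the reply describes (RFC 1459's 512-byte line limit, and what to do with a long line whose newline never arrives), as an added example in C that is not part of forcer's patch or of ircII; the names irc_framer, irc_frame_line, irc_frame_demo and the 600-byte sample line are constructed here.

```c
#include <stddef.h>
#include <string.h>
/* RFC 1459: a message is at most 512 bytes including CR-LF, so 510 of payload. */
#define IRC_MAX_LINE    512
#define IRC_MAX_PAYLOAD (IRC_MAX_LINE - 2)
enum irc_frame_status { IRC_LINE_OK, IRC_LINE_INCOMPLETE, IRC_LINE_TOO_LONG };
/* 'discarding' is set while the tail of a rejected over-long line is still arriving. */
struct irc_framer { int discarding; };
/* Extract one line from buf[0..len). On IRC_LINE_OK the line, terminator stripped, is
 * NUL-terminated in out[IRC_MAX_LINE]; *consumed is the number of input bytes to drop.
 * Over-long input is dropped, never copied, so it cannot overrun out. (Constructed.) */
enum irc_frame_status
irc_frame_line(struct irc_framer *f, const char *buf, size_t len,
               char out[IRC_MAX_LINE], size_t *consumed)
{
    const char *nl = memchr(buf, '\n', len);
    size_t line_len = nl ? (size_t)(nl - buf) : len;
    size_t skip = nl ? line_len + 1 : len;      /* through the LF, or all of it */
    if (f->discarding) {                        /* still inside a rejected line */
        f->discarding = (nl == NULL);
        *consumed = skip;
        return IRC_LINE_TOO_LONG;
    }
    if (nl && line_len > 0 && buf[line_len - 1] == '\r')
        line_len--;                             /* accept CR-LF or bare LF */
    if (line_len > IRC_MAX_PAYLOAD) {           /* the case ircII mishandled */
        f->discarding = (nl == NULL);           /* keep dropping until the LF */
        *consumed = skip;
        return IRC_LINE_TOO_LONG;
    }
    if (!nl) {
        *consumed = 0;                          /* short partial line: wait */
        return IRC_LINE_INCOMPLETE;
    }
    memcpy(out, buf, line_len);
    out[line_len] = '\0';
    *consumed = skip;
    return IRC_LINE_OK;
}
/* Constructed scenario: a 600-byte unterminated line, then its tail followed by a
 * valid PONG. Returns 1 if the framer drops the junk and yields exactly "PONG". */
int irc_frame_demo(void)
{
    struct irc_framer f = {0}; size_t used;
    char junk[600], out[IRC_MAX_LINE];
    const char *tail = "AAA\r\nPONG\r\n";
    memset(junk, 'A', sizeof junk);
    if (irc_frame_line(&f, junk, sizeof junk, out, &used) != IRC_LINE_TOO_LONG || used != 600) return 0;
    if (irc_frame_line(&f, tail, 11, out, &used) != IRC_LINE_TOO_LONG || used != 5) return 0;
    if (irc_frame_line(&f, tail + 5, 6, out, &used) != IRC_LINE_OK || used != 6) return 0;
    return strcmp(out, "PONG") == 0;
}
```

The caller keeps its own receive buffer and drops `*consumed` bytes after each call; the bound on `out` holds no matter how many bytes the peer sends without a newline.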
Current thread:
- NEW ircii/bitchx(/epic?) overflow Paul Boehm (May 30)
- Re: NEW ircii/bitchx(/epic?) overflow forcer (Jun 01)