[security] 2.0.6 crashable from remote
Due to a bug, version 2.0.6 can be crashed remotely. All users of 2.0.6
should upgrade immediately. 2.0.5 and earlier are not affected.
Explanation:
When receiving a "passive" dcc request with an invalid ID number, the client
will dereference NULL. As far as I know, this isn't exploitable other than
crashing the client (it tries to write to address 0x00000008).
Cause:
A patch accepted around Nov 18 (dcc psend patch) introduced this bug by
neglecting to check for a NULL pointer returned from a function.
(Don't blame me, I didn't write it! :) )
Solution:
Work-around: /ignore *!*@* DCC
Fix: Apply patch to 2.0.6 and recompile.
Permanent fix: Pay me to check 3rd party patches more thoroughly.
Patch:
http://xchat.org/files/source/2.0/xc206-fixpsend.diff
2.0.7 may follow in a few days to avoid the problem of people downloading
2.0.6 without the patch.
--
Peter.
--
XChat-announce: Xchat announcement list
Archive: http://mail.nl.linux.org/xchat-announce/
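
The bug class described in the announcement above (a lookup by ID that returns NULL for an unknown ID, and a caller that writes through the result), shown with the missing check in place. This is an added C example, not XChat's code and not the linked patch; the struct layout, function names and sample IDs are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a pending passive DCC offer (not XChat's struct). */
struct dcc_offer {
    int id;          /* ID sent out with our passive offer */
    int state;       /* 0 = waiting for peer, 1 = peer answered */
    unsigned port;   /* port the peer asks us to connect to */
};

/* Constructed sample table of offers we are waiting on. */
static struct dcc_offer pending[] = { {1001, 0, 0}, {1002, 0, 0} };

/* Lookup by ID: returns NULL when no pending offer carries that ID. */
static struct dcc_offer *find_offer_by_id(int id)
{
    for (size_t i = 0; i < sizeof pending / sizeof pending[0]; i++)
        if (pending[i].id == id)
            return &pending[i];
    return NULL;
}

/* Handle a peer's reply to a passive offer; the ID and port come from the
 * network. Returns 0 if accepted, -1 if rejected. */
int handle_passive_reply(int id, unsigned port)
{
    struct dcc_offer *o = find_offer_by_id(id);

    /* Without this check, the store to o->port below goes through NULL:
     * the faulting address is 0 plus the member's offset, which is why
     * such crashes report small addresses rather than exactly 0. */
    if (o == NULL)
        return -1;
    if (o->state != 0 || port == 0 || port > 65535)
        return -1;   /* already answered, or not a usable port */

    o->port = port;
    o->state = 1;
    return 0;
}

int main(void)
{
    printf("unknown id 9999 -> %d\n", handle_passive_reply(9999, 4000));
    printf("known id 1001   -> %d\n", handle_passive_reply(1001, 4000));
    printf("replayed 1001   -> %d\n", handle_passive_reply(1001, 4000));
    return 0;
}
```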