1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
2 <HTML>
3 <HEAD>
4 <TITLE> [IRCServices] bug in ircservices and epona can crash services
5 </TITLE>
6 <LINK REL="Index" HREF="index.html" >
7 <LINK REL="made" HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20bug%20in%20ircservices%20and%20epona%20can%20crash%20services&In-Reply-To=">
8 <META NAME="robots" CONTENT="index,nofollow">
9 <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
10 <LINK REL="Previous" HREF="002976.html">
11 <LINK REL="Next" HREF="002979.html">
12 </HEAD>
13 <BODY BGCOLOR="#ffffff">
14 <H1>[IRCServices] bug in ircservices and epona can crash services</H1>
15 <B>Lucas Nussbaum</B>
16 <A HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20bug%20in%20ircservices%20and%20epona%20can%20crash%20services&In-Reply-To="
17 TITLE="[IRCServices] bug in ircservices and epona can crash services">lucas at lucas-nussbaum.net
18 </A><BR>
19 <I>Sun Jun 23 19:08:01 PDT 2002</I>
20 <P><UL>
21 <LI>Previous message: <A HREF="002976.html">[IRCServices] who should I send bug reports to ?
22 </A></li>
23 <LI>Next message: <A HREF="002979.html">[IRCServices] Services 4.5.41 released
24 </A></li>
25 <LI> <B>Messages sorted by:</B>
26 <a href="date.html#2978">[ date ]</a>
27 <a href="thread.html#2978">[ thread ]</a>
28 <a href="subject.html#2978">[ subject ]</a>
29 <a href="author.html#2978">[ author ]</a>
30 </LI>
31 </UL>
32 <HR>
33 <!--beginarticle-->
34 <PRE>Hi,
35
36 There's a bug in both ircservices and epona which can cause services to crash. Remote execution of code on the services account is theoretically possible (it isn't likely, but you never know).
37
38 I won't detail the contents of the patch yet : I don't want to make all networks be crashed by users because of me ;o) I will just tell you that every user on your network can crash your services.
39
40 The bug was found by Aristotles (he is asleep right now, so I can't ask for more information to be able to credit him properly). Anyway, congratulations go to him :)
41
42 Andrew Church (for ircservices) and lara (for epona) were both contacted. They might release a new version fixing this in a more clever way soon.
43
44 Patch for epona :
45 <A HREF="http://www.lucas-nussbaum.net/epona-1.4.11+formatfix.diff">http://www.lucas-nussbaum.net/epona-1.4.11+formatfix.diff</A>
46 (please note that the bug is in ircservices code used by epona, so lara isn't to blame)
47
48 Patch for ircservices :
49 <A HREF="http://www.lucas-nussbaum.net/ircservices-4.5.40+formatfix.diff">http://www.lucas-nussbaum.net/ircservices-4.5.40+formatfix.diff</A>
50
51 To apply (example for epona) :
52 cd epona-1.4.11
53 patch -p1 &lt; epona-1.4.11+formatfix.diff
54
55 The patch is very simple, and applies to some very old code, so you should be able to apply it to older versions too.
56
57 Other services based on ircservices might be vulnerable too.
58 Thales (IRC to MySQL gateway, see <A HREF="http://www.lucas-nussbaum.net/thales/">http://www.lucas-nussbaum.net/thales/</A> ), contains the vulnerable code but doesn't use it.
59
60
61 After contacting him, Andrew Church suggested the following patch :
62 Index: send.c
63 ===================================================================
64 RCS file: /var/cvs-private/ircservices/send.c,v
65 retrieving revision 1.8.4.2
66 diff -u -r1.8.4.2 send.c
67 --- send.c 7 Jan 2002 15:35:56 -0000 1.8.4.2
68 +++ send.c 23 Jun 2002 16:55:36 -0000
69 @@ -100,8 +100,8 @@
70 char buf[BUFSIZE];
71
72 va_start(args, fmt);
73 - snprintf(buf, sizeof(buf), &quot;NOTICE %s :%s&quot;, dest, fmt);
74 - vsend_cmd(source, buf, args);
75 + vsnprintf(buf, sizeof(buf), fmt, args);
76 + send_cmd(source, &quot;NOTICE %s :%s&quot;, dest, buf);
77 }
78
79
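Review bot: va_start(args, fmt) has no matching va_end before the closing brace in this hunk. Since vsnprintf now consumes args directly in this function, add va_end(args) right after the vsnprintf call; the same applies to the other two functions this patch touches.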
80 @@ -195,8 +195,8 @@
81 char buf[BUFSIZE];
82
83 va_start(args, fmt);
84 - snprintf(buf, sizeof(buf), &quot;PRIVMSG %s :%s&quot;, dest, fmt);
85 - vsend_cmd(source, buf, args);
86 + vsnprintf(buf, sizeof(buf), fmt, args);
87 + send_cmd(source, &quot;PRIVMSG %s :%s&quot;, dest, buf);
88 }
89
90 /*************************************************************************/
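Review bot: the return value of vsnprintf(buf, sizeof(buf), fmt, args) is discarded, so a message that does not fit in BUFSIZE is cut silently, and the PRIVMSG prefix and dest are only added afterwards by send_cmd. Check for a result of at least sizeof(buf) and log the truncation, and add a short comment stating that dest and the expanded text must reach send_cmd only as %s arguments, never as part of its format string, so the old snprintf-then-vsend_cmd pattern is not reintroduced later.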
91 @@ -258,12 +258,12 @@
92 char buf[BUFSIZE];
93
94 va_start(args, fmt);
95 + vsnprintf(buf, sizeof(buf), fmt, args);
96 #ifdef IRC_DALNET
97 - snprintf(buf, sizeof(buf), &quot;GLOBOPS :%s&quot;, fmt);
98 + send_cmd(source ? source : ServerName, &quot;GLOBOPS :%s&quot;, buf);
99 #else
100 - snprintf(buf, sizeof(buf), &quot;WALLOPS :%s&quot;, fmt);
101 + send_cmd(source ? source : ServerName, &quot;WALLOPS :%s&quot;, buf);
102 #endif
103 - vsend_cmd(source ? source : ServerName, buf, args);
104 }
105
106 /*************************************************************************/
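Review bot: the two send_cmd calls under #ifdef IRC_DALNET and #else differ only in the command word and both repeat the source ? source : ServerName fallback. Select the GLOBOPS or WALLOPS word with the #ifdef and keep one send_cmd call after #endif that passes the word and buf as %s arguments, so the format string stays a single literal and the two branches cannot drift apart.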
107
108 So I let you choose which one you prefer ;)
109
110 Bye,
111
112 lucas
113
114 </PRE>
115
116 <!--endarticle-->
117 <HR>
131
132 </body></html>