Bug 123013 - CAN-2004-0409 XChat buffer overflow in socks5 proxy
CAN-2004-0409 XChat buffer overflow in socks5 proxy
Status: CLOSED DUPLICATE of bug 159566
Product: Fedora Legacy
Classification: Retired
Component: xchat (Show other bugs)
fc2
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
LEGACY, 2, verify-fc2
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-05-11 05:56 EDT by Mark J. Cox (Product Security)
Modified: 2007-04-18 13:07 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-06-29 05:12:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2004-05-11 05:56:40 EDT
A flaw in the XChat's Socks-5 proxy code could allow arbitrary code
execution.  To exploit this flaw an attacker would need to create a
malicious socks-5 proxy that the victim connects to.

This issue was public on Mon, 5 Apr 2004

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0409 links to
http://mail.nl.linux.org/xchat-announce/2004-04/msg00000.html for 
more information.

"XChat's Socks-5 proxy code is vulnerable to a remote exploit. To
successfully exploit the code, you would need to enable socks5 
traversal (default off) and connect to the attacker's own custom
proxy server.

"If you never intend to use a Socks5 proxy, you are not affected at
all by this issue."

      CAN-2004-0409 Affects: FC1
      CAN-2004-0409 Affects: FC2
Comment 1 Matthew Miller 2005-04-11 18:20:20 EDT
[Bulk move of FC2 bugs to Fedora Legacy. See
<http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.]
Comment 2 Matthew Miller 2005-04-12 01:12:42 EDT
Fixed already for earlier releases by Fedora Legacy (bug #152706), but now
needed for FC2.
Comment 3 Marc Deslauriers 2005-05-02 20:17:58 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated xchat packages to QA for fc2:

Changelog:
* Mon May 02 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 1:2.0.7-5.1.legacy
- - Added patch to fix CAN-2004-0409

ea64d6097654b5886a5c0f311fef0dbe0d91127d  xchat-2.0.7-5.1.legacy.i386.rpm
351b752a112f932899f29fec2af03646983c0fd5  xchat-2.0.7-5.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/2/xchat-2.0.7-5.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/xchat-2.0.7-5.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCdsMqLMAs/0C4zNoRAoa/AJ9tc0Vgq11p43ZcE6fJ89ZMnqlorACfbBkK
qXjSLjqND24yScDSOH0ADC4=
=0UG7
-----END PGP SIGNATURE-----
Comment 4 Matthew Miller 2005-05-05 12:20:04 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for xchat-2.0.7-5.1.legacy.src.rpm for FC2:

* only change to spec file is the addition of the
  one patch to fix this issues.
* verified that this patch is the same as that
  in the previous FL update for RHL. (With
  adjusted line numbers.)
  the 1.0.3 and 1.0.4 sylpheed versions
* package build and installs fine
* seems to run fine

+PUBLISH FC2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCekd1z8vebpLJCdYRApNdAJ44YSQJfyGsIY1qWvH+rLW0TpHTmwCcCpCf
vKGq2e3eZ/xK+WedI1MQOsM=
=YrbM
-----END PGP SIGNATURE-----
Comment 5 Marc Deslauriers 2005-06-19 11:18:46 EDT
Packages were pushed to updates-testing
Comment 6 Pekka Savola 2005-06-29 05:12:09 EDT
Let's track both FC1 and FC2 under the same bug number..

*** This bug has been marked as a duplicate of 159566 ***

Note You need to log in before you can comment on or make changes to this bug.