Bug 152706 - xchat CAN-2004-0409
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
URL: https://rhn.redhat.com/errata/RHSA-20...
Whiteboard: LEGACY, rh73
Reported: 2004-04-30 14:57 EDT by Barry K. Nathan
Modified: 2014-01-21 17:51 EST
Doc Type: Bug Fix
Last Closed: 2005-04-05 18:59:30 EDT
Attachments: None
Description David Lawrence 2005-03-30 18:24:41 EST
Discussed in RHSA-2004-177 for Red Hat 9. Red Hat 7.2 through 8.0 are also
vulnerable.



------- Additional Comments From jonny.strom@netikka.fi 2004-05-01 02:06:05 ----

A backport for Red Hat 7.3 is available at:

http://av8.netikka.fi/~johnny/fedora_legacy/rh73/

http://213.250.83.8/~johnny/fedora_legacy/rh73/xchat-1.8.9-1.73.1.legacy.i386.rpm
51ef4cd03f430664185073fa0622b534

http://213.250.83.8/~johnny/fedora_legacy/rh73/xchat-1.8.9-1.73.1.legacy.src.rpm
c3ca17797931b2101cb42269e046560f

http://213.250.83.8/~johnny/fedora_legacy/rh73/xc208-fixsocks5.diff
12c72cd98f4719b222bab75aea68abc3

I have done basic testing of xchat on Red Hat 7.3 and it is working as expected.



------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-04 06:14:41 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Installed the binary xchat yesterday on 7.3. It works fine.

Today, rebuilt the srpm for xchat on rh7.3. Built fine.

- -DWB


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAl8FcSY7s7uPf/IURAgIFAKC0bElNOP9TJWUsrRuAM+M/AEl9IACeJjXT
nQVJ90oMuhX3Lu4W9kv8g1Q=
=gKXn
-----END PGP SIGNATURE-----




------- Additional Comments From skvidal@phy.duke.edu 2004-05-04 20:21:36 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
md5sum checks out:
c3ca17797931b2101cb42269e046560f  xchat-1.8.9-1.73.1.legacy.src.rpm
sha1sum is:
8951fa1af6bedd35914e6ba82e7f7192418c6f97  xchat-1.8.9-1.73.1.legacy.src.rpm
spec file is fine
patch matches one for rhl9 - consistent with cvs check on xchat's cvs repo
builds normally
installs normally
looks good.
PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFAmIfk1Aj3x2mIbMcRAkXEAJ9+VEp95DVOUA23N/UJNRTr3kGS3wCfUZcZ
s1o/MsWz8nCjB0LQF7KzUhk=
=yzpy
-----END PGP SIGNATURE-----




------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-05 06:49:57 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Decided to try this exploit at:

http://fakehalo.deadpig.org/xxchat-socks5.c

set up my new xchat to use localhost 1080 as a socks5 proxy:

domino> ./xxchat-socks5 
[*] X-Chat[v1.8.0-v2.0.8]: socks-5 remote buffer overflow exploit.
[*] by: by: vade79/v9 v9@fakehalo.deadpig.org (fakehalo)

[!] syntax: ./xxchat-socks5 <offset from 0xbffffffa> [port] [shell port]

domino> ./xxchat-socks5 2600
[*] X-Chat[v1.8.0-v2.0.8]: socks-5 remote buffer overflow exploit.
[*] by: by: vade79/v9 v9@fakehalo.deadpig.org (fakehalo)

[*] eip: 0xbffff5d2, socks-5 port: 1080, bindshell port: 7979.
[*] awaiting connection from: *:1080.
[*] socks-5 server connection established.
[*] sending specially crafted string. (exploit)
[*] socks-5 server connection closed.
[*] checking to see if the exploit was successful.
[*] attempting to connect: 127.0.0.1:7979.
[!] connection failed: 127.0.0.1:7979.


then, attempted w. xchat to connect to a new server.

and, xchat failed to connect.

Not sure what happens if a vulnerable xchat is used.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAmRskSY7s7uPf/IURAuoVAJ4s7eXkvCA9SwoRC/mmLbmR9ndEaACg3Kin
hcodukPM88h7e2+VyUlTwQo=
=le8A
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating@j2solutions.net 2004-05-05 15:33:45 ----

Any chance at getting a build for 7.2 and 8.0?



------- Additional Comments From warren@togami.com 2004-05-09 20:57:05 ----

Is this the security patch from upstream?  I heard something about a patch from
upstream as not being a fix, but only making the default buffer size larger to
make it more difficult to overflow.  In any case this is a really corner case
exploit and probably much lower in priority compared to other packages here.



------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-13 11:28:51 ----

From the xchat.org patch:


diff -ur ./src/common/server.c ../xchat-1.8.9/src/common/server.c
--- ./src/common/server.c       Mon Apr  8 15:05:48 2002
+++ ../xchat-1.8.9/src/common/server.c  Sat May  1 14:25:35 2004
@@ -837,7 +837,7 @@
        struct sock5_connect1 sc1;
        unsigned char *sc2;
        unsigned int packetlen, addrlen;
-       unsigned char buf[10];
+       unsigned char buf[260];
 
        sc1.version = 5;
        sc1.nmethods = 1;
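Review bot: the new `unsigned char buf[260]` is only provably large enough because the later `packetlen = buf[0] + 2` is computed from an `unsigned char`, so the largest possible read is 255 + 2 = 257 bytes; nothing next to the declaration records that invariant. Consider a named constant with a comment tying the size to the 255-octet SOCKS5 domain-name limit plus the 2-byte port (e.g. `#define SOCKS5_MAXPKT 260` / `unsigned char buf[SOCKS5_MAXPKT];`), so that a later change to the type or size of `buf`, or to the length arithmetic, cannot silently reopen the overflow.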
@@ -878,7 +878,7 @@
        {
                if (recv (sok, buf, 1, 0) != 1)
                        return 1;
-               packetlen = buf[0] + 2;
+               packetlen = buf[0] + 2; /* can't exceed 260 */
                if (recv (sok, buf, packetlen, 0) != packetlen)
                        return 1;
        }
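Review bot: this hunk changes only a comment; the read `recv (sok, buf, packetlen, 0)` still has no explicit check against the buffer, and the `/* can't exceed 260 */` claim holds only because `buf[0]` is an `unsigned char`, a property that is invisible at this call site. Add an explicit guard before the read, e.g. `if (packetlen > sizeof buf) return 1;`, so the bound is enforced in code rather than by type arithmetic. Separately, a single `recv` of `packetlen` bytes on a stream socket may legitimately return fewer bytes, which the existing `!= packetlen` test treats as a fatal error rather than continuing the read; that behaviour is pre-existing, but the comment should say so.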


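The patch above only enlarges the stack buffer, which is what the earlier comment in this thread questioned. As an added example (not xchat code, and not part of the xchat.org patch), the C below models the SOCKS5 CONNECT-reply read that the hunk touches, with an explicit bound check in place of the implied one, and runs it offline over constructed reply bytes. The `fake_sock`/`fake_recv` stand-in for a socket, the `socks5_*` and `demo_*` function names, and the sample messages (a 255-character domain name with port 6667, and a reply whose length octet promises more bytes than the peer sends) are all assumptions made for this example; the reply layout follows RFC 1928 (VER REP RSV ATYP BND.ADDR BND.PORT, with ATYP 0x01 IPv4, 0x03 length-prefixed domain name, 0x04 IPv6).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not xchat code: a byte buffer with a read cursor stands in
 * for a connected socket so the parsing logic can run offline. */
struct fake_sock { const unsigned char *data; size_t len; size_t pos; };

/* Stand-in for recv(): copies n bytes, or returns -1 once the stream ends. */
static int fake_recv(struct fake_sock *s, unsigned char *out, size_t n)
{
    if (s->pos + n > s->len)
        return -1;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return (int) n;
}

/* The read size the patched xchat code computes for an ATYP 0x03 reply:
 * the name (lenbyte octets) plus the 2-byte BND.PORT; at most 255 + 2. */
size_t socks5_domain_packetlen(unsigned char lenbyte)
{
    return (size_t) lenbyte + 2;
}

/* Does that read fit a stack buffer of bufsize bytes?  The old buf[10]
 * overflows for any name longer than 8 bytes; buf[260] holds the maximum. */
int socks5_domain_fits(unsigned char lenbyte, size_t bufsize)
{
    return socks5_domain_packetlen(lenbyte) <= bufsize;
}

#define SOCKS5_BUF 260

/* Read a SOCKS5 CONNECT reply.  Returns 0 on success and 1 on any protocol
 * or short-read error, in the style of the patched xchat function, but the
 * bound on the second read is checked explicitly rather than implied by
 * unsigned char arithmetic. */
int socks5_read_reply(struct fake_sock *s, unsigned char *addr_out,
                      size_t *addr_len, uint16_t *port)
{
    unsigned char hdr[4], buf[SOCKS5_BUF];
    size_t packetlen;

    if (fake_recv(s, hdr, 4) != 4)
        return 1;
    if (hdr[0] != 5 || hdr[1] != 0)        /* VER 5, REP 0 = succeeded */
        return 1;
    switch (hdr[3]) {                      /* ATYP */
    case 0x01: packetlen = 4 + 2;  break;  /* IPv4 address + port */
    case 0x04: packetlen = 16 + 2; break;  /* IPv6 address + port */
    case 0x03: {                           /* length-prefixed domain name */
        unsigned char n;
        if (fake_recv(s, &n, 1) != 1)
            return 1;
        packetlen = (size_t) n + 2;
        break;
    }
    default:
        return 1;
    }
    if (packetlen > sizeof buf)            /* the guard the hunk leaves implicit */
        return 1;
    if (fake_recv(s, buf, packetlen) != (int) packetlen)
        return 1;
    *addr_len = packetlen - 2;
    memcpy(addr_out, buf, *addr_len);
    *port = (uint16_t) ((buf[packetlen - 2] << 8) | buf[packetlen - 1]);
    return 0;
}

/* Constructed input: a successful reply with a domain name of namelen 'a'
 * characters and port 6667 (0x1A0B).  Returns the parsed port or -1. */
int demo_parse_domain_reply(unsigned char namelen)
{
    unsigned char msg[4 + 1 + 255 + 2], addr[256];
    size_t addr_len = 0;
    uint16_t port = 0;
    struct fake_sock s;

    msg[0] = 5; msg[1] = 0; msg[2] = 0; msg[3] = 0x03; msg[4] = namelen;
    memset(msg + 5, 'a', namelen);
    msg[5 + namelen] = 0x1A; msg[6 + namelen] = 0x0B;
    s.data = msg; s.len = (size_t) 7 + namelen; s.pos = 0;
    if (socks5_read_reply(&s, addr, &addr_len, &port) != 0)
        return -1;
    return (int) port;
}

/* Constructed input: the length octet promises 200 bytes but only three
 * follow, so the parser must fail instead of reading past the data. */
int demo_parse_truncated_reply(void)
{
    static const unsigned char msg[] = { 5, 0, 0, 0x03, 200, 'a', 'b', 'c' };
    unsigned char addr[256];
    size_t addr_len = 0;
    uint16_t port = 0;
    struct fake_sock s = { msg, sizeof msg, 0 };
    return socks5_read_reply(&s, addr, &addr_len, &port);
}

int main(void)
{
    printf("255-byte name fits buf[10]: %d, fits buf[260]: %d\n",
           socks5_domain_fits(255, 10), socks5_domain_fits(255, 260));
    printf("parsed port: %d, truncated reply rc: %d\n",
           demo_parse_domain_reply(255), demo_parse_truncated_reply());
    return 0;
}
```

The point of `socks5_domain_fits` is the arithmetic behind the patch: a 255-octet name plus the port is 257 bytes, which fits the new 260-byte buffer and not the old 10-byte one; `socks5_read_reply` shows the `packetlen > sizeof buf` guard that makes the bound visible at the read rather than relying on the type of the length octet.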




------- Additional Comments From jkeating@j2solutions.net 2004-05-18 18:55:53 ----

What is the status?  Are other distros using this same patch?  I don't want to
push this anywhere w/out any QA.  What did RHL9 use for the patch?



------- Additional Comments From jonny.strom@netikka.fi 2004-05-20 09:40:44 ----

Red Hat used the same xc208-fixsocks5.diff patch in Red Hat 9.

This is from the Red Hat 9 changelog in the spec file:

* Thu Apr 22 2004 Daniel Reed <djr@redhat.com> 1.8.11-8
- Add bugfix from xchat.org xc208-fixsocks5.diff



------- Additional Comments From marcdeslauriers@videotron.ca 2004-05-26 12:10:06 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Here are packages for 8.0:
 
f49fb67dd407264656407abcf8450079a245c032  xchat-1.8.10-9.legacy.i386.rpm
b1aabbf2c38353ad85eff22a39c8867396416591  xchat-1.8.10-9.legacy.src.rpm
 
http://www.infostrategique.com/linuxrpms/legacy/xchat-1.8.10-9.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/xchat-1.8.10-9.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFAtRWcLMAs/0C4zNoRAt57AKCKIrXvfSetqPSzvEcFtWsWdBfkmwCeK/Th
WO3id43lqN9WQK/JU+KYwic=
=kAe1
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-05 06:51:14 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tested rh7.3 package:

c3ca17797931b2101cb42269e046560f  xchat-1.8.9-1.73.1.legacy.src.rpm

- - md5sum match
- - spec file looks good
- - patch looks good
- - builds OK
- - installs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAwfmELMAs/0C4zNoRAsW1AJ95HtAz5XXiIuI5BIWuWvdVMotTdQCfd1tm
de66mdikpasl51sqnoYwOs4=
=H3SJ
-----END PGP SIGNATURE-----




------- Additional Comments From skvidal@phy.duke.edu 2004-06-09 18:18:45 ----

This looks like we have two PUBLISH's for 7.3 here.

7.3 appears to be the only affected, supported platform.





------- Additional Comments From jkeating@j2solutions.net 2004-06-15 07:36:22 ----

Xchat is really not building well in mach.  Fails at this point:

cat-id-tbl.c changed
cd . && rm -f stamp-cat-id && echo timestamp > stamp-cat-id
file=./`echo ca | sed 's,.*/,,'`.gmo \
  && rm -f $file && PATH=../src:$PATH  -o $file ca.po
/bin/sh: -o: command not found
make[2]: *** [ca.gmo] Error 127

Also, I'm pretty sure the BuildReqs are totally missing.  I had to add
gtk+-devel for it to say it would build the GUI, but here is what I'm getting:

xchat 1.8.9
 
Building GTK+ Interface .... : yes 1.2.10
Building TEXT Interface .... : no
 
gnome-libs .......... : no
gnome panel ......... : no
perl ................ : yes
gdk-pixbuf........... : no
python .............. : no
mmx tinting ......... : yes
zvt shell tab ....... : no      nls/gettext ......... : yes
plugin interface .... : yes     glib replace ........ : no
link with socks5 .... : no      translation tables .. : yes
openssl support ..... : no      japanese conversion . : yes
ipv6 support ........ : yes     hebrew support ...... : no

I've asked Mike Harris of Red Hat for guidance on which of these features should
be on to match the last RHL package for xchat.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-15 13:06:48 ----

Here's what I'm getting on my build machine:

Building GTK+ Interface .... : yes 1.2.10
Building TEXT Interface .... : no

gnome-libs .......... : yes 1.4.1.2
gnome panel ......... : no
perl ................ : yes
gdk-pixbuf........... : yes 0.14.0
python .............. : no
mmx tinting ......... : yes
zvt shell tab ....... : yes	nls/gettext ......... : yes
plugin interface .... : yes	glib replace ........ : no
link with socks5 .... : no	translation tables .. : yes
openssl support ..... : yes	japanese conversion . : yes
ipv6 support ........ : yes	hebrew support ...... : no

So I'm guessing: gnome-libs-devel, gdk-pixbuf-devel, openssl-devel.



------- Additional Comments From jkeating@j2solutions.net 2004-06-15 13:08:54 ----

Can you compare your rpm to the last one that came from Red Hat for files and
features and such?



------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-15 13:45:15 ----

I think the failed build is because of missing gettext.

OK, I'll try and figure out what's included in RH's version...



------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-15 14:10:09 ----

I've compared dependencies with RH's last release, they are identical.

For all the stuff that is disabled in the final build:
- gnome-panel is disabled in the spec file, so it's not built
- python needs to be explicitly enabled to build, which the spec file doesn't do
- socks5 needs to be explicitly enabled to build, which the spec file doesn't do
- hebrew needs to be explicitly enabled to build, which the spec file doesn't do

So I think all that's missing to build properly are:
gnome-libs-devel, gdk-pixbuf-devel, openssl-devel, and gettext




------- Additional Comments From jkeating@j2solutions.net 2004-06-16 19:45:35 ----

Pushed to updates-testing:

  http://download.fedoralegacy.org/redhat/
 
cf1a4d68df4b21c9f19cc8ac8f87bd6802413e43 
7.3/updates-testing/SRPMS/xchat-1.8.9-1.73.2.legacy.src.rpm
ec7357872af344cb5e09556ba21865aa78e99e3d 
7.3/updates-testing/i386/xchat-1.8.9-1.73.2.legacy.i386.rpm



------- Additional Comments From ckelley@ibnads.com 2004-09-09 06:20:48 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
ec7357872af344cb5e09556ba21865aa78e99e3d  xchat-1.8.9-1.73.2.legacy.i386.rpm
cf1a4d68df4b21c9f19cc8ac8f87bd6802413e43  xchat-1.8.9-1.73.2.legacy.src.rpm
 
SRPM builds fine.
 
XChat 1.8 loads and runs just fine.. Wow, a trip down memory lane; it's
officially ugly and has the horrible interface that I've since blocked
from my memory.
 
VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBQILJyQ+yTHz+jJkRAgEEAJ9d8MK+CCHUGnvmCEBw0oyZx7w3EgCeIfU2
yqG3anLw6j3MoUIGKspDeX4=
=88ry
-----END PGP SIGNATURE-----




------- Additional Comments From dom@earth.li 2004-09-19 07:52:47 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ec7357872af344cb5e09556ba21865aa78e99e3d  xchat-1.8.9-1.73.2.legacy.i386.rpm
cf1a4d68df4b21c9f19cc8ac8f87bd6802413e43  xchat-1.8.9-1.73.2.legacy.src.rpm

Binary RPM installs and runs fine
Builds cleanly from source

VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBTcdRYzuFKFF44qURAsOVAKDk0FU4nGUU3NkJ7BGoJ/UtGl2wlACeJWNl
Vi6wwQo9htPhRb1CVha7qYM=
=NW2f
-----END PGP SIGNATURE-----




------- Additional Comments From dom@earth.li 2004-09-29 14:11:22 ----

I will release this tonight.
http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1549-xchat-draft.txt



------- Additional Comments From michal@harddata.com 2004-10-28 04:34:30 ----

RHEL errata for the same issue
https://rhn.redhat.com/errata/RHSA-2004-585.html



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:24 -------

This bug previously known as bug 1549 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1549
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P4. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Matthew Miller 2005-04-12 01:11:44 EDT
Note that it looks like FC2 never did get updated to fix this: bug #123013.
