Red Hat Bugzilla – Bug 787298
null pointer dereference, remote DoS
Last modified: 2012-02-12 17:48:37 EST
Created attachment 559361
Fix for the bug
Description of problem:
In src/xchat-ruby.c, in the functions
static_ruby_custom_command_hook(char *word, char *word_eol, void *userdata)
static_ruby_custom_server_hook(char *word, char *word_eol, void *userdata)
the parameter 'word' is used in a for cycle without a break:
for( i = 1; word[i] != '\0'; i++ )
The problem is that word[PDIWORDS] is always set to NULL by xchat. So if the input contains more words than PDIWORDS (32), the NULL pointer will be dereferenced.
This bug is remotely triggerable over IRC networks if one or more ruby plugins use hook_server().
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Use a simple xchat ruby plugin which uses hook_server()
2. Connect to IRC network with xchat
3. Write a lot of words (more than 32) to yourself in one line
Actual results:
xchat got SIGSEGV
Expected results:
xchat keeps running
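The loop pattern from the description next to a bounded form, as an added illustration; it is not the attached fix and not xchat-ruby's own code. It assumes unused slots hold empty strings and that the terminator test reads the first character of each word; fill_words and the count_words_* functions are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

#define PDIWORDS 32 /* value given in the report */

/* Constructed stand-in for the array xchat passes to a hook: words in
 * slots 1.., unused slots "" (assumption), slot PDIWORDS always NULL. */
void fill_words(char *word[PDIWORDS + 1], char *line)
{
    static char empty[] = "";
    int i;

    for (i = 0; i < PDIWORDS; i++)
        word[i] = empty;
    word[PDIWORDS] = NULL;

    i = 1;
    for (char *tok = strtok(line, " "); tok != NULL && i < PDIWORDS;
         tok = strtok(NULL, " "))
        word[i++] = tok;
}

/* Pattern from the report: the only exit is an empty word, so when every
 * slot 1..PDIWORDS-1 is filled the loop reads through the NULL slot. */
int count_words_unchecked(char *word[])
{
    int i;

    for (i = 1; word[i][0] != '\0'; i++)
        ;
    return i - 1;
}

/* Bounded form: check the index and the pointer before the string. */
int count_words_checked(char *word[])
{
    int i;

    for (i = 1; i < PDIWORDS && word[i] != NULL && word[i][0] != '\0'; i++)
        ;
    return i - 1;
}
```

With a line of more than PDIWORDS words, only count_words_checked is safe to call on the resulting array.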
Fixed and built in rawhide: http://koji.fedoraproject.org/koji/taskinfo?taskID=3761672
xchat-ruby-1.2-11.fc16 has been submitted as an update for Fedora 16.
xchat-ruby-1.2-11.fc15 has been submitted as an update for Fedora 15.
Updates submitted -- please try it and give feedback if you can. Thanks!
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xchat-ruby-1.2-11.fc15'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
xchat-ruby-1.2-11.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
xchat-ruby-1.2-11.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.