Bug 853321 - (CVE-2011-5129) CVE-2011-5129 xchat: Heap-based buffer overflow (crash, ACE) via long response string
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Stefan Cornelius
Whiteboard: impact=low,public=20120831,reported=2...
Keywords: Security
Blocks: 853449
Reported: 2012-08-31 00:12 EDT by Kurt Seifried
Modified: 2016-03-04 06:33 EST
Doc Type: Bug Fix
Last Closed: 2012-09-05 02:37:02 EDT

Attachments: none
Description Kurt Seifried 2012-08-31 00:12:13 EDT
A remotely exploitable denial of service was reported in xchat 2.8.8 and earlier on KDE.

Specifically, when an xchat client connects to a server and a large string is sent by the server, the xchat program will crash.

Unfortunately xchat 2.8.9 is only available as a Windows binary; source code for 2.8.9 does not appear to be on the xchat site:

http://xchat.org/files/source/2.8/
Comment 2 Jan Lieskovsky 2012-08-31 10:55:39 EDT
National Vulnerability Database (NVD) entry:

Heap-based buffer overflow in XChat 2.8.9 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long response string.

References:
http://www.securityfocus.com/bid/50820
http://www.osvdb.org/77629
http://www.exploit-db.com/exploits/18159/
http://packetstormsecurity.org/files/107312/xchat-dos.txt
https://bugzilla.novell.com/show_bug.cgi?id=778254
Comment 4 Huzaifa S. Sidhpurwala 2012-09-05 02:11:01 EDT
I don't think this is really a flaw at all. Looking at the xchat source, the following should prevent any buffer overflow.

static gboolean
server_read (GIOChannel *source, GIOCondition condition, server *serv)
...
...
                        default:
                                serv->linebuf[serv->pos] = lbuf[i];
                                if (serv->pos >= (sizeof (serv->linebuf) - 1))
                                        fprintf (stderr,
                                                                "*** XCHAT WARNING: Buffer overflow - shit server!\n");
                                else
                                        serv->pos++;

The data read from the server is stored in lbuf, whose size is 2050 bytes. Data is read via:

len = _SSL_recv (serv->ssl, lbuf, sizeof (lbuf) - 2); 

The total data which is read from the server really is just 2048 bytes.

Later in the loop, each byte from lbuf is copied into the serv->linebuf buffer and the position of the copied byte is stored in serv->pos. 
serv->pos may not be zero when the data is copied into serv->linebuf.

In the above piece of code, if serv->pos (the place where data needs to be copied into serv->linebuf, a stack buffer) exceeds the size of lbuf, it prints a warning message on stderr and does not increment serv->pos.
So any new data to be read from lbuf is copied into the last value of serv->pos, leading to no buffer overwrite.
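The following is an added example, not xchat's code and not part of the original bug discussion. It models the per-byte accumulation loop quoted in comment 4 (CR ignored, LF terminates the line, everything else appended under the sizeof guard) and feeds it a constructed line far longer than the buffer, delivered in 2048-byte chunks as server_read would receive it. The buffer length LINEBUF_SIZE, the canary field placed directly after the buffer, and the helper names reader_feed and run_long_line are assumptions made for the example; the page does not quote xchat's declaration of serv->linebuf.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed length of the line buffer; the page does not quote xchat's
 * declaration of serv->linebuf. The guard works for any size because,
 * like xchat's, it uses sizeof. */
#define LINEBUF_SIZE 2048

struct line_reader {
    char linebuf[LINEBUF_SIZE];
    char canary[8];      /* lies immediately after linebuf; must never change */
    size_t pos;          /* next write index, the analogue of serv->pos */
    size_t lines;        /* completed '\n'-terminated lines */
    size_t last_len;     /* payload length of the last completed line */
    size_t warnings;     /* how often the "Buffer overflow" guard fired */
    size_t max_pos;      /* largest value pos ever held */
};

static const char CANARY[8] = "CANARY!";

static void reader_init(struct line_reader *r)
{
    memset(r, 0, sizeof *r);
    memcpy(r->canary, CANARY, sizeof r->canary);
}

/* Consume one recv() chunk, mirroring the per-byte switch in server_read. */
static void reader_feed(struct line_reader *r, const char *chunk, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        switch (chunk[i]) {
        case '\r':
            break;                        /* CR is dropped */
        case '\n':
            r->linebuf[r->pos] = '\0';    /* pos <= LINEBUF_SIZE-1, so in bounds */
            r->last_len = r->pos;
            r->lines++;
            r->pos = 0;                   /* next line starts at the beginning */
            break;
        default:
            r->linebuf[r->pos] = chunk[i];
            if (r->pos >= sizeof r->linebuf - 1)
                r->warnings++;            /* xchat prints its stderr warning here and keeps pos */
            else
                r->pos++;
            if (r->pos > r->max_pos)
                r->max_pos = r->pos;
            break;
        }
    }
}

struct result {
    size_t max_pos, warnings, last_len, lines;
    int canary_ok;
};

/* Send a constructed line of `total` 'A' bytes plus '\n' in chunks of at most
 * `chunk` bytes (xchat reads sizeof(lbuf)-2 = 2048 per call) and report what
 * the reader did with it. */
static struct result run_long_line(size_t total, size_t chunk)
{
    struct line_reader rd;
    struct result res;
    char *payload = malloc(total + 1);    /* constructed input, not real server traffic */
    size_t off = 0;

    if (!payload)
        abort();
    reader_init(&rd);
    memset(payload, 'A', total);
    payload[total] = '\n';
    while (off < total + 1) {
        size_t n = total + 1 - off;
        if (n > chunk)
            n = chunk;
        reader_feed(&rd, payload + off, n);
        off += n;
    }
    free(payload);

    res.max_pos = rd.max_pos;
    res.warnings = rd.warnings;
    res.last_len = rd.last_len;
    res.lines = rd.lines;
    res.canary_ok = memcmp(rd.canary, CANARY, sizeof rd.canary) == 0;
    return res;
}

int main(void)
{
    struct result r = run_long_line(10000, 2048);
    printf("10000-byte line: max pos %zu, guard fired %zu times, "
           "line delivered with %zu bytes, canary %s\n",
           r.max_pos, r.warnings, r.last_len,
           r.canary_ok ? "intact" : "CLOBBERED");
    return r.canary_ok ? 0 : 1;
}
```

With a 10000-byte line the write index stops at LINEBUF_SIZE-1, the terminating NUL lands inside the buffer, the canary after it is untouched, and the application sees a single line silently truncated to 2047 bytes plus one stderr warning per excess byte. That is the property comment 4 argues for; the guard's observable cost is truncation and log noise rather than an out-of-bounds write.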
Comment 5 Huzaifa S. Sidhpurwala 2012-09-05 02:37:02 EDT
Statement:

This bug is not a security issue. For detailed explanation, refer to: 
https://bugzilla.redhat.com/show_bug.cgi?id=853321#c4
