Bug 853321 - (CVE-2011-5129) CVE-2011-5129 xchat: Heap-based buffer overflow (crash, ACE) via long response string
CVE-2011-5129 xchat: Heap-based buffer overflow (crash, ACE) via long respons...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Stefan Cornelius
: Security
Depends On:
Blocks: 853449
  Show dependency treegraph
Reported: 2012-08-31 00:12 EDT by Kurt Seifried
Modified: 2016-03-04 06:33 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-09-05 02:37:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2012-08-31 00:12:13 EDT
A remotely exploitable Denial of service was reported in xchat 2.8.8 and 
earlier on KDE.

Specifically when an xchat client connects to a server and a large string 
is sent by the server the xchat program will crash.

Unfortunately xchat 2.8.9 is only available as a Windows binary, source 
code for 2.8.9 does not appear to be in the xchat site:

Comment 2 Jan Lieskovsky 2012-08-31 10:55:39 EDT
National Vulnerability Database (NVD) entry:

Heap-based buffer overflow in XChat 2.8.9 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long response string.

Comment 4 Huzaifa S. Sidhpurwala 2012-09-05 02:11:01 EDT
I dont think this is really a flaw at all. Looking at xchat source, the following should prevent any buffer overflow.

static gboolean
server_read (GIOChannel *source, GIOCondition condition, server *serv)
                                serv->linebuf[serv->pos] = lbuf[i];
                                if (serv->pos >= (sizeof (serv->linebuf) - 1))
                                        fprintf (stderr,
                                                                "*** XCHAT WARNING: Buffer overflow - shit server!\n");

The data read from the server is stored in lbuf, whose size is 2050 bytes. Data is read via:

len = _SSL_recv (serv->ssl, lbuf, sizeof (lbuf) - 2); 

The total data which is read from the server really is just 2048 bytes.

Later in the loop each bye from lbuf is copied into the serv->linebuf buffer and the position of the copied byte is stored in serv->pos. 
serv->pos may not be zero when the data is copied into serv->linebuf.

In the above piece of code, if serv->pos (The place where data needs to be copied into the serv->linebuf, stack buffer), exceeds the size of lbuf, it prints a warning message on stderr and does not increment serv->pos.
So any new data to be read from lbuf, is copied into the last value of serv->pos, leading to no buffer overwrite.
Comment 5 Huzaifa S. Sidhpurwala 2012-09-05 02:37:02 EDT

This bug is not a security issue. For detailed explanation, refer to: 

Note You need to log in before you can comment on or make changes to this bug.