> > > > Access vector: network > Access complexity: low > Authentication requirement: none > > Confidentiality impact: none > Integrity impact: none > Availability impact: complete > > CVSSv2 temporal score: 6.4 > > Exploitability: functional exploit exists > Remediation level: official fix > Report confidence: confirmed > > Summary: > > All versions of Charybdis are vulnerable to a remotely-triggered crash bug > caused by code originating from ircd-ratbox 2.0. (Incidentally, this means > all > versions since ircd-ratbox 2.0 are also vulnerable.) > > The bug has to do with server capability negotiation. A malformed request > will > trigger a crash due to invalid assumptions. > > Mitigation: > > A patch for all affected versions of ircd-ratbox and charybdis is available > from > the charybdis GIT repository: > > https://github.com/atheme/charybdis/commit/ac0707aa61d9c20e9b09062294701567c9f41595.patch > > To apply the patch, go to your IRCd source tree and run the following > commands: > $ patch -p1 < /path/to/downloaded/patchfile.patch > $ make > $ make install > > Then you may hotfix the IRCd by running /MODRESTART as a server admin. > > Details: > > In ratbox-2, the following code was added to m_capab.c: > char *t = LOCAL_COPY(parv[i]); > > The other logic was then modified to make use of that stack-allocated buffer > rather > than the original. LOCAL_COPY() is a macro which expands to alloca() and > strlcpy(), > and the bug effectively is caused by this expansion calling strlen(NULL). > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
