[Please upgrade if you use INN on any platform -- Raju]
This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------
Message-ID: <[EMAIL PROTECTED]>
From: Russ Allbery <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [SECURITY] INN: Buffer overflow in control message handling
Date: Wed, 07 Jan 2004 18:16:38 -0800
A buffer overflow has been discovered in a portion of the control message
handling code introduced in INN 2.4.0. It is fairly likely that this
overflow could be remotely exploited to gain access to the user innd runs
as. INN 2.3.x and earlier are not affected. The INN CURRENT tree is
affected.
So far as we know, there are no current exploits in the wild for this
vulnerability.
INN 2.4.1 has just been released with a fix for this issue and various
other accumulated patches. We strongly urge anyone running INN 2.4.0 or
any STABLE snapshot to upgrade to this version, or apply the attached
patch to their source tree and reinstall with make update. There should
be no incompatibilities between INN 2.4.1 and INN 2.4.0 or STABLE
snapshots.
INN 2.4.1 is available at:
<ftp://ftp.isc.org/isc/inn/inn-2.4.1.tar.gz>
The MD5 checksum of this release is:
bec635b6e70188071fdb539cd374f2ba
A PGP signature will be available in the same directory shortly.
We apologize for this problem, which was caused by misuse of static
buffers and a dangerous internal INN function that we intend to remove
completely in the next stable release. The current development branch has
already been converted almost entirely to strlcpy, strlcat, and other safe
string handling routines and that conversion should be complete in the INN
2.5.0 release.
Following is a patch against INN 2.4.0. It should also apply to a current
STABLE or CURRENT snapshot if you use patch -l to apply it.
--- inn-2.4.0/innd/art.c.orig 2003-05-04 15:10:14.000000000 -0700
+++ inn-2.4.0/innd/art.c 2004-01-07 15:25:08.000000000 -0800
@@ -1773,7 +1773,7 @@
bool
ARTpost(CHANNEL *cp)
{
- char *p, **groups, ControlWord[SMBUF], tmpbuff[32], **hops;
+ char *p, **groups, ControlWord[SMBUF], **hops, *controlgroup;
int i, j, *isp, hopcount, oerrno, canpost;
NEWSGROUP *ngp, **ngptr;
SITE *sp;
@@ -2185,9 +2185,10 @@
* or control. */
if (IsControl && Accepted && !ToGroup) {
ControlStore = true;
- FileGlue(tmpbuff, "control", '.', ControlWord);
- if ((ngp = NGfind(tmpbuff)) == NULL)
+ controlgroup = concat("control.", ControlWord, (char *) 0);
+ if ((ngp = NGfind(controlgroup)) == NULL)
ngp = NGfind(ARTctl);
+ free(controlgroup);
ngp->PostCount = 0;
ngptr = GroupPointers;
*ngptr++ = ngp;
Thanks to Dan Riley for his prompt and detailed report and debugging
assistance.
Russ Allbery
Katsuhiro Kondou
[EMAIL PROTECTED]
------------------------------
End of this Digest
******************
--
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves
-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help
