From 40a1bb306e0e0ba589b38756f17a2d52c6352a60 Mon Sep 17 00:00:00 2001 From: brad Date: Thu, 27 Mar 2003 15:46:11 +0000 Subject: [PATCH] fixes some potential remote buffer overflows http://marc.theaimsgroup.com/?l=bugtraq&m=104766521328322&w=2 --- net/bitchx/Makefile | 9 +- net/bitchx/patches/patch-source_banlist_c | 67 ++++++++++++++ net/bitchx/patches/patch-source_ctcp_c | 14 +++ net/bitchx/patches/patch-source_misc_c | 107 ++++++++++++++++++++++ net/bitchx/patches/patch-source_names_c | 21 +++++ net/bitchx/patches/patch-source_notice_c | 12 +++ net/bitchx/patches/patch-source_numbers_c | 55 ++++++++++- 7 files changed, 276 insertions(+), 9 deletions(-) create mode 100644 net/bitchx/patches/patch-source_banlist_c create mode 100644 net/bitchx/patches/patch-source_ctcp_c create mode 100644 net/bitchx/patches/patch-source_misc_c create mode 100644 net/bitchx/patches/patch-source_names_c create mode 100644 net/bitchx/patches/patch-source_notice_c diff --git a/net/bitchx/Makefile b/net/bitchx/Makefile index e05206078bc..6b79ce20872 100644 --- a/net/bitchx/Makefile +++ b/net/bitchx/Makefile @@ -1,18 +1,19 @@ -# $OpenBSD: Makefile,v 1.35 2002/10/28 01:38:44 naddy Exp $ +# $OpenBSD: Makefile,v 1.36 2003/03/27 15:46:11 brad Exp $ # $FreeBSD: Makefile,v 1.3 1998/07/21 11:38:44 eivind Exp $ COMMENT= "alternative ircII color client" VERSION= 1.0c18 DISTNAME= ircii-pana-${VERSION} -PKGNAME= BitchX-${VERSION} +PKGNAME= BitchX-${VERSION}p1 CATEGORIES= net -MASTER_SITES= ftp://ftp.bitchx.com/pub/BitchX/source/ \ - ftp://ftp.bitchx.org/pub/BitchX/source/ +MASTER_SITES= ftp://ftp.bitchx.com/pub/BitchX/source/old/ \ + ftp://ftp.bitchx.org/pub/BitchX/source/old/ MAINTAINER= Vincent Derrien +# BSD PERMIT_PACKAGE_CDROM= Yes PERMIT_PACKAGE_FTP= Yes PERMIT_DISTFILES_CDROM= Yes diff --git a/net/bitchx/patches/patch-source_banlist_c b/net/bitchx/patches/patch-source_banlist_c new file mode 100644 index 00000000000..8155fb55164 --- /dev/null +++ b/net/bitchx/patches/patch-source_banlist_c 
@@ -0,0 +1,67 @@
+$OpenBSD: patch-source_banlist_c,v 1.1 2003/03/27 15:46:11 brad Exp $
+--- source/banlist.c.orig Mon Jan 8 01:24:22 2001
++++ source/banlist.c Wed Mar 26 23:00:45 2003
+@@ -260,9 +260,9 @@ char *p;
+ char * ban_it(char *nick, char *user, char *host, char *ip)
+ {
+ static char banstr[BIG_BUFFER_SIZE/4+1];
+-char *tmpstr = NULL;
+ char *t = user;
+ char *t1 = user;
++char *tmp;
+
+ *banstr = 0;
+ while (strlen(t1)>9)
+@@ -273,32 +273,40 @@ char *t1 = user;
+ case 7:
+ if (ip)
+ {
+- sprintf(banstr, "*!*@%s", cluster(ip));
++ snprintf(banstr, sizeof banstr, "*!*@%s",
++ cluster(ip));
+ break;
+ }
+ case 2: /* Better */
+- sprintf(banstr, "*!*%s@%s", t1, cluster(host));
++ snprintf(banstr, sizeof banstr, "*!*%s@%s", t1,
++ cluster(host));
+ break;
+ case 3: /* Host */
+- sprintf(banstr, "*!*@%s", host);
++ snprintf(banstr, sizeof banstr, "*!*@%s", host);
+ break;
+ case 4: /* Domain */
+- sprintf(banstr, "*!*@*%s", strrchr(host, '.'));
+- break;
++ tmp = strrchr(host, '.');
++ if (tmp) {
++ snprintf(banstr, sizeof banstr, "*!*@*%s",
++ tmp);
++ } else {
++ snprintf(banstr, sizeof banstr, "*!*@%s",
++ host);
++ }
++ break;
+ case 5: /* User */
+- sprintf(banstr, "*!%s@%s", t, cluster(host));
++ snprintf(banstr, sizeof banstr, "*!%s@%s", t,
++ cluster(host));
+ break;
+ case 6: /* Screw */
+- malloc_sprintf(&tmpstr, "*!*%s@%s", t1, host);
+- strcpy(banstr, screw(tmpstr));
+- new_free(&tmpstr);
++ snprintf(banstr, sizeof banstr, "*!*%s@%s", t1, host);
++ screw(banstr);
+ break;
+ case 1: /* Normal */
+ default:
+- {
+- sprintf(banstr, "%s!*%s@%s", nick, t1, host);
++ snprintf(banstr, sizeof banstr, "%s!*%s@%s", nick, t1,
++ host);
+ break;
+- }
+ }
+ return banstr;
+ }
diff --git a/net/bitchx/patches/patch-source_ctcp_c b/net/bitchx/patches/patch-source_ctcp_c
new file mode 100644
index 00000000000..923fcfa912a
--- /dev/null
+++ b/net/bitchx/patches/patch-source_ctcp_c
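Review bot: In `case 6` the return value of `screw()` is now discarded (`screw(banstr);`), whereas the removed code copied that return value into `banstr`; the new form is only equivalent if `screw()` rewrites its argument in place, and its definition is not part of this patch, so that should be confirmed. Separately, `case 7` still falls into `case 2` when `ip` is NULL with nothing marking it; I would add `/* FALLTHROUGH */` after the closing brace so it is not taken for a missing `break`. The `snprintf` calls bound the write but ignore the return value, and a truncated ban mask is a different mask from the intended one, so a short comment saying why truncation is tolerated here would help. `ban_it()` begins above the first inner hunk.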
@@ -0,0 +1,14 @@
+$OpenBSD: patch-source_ctcp_c,v 1.1 2003/03/27 15:46:11 brad Exp $
+--- source/ctcp.c.orig Mon Jan 8 01:24:22 2001
++++ source/ctcp.c Wed Mar 26 23:00:45 2003
+@@ -1478,6 +1478,10 @@ extern void send_ctcp (int type, char *t
+ *putbuf2;
+ int len;
+ len = IRCD_BUFFER_SIZE - (12 + strlen(to));
++
++ if (len < strlen(ctcp_cmd[datatag].name) + 3)
++ return;
++
+ putbuf2 = alloca(len);
+
+ if (format)
diff --git a/net/bitchx/patches/patch-source_misc_c b/net/bitchx/patches/patch-source_misc_c
new file mode 100644
index 00000000000..cd9f6a19745
--- /dev/null
+++ b/net/bitchx/patches/patch-source_misc_c
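Review bot: The new guard `if (len < strlen(ctcp_cmd[datatag].name) + 3)` compares the `int len` against a `size_t`, so a negative `len` (when `strlen(to)` exceeds `IRCD_BUFFER_SIZE - 12`) is converted to a very large unsigned value, passes the check, and still reaches `alloca(len)`. The negative case should be rejected first: `if (len < 0 || (size_t)len < strlen(ctcp_cmd[datatag].name) + 3) return;`. Whether `to` can actually be that long depends on callers outside this hunk, and `send_ctcp()` itself continues past it.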
@@ -0,0 +1,107 @@ +$OpenBSD: patch-source_misc_c,v 1.1 2003/03/27 15:46:11 brad Exp $ +--- source/misc.c.orig Mon Jan 8 01:24:22 2001 ++++ source/misc.c Wed Mar 26 23:00:45 2003 +@@ -3108,42 +3108,47 @@ char *cluster (char *hostname) + static char result[IRCD_BUFFER_SIZE/4 + 1]; + char temphost[BIG_BUFFER_SIZE + 1]; + char *host; ++ char *atsign; + + if (!hostname) + return NULL; +- host = temphost; +- *result = 0; +- memset(result, 0, sizeof(result)); +- memset(temphost, 0, sizeof(temphost)); +- if (strchr(hostname, '@')) +- { +- if (*hostname == '~') +- hostname++; +- strcpy(result, hostname); +- *strchr(result, '@') = '\0'; +- if (strlen(result) > 9) +- { +- result[8] = '*'; +- result[9] = '\0'; ++ ++ atsign = strchr(hostname, '@'); ++ if (atsign) { ++ if (*hostname == '~') { ++ strcpy(result, "~*@"); ++ } else { ++ size_t ident_len = atsign - hostname; ++ ++ if (ident_len <= 9) { ++ /* copy ident@ */ ++ strmcpy(result, hostname, ident_len + 1); ++ } else { ++ strmcpy(result, hostname, 8); ++ result[8] = '*'; ++ result[9] = '@'; ++ result[10] = '\0'; ++ } + } +- strcat(result, "@"); +- if (!(hostname = strchr(hostname, '@'))) +- return NULL; +- hostname++; ++ hostname = atsign + 1; ++ } else { ++ *result = 0; + } +- strcpy(host, hostname); + +- if (*host && isdigit(*(host + strlen(host) - 1))) ++ strlcpy(temphost, hostname, sizeof temphost); ++ host = temphost; ++ ++ if (*host && isdigit((unsigned char)*(host + strlen(host) - 1))) + { + /* Thanks icebreak for this small patch which fixes this function */ + int i; + char *tmp; +- char count=0; ++ char count = 0; + + tmp = host; +- while((tmp-host)next) ++ for (tucm = ucm; tucm && (strlen(nmodes) + 2) < sizeof nmodes; tucm = tucm->next) + { + if (tucm->o_ed) + { diff --git a/net/bitchx/patches/patch-source_notice_c b/net/bitchx/patches/patch-source_notice_c new file mode 100644 index 00000000000..c44c6de9dbc --- /dev/null +++ b/net/bitchx/patches/patch-source_notice_c 
@@ -0,0 +1,12 @@
+$OpenBSD: patch-source_notice_c,v 1.1 2003/03/27 15:46:11 brad Exp $
+--- source/notice.c.orig Mon Jan 8 01:24:22 2001
++++ source/notice.c Wed Mar 26 23:00:45 2003
+@@ -421,7 +421,7 @@ irc.BitchX.com *** Notice -- Nick collis
+ int conn = !strncmp(line+7, "connect", 7) ? 1 : 0;
+ int dalnet = 0, ircnet = 0;
+
+- if (*(line+18) == ':')
++ if (strlen(line) >= 19 && line[18] == ':')
+ q = NULL;
+ else
+ dalnet = (q == NULL);
diff --git a/net/bitchx/patches/patch-source_numbers_c b/net/bitchx/patches/patch-source_numbers_c
index 0fadd16c4c8..d224685e745 100644
--- a/net/bitchx/patches/patch-source_numbers_c
+++ b/net/bitchx/patches/patch-source_numbers_c
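Review bot: The added `strlen(line) >= 19` test protects only `line[18]`; the initializer two lines above, `!strncmp(line+7, "connect", 7)`, still forms `line+7` with no length check. If the caller, which is outside this hunk, does not already guarantee at least seven bytes, I would take the length once and guard both reads, e.g. `size_t linelen = strlen(line);` followed by `int conn = linelen > 7 && !strncmp(line+7, "connect", 7);`. The enclosing function starts and ends outside the hunk.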
@@ -1,7 +1,52 @@
-$OpenBSD: patch-source_numbers_c,v 1.1 2002/04/16 18:30:39 pvalchev Exp $
---- source/numbers.c.orig Tue Apr 16 11:45:34 2002
-+++ source/numbers.c Tue Apr 16 11:44:39 2002
-@@ -1454,7 +1454,7 @@ void numbered_command(char *from, int co
+$OpenBSD: patch-source_numbers_c,v 1.2 2003/03/27 15:46:11 brad Exp $
+--- source/numbers.c.orig Mon Jan 8 01:24:22 2001
++++ source/numbers.c Wed Mar 26 23:42:38 2003
+@@ -350,26 +350,29 @@ static void cannot_join_channel(char *fr
+
+ set_display_target(chan, LOG_CURRENT);
+ PasteArgs(ArgList, 0);
+- strcpy(buffer, ArgList[0]);
++ strlcpy(buffer, ArgList[0], sizeof buffer);
+ switch(-current_numeric)
+ {
+ case 437:
+- strcat(buffer, " (Channel is temporarily unavailable)");
++ strlcat(buffer,
++ " (Channel is temporarily unavailable)",
++ sizeof buffer);
+ break;
+ case 471:
+- strcat(buffer, " (Channel is full)");
++ strlcat(buffer, " (Channel is full)", sizeof buffer);
+ break;
+ case 473:
+- strcat(buffer, " (You must be invited)");
++ strlcat(buffer, " (You must be invited)",
++ sizeof buffer);
+ break;
+ case 474:
+- strcat(buffer, " (You are banned)");
++ strlcat(buffer, " (You are banned)", sizeof buffer);
+ break;
+ case 475:
+- strcat(buffer, " (Bad channel key)");
++ strlcat(buffer, " (Bad channel key)", sizeof buffer);
+ break;
+ case 476:
+- strcat(buffer, " (Bad channel mask)");
++ strlcat(buffer, " (Bad channel mask)", sizeof buffer);
+ break;
+ default:
+ return;
+@@ -381,7 +384,6 @@ static void cannot_join_channel(char *fr
+ reset_display_target();
+ }
+
+-
+ int handle_server_stats(char *from, char **ArgList, int comm)
+ {
+ static int norm = 0,
+@@ -1454,7 +1456,7 @@ void numbered_command(char *from, int co
 if (!ArgList[1] || !*ArgList[1])
 break;
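Review bot: `sizeof buffer` in the new `strlcpy`/`strlcat` calls is the correct bound only if `buffer` is an array declared inside `cannot_join_channel()`; the declaration sits above the inner hunk, so it should be checked, because with a `char *` the bound would silently become the pointer size. The calls also truncate without notice when `ArgList[0]` is long, which can drop the explanatory suffix; if the buffer is only used for display that is acceptable, and a one-line comment such as `/* truncation is tolerated: buffer is only displayed */` would record that decision once it has been verified.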
@@ -10,7 +55,7 @@ $OpenBSD: patch-source_numbers_c,v 1.1 2002/04/16 18:30:39 pvalchev Exp $
 strcpy(this_sucks, ctime(&tme));
 this_sucks[strlen(this_sucks)-1] = '\0';
-@@ -1465,16 +1465,16 @@ void numbered_command(char *from, int co
+@@ -1465,16 +1467,16 @@ void numbered_command(char *from, int co
 else
 {
 char cts[80], pts[80], ots[80];