Your message dated Wed, 19 Sep 2012 17:31:04 +0200
with message-id <20120919153104.gb6...@inutil.org>
and subject line Re: CVE-2011-5129: xchat buffer overflow
has caused the Debian Bug report #686454,
regarding CVE-2011-5129: xchat buffer overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
686454: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686454
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xchat
Severity: grave
Tags: security
Hi,
the following vulnerability was published for xchat.
CVE-2011-5129[0]:
| Heap-based buffer overflow in XChat 2.8.9 and earlier allows remote
| attackers to cause a denial of service (crash) and possibly execute
| arbitrary code via a long response string.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5129
http://security-tracker.debian.org/tracker/CVE-2011-5129
Please adjust the affected versions in the BTS as needed.
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---
--- Begin Message ---
On Sun, Sep 09, 2012 at 11:57:39AM +0200, François Gannaz wrote:
> Hi,
>
> I can't reproduce this bug on my amd64 testing Debian, using XFCE and
> xchat 2.8.8-6.
>
> With the "proof of concept" script referenced in the CVE, I get no crash.
> Only the following line on STDERR repeated thousands of times:
> *** XCHAT WARNING: Buffer overflow - shit server!
>
> The part of the code that handles this security concern is:
> http://xchat.svn.sourceforge.net/viewvc/xchat/src/common/server.c?revision=1502&view=markup#l410
> It first fills a buffer with recv() from sys/socket, then reads it char
> by char until the destination is full (line 472).
This is confirmed by the analysis in Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=853321#c4
Closing.
Cheers,
Moritz
--- End Message ---
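The mechanism described in the quoted analysis above, as an added example that is not xchat's code: a line reader fed recv()-style chunks copies each byte into a fixed-size line buffer only while room remains, and discards an over-long line (logging a warning, as xchat does on STDERR) instead of writing past the buffer. The buffer size, the names, and the constructed 600-byte line are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#define LINE_CAP 512 /* assumed capacity of the per-line buffer */
struct line_reader {
    char   line[LINE_CAP];
    size_t pos;      /* bytes held in line[] for the line in progress */
    int    skipping; /* line exceeded LINE_CAP: discard until '\n' */
    int    complete; /* complete lines delivered */
    int    dropped;  /* over-long lines discarded instead of overrun */
};
/* Feed one chunk as returned by recv(). Bytes are copied into the fixed
 * line buffer only while room remains (one byte kept for the NUL); once a
 * line would overrun, the rest of it is skipped and counted as dropped.
 * Returns the number of complete lines found in this chunk. */
static int reader_feed(struct line_reader *r, const char *buf, size_t len)
{
    int found = 0;
    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (c == '\n') {
            if (r->skipping) {
                r->dropped++;
                fprintf(stderr, "warning: over-long line discarded\n");
            } else {
                r->line[r->pos] = '\0'; /* a real client dispatches here */
                r->complete++;
                found++;
            }
            r->pos = 0;
            r->skipping = 0;
        } else if (!r->skipping) {
            if (r->pos < LINE_CAP - 1)
                r->line[r->pos++] = c;
            else
                r->skipping = 1; /* bounds check: never write past line[] */
        }
    }
    return found;
}
/* A short line, then a constructed 600-byte line split across two chunks,
 * then another short line: the long one is dropped whole, both short ones
 * arrive intact. Returns dropped * 100 + complete, i.e. 102. */
static int demo_mixed_lines(void)
{
    struct line_reader r = {0};
    char big[601];
    memset(big, 'A', 600); big[600] = '\n';
    reader_feed(&r, "PING :abc\n", 10);
    reader_feed(&r, big, 300); reader_feed(&r, big + 300, 301);
    reader_feed(&r, "PONG\n", 5);
    return r.dropped * 100 + r.complete;
}
```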