COMMAND

    ircd

SYSTEMS AFFECTED

    BitchX

PROBLEM

    Rick Jansen found the following.  Because of a simple

        /invite nickname #%s%s%s%s%s%s%s%s%s

    BitchX will segfault and coredump.  AFAIK, v1.0c16 is vulnerable;
    other versions may be vulnerable as well.

    'typo' added that this is a fatal and exploitable bug, and that the
    rest of BitchX's code doesn't look much better.  Let's examine the
    rest of parse.c, looking for completely similar issues with logmsg
    (the channel name or kill reason received from the network is passed
    where the format string belongs):

        parse.c:1033: warning: TESO: Insufficient Format arguments: logmsg(4/5).
        parse.c:1100: warning: TESO: Insufficient Format arguments: logmsg(4/5).
        parse.c:1033: logmsg(LOG_INVITE, from, 0, invite_channel);
        parse.c:1100: logmsg(LOG_KILL, from, 0, ArgList[1]?ArgList[1]:"(No Reason)");
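    The two call shapes above, as an added illustration that is not code from
    BitchX or from the advisory: a hypothetical stand-in logmsg() whose fourth
    parameter is the format (matching the "4/5" in the TESO warning), the
    vulnerable call beside the fixed one, and a small check a defender can use
    to flag %-directives in a channel name.  The demo input uses only "%%", so
    it shows the format being interpreted without triggering a crash.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_INVITE 1   /* constructed value; BitchX's real enum is not on the page */

/* Hypothetical stand-in for logmsg(): type, sender, flags, then a printf-style
 * format and its arguments.  Writes into a caller-supplied buffer so the
 * result can be inspected instead of going to a log file. */
static void logmsg(char *out, size_t outlen, int type, const char *from,
                   int flags, const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outlen, "[%d] %s: ", type, from);
    (void)flags;
    if (n < 0 || (size_t)n >= outlen)
        return;
    va_start(ap, fmt);
    vsnprintf(out + n, outlen - (size_t)n, fmt, ap); /* fmt must never come from the network */
    va_end(ap);
}

/* Vulnerable shape, as at parse.c:1033: the channel name received from the
 * server is used as the format string, so every %-directive in it is acted on. */
void invite_vulnerable(char *out, size_t outlen, const char *from, const char *channel)
{
    logmsg(out, outlen, LOG_INVITE, from, 0, channel);
}

/* Fixed shape: a constant format, with the channel passed as a data argument. */
void invite_fixed(char *out, size_t outlen, const char *from, const char *channel)
{
    logmsg(out, outlen, LOG_INVITE, from, 0, "%s", channel);
}

/* Defender-side check for a log filter or proxy: count unescaped
 * %-conversions in a channel name.  Legitimate channel names need none,
 * so anything above zero is worth alerting on. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        count++;
    }
    return count;
}
```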

    BitchX's privileged-port DCC protection is susceptible to overflowing
    the port argument (meaning: it's ineffectual).

    Under FreeBSD 4, /invite-ing  somebody to a channel  with %s%s%s%s
    in the name causes a segmentation violation on the remote  client.
    Linux  appears  not  to  suffer  from  this  problem,  but this is
    probably just a  lucky break.   Linux (RedHat 6.1,  Debian Frozen)
    does die if you invite somebody to channel %n%n%n%n.

    As many system administrators,  including very senior ones,  leave
    their client open  24 hours a  day, possibly in  a screen session,
    this might be a real problem waiting to happen.

    The bug affects all versions of BitchX from 75 through 1.0c16, and
    does not affect EPIC or any other clients.  The invite parsing  is
    the easiest to exploit, but the bug also exists in the kill parsing.
    The patch existed before the  bug was publicly known.   There were
    also locally exploitable format bugs, but they have been fixed now.
    The next version  of BitchX will  include all of  these fixes, and
    they have been applied to the CVS repository.

SOLUTION

    A temporary solution is to  switch to another client, like  ircII,
    which is considered by many to be the more karmic client anyway.

    A patch has been available on ftp.bitchx.org:

        ftp://ftp.bitchx.org/pub/BitchX/source/1.0c16-format.patch
        ftp://ftp.bitchx.org/pub/BitchX/source/75p3-format.patch

    Fixed  packages  for  Debian  2.2  are  also  available, and fixed
    packages for Debian 2.1 are forthcoming.

    As a workaround, issue the following BitchX command (e.g. as part of
    a startup script):

        /ignore * invites

    which will disable processing of channel invitation messages.

    For FreeBSD:

        1) Upgrade your entire ports collection and rebuild the bitchx
           port.
        2) Deinstall the old package  and install a new package  dated
           after the correction date (2000-07-03), obtained from:
           ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/irc/bitchx-1.0c16.tar.gz
           ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/irc/bitchx-1.0c16.tar.gz
           ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/irc/bitchx-1.0c16.tar.gz
           ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/bitchx-1.0c16.tar.gz
           ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/irc/bitchx-1.0c16.tar.gz
        3) Download a new port skeleton for the bitchx port from:
           http://www.freebsd.org/ports/
           and use it to rebuild the port.

    For RedHat (Red Hat Powertools 6.2):

        sparc: ftp://updates.redhat.com/powertools/6.2/sparc/BitchX-1.0c16-1.sparc.rpm
        alpha: ftp://updates.redhat.com/powertools/6.2/alpha/BitchX-1.0c16-1.alpha.rpm
         i386: ftp://updates.redhat.com/powertools/6.2/i386/BitchX-1.0c16-1.i386.rpm
      sources: ftp://updates.redhat.com/powertools/6.2/SRPMS/BitchX-1.0c16-1.src.rpm

    Conectiva Linux users of BitchX must upgrade to:

        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/BitchX-75p3-9cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/wserv-1.13-2cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/BitchX-75p3-9cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/wserv-1.13-2cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/BitchX-75p3-9cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/wserv-1.13-2cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/BitchX-75p3-9cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/wserv-1.13-2cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/BitchX-75p3-9cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/wserv-1.13-2cl.i386.rpm

        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/SRPMS/BitchX-75p3-9cl.src.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/SRPMS/BitchX-75p3-9cl.src.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/SRPMS/BitchX-75p3-9cl.src.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/SRPMS/BitchX-75p3-9cl.src.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/BitchX-75p3-9cl.src.rpm

    For Mandrake Linux:

        6.1/RPMS/BitchX-75p3-12mdk.i586.rpm
        6.1/SRPMS/BitchX-75p3-12mdk.src.rpm
        7.0/RPMS/BitchX-75p3-12mdk.i586.rpm
        7.0/SRPMS/BitchX-75p3-12mdk.src.rpm
        7.1/RPMS/BitchX-75p3-12mdk.i586.rpm
        7.1/SRPMS/BitchX-75p3-12mdk.src.rpm

    For Caldera Systems:

        ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/irc-BX-75p3-5.i386.rpm
        ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS/irc-BX-75p3-5.src.rpm