atheme.org Security Advisory ASA-2012-12-31

Original release: December 31, 2012.
Last update: December 31, 2012.

Copyright (c) 2012 atheme.org and its contributors. All rights reserved.
Distribution of this document in full, or in part, is allowed, provided that
the distributed portions remain in otherwise unmodified form and the above
copyright notice and this permission notice remain unchanged.

Topic: Charybdis: Improper assumptions in the server handshake code may lead to
a remote crash. (CAPAB module)

Versions affected: All

CVSSv2 vector: AV:N/AC:N/Au:N/C:N/I:N/A:C/E:F/RL:O/RC:C
CVSSv2 base score: 7.8
  Access vector: network
  Access complexity: low
  Authentication requirement: none
  Confidentiality impact: none
  Integrity impact: none
  Availability impact: complete
CVSSv2 temporal score: 6.4
  Exploitability: functional exploit exists
  Remediation level: official fix
  Report confidence: confirmed

Summary:

All versions of Charybdis are vulnerable to a remotely-triggered crash bug
caused by code originating from ircd-ratbox 2.0. (Incidentally, this means
all versions since ircd-ratbox 2.0 are also vulnerable.) The bug lies in
server capability (CAPAB) negotiation: a malformed request triggers a crash
because the handler makes invalid assumptions about its input.

Mitigation:

A patch for all affected versions of ircd-ratbox and charybdis is available
from the charybdis Git repository:

  https://github.com/atheme/charybdis/commit/ac0707aa61d9c20e9b09062294701567c9f41595.patch

To apply the patch, go to your IRCd source tree and run the following
commands:

  $ patch -p1 < /path/to/downloaded/patchfile.patch
  $ make
  $ make install

Then you may hotfix the running IRCd by issuing /MODRESTART as a server admin.

Details:

In ratbox-2, the following code was added to m_capab.c:

  char *t = LOCAL_COPY(parv[i]);

The other logic was then modified to use that stack-allocated buffer rather
than the original parameter. LOCAL_COPY() is a macro which expands to
alloca() and strlcpy(); the crash occurs because this expansion ends up
calling strlen() on a NULL pointer.

This bug was reported by "Fudge" (http://github.com/FionnK).

Contact:

For further information about this security advisory, please contact the
Charybdis developers at irc.atheme.org #charybdis.

For more information about atheme.org, please visit the following resources:

  - IRC: irc.atheme.org #atheme-project
  - Web: http://www.atheme.org/
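The failure mode from the Details section above, as an added illustration that is not charybdis or ircd-ratbox source: a stack copy shaped like LOCAL_COPY() (alloca() sized by strlen(), then strlcpy()), a loop that applies it to every parv[i] without checking, and a hardened counterpart that rejects a NULL parameter before the copy is made. The capability names, the handler names, the strlcpy stand-in and the assumption that the malformed request manifests as a NULL entry in parv[] are constructed for this example.

```c
#include <alloca.h>
#include <string.h>

/* strlcpy stand-in for libcs that lack it; like strlcpy(), returns strlen(src). */
static size_t xstrlcpy(char *dst, const char *src, size_t siz)
{
    size_t len = strlen(src);   /* with src == NULL this is the advisory's crash */
    if (siz > 0) {
        size_t n = len < siz - 1 ? len : siz - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}
/* Constructed capability table for the example, not the real CAPAB list. */
static const char *const known_caps[] = { "QS", "EX", "CHW", "IE", NULL };
/* Stack copy shaped like LOCAL_COPY(): alloca() sized by strlen(), then strlcpy().
 * Tokenises the copy and counts known capabilities. p == NULL crashes in strlen(). */
static int count_caps_in(const char *p)
{
    size_t n = strlen(p) + 1;
    char *t = alloca(n);
    xstrlcpy(t, p, n);
    int found = 0;
    for (char *tok = strtok(t, " "); tok; tok = strtok(NULL, " "))
        for (const char *const *k = known_caps; *k; k++)
            found += (strcmp(*k, tok) == 0);
    return found;
}
/* Loop shaped like the ratbox-2 handler: assumes parv[1..parc-1] are all
 * non-NULL strings, so a message violating that assumption takes the daemon down. */
int capab_count_unchecked(int parc, const char *parv[])
{
    int total = 0;
    for (int i = 1; i < parc; i++)
        total += count_caps_in(parv[i]);
    return total;
}
/* Hardened loop: validate each parameter before the stack copy and reject the
 * whole message (-1) so the caller can drop the link instead of crashing. */
int capab_count_checked(int parc, const char *parv[])
{
    int total = 0;
    for (int i = 1; i < parc; i++) {
        if (parv[i] == NULL) return -1;  /* the assumption the old code never checked */
        total += count_caps_in(parv[i]);
    }
    return total;
}
```

On a well-formed CAPAB both handlers agree; only the checked one survives a message whose parameter vector has a NULL entry.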