remote IRC servers can execute arbitrary commands

Bug #129771 reported by StefanPotyra
Affects              Status        Importance  Assigned to  Milestone
ircii-pana (Debian)  Fix Released  Unknown
ircii-pana (Ubuntu)  Fix Released  Medium      Kees Cook
  Dapper             Fix Released  Medium      Kees Cook
  Edgy               Fix Released  Medium      Kees Cook
  Feisty             Fix Released  Medium      Kees Cook

Bug Description

"hook.c in BitchX 1.1-final allows remote IRC servers to execute
arbitrary commands by sending a client certain data containing NICK and
EXEC strings, which exceeds the bounds of a hash table, and injects an
EXEC hook function that receives and executes shell commands." (from CVE-2007-3360)
(Debian-bug: 432120, ubuntu section universe)
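The mechanism in that description, an index derived from server-supplied text being used against a fixed-size hook table with no bounds check so that an attacker-chosen handler lands outside the table, as an added illustration in C. This is not BitchX's hook.c and does not reproduce the actual trigger; the table size, the "NICK <number>" input format, the handler names and the slots modelled after the table are all assumptions made for this example, and the sample server text is constructed:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NHOOKS     8   /* size of the hook table (assumed for the example) */
#define NADJACENT  4   /* slots standing in for whatever follows the table in memory */

typedef int (*hook_fn)(const char *arg);

/* Two stand-in handlers; in a real client the second would hand its argument to a shell. */
static int hook_nick(const char *arg) { return (int)strlen(arg); }
static int hook_exec(const char *arg) { return -(int)strlen(arg); }

/*
 * One contiguous region: the first NHOOKS slots are the hook table, the
 * remaining NADJACENT slots model the data that happens to sit after it.
 * A write past NHOOKS is the out-of-bounds write the advisory describes;
 * keeping the overflow inside this region keeps the demo defined behaviour.
 */
static hook_fn region[NHOOKS + NADJACENT];

static void reset_region(void)
{
    for (size_t i = 0; i < NHOOKS + NADJACENT; i++)
        region[i] = NULL;
    region[0] = hook_nick;
}

/* Parse the hook number out of constructed server text such as "NICK 10". */
static long parse_index(const char *server_text)
{
    const char *sp = strchr(server_text, ' ');
    return sp ? strtol(sp + 1, NULL, 10) : -1;
}

/* Vulnerable pattern: the index comes from the server and is never checked
 * against the table size. (The test against the region size exists only so
 * the demo itself stays memory-safe; it is not part of the pattern.) */
static int register_hook_unchecked(const char *server_text, hook_fn fn)
{
    long idx = parse_index(server_text);
    if (idx < 0 || idx >= NHOOKS + NADJACENT)
        return -1;
    region[idx] = fn;                     /* may land beyond the table */
    return (int)idx;
}

/* Hardened pattern: anything outside the hook table is rejected. */
static int register_hook_checked(const char *server_text, hook_fn fn)
{
    long idx = parse_index(server_text);
    if (idx < 0 || idx >= NHOOKS)
        return -1;
    region[idx] = fn;
    return (int)idx;
}

/* Has any slot beyond the table been overwritten with a pointer? */
static int adjacent_clobbered(void)
{
    for (size_t i = NHOOKS; i < NHOOKS + NADJACENT; i++)
        if (region[i] != NULL)
            return 1;
    return 0;
}

int main(void)
{
    reset_region();
    register_hook_unchecked("NICK 10", hook_exec);
    printf("unchecked: adjacent clobbered = %d\n", adjacent_clobbered());
    if (region[10] != NULL)               /* the injected handler is now reachable */
        printf("slot 10 called -> %d\n", region[10]("/bin/sh"));

    reset_region();
    int rc = register_hook_checked("NICK 10", hook_exec);
    printf("checked: rc = %d, adjacent clobbered = %d\n", rc, adjacent_clobbered());
    return 0;
}
```

The only difference between the two registration functions is the range test against NHOOKS: the unchecked one places the attacker's handler past the table and the client then calls it, the checked one refuses the same input and leaves the adjacent slots untouched.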

CVE References

CVE-2007-3360
Revision history for this message
StefanPotyra (sistpoty) wrote :

didn't check exactly about this bug, just saw this while trying to merge the package in the DBTS.

also, the newest version in unstable FTBFS (see bug #129134 for details).

Changed in ircii-pana:
status: Unknown → New
Revision history for this message
Stephan Rügamer (sruegamer) wrote :

Will provide a debdiff with the fix from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432120

Revision history for this message
Stephan Rügamer (sruegamer) wrote :
Changed in ircii-pana:
assignee: nobody → ubuntu-security
Revision history for this message
StefanPotyra (sistpoty) wrote :

Format: 1.7
Date: Tue, 02 Oct 2007 11:39:33 +0200
Source: ircii-pana
Binary: bitchx-dev bitchx-ssl bitchx bitchx-gtk
Architecture: source
Version: 1:1.1-4ubuntu4
Distribution: gutsy
Urgency: low
Maintainer: Ubuntu MOTU Team <email address hidden>
Changed-By: Stephan Hermann <email address hidden>
Description:
 bitchx - Advanced Internet Relay Chat client
 bitchx-dev - Header files for BitchX
 bitchx-gtk - GTK interface for BitchX
 bitchx-ssl - SSL support for BitchX
Launchpad-Bugs-Fixed: 129771
Changes:
 ircii-pana (1:1.1-4ubuntu4) gutsy; urgency=low
 .
   * debian/patches/remote_exec_fix.patch:
     Fixes CVE-2007-3360 (Closes: dbts: #432120)
     (LP: #129771)
Files:
 caa495fb57df9647fd92ff704a8fe515 919 net optional ircii-pana_1.1-4ubuntu4.dsc
 61136535f26320e81f58883e37d367ee 56661 net optional ircii-pana_1.1-4ubuntu4.diff.gz
Original-Maintainer: Daniel Jacobowitz <email address hidden>

Changed in ircii-pana:
status: New → Fix Committed
Revision history for this message
Stephan Rügamer (sruegamer) wrote :

ircii-pana (1:1.1-4ubuntu4) gutsy; urgency=low

  * debian/patches/remote_exec_fix.patch:
    Fixes CVE-2007-3360 (Closes: dbts: #432120)
    (LP: #129771)

 -- Stephan Hermann <email address hidden> Tue, 02 Oct 2007 11:39:33 +0200

Changed in ircii-pana:
status: Fix Committed → Fix Released
Changed in ircii-pana:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Revision history for this message
Luca Falavigna (dktrkranz) wrote :

Patch for feisty-security.

Revision history for this message
Luca Falavigna (dktrkranz) wrote :

Patch for edgy-security.

Revision history for this message
Luca Falavigna (dktrkranz) wrote :

Patch for dapper-security.

Kees Cook (kees)
Changed in ircii-pana:
assignee: ubuntu-security → keescook
importance: Undecided → Medium
status: Fix Released → In Progress
assignee: nobody → keescook
importance: Undecided → Medium
status: Confirmed → In Progress
assignee: nobody → keescook
importance: Undecided → Medium
status: Confirmed → In Progress
assignee: nobody → keescook
importance: Undecided → Medium
status: Confirmed → In Progress
status: In Progress → Fix Released
Revision history for this message
Kees Cook (kees) wrote :

Thanks for getting these ready! I've published them now.

Changed in ircii-pana:
status: In Progress → Fix Released
status: In Progress → Fix Released
status: In Progress → Fix Released
Changed in ircii-pana:
status: New → Fix Released
This report contains Public Security information  