[SECURITY] INN: Buffer overflow in control message handling
A buffer overflow has been discovered in a portion of the control message
handling code introduced in INN 2.4.0. It is fairly likely that this
overflow could be remotely exploited to gain access to the user innd runs
as. INN 2.3.x and earlier are not affected. The INN CURRENT tree is
affected.
So far as we know, there are no current exploits in the wild for this
vulnerability.
INN 2.4.1 has just been released with a fix for this issue and various
other accumulated patches. We strongly urge anyone running INN 2.4.0 or
any STABLE snapshot to upgrade to this version, or apply the attached
patch to their source tree and reinstall with make update. There should
be no incompatibilities between INN 2.4.1 and INN 2.4.0 or STABLE
snapshots.
INN 2.4.1 is available at:
<ftp://ftp.isc.org/isc/inn/inn-2.4.1.tar.gz>
The MD5 checksum of this release is:
bec635b6e70188071fdb539cd374f2ba
A PGP signature will be available in the same directory shortly.
We apologize for this problem, which was caused by misuse of static
buffers and a dangerous internal INN function that we intend to remove
completely in the next stable release. The current development branch has
already been converted almost entirely to strlcpy, strlcat, and other safe
string handling routines and that conversion should be complete in the INN
2.5.0 release.
Following is a patch against INN 2.4.0. It should also apply to a current
STABLE or CURRENT snapshot if you use patch -l to apply it.
--- inn-2.4.0/innd/art.c.orig 2003-05-04 15:10:14.000000000 -0700
+++ inn-2.4.0/innd/art.c 2004-01-07 15:25:08.000000000 -0800
@@ -1773,7 +1773,7 @@
bool
ARTpost(CHANNEL *cp)
{
- char *p, **groups, ControlWord[SMBUF], tmpbuff[32], **hops;
+ char *p, **groups, ControlWord[SMBUF], **hops, *controlgroup;
int i, j, *isp, hopcount, oerrno, canpost;
NEWSGROUP *ngp, **ngptr;
SITE *sp;
@@ -2185,9 +2185,10 @@
* or control. */
if (IsControl && Accepted && !ToGroup) {
ControlStore = true;
- FileGlue(tmpbuff, "control", '.', ControlWord);
- if ((ngp = NGfind(tmpbuff)) == NULL)
+ controlgroup = concat("control.", ControlWord, (char *) 0);
+ if ((ngp = NGfind(controlgroup)) == NULL)
ngp = NGfind(ARTctl);
+ free(controlgroup);
ngp->PostCount = 0;
ngptr = GroupPointers;
*ngptr++ = ngp;
Thanks to Dan Riley for his prompt and detailed report and debugging
assistance.
Russ Allbery
Katsuhiro Kondou
inn@xxxxxxx