diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-00:32.bitchx.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-00:32.bitchx.asc | 93 |
1 files changed, 0 insertions, 93 deletions
diff --git a/share/security/advisories/FreeBSD-SA-00:32.bitchx.asc b/share/security/advisories/FreeBSD-SA-00:32.bitchx.asc deleted file mode 100644 index bda36aae46..0000000000 --- a/share/security/advisories/FreeBSD-SA-00:32.bitchx.asc +++ /dev/null @@ -1,93 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- - -============================================================================= -FreeBSD-SA-00:32 Security Advisory - FreeBSD, Inc. - -Topic: bitchx port contains client-side vulnerability - -Category: ports -Module: bitchx -Announced: 2000-07-05 -Affects: Ports collection. -Corrected: 2000-07-03 -Vendor status: Patch released -FreeBSD only: NO - -I. Background - -BitchX is a popular IRC client. - -II. Problem Description - -The bitchx client incorrectly parses string-formatting operators -included as part of channel invitation messages sent by remote IRC -users. This can cause the local client to crash, and may possibly -present the ability to execute arbitrary code as the local user. - -The bitchx port is not installed by default, nor is it "part of -FreeBSD" as such: it is part of the FreeBSD ports collection, which -contains over 3400 third-party applications in a ready-to-install -format. The ports collections shipped with FreeBSD 4.0 and 3.5 contain -this problem since it was discovered after the release. - -FreeBSD makes no claim about the security of these third-party -applications, although an effort is underway to provide a security -audit of the most security-critical ports. - -III. Impact - -Remote IRC users can cause the local client to crash, and possibly -execute code as the local user. - -If you have not chosen to install the bitchx port/package, then -your system is not vulnerable to this problem. - -IV. Workaround - -Issue the following bitchx command (e.g. as part of a startup script): - -/ignore * invites - -which will disable processing of channel invitation messages. - -V. Solution - -One of the following: - -1) Upgrade your entire ports collection and rebuild the bitchx port. - -2) Deinstall the old package and install a new package dated after the -correction date, obtained from: - -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/irc/bitchx-1.0c16.tar.gz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/irc/bitchx-1.0c16.tar.gz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/irc/bitchx-1.0c16.tar.gz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/bitchx-1.0c16.tar.gz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/irc/bitchx-1.0c16.tar.gz - -NOTE: It may be several days before updated packages are available. Be -sure to check the file creation date on the package, because the -version number of the software has not changed. - -3) download a new port skeleton for the bitchx port from: - -http://www.freebsd.org/ports/ - -and use it to rebuild the port. - -4) Use the portcheckout utility to automate option (3) above. The -portcheckout port is available in /usr/ports/devel/portcheckout or the -package can be obtained from: - -ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz - ------BEGIN PGP SIGNATURE----- -Version: 2.6.2 - -iQCVAwUBOWGvPlUuHi5z0oilAQGEQAP+MbpDIPmejoZUcpVCpIBFP+2LwmR/ouwu -LMuDVgY5l3kaWNIypTNAbMVPDZFx1l3+LEUJfurBLydpH8PnB17C7tE+uPXpNDzA -ph3jjHXazN8DvvdYCD6EcEXccgGIWREz+OUPsH4VZtqC0g84Lt7tpZwBFZ+Fh2Py -gjxO4c2fPE8= -=B4nR ------END PGP SIGNATURE----- |