7958492 2002-02-06 03:59 +0000 /63 lines/ <ciscosux@hushmail.com>
Sent by: joel@lysator.liu.se
Imported: 2002-02-06 19:25 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20843>
Subject: -Possible- licq D.o.S
------------------------------------------------------------
From: <ciscosux@hushmail.com>
To: bugtraq@securityfocus.com
Message-ID: <20020206035946.30250.qmail@mail.securityfocus.com>

Greetings,

If you initiate an "icq chat" with someone on licq, then proceed to send a constant stream of %d (I usually send close to 1000 chars) right after the other, nonstop, it will cause their licq to seg fault. Tested on licq 1.0.4. (bugtraq usually formats my messages weird, so apologies if this doesn't look right.)

The end result after the flood is:

Licq Segmentation Violation Detected.
Backtrace:
licq(licq_handle_sigsegv+0x73) [0x809171b]
/lib/libpthread.so.0(pthread_kill+0x170) [0x4002deb4]
/lib/libc.so.6(__libc_sigaction+0x1f8) [0x400ce928]
licq(PopChatEvent__12CChatManager+0xab) [0x808ab2b]
/usr/local/lib/licq/licq_qt-gui.so (slot_chat__7ChatDlg+0xea6) [0x401fb68a]
/usr/lib/libqt.so.2 (activate_signal__7QObjectPCci+0x12a) [0x40448b7e]
/usr/lib/libqt.so.2 (activated__15QSocketNotifieri+0x28) [0x4049a0b8]
/usr/lib/libqt.so.2 (event__15QSocketNotifierP6QEvent+0x44) [0x4047b07c]
/usr/lib/libqt.so.2 (notify__12QApplicationP7QObjectP6QEvent+0x1ea) 0x403f88a6]
/usr/lib/libqt.so.2 (qt_set_socket_handler__FiiP7QObjectb+0x4f2) [0x403c685a]
/usr/lib/libqt.so.2 (processNextEvent__12QApplicationb+0x6c7) [0x403c6f9b]
/usr/lib/libqt.so.2(enter_loop__12QApplication+0x3c) [0x403fa5f4]
/usr/lib/libqt.so.2(exec__12QApplication+0x2b) [0x403c68c7]
/usr/local/lib/licq/licq_qt-gui.so (Run__8CLicqGuiP10CICQDaemon+0xf9) [0x402070ed]
/usr/local/lib/licq/licq_qt-gui.so(LP_Main+0x4d) [0x40205475]
/usr/local/lib/licq/licq_qt-gui.so(LP_Main_tep+0x21) [0x40205191]
/lib/libpthread.so.0(pthread_detach+0x519) [0x4002b065]
/lib/libc.so.6(__clone+0x3a) [0x4016d01a]
Attempting to generate core file.
syn@slackware:~#
(7958492) / <ciscosux@hushmail.com>/----------------

7969475 2002-02-08 09:08 -0600 /15 lines/ Jon Keating <jon@licq.org>
Sent by: licq-devel-admin@lists.sourceforge.net
Imported: 2002-02-08 16:12 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: licq-devel@licq.org
External CC recipient: ciscosux@hushmail.com
Recipient: Licq-cvs (-) import conference <4515>
Recipient: Licq-devel (-) import conference <3098>
Recipient: Bugtraq (import) <20898>
Sent: 2002-02-08 18:06
Subject: [Licq-devel] RE: -Possible- licq D.o.S
------------------------------------------------------------
Hello.

This crash occurred when a static buffer of 1024 bytes overflowed. This is fixed in the latest version of licq in the CVS and should be in the next CVS daily snapshot. The CVS copy of licq uses the new v8 protocol (otherwise known as OSCAR) while the latest release does not. If for some reason you do not want to use the CVS copy, use the attached patch, and when prompted for the file to patch enter the full path to icqd-chat.cpp (i.e. /home/user/licq/src/icqd-chat.cpp).

It would be appreciated if the bug reporter would also contact licq-devel to let the developers of licq be aware of this problem and any future problems.
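The reply above names the defect (a static 1024-byte line buffer that a chat line without a newline eventually overruns) and the fix (flush the line once it passes 1000 bytes). The following is an added C example, not licq code, of a line accumulator that enforces the same bound before each byte is stored instead of checking the length afterwards. The sizes 1024 and 1000 are taken from the thread; the type and function names (linebuf_t, linebuf_feed, stats_t, demo_feed, demo_flood) and the "%d" flood input are constructed for this illustration.

```c
/*
 * Added example (not licq code): a bounded line accumulator for a
 * byte-at-a-time chat stream. The unsafe shape it replaces is an
 * unbounded append into a fixed array, roughly
 *     static char linebuf[1024];
 *     strcat(linebuf, incoming);   // no capacity check
 * which a long enough line with no '\n' walks off the end of.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINEBUF_SIZE     1024   /* size of the static buffer in the report */
#define LINEBUF_FLUSH_AT 1000   /* flush early, as the patch does */

typedef void (*line_cb)(const char *line, void *ctx);

typedef struct {
    char     buf[LINEBUF_SIZE];
    size_t   len;              /* bytes in buf; never exceeds LINEBUF_FLUSH_AT */
    line_cb  emit;             /* receives each completed line */
    void    *ctx;
    unsigned forced_flushes;   /* lines cut by the bound rather than by '\n' */
} linebuf_t;

static void linebuf_init(linebuf_t *lb, line_cb emit, void *ctx)
{
    memset(lb, 0, sizeof *lb);
    lb->emit = emit;
    lb->ctx  = ctx;
}

/* Terminate the pending line, hand it off, and start a new one. */
static void linebuf_flush(linebuf_t *lb)
{
    lb->buf[lb->len] = '\0';   /* len <= LINEBUF_FLUSH_AT < LINEBUF_SIZE */
    lb->emit(lb->buf, lb->ctx);
    lb->len = 0;
}

/*
 * Feed incoming bytes. '\n' completes a line; the bound is checked before
 * every store, so no input can write beyond buf[LINEBUF_FLUSH_AT]. Nothing
 * is discarded: the byte that would overrun simply begins the next line.
 */
static void linebuf_feed(linebuf_t *lb, const char *data, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (data[i] == '\n') {
            linebuf_flush(lb);
            continue;
        }
        if (lb->len >= LINEBUF_FLUSH_AT) {
            lb->forced_flushes++;
            linebuf_flush(lb);
        }
        lb->buf[lb->len++] = data[i];
    }
}

/* Receiver used by the demo: counts lines and remembers the longest. */
typedef struct { unsigned lines; size_t longest; } stats_t;

static void count_line(const char *line, void *ctx)
{
    stats_t *s = ctx;
    size_t l = strlen(line);
    s->lines++;
    if (l > s->longest)
        s->longest = l;
}

/* Push a stream through a fresh buffer one byte at a time (as a chat client
 * delivers keystrokes) and emit any pending tail. Returns the number of
 * bound-triggered flushes. */
static unsigned demo_feed(const char *data, size_t n, stats_t *out)
{
    linebuf_t lb;
    stats_t st = {0, 0};
    linebuf_init(&lb, count_line, &st);
    for (size_t i = 0; i < n; i++)
        linebuf_feed(&lb, data + i, 1);
    if (lb.len > 0)
        linebuf_flush(&lb);    /* end of session: flush what is pending */
    if (out)
        *out = st;
    return lb.forced_flushes;
}

/* The reporter's scenario: nbytes of "%d%d%d..." with no newline at all
 * (constructed input, not a capture). */
static unsigned demo_flood(size_t nbytes, stats_t *out)
{
    enum { MAX_FLOOD = 4096 };
    static char flood[MAX_FLOOD];
    if (nbytes > MAX_FLOOD)
        nbytes = MAX_FLOOD;
    for (size_t i = 0; i < nbytes; i++)
        flood[i] = (i % 2 == 0) ? '%' : 'd';
    return demo_feed(flood, nbytes, out);
}

int main(void)
{
    stats_t st;
    unsigned forced = demo_flood(2500, &st);
    printf("2500-byte flood: %u forced flushes, %u lines, longest %zu\n",
           forced, st.lines, st.longest);
    forced = demo_feed("hello\nworld\n", 12, &st);
    printf("two normal lines: %u forced flushes, %u lines, longest %zu\n",
           forced, st.lines, st.longest);
    return 0;
}
```

A 2500-byte flood comes out as three lines of at most 1000 bytes and two forced flushes; the highest index ever written is buf[1000], so the array bound holds no matter how the input is chunked. The difference from the posted patch is where the check sits: here the capacity test precedes the store, so it does not depend on how many bytes arrive between two checks.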
Jon
(7969475) /Jon Keating <jon@licq.org>/----(Re-wrapped)
Attachment (text/x-c++) in text 7969476

7969476 2002-02-08 09:08 -0600 /15 lines/ Jon Keating <jon@licq.org>
Attachment filename: "licq.icqd-chat.patch"
Imported: 2002-02-08 16:12 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: licq-devel@licq.org
External CC recipient: ciscosux@hushmail.com
Recipient: Licq-cvs (-) import conference <4516>
Recipient: Licq-devel (-) import conference <3099>
Attachment (text/plain) to text 7969475
Subject: Attachment (licq.icqd-chat.patch) to: [Licq-devel] RE: -Possible- licq D.o.S
------------------------------------------------------------
1247a1248,1253
> if (strlen(u->linebuf) > 1000) // stop a little early
> {
> u->linebuf[1000] = '\0';
> PushChatEvent(new CChatEvent(CHAT_NEWLINE, u, u->linebuf));
> u->linebuf[0] = '\0';
> }
1547a1548,1553
> if (strlen(u->linebuf) > 1000) // stop a little early
> {
> u->linebuf[1000] = '\0';
> PushChatEvent(new CChatEvent(CHAT_NEWLINE, u, u->linebuf));
> u->linebuf[0] = '\0';
> }
(7969476) /Jon Keating <jon@licq.org>/--------------
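Review bot: the guard added at 1248-1253 reacts to data that is already in u->linebuf (strlen can only exceed 1000 after a write), so it keeps the 1024-byte static buffer intact only as long as whatever is appended between two checks is under 24 bytes; testing the remaining capacity before the copy, or using a length-bounded copy such as strncat(u->linebuf, data, 1023 - strlen(u->linebuf)), would make the bound hold for any append size. Note also that setting u->linebuf[1000] = '\0' and then u->linebuf[0] = '\0' discards every byte past position 1000 instead of carrying it into the next line; acceptable for a crash fix, but worth a comment so it is not later mistaken for a bug.

Review bot: the block at 1548-1553 repeats 1248-1253 byte for byte; a small helper (flush the line if it is too long) called from both sites would keep the two copies from diverging, and the 1000 literal belongs in a named constant expressed in terms of the 1024-byte size of linebuf. The post-write timing concern raised on the first hunk applies here as well.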