tags 465643 +patch
thanks
> Package: tintin++
> Version: 1.97.9-1
> Severity: grave
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for tintin++.
>
> CVE-2008-0673[0]:
> | TinTin++ 1.97.9 and WinTin++ 1.97.9 open files on the basis of an
> | inbound file-transfer request, before the user has an opportunity to
> | decline the request, which allows remote attackers to truncate
> | arbitrary files in the top level of a home directory.
>
> CVE-2008-0672[1]:
> | The process_chat_input function in TinTin++ 1.97.9 and WinTin++ 1.97.9
> | allows remote attackers to cause a denial of service (application
> | crash) via a YES message without a newline character, which triggers a
> | NULL dereference.
>
> CVE-2008-0671[2]:
> | Stack-based buffer overflow in the add_line_buffer function in
> | TinTin++ 1.97.9 and WinTin++ 1.97.9 allows remote attackers to execute
> | arbitrary code via a long chat message, related to conversion from LF
> | to CRLF.
>
> If you fix these vulnerabilities please also include the CVE ids
> in your changelog entry.
>
> For further information:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0673
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0672
> [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0671
>
The attached patch seems to fix these vulnerabilities for tintin 1.97.9.
The patch needs backporting for previous versions.
I will upload a patched revision in a couple of minutes.
Ana
Patch by Igor van den Hoven
Changes:
chat.c Fixed an exploit to erase files with #chat.
chat.c Fixed a crash bug in the negotiation routine; apparently
sscanf doesn't check for line feeds.
chat.c Lowered the maximum read from socket size to half of
BUFFER_SIZE to prevent buffer overflows.
diff -Nrua tt-1.97.9/src/chat.c tt-1.98/src/chat.c
--- tt-1.97.9/src/chat.c 2007-12-22 13:50:38.000000000 +0100
+++ tt-1.98/src/chat.c 2008-02-13 21:31:24.000000000 +0100
@@ -743,7 +743,7 @@
push_call("process_chat_input(%p)",buddy);
- size = read(buddy->fd, buf, BUFFER_SIZE - 1000);
+ size = read(buddy->fd, buf, BUFFER_SIZE / 2);
if (size <= 0)
{
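Review bot: Nothing in this hunk NUL-terminates buf after the shortened read(), yet the YES: handling later in the same function walks it with strchr() and strcpy(); if the terminator is written elsewhere in process_chat_input that is fine, otherwise add `buf[size] = 0;` right after the `size <= 0` check. The halving is also unexplained in the code: the changelog and the CVE-2008-0671 text tie it to the LF-to-CRLF expansion done downstream, so a comment such as `/* read at most half the buffer: line-ending conversion can double the data before it is buffered */` would keep a later maintainer from restoring the old limit. process_chat_input continues outside the hunk.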
@@ -819,25 +819,27 @@
if (!strncmp(buf, "YES:", 4))
{
- if (sscanf(buf, "YES:%s\n", temp) == 1)
+ if ((sep = strchr(buf, '\n')) != NULL)
{
- strip_vt102_codes(temp, name);
+ *sep++ = 0;
- RESTRING(buddy->name, name);
+ strcpy(temp, buf);
- chat_socket_printf(buddy, "%c%s%s%c", CHAT_VERSION, "TinTin++ ", VERSION_NUM, CHAT_END_OF_COMMAND);
+ strip_vt102_codes(&temp[4], name);
- sep = strchr(buf, '\n');
+ RESTRING(buddy->name, name);
- *sep++ = 0;
+ chat_socket_printf(buddy, "%c%s%s%c", CHAT_VERSION, "TinTin++ ", VERSION_NUM, CHAT_END_OF_COMMAND);
- get_chat_commands(buddy, sep, size - strlen(buf));
+ get_chat_commands(buddy, sep, size - strlen(temp) - 1);
pop_call();
return 0;
}
else
{
+ chat_printf("Error in processing connection negotiation with [EMAIL PROTECTED]", buddy->name, buddy->ip);
+
pop_call();
return -1;
}
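Review bot: The format string in the added chat_printf on the error branch, `"Error in processing connection negotiation with [EMAIL PROTECTED]"`, carries no conversion specifiers for its two arguments buddy->name and buddy->ip; this looks like the mailing-list archive's address scrubbing of the original (most likely `%s@%s`), but as displayed the patch cannot be applied verbatim and would trip -Wformat. The same applies to the `Connection negotiation refused by` line in the next hunk. Separately, the new `strcpy(temp, buf)` is bounded only by the read limit from the first hunk; `temp` is declared outside this hunk, so confirm it holds at least BUFFER_SIZE / 2 + 1 bytes. Note also that, unlike the old `%s` scan which stopped at whitespace, the copied name now runs up to the newline and keeps any trailing `\r` from a CRLF peer; if that matters, trim it before strip_vt102_codes(). The enclosing function continues past both ends of the hunk.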
@@ -845,6 +847,8 @@
if (!strncmp(buf, "NO", 2))
{
+ chat_printf("Connection negotiation refused by [EMAIL PROTECTED]", buddy->name, buddy->ip);
+
pop_call();
return -1;
}
@@ -1774,6 +1778,7 @@
DO_CHAT(chat_accept)
{
struct chat_data *buddy;
+ char path[BUFFER_SIZE];
if ((buddy = find_buddy(left)) == NULL)
{
@@ -1782,7 +1787,7 @@
return;
}
- if (buddy->file_pt == NULL)
+ if (buddy->file_name == NULL)
{
chat_printf("ERROR: You don't have a file transfer in progress with %s.", buddy->name);
@@ -1796,6 +1801,19 @@
return;
}
+ sprintf(path, "%s%s", gtd->chat->download, buddy->file_name);
+
+ if ((buddy->file_pt = fopen(path, "w")) == NULL)
+ {
+ deny_file(buddy, "\nCould not create that file on receiver's end.\n");
+
+ chat_printf("ERROR: Could not create the file '%s' on your end.", buddy->file_name);
+
+ file_cleanup(buddy);
+
+ return;
+ }
+
buddy->file_start_time = utime();
chat_socket_printf(buddy, "%c%c", CHAT_FILE_BLOCK_REQUEST, CHAT_END_OF_COMMAND);
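Review bot: buddy->file_name is supplied by the remote peer, and this hunk joins it onto gtd->chat->download with an unbounded sprintf() into `path[BUFFER_SIZE]` (declared in the earlier hunk) before truncating the result with fopen(path, "w"); deferring the open until #chat accept removes the truncate-before-consent of CVE-2008-0673, but a name containing `/` or `..` could still resolve outside the download directory unless it is rejected where it is first received, which is not visible here. The same sprintf/path construction appears at the top of the last hunk. Since accept is the moment the file is actually created, I would bound the formatting with snprintf and refuse names with path components here as well, whatever the receive side does. chat_accept's body continues outside the hunk.
```c
	/* file_name is remote-supplied: refuse anything that could escape the download directory */
	if (buddy->file_name[0] == 0 || strchr(buddy->file_name, '/') || strstr(buddy->file_name, ".."))
	{
		deny_file(buddy, "\nInvalid file name on receiver's end.\n");

		chat_printf("ERROR: Refusing file name '%s' from %s.", buddy->file_name, buddy->name);

		file_cleanup(buddy);

		return;
	}

	if (snprintf(path, sizeof(path), "%s%s", gtd->chat->download, buddy->file_name) >= (int) sizeof(path))
	{
		deny_file(buddy, "\nFile name too long on receiver's end.\n");

		chat_printf("ERROR: File name '%s' is too long.", buddy->file_name);

		file_cleanup(buddy);

		return;
	}

	/* … unchanged: fopen(path, "w") and its deny_file error path … */
```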
@@ -1991,19 +2009,18 @@
sprintf(path, "%s%s", gtd->chat->download, buddy->file_name);
- if ((buddy->file_pt = fopen(path, "w")) == NULL)
+ chat_printf("File transfer from %s, file: %s, size: %d.", buddy->name, buddy->file_name, buddy->file_size);
+ chat_printf("Use %cchat <accept|decline> %s to proceed.", gtd->tintin_char, buddy->name);
+
+ if ((buddy->file_pt = fopen(path, "r")) != NULL)
{
- deny_file(buddy, "\nCould not create that file on receiver's end.\n");
+ chat_printf("Warning, the file already exists on your end.");
- file_cleanup(buddy);
+ fclose(buddy->file_pt);
- pop_call();
- return;
+ buddy->file_pt = NULL;
}
- chat_printf("File transfer from %s, file: %s, size: %d.", buddy->name, buddy->file_name, buddy->file_size);
- chat_printf("Use %cchat <accept|decline> %s to proceed.", gtd->tintin_char, buddy->name);
-
buddy->file_start_time = 0;
pop_call();
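Review bot: The pre-accept existence check opens the file with fopen(path, "r") and treats any failure as absence, so an existing file that is merely unreadable produces no warning even though the later fopen(path, "w") on accept will still overwrite it. A direct check such as `if (access(path, F_OK) == 0)` reports existence regardless of read permission and needs no fclose()/reset pair, assuming unistd.h is already included for read(). The check remains advisory only, since the actual open happens later in chat_accept; the enclosing function begins before the hunk.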