• info
• discussion
• exploit
• solution
• references

BitchX Remote cannot_join_channel() Buffer Overflow Vulnerability

Solution:
Slackware has released an advisory (SSA:2003-141-02) and fixes. Information about obtaining and applying fixes are available in the referenced advisory.

Debian has released an advisory (DSA 306-1). Information about obtaining and applying fixes are available in the referenced advisory.

Gentoo has released bitchx-1.0.19-r5 which addresses this issue. Users are advised to upgrade by performing the following commands:

emerge sync
emerge bitchx
emerge clean

Conectiva has released an advisory (CLA-2003:655) and fixes for this issue. Links to fixed packages can be found in the attached advisory. Alternatively, users can use the apt tool:

apt-get update
apt-get upgrade

An unofficial and untested patch has been released by caf@guarana.org.

It has been reported that these issues have been addressed in the current cvs tree.


BitchX IRC Client 1.0 c19

• caf@guarana.org 1.0c19-evil-server.patch
  Unofficial patch.
  http://downloads.securityfocus.com/vulnerabilities/patches/1.0c19-evil -server.patch


• Debian bitchx-dev_1.0-0c19-1.1_alpha.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-dev_1 .0-0c19-1.1_alpha.deb


• Debian bitchx-dev_1.0-0c19-1.1_arm.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-dev_1 .0-0c19-1.1_arm.deb


• Debian bitchx-dev_1.0-0c19-1.1_hppa.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-dev_1 .0-0c19-1.1_hppa.deb


• Debian bitchx-dev_1.0-0c19-1.1_i386.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-dev_1 .0-0c19-1.1_i386.deb


• Debian bitchx-dev_1.0-0c19-1.1_ia64.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-dev_1 .0-0c19-1.1_ia64.deb


• Debian bitchx-dev_1.0-0c19-1.1_m68k.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-dev_1 .0-0c19-1.1_m68k.deb


• Debian bitchx-dev_1.0-0c19-1.1_mips.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-dev_1 .0-0c19-1.1_mips.deb


• Debian bitchx-dev_1.0-0c19-1.1_mipsel.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-dev_1 .0-0c19-1.1_mipsel.deb


• Debian bitchx-dev_1.0-0c19-1.1_powerpc.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-dev_1 .0-0c19-1.1_powerpc.deb


• Debian bitchx-dev_1.0-0c19-1.1_s390.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-dev_1 .0-0c19-1.1_s390.deb


• Debian bitchx-dev_1.0-0c19-1.1_sparc.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-dev_1 .0-0c19-1.1_sparc.deb


• Debian bitchx-gtk_1.0-0c19-1.1_alpha.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c19-1.1_alpha.deb


• Debian bitchx-gtk_1.0-0c19-1.1_arm.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c19-1.1_arm.deb


• Debian bitchx-gtk_1.0-0c19-1.1_hppa.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c19-1.1_hppa.deb


• Debian bitchx-gtk_1.0-0c19-1.1_i386.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c19-1.1_i386.deb


• Debian bitchx-gtk_1.0-0c19-1.1_ia64.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c19-1.1_ia64.deb


• Debian bitchx-gtk_1.0-0c19-1.1_m68k.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c19-1.1_m68k.deb


• Debian bitchx-gtk_1.0-0c19-1.1_mips.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c19-1.1_mips.deb


• Debian bitchx-gtk_1.0-0c19-1.1_mipsel.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c19-1.1_mipsel.deb


• Debian bitchx-gtk_1.0-0c19-1.1_powerpc.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c19-1.1_powerpc.deb


• Debian bitchx-gtk_1.0-0c19-1.1_s390.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c19-1.1_s390.deb


• Debian bitchx-gtk_1.0-0c19-1.1_sparc.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c19-1.1_sparc.deb


• Debian bitchx-ssl_1.0-0c19-1.1_alpha.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-ssl_1 .0-0c19-1.1_alpha.deb


• Debian bitchx-ssl_1.0-0c19-1.1_arm.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-ssl_1 .0-0c19-1.1_arm.deb


• Debian bitchx-ssl_1.0-0c19-1.1_hppa.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-ssl_1 .0-0c19-1.1_hppa.deb


• Debian bitchx-ssl_1.0-0c19-1.1_i386.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-ssl_1 .0-0c19-1.1_i386.deb


• Debian bitchx-ssl_1.0-0c19-1.1_ia64.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-ssl_1 .0-0c19-1.1_ia64.deb


• Debian bitchx-ssl_1.0-0c19-1.1_m68k.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-ssl_1 .0-0c19-1.1_m68k.deb


• Debian bitchx-ssl_1.0-0c19-1.1_mips.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-ssl_1 .0-0c19-1.1_mips.deb


• Debian bitchx-ssl_1.0-0c19-1.1_mipsel.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-ssl_1 .0-0c19-1.1_mipsel.deb


• Debian bitchx-ssl_1.0-0c19-1.1_powerpc.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-ssl_1 .0-0c19-1.1_powerpc.deb


• Debian bitchx-ssl_1.0-0c19-1.1_s390.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-ssl_1 .0-0c19-1.1_s390.deb


• Debian bitchx-ssl_1.0-0c19-1.1_sparc.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-ssl_1 .0-0c19-1.1_sparc.deb


• Debian bitchx_1.0-0c19-1.1_alpha.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c19-1.1_alpha.deb


• Debian bitchx_1.0-0c19-1.1_arm.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c19-1.1_arm.deb


• Debian bitchx_1.0-0c19-1.1_hppa.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c19-1.1_hppa.deb


• Debian bitchx_1.0-0c19-1.1_i386.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c19-1.1_i386.deb


• Debian bitchx_1.0-0c19-1.1_ia64.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c19-1.1_ia64.deb


• Debian bitchx_1.0-0c19-1.1_m68k.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c19-1.1_m68k.deb


• Debian bitchx_1.0-0c19-1.1_mips.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c19-1.1_mips.deb


• Debian bitchx_1.0-0c19-1.1_mipsel.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c19-1.1_mipsel.deb


• Debian bitchx_1.0-0c19-1.1_powerpc.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c19-1.1_powerpc.deb


• Debian bitchx_1.0-0c19-1.1_s390.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c19-1.1_s390.deb


• Debian bitchx_1.0-0c19-1.1_sparc.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c19-1.1_sparc.deb


• Slackware bitchx-1.0c19-i386-3.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/b itchx-1.0c19-i386-3.tgz


• Slackware bitchx-1.0c19-i386-3.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/b itchx-1.0c19-i386-3.tgz

BitchX IRC Client 1.0 c16

• Debian bitchx-gtk_1.0-0c16-2.1_alpha.deb
  Debian GNU/Linux 2.2 alias potato
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c16-2.1_alpha.deb


• Debian bitchx-gtk_1.0-0c16-2.1_arm.deb
  Debian GNU/Linux 2.2 alias potato
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c16-2.1_arm.deb


• Debian bitchx-gtk_1.0-0c16-2.1_i386.deb
  Debian GNU/Linux 2.2 alias potato
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c16-2.1_i386.deb


• Debian bitchx-gtk_1.0-0c16-2.1_m68k.deb
  Debian GNU/Linux 2.2 alias potato
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c16-2.1_m68k.deb


• Debian bitchx-gtk_1.0-0c16-2.1_powerpc.deb
  Debian GNU/Linux 2.2 alias potato
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c16-2.1_powerpc.deb


• Debian bitchx-gtk_1.0-0c16-2.1_sparc.deb
  Debian GNU/Linux 2.2 alias potato
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx-gtk_1 .0-0c16-2.1_sparc.deb


• Debian bitchx_1.0-0c16-2.1_alpha.deb
  Debian GNU/Linux 2.2 alias potato
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c16-2.1_alpha.deb


• Debian bitchx_1.0-0c16-2.1_arm.deb
  Debian GNU/Linux 2.2 alias potato
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c16-2.1_arm.deb


• Debian bitchx_1.0-0c16-2.1_i386.deb
  Debian GNU/Linux 2.2 alias potato
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c16-2.1_i386.deb


• Debian bitchx_1.0-0c16-2.1_m68k.deb
  Debian GNU/Linux 2.2 alias potato
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c16-2.1_m68k.deb


• Debian bitchx_1.0-0c16-2.1_powerpc.deb
  Debian GNU/Linux 2.2 alias potato
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c16-2.1_powerpc.deb


• Debian bitchx_1.0-0c16-2.1_sparc.deb
  Debian GNU/Linux 2.2 alias potato
  http://security.debian.org/pool/updates/main/i/ircii-pana/bitchx_1.0-0 c16-2.1_sparc.deb