INN 2.4.1 urgent release

Russ Allbery rra at stanford.edu
Wed Jan 7 22:59:16 UTC 2004


Dan Riley found a potential (likely) security vulnerability in INN 2.4.0
and later (INN 2.3.x are not affected).  I'm rolling INN 2.4.1 tonight.
If anyone currently is running the STABLE release, I'd really appreciate
testing of:

    <ftp://ftp.isc.org/isc/inn/testing/inn-2.4.1.tar.gz>

before I actually kick the tarball out the door and announce it to the
general public.  I'm installing it on my systems now.

Please let me know right away if there are any problems installing it over
an existing INN 2.4 or STABLE installation.  Note that the security
vulnerability should be fixed in this release and is *not* fixed in the
current STABLE snapshots.

CURRENT is also vulnerable; I just committed the fixes and hopefully the
snapshots will update quickly.  For CURRENT users, here is the relevant
patch:

--- art.c       2003/07/12 19:40:34     1.212.2.2
+++ art.c       2004/01/07 22:25:39     1.212.2.3
@@ -1773,7 +1773,7 @@ ARTmakeoverview(CHANNEL *cp)
 bool
 ARTpost(CHANNEL *cp)
 {
-  char         *p, **groups, ControlWord[SMBUF], tmpbuff[32], **hops;
+  char         *p, **groups, ControlWord[SMBUF], **hops, *controlgroup;
   int          i, j, *isp, hopcount, oerrno, canpost;
   NEWSGROUP    *ngp, **ngptr;
   SITE         *sp;
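Review bot: controlgroup is added to the function-wide declaration line of ARTpost with no initializer, although the only visible use is inside the single `if (IsControl && Accepted && !ToGroup)` block. Declaring it in that block, or initializing it to NULL here, would keep a later edit from reading or freeing it on a path where it was never assigned. ControlWord[SMBUF] stays a fixed-size buffer on the same line, so the code that fills it still has to be bounded by SMBUF; a short comment saying where that is enforced would help, since the removed tmpbuff[32] was being filled with "control." plus that same ControlWord.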
@@ -2184,9 +2184,10 @@ ARTpost(CHANNEL *cp)
    * or control. */
   if (IsControl && Accepted && !ToGroup) {
     ControlStore = true;
-    FileGlue(tmpbuff, "control", '.', ControlWord);
-    if ((ngp = NGfind(tmpbuff)) == NULL)
+    controlgroup = concat("control.", ControlWord, (char *) 0);
+    if ((ngp = NGfind(controlgroup)) == NULL)
       ngp = NGfind(ARTctl);
+    free(controlgroup);
     ngp->PostCount = 0;
     ngptr = GroupPointers;
     *ngptr++ = ngp;
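Review bot: the return value of `concat("control.", ControlWord, (char *) 0)` is passed straight to NGfind and then to free with no check. If concat can return NULL on allocation failure, a check is needed before the NGfind call; if it aborts on failure instead, a one-line comment saying so would settle the question for the next reader. Separately, in the unchanged context the fallback `ngp = NGfind(ARTctl)` is followed immediately by `ngp->PostCount = 0` with no NULL test, so a missing ARTctl group would be dereferenced; it is worth either checking that result or documenting why it cannot be NULL. The free(controlgroup) placement is right in that it runs on both branches of the lookup.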

This is a patch against STABLE but should apply to CURRENT with some fuzz.

As soon as we get this release out the door, I'm going to see about making
FileGlue go away completely in the innd source; it's too easy to misuse by
accident.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.

