[DRAFT] INN: Buffer overflow in control message handling
Russ Allbery
rra at stanford.edu
Wed Jan 7 23:48:37 UTC 2004
[ This is the draft security release, which will go out together with the
release announcement. Please send me any comments. I'm going to be in
a day-job meeting starting at 4pm Pacific until 5pm or 5:30pm and then
will return to send these announcements out and move the new release
into place. newsfeed.stanford.edu is currently running 2.4.1 and seems
content. ]
From: Russ Allbery <rra at isc.org>
To: inn-announce at isc.org, bugtraq at securityfocus.com
Newsgroups: news.software.nntp
Subject: [SECURITY] INN: Buffer overflow in control message handling
Organization: Internet Software Consortium
A buffer overflow has been discovered in a portion of the control message
handling code introduced in INN 2.4.0. It is fairly likely that this
overflow could be remotely exploited to gain access to the user innd runs
as. INN 2.3.x and earlier are not affected. The INN CURRENT tree is
affected.
INN 2.4.1 has just been released with a fix for this issue and various
other accumulated patches. We strongly urge anyone running INN 2.4.0 or
any STABLE snapshot to upgrade to this version, or apply the attached
patch to their source tree and reinstall with make update. There should
be no incompatibilities between INN 2.4.1 and INN 2.4.0 or STABLE
snapshots.
We apologize for this problem, which was caused by misuse of static
buffers and a dangerous internal INN function that we intend to remove
completely in the next stable release. The current development branch has
already been converted almost entirely to strlcpy, strlcat, and other safe
string handling routines and that conversion should be complete in the INN
2.5.0 release.
Following is a patch against INN 2.4.0. It should also apply to a current
STABLE or CURRENT snapshot if you use patch -l to apply it.
--- inn-2.4.0/innd/art.c.orig 2003-05-04 15:10:14.000000000 -0700
+++ inn-2.4.0/innd/art.c 2004-01-07 15:25:08.000000000 -0800
@@ -1773,7 +1773,7 @@
bool
ARTpost(CHANNEL *cp)
{
- char *p, **groups, ControlWord[SMBUF], tmpbuff[32], **hops;
+ char *p, **groups, ControlWord[SMBUF], **hops, *controlgroup;
int i, j, *isp, hopcount, oerrno, canpost;
NEWSGROUP *ngp, **ngptr;
SITE *sp;
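Review bot: `controlgroup` is declared uninitialized here and, in the following hunk, is only assigned inside the `if (IsControl && Accepted && !ToGroup)` block; initialize it at the declaration (`char *controlgroup = NULL;`) so that any future `free(controlgroup)` reached outside that block frees NULL rather than a stack garbage pointer. Removing `tmpbuff[32]` is the substantive fix: with the `"control."` prefix taking 8 bytes, that buffer left only 23 bytes for the control word plus its terminator, and nothing in the old glue call bounded the word to that.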
@@ -2185,9 +2185,10 @@
* or control. */
if (IsControl && Accepted && !ToGroup) {
ControlStore = true;
- FileGlue(tmpbuff, "control", '.', ControlWord);
- if ((ngp = NGfind(tmpbuff)) == NULL)
+ controlgroup = concat("control.", ControlWord, (char *) 0);
+ if ((ngp = NGfind(controlgroup)) == NULL)
ngp = NGfind(ARTctl);
+ free(controlgroup);
ngp->PostCount = 0;
ngptr = GroupPointers;
*ngptr++ = ngp;
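Review bot: `free(controlgroup)` is placed before `ngp->PostCount = 0;`, which is only safe if `NGfind()` does not retain a reference to the name string it is passed; confirm that in NGfind, or move the free past the last use of `ngp` if it does. Separately, the unchanged fallback `ngp = NGfind(ARTctl);` is dereferenced on the next line without a NULL check, so a missing `control` group is a pre-existing crash rather than something this fix introduces; worth a follow-up. The `(char *) 0` sentinel is the correct terminator for the variadic `concat()` and should stay as written.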
Thanks to Dan Riley for his prompt and detailed report and debugging
assistance.
Russ Allbery
Katsuhiro Kondou
inn at isc.org
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
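The pattern behind this bug, as an added example that is not INN's code: a fixed 32-byte stack buffer filled with "control." plus a caller-supplied control word, beside a bounded snprintf replacement and a heap-sized build in the shape of the patch's concat(). All `demo_` names, the glue function and the sample control words are hypothetical; INN's FileGlue, concat and NGfind are not used.

```c
/* Added example (not INN's code): the fixed-buffer glue pattern the advisory
 * describes, plus two safe replacements. All demo_ names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_TMPBUFF_LEN 32             /* same size as the removed tmpbuff[32] */
#define DEMO_CONTROL_PREFIX "control."  /* 8 bytes, leaving 23 for word + NUL   */

/* Unsafe glue in the style the advisory describes: the destination size is
 * never consulted, so a word longer than 23 bytes writes past a 32-byte dst.
 * Only ever call this with input already known to fit. */
static void demo_unsafe_glue(char *dst, const char *prefix, char sep, const char *word)
{
    strcpy(dst, prefix);
    size_t len = strlen(dst);
    dst[len] = sep;
    strcpy(dst + len + 1, word);
}

/* Bytes that "control.<word>" needs, including the terminating NUL. */
static size_t demo_needed_len(const char *word)
{
    return strlen(DEMO_CONTROL_PREFIX) + strlen(word) + 1;
}

/* True if gluing this word into a DEMO_TMPBUFF_LEN buffer would overflow it. */
static bool demo_would_overflow(const char *word)
{
    return demo_needed_len(word) > DEMO_TMPBUFF_LEN;
}

/* Bounded replacement: builds the name in a caller-supplied buffer and reports
 * truncation instead of overflowing. snprintf returns the length the full
 * string would have had, so n >= dstlen means it did not fit. */
static bool demo_safe_control_group(char *dst, size_t dstlen, const char *word)
{
    int n = snprintf(dst, dstlen, "%s%s", DEMO_CONTROL_PREFIX, word);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen > 0)
            dst[0] = '\0';
        return false;
    }
    return true;
}

/* Heap replacement in the shape of the patch's concat(): the buffer is sized
 * from the inputs, so no control word length can overflow it. Caller frees. */
static char *demo_control_group_alloc(const char *word)
{
    size_t plen = strlen(DEMO_CONTROL_PREFIX);
    char *out = malloc(demo_needed_len(word));
    if (out == NULL)
        return NULL;
    memcpy(out, DEMO_CONTROL_PREFIX, plen);
    memcpy(out + plen, word, strlen(word) + 1);
    return out;
}

/* Builds the heap form, compares it, and frees it; true on an exact match. */
static bool demo_alloc_equals(const char *word, const char *expected)
{
    char *built = demo_control_group_alloc(word);
    if (built == NULL)
        return false;
    bool same = strcmp(built, expected) == 0;
    free(built);
    return same;
}

int main(void)
{
    char buf[DEMO_TMPBUFF_LEN];
    const char *short_word = "cancel";
    /* Constructed input: 24 'x', one byte more than the 23 that fit. */
    const char *long_word = "xxxxxxxx" "xxxxxxxx" "xxxxxxxx";

    demo_unsafe_glue(buf, "control", '.', short_word);   /* fits: 15 bytes */
    printf("%s\n", buf);
    printf("24-byte word would overflow tmpbuff: %s\n",
           demo_would_overflow(long_word) ? "yes" : "no");
    printf("bounded build of that word: %s\n",
           demo_safe_control_group(buf, sizeof buf, long_word) ? "ok" : "rejected");
    char *heap = demo_control_group_alloc(long_word);
    if (heap != NULL) {
        printf("heap build: %s\n", heap);
        free(heap);
    }
    return 0;
}
```

The bounded form is the right shape for a stack buffer that must stay fixed-size: a rejected build is a rejected control message, not a corrupted frame. The heap form is what the 2.4.1 patch chose, and it has the property the advisory asks for, that the buffer length is derived from the data rather than from a constant picked when the code was written.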
More information about the inn-workers
mailing list