BitchX mode change denial of service

bitchx-mode-change-dos (12008)

Low Risk

Description:

BitchX is vulnerable to a denial of service. If a remote attacker could cause specific mode changes to occur, the attacker could cause the client to crash.

Platforms Affected:

• Colten Edwards, BitchX 1.0 c20cvs - prior
• Conectiva, Linux 6.0
• Conectiva, Linux 7.0
• Conectiva, Linux 8.0
• Conectiva, Linux 9.0
• MandrakeSoft, Mandrake Linux 9.0
• MandrakeSoft, Mandrake Linux 9.1 PPC
• MandrakeSoft, Mandrake Linux 9.1

Remedy:

Upgrade to the current CVS snapshot of Bitchx (1.0 c20-cvs-05092003 or later), available from the BitchX Web site. See References.

For Conectiva Linux:
Upgrade to the latest BitchX package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2003:655 for more information. See References.

Conectiva Linux 6.0: 1.0c18-1U60_2cl or later
Conectiva Linux 7.0: 1.0c18-1U70_2cl or later
Conectiva Linux 8: 1.0c18-17U80_2cl or later
Conectiva Linux 9: 1.0c18-29203U90_1cl or later

For Mandrake Linux:
Upgrade to the latest BitchX package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:069 : BitchX for more information. See References.

Mandrake Linux 9.0: 1.0-0.c19.3.1mdk or later
Mandrake Linux 9.1: 1.0-0.c19.4.1mdk or later

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Denial of Service

References:

• BitchX Web site, Offical BitchX Homepage at http://www.bitchx.org/download.php.
• BugTraq Mailing List, Sat May 10 2003 - 13:40:07 CDT, BitchX: Crash when channel modes change at http://archives.neohapsis.com/archives/bugtraq/2003-05/0114.html.
• Conectiva Linux Security Announcement CLSA-2003:655, BitchX at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000655.
• BID-7551: BitchX Mode Change Denial Of Service Vulnerability
• CVE-2003-0334: BitchX IRC client 1.0c20cvs and earlier allows attackers to cause a denial of service (core dump) via certain channel mode changes that are not properly handled in names.c.
• MDKSA-2003:069: Updated BitchX packages fix DoS vulnerability

Reported:

May 10, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page