Gentoo Logo

bip: Multiple vulnerabilities

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 201201-18 / bip
Release Date January 30, 2012
Latest Revision January 30, 2012: 1
Impact high
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-irc/bip < 0.8.8-r1 >= 0.8.8-r1 All supported architectures

Related bugreports: #336321, #400599

Synopsis

Multiple vulnerabilities in bip might allow remote unauthenticated attackers to cause a Denial of Service or possibly execute arbitrary code.

2.  Impact Information

Background

bip is a multi-user IRC proxy with SSL support.

Description

Multiple vulnerabilities have been discovered in bip:

  • Uli Schlachter reported that bip does not properly handle invalid data during authentication, resulting in a daemon crash (CVE-2010-3071).
  • Julien Tinnes reported that bip does not check the number of open file descriptors against FD_SETSIZE, resulting in a stack buffer overflow (CVE-2012-0806).

Impact

A remote attacker could exploit these vulnerabilities to execute arbitrary code with the privileges of the user running the bip daemon, or cause a Denial of Service condition.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All bip users should upgrade to the latest version:

Code Listing 3.1: Resolution

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-irc/bip-0.8.8-r1"

NOTE: The CVE-2010-3071 flaw was already corrected in an earlier version of bip and is included in this advisory for completeness.

4.  References



Print

Page updated January 30, 2012

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.