Debian Security Advisory

DSA-099-1 xchat -- IRC session hijacking

Date Reported:
12 Jan 2002
Affected Packages:
XChat
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2002-0006.
More information:

zen-parse discovered a vulnerability in the IRC client XChat that allows an attacker to take over users' IRC sessions.

It is possible to trick XChat IRC clients into sending arbitrary commands to the IRC server they are connected to, which potentially opens the door to social engineering attacks (tricking others into revealing confidential information about their system) and denial of service attacks. This problem exists in versions 1.4.2 and 1.4.3. Later versions of XChat are also vulnerable, but the behaviour is controlled by the configuration variable "percascii", which is set to 0 by default. If it is set to 1, the problem also appears in versions 1.6/1.8.

This problem has been fixed in upstream version 1.8.7 and in version 1.4.3-1 for the current stable Debian release (2.2), with a patch provided by the upstream author, Peter Zelezny. We recommend that you upgrade your XChat packages immediately, since this problem is already being exploited.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:
http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3-1.dsc
http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3-1.diff.gz
Architecture-independent component:
http://security.debian.org/dists/stable/updates/main/binary-all/xchat-common_1.4.3-1_all.deb
Alpha:
http://security.debian.org/dists/stable/updates/main/binary-alpha/xchat-gnome_1.4.3-1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/xchat-text_1.4.3-1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/xchat_1.4.3-1_alpha.deb
ARM:
http://security.debian.org/dists/stable/updates/main/binary-arm/xchat-gnome_1.4.3-1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/xchat-text_1.4.3-1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/xchat_1.4.3-1_arm.deb
Intel ia32:
http://security.debian.org/dists/stable/updates/main/binary-i386/xchat-gnome_1.4.3-1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/xchat-text_1.4.3-1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/xchat_1.4.3-1_i386.deb
Motorola 680x0:
http://security.debian.org/dists/stable/updates/main/binary-m68k/xchat_1.4.3-1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/xchat-gnome_1.4.3-1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/xchat-text_1.4.3-1_m68k.deb
PowerPC:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/xchat-gnome_1.4.3-1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/xchat_1.4.3-1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/xchat-text_1.4.3-1_powerpc.deb
Sun Sparc:
http://security.debian.org/dists/stable/updates/main/binary-sparc/xchat-text_1.4.3-1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/xchat-gnome_1.4.3-1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/xchat_1.4.3-1_sparc.deb

MD5 checksums of the listed files are available in the original security advisory.