From matthias.andree@gmx.de Mon Dec 30 04:28:26 2002
From: Matthias Andree
To: vulnwatch@vulnwatch.org, leafnode-announce@lists.sourceforge.net, bugtraq@securityfocus.com
Date: Sun, 29 Dec 2002 21:50:23 +0100
Subject: [VulnWatch] Leafnode security announcement SA:2002:01

leafnode-SA-2002:01.versions

Topic:           vulnerabilities in leafnode
Announcement:    leafnode-SA-2002:01
Writer:          Matthias Andree
Version:         1.00
Announced:       2002-12-29
Category:        main
Type:            denial of service
Impact:          CPU busy loop
Credits:         Jan Knutar (jknutar, nic dot fi), for finding the bug
                 Mark Brown (broonie, debian dot org), for pointing out DoS capability
Danger:          medium (only trusted users should be able to connect to leafnode, unless it was installed improperly)
Affects:         leafnode 1.9.20 up to 1.9.29
Not affected:    leafnode 1.9.30 and 1.9.31
Default install: unaffected
Introduced:      2002-03-14 23:41:40 UTC (CVS)
                 2002-03-25 20:58 leafnode 1.9.20 released
Corrected:       2002-11-08 17:14:41 UTC (CVS) - committed corrected version
                 2002-12-04 00:40 leafnode 1.9.30 released

0. Release history

2002-12-29 1.00 initial announcement

1. Background

leafnode is a store-and-forward proxy for Usenet news; it uses the Network News Transfer Protocol (NNTP). It consists of several collaborating programs: the server part is usually started by inetd, xinetd or tcpserver, the client part is usually started by cron or manually.

This security announcement pertains to leafnode-1, the stable branch. The leafnode-2 development branch has not yet seen a stable release, so it is not subject to security announcements.

2. Problem description

A vulnerability was found in the leafnode program (the NNTP server): it may go into an infinite loop with 100% CPU use when an article has been crossposted to several groups, one of which is a prefix of another group's name, and this article is then requested by its Message-ID.

Note that one newsgroup name MUST NOT be a prefix of another newsgroup's name; these problems do show up, however, in badly-maintained or anarchistic hierarchies such as alt.* or free.*.

3. Impact

This vulnerability can make leafnode's nntpd server, named leafnode, go into an unterminated loop when a particular article is requested. The connection becomes unresponsive and the server hogs the CPU. The client will have to terminate the connection and connect again, and may fall prey to the same problem; ultimately, there may be so many leafnode processes hogging the CPU that no serious work is possible any more and the super user has to kill all running leafnode processes.

4. Workaround

No sane workaround can be presented.

5. Solution

Upgrade your leafnode package to version 1.9.30 or 1.9.31, or apply the patch below and recompile and reinstall. Note that leafnode 1.9.X versions are stable, and it is usually best to go for the latest released 1.9.X version to have all the other bug fixes as well.

Note that while leafnode 1.9.19 is unaffected, it has other critical bugs: it can corrupt parts of its news spool under certain circumstances and should not be used. The details are however not subject of this security announcement, as these problems are believed not to be security problems.

leafnode 1.9.31 is available from sourceforge:
http://sourceforge.net/project/showfiles.php?group_id=57767&release_id=130347

6. Solution details

revision 1.83
date: 2002/11/08 17:14:41; author: emma; state: Exp; lines: +1 -1

A. References

leafnode home page: http://www.leafnode.org/

B.
Patch

diff -u -C4 -r1.81 -r1.83 *** nntpd.c 24 Sep 2002 16:04:01 -0000 1.81 - --- nntpd.c 8 Nov 2002 17:14:41 -0000 1.83 *************** *** 520,527 **** - --- 520,528 ---- localartno = strtoul(q, NULL, 10); markgroup = group->name; break; } + p = q; } } /* if we don't have a localartno, then we need to mark this * article in a different news group */
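Review bot: The loop's termination now rests entirely on the single added `p = q;` after the inner block, yet the hunk carries no comment saying so; a one-line note such as `/* advance scan start past a prefix match so the loop terminates */` would keep a future cleanup from dropping it. The context shown does not include where `q` is computed, so the reviewer cannot see from the hunk alone that `q` is always strictly past `p` at this point; if `q` can equal `p`, the scan still makes no progress, and that invariant is worth confirming (or asserting) in the surrounding code.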
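The bug class from section 2 and the shape of the fix in section B, as a constructed C illustration that is not leafnode's nntpd.c: a scan over an Xref-style line looks up a group's article number, a group name that is a prefix of another (alt.foo inside alt.foo.bar) produces a false hit, and the buggy variant never advances the scan start, so it would spin forever; an iteration bound turns that into an error return here. The Xref line, the group names and the MAX_ITER guard are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample, not taken from a real spool: the article is
 * crossposted to alt.foo.bar and alt.foo, and alt.foo is a prefix
 * of alt.foo.bar. */
static const char XREF_SAMPLE[] = "news.example alt.foo.bar:34 alt.foo:12";

/* Bound on scan iterations so the buggy variant reports -1 instead of
 * spinning at 100% CPU like the vulnerable leafnode versions. */
#define MAX_ITER 1000

/* Return the article number of `group` from an Xref-style line, -2 if
 * the group is absent, -1 if the scan failed to make progress.
 * A hit counts only when it is preceded by a space and followed by ':';
 * otherwise it is a prefix hit on a longer group name and the scan
 * must continue past it. `advance` selects the fixed (1) or buggy (0)
 * handling of that case. */
static long find_artno(const char *xref, const char *group, int advance)
{
    const char *p = xref;      /* where the next strstr starts */
    const char *q;             /* current candidate match */
    size_t len = strlen(group);
    int iter = 0;

    while ((q = strstr(p, group)) != NULL) {
        if (++iter > MAX_ITER)
            return -1;         /* no progress: the busy loop */
        if (q > xref && q[-1] == ' ' && q[len] == ':')
            return strtol(q + len + 1, NULL, 10);
        if (advance)
            p = q + len;       /* fixed: resume after the prefix hit */
        /* buggy: p is left unchanged, so strstr finds the same q again */
    }
    return -2;
}

int main(void)
{
    printf("fixed: alt.foo -> %ld\n", find_artno(XREF_SAMPLE, "alt.foo", 1));
    printf("buggy: alt.foo -> %ld\n", find_artno(XREF_SAMPLE, "alt.foo", 0));
    return 0;
}
```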