[NEWS] Vulnerabilities in Leafnode

From: support@securiteam.com
Date: 01/05/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 5 Jan 2003 10:54:19 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Vulnerabilities in Leafnode
    ------------------------------------------------------------------------

    SUMMARY

    leafnode <http://www.leafnode.org/> is a store-and-forward proxy for
    Usenet news; it uses the Network News Transfer Protocol (NNTP). It
    consists of several collaborating programs: the server part is usually
    started by inetd, xinetd or tcpserver, and the client part is usually
    started by cron or manually.

    This security announcement pertains to leafnode-1, the stable branch.

    The leafnode-2 development branch has not yet seen a stable release, so it
    is not subject to security announcements.

    DETAILS

    A vulnerability was found in the leafnode program (the NNTP server): it
    may go into an infinite loop with 100% CPU use when an article has been
    crossposted to several groups, one of which is the prefix of another,
    and this article is then requested by its Message-ID.

    Note though that one newsgroup name MUST NOT be the prefix of another
    newsgroup's name; these problems show up, however, in badly-maintained or
    anarchistic hierarchies such as alt.* or free.*.
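
The loop condition described above, modelled as an added example (this is not leafnode's nntpd.c; the Xref-style header layout, the helper name find_artno and the step budget are assumptions made for illustration). It contrasts a scan that never moves past a prefix-only match with one that does:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: "alt.test" is a prefix of "alt.test.more". */
static const char SAMPLE_XREF[] = "news.example alt.test.more:7 alt.test:42";

/*
 * Hypothetical helper: find "<group>:<artno>" in an Xref-style string.
 * advance_on_mismatch = 0 models a scan that forgets to move past a
 * prefix-only hit; 1 models the corrected scan.
 * Returns the article number, 0 if the group is absent, or -1 when the
 * step budget runs out (the stand-in for the endless loop).
 */
long find_artno(const char *xref, const char *group, int advance_on_mismatch)
{
    size_t glen = strlen(group);
    const char *p = xref;
    int budget = 1000;          /* guard so the demonstration terminates */

    while (budget-- > 0) {
        const char *q = strstr(p, group);
        if (q == NULL)
            return 0;
        /* A real hit starts a token and is followed directly by ':'. */
        int token_start = (q == xref) || (q[-1] == ' ');
        if (token_start && q[glen] == ':')
            return (long)strtoul(q + glen + 1, NULL, 10);
        if (advance_on_mismatch)
            p = q + 1;          /* skip the prefix-only hit */
        /* else: p is unchanged, so strstr() returns the same q again */
    }
    return -1;
}

int main(void)
{
    printf("no advance:   %ld\n", find_artno(SAMPLE_XREF, "alt.test", 0));
    printf("with advance: %ld\n", find_artno(SAMPLE_XREF, "alt.test", 1));
    printf("exact group:  %ld\n", find_artno(SAMPLE_XREF, "alt.test.more", 0));
    return 0;
}
```

Without the budget, the first call would spin at full CPU, which is the behaviour the Impact section describes for each affected connection.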

    Impact:
    This vulnerability can make leafnode's nntpd server, named leafnode, go
    into a loop that never terminates when a particular article is requested.
    The connection becomes unresponsive, and the server hogs the CPU. The
    client will have to terminate the connection and connect again, and may
    fall prey to the same problem; ultimately, there may be so many leafnode
    processes hogging the CPU that no serious work is possible any more and
    the super user has to kill all running leafnode processes.

    Workaround:
    No sane workaround can be presented.

    Solution:
    Upgrade your leafnode package to version 1.9.30 or 1.9.31, or apply the
    patch below and recompile and reinstall. Note that leafnode 1.9.X versions
    are stable, and it is usually best to go for the latest released 1.9.X
    version to have all the other bug fixes as well.

    Note that while leafnode 1.9.19 is unaffected, it has other critical bugs:
    it can corrupt parts of its news spool under certain circumstances and
    should not be used. The details are, however, not the subject of this
    security announcement, as these problems are believed not to be security
    problems.

    leafnode 1.9.31 is available from sourceforge:
    <http://sourceforge.net/project/showfiles.php?group_id=57767&release_id=130347>

    Solution details:
    Revision 1.83 date: 2002/11/08 17:14:41; author: emma; state: Exp; lines: +1 -1

    Patch:
    diff -u -C4 -r1.81 -r1.83
    *** nntpd.c 24 Sep 2002 16:04:01 -0000 1.81
    - --- nntpd.c 8 Nov 2002 17:14:41 -0000 1.83
    ***************
    *** 520,527 ****
    - --- 520,528 ----
      localartno = strtoul(q, NULL, 10);
      markgroup = group->name;
      break;
          }
    + p = q;
      }
          }
          /* if we don't have a localartno, then we need to mark this
           * article in a different news group */
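
    Review bot: the added `p = q;` after the inner block's closing brace has no comment, yet per the advisory text it is what stops the scan from repeating forever when one group name matches only as a prefix of another; add a one-line comment stating that, so the assignment is not dropped in a later cleanup. Separately, `strtoul(q, NULL, 10)` in the context lines passes NULL as the end pointer, so a field that is not a number yields 0 without being noticed; consider passing an end pointer and checking it before trusting `localartno`.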

    ADDITIONAL INFORMATION

    The information has been provided by Matthias Andree
    <mailto:matthias.andree@gmx.de>.
