bitchx / bitchx1.3 Goto Github PK

Subject: Remote DoS Vulnerability in bitchx, ircii < 20210314 and scrollz

Hi,

i discovered a remote DoS vulnerability (crash) that effects bitchx, ircii and
scrollz.

Its unknown if this could also be used for arbitrary code execution.

Affected Versions:

This bug is very old and affects any version, except
ircii-20210314, which got a fix.

CVE Name:

none yet

Problem Description:

ircii has a bug in parsing CTCP UTC messages. bitchx and scrollz are forks of
ircii and inherited that feature and bug.

Impact:

A malicious irc user could nuke any other irc user that uses bitchx, ircii or
scrollz out of irc (crash their irc client) by connecting to the same irc
network and sending a malicious CTCP UTC message.

Solution:

For ircii: Update to ircii-20210314
For bitchx and scrollz: none yet

History:

20210302 Vulnerability and PoC reported to:
bitchx - [email protected]
ircii - [email protected]
scrollz - [email protected]
20210314 ircii released a fixed version
BitchX has not

No recent updates? :(

Compiling on Debian with latest libssl-dev package fails. Configure reports that SSL is not found on the system.

   checking for SSLeay in -lcrypto... no
   configure: WARNING: OpenSSL not found, will not have SSL support.

and:

configure: error: --with-ssl given, but could not find OpenSSL.

This looks to be due to the SSL check:

case "$with_ssl" in
    yes|check)
      AC_CHECK_LIB([crypto], [SSLeay], [], [], [])
      if test x"$ac_cv_lib_crypto_SSLeay" = x"yes"; then
        AC_CHECK_LIB([ssl], [SSL_accept], [], [], [])
      fi
      if test x"$ac_cv_lib_ssl_SSL_accept" = x"yes"; then
        dnl This would be unnecessary if we used HAVE_LIBSSL in the code
        AC_DEFINE(HAVE_SSL, 1, Define this if the system has SSL support.)
      else
        if test x"$with_ssl" = x"yes"; then
          AC_MSG_FAILURE([--with-ssl given, but could not find OpenSSL.])
        else
          AC_MSG_WARN([OpenSSL not found, will not have SSL support.])
        fi
      fi
      ;;
esac

Using the original test case for SSL in configure.in from BitchX 1.2 sf git succeeds:

case "$with_ssl" in
    yes|check)
      AC_CHECK_LIB([crypto], [ERR_get_error], [], [], [])
      AS_IF([test x"$ac_cv_lib_crypto_ERR_get_error" = x"yes"], [AC_CHECK_LIB([ssl], [SSL_accept], [], [], [])], [])
      AS_IF([test x"$ac_cv_lib_ssl_SSL_accept" != x"yes"],
          [AS_IF([test x"$with_ssl" = x"yes"],
		    [AC_MSG_FAILURE([--with-ssl given, but could not find OpenSSL.])],
            [AC_MSG_WARN([OpenSSL not found, will not have SSL support.])])
          ], [])
      ;;
esac

This has been tested and confirmed successfully on Debian 11, FreeBSD 13 and Mac OS Catalina 10.15.7 .

When will you enable UTF8 support?

Autoconf does not properly detect GLIB2 and GTK2.

Was it removed?

https://www.ilmarilauhakangas.fi/irc_technology_news_from_the_first_half_of_2023/ doesn't list BitchX. Please add IRC v3 to BitchX if it doesn't have it yet.

http://www.bitchx.org is currently showing:

"Oops!
Something went wrong

Looks like this domain's DNS hosting service has expired. If you are the administrator for this domain, please log into your DNS Made Easy account and renew your services. If you do not have a DNS Made Easy account, please contact your hosting provider."