Advisory -- Possible denial of service exploit

Summary --
Some versions of epic contain buggy code that does not properly terminate at the end of string, and thus can walk off the end of the string, leading to the possibility of a segmentation fault.

Extent --
All versions of epic4 before epic4pre1.034 are *not* vulnerable. EPIC4pre2.004-19990718 is *not* vulnerable, nor are any versions after EPIC4pre2.004-19990718. All other versions are probably vulnerable.

Cause-for-alarm --
Given the right circumstances, it is possible for an untrusted, outside source to provide specially crafted data to the epic program that could result in the above bug being tickled. If the bug is tickled, it is likely that the epic program would crash.

Disclaimer --
All non-trivial software has bugs, of varying degrees. EPIC is no exception. This bug is more noteworthy because it is in theory possible for an outside source to crash your client if you have your client set up to blindly echo to your display whatever is sent to you. No evidence has been shown that this bug has been exploited, or that anyone is currently exploiting this bug.

Remedy --
Apply the following patch, or upgrade to EPIC4pre2.004-19990718 or a later version.

-- snip here --
--- screen.c.orig Fri Apr 9 11:24:35 1999
+++ screen.c Wed Aug 18 13:07:34 1999
@@ -2538,8 +2553,11 @@ */ case ('G'): { - while ((chr = next_char()) != ':') + while ((chr = next_char()) != 0 && + chr != ':') ; + if (chr == 0) + put_back(); break; }
@@ -2549,8 +2567,11 @@ */ case ('P') : { - while ((chr = next_char()) != 033) + while ((chr = next_char()) != 0 && + chr != 033) ; + if (chr == 0) + put_back(); break; }
@@ -2570,6 +2591,8 @@ { while ((chr = next_char()) != 0 && chr != 7) ; + if (chr == 0) + put_back(); break; }
-- snip here --
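Review bot: In the `case ('G')` hunk (`@@ -2538,8 +2553,11 @@`), the new `if (chr == 0) put_back();` has no comment saying why the NUL is pushed back; the reason (the caller's own loop must still read the terminating 0, since `next_char()` has already stepped past it) is not obvious from the three lines and a one-line comment such as `/* leave the NUL for the caller's loop */` would keep the next editor from "simplifying" it away.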
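Review bot: The `case ('P')` hunk (`@@ -2549,8 +2567,11 @@`) is the second copy of the same loop, differing only in the terminator (`033` instead of `':'`); with the third hunk that makes three hand-written instances of `while ((chr = next_char()) != 0 && chr != X) ; if (chr == 0) put_back();`. A small helper taking the terminator as its argument would hold the NUL check and the `put_back()` in one place, so a future `case` cannot regress to the unterminated form that caused this advisory.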
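Review bot: The third hunk (`@@ -2570,6 +2591,8 @@`) already had the `!= 0` check, so the only behavioural change there is the added `put_back()`, which brings this case in line with the other two; that is worth stating in the commit message, and it is worth confirming that `put_back()` is safe when the NUL was the very first character `next_char()` returned in this case, since all three hunks now call it unconditionally after reading a 0.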
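The bug and its fix, as an added example in C that is not code from the EPIC source: a small cursor with next_char()/put_back() semantics like the ones the patch relies on (next_char() advances even past the NUL, so stopping on it requires a put_back()), the patched "skip until terminator" loop in one helper, and a scanner that discards the ESC G ... ':' and ESC P ... ESC sequences from the first two hunks. The cursor type, the helper names and the sample strings are constructed for this example; the sequence letters and terminators are the ones in the patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the screen.c string walker (not EPIC's code). */
typedef struct {
    const char *s;   /* NUL-terminated input */
    size_t pos;      /* index of the next character to read */
} cursor_t;

/* Return the next character and advance, including past the NUL; that is
 * why the patch pushes the NUL back after stopping on it. */
static int next_char(cursor_t *c) { return (unsigned char)c->s[c->pos++]; }

static void put_back(cursor_t *c) { if (c->pos > 0) c->pos--; }

/* Pre-patch shape, for comparison only (never called): with no NUL check,
 * input that ends before the terminator is read past its end.
 *
 *     while ((chr = next_char(c)) != term) ;
 */

/* Patched shape: stop on NUL as well as the terminator, and leave the NUL
 * for the caller's loop. */
static void skip_until(cursor_t *c, int term) {
    int chr;
    while ((chr = next_char(c)) != 0 && chr != term)
        ;
    if (chr == 0)
        put_back(c);
}

/* Count displayable characters, discarding ESC G ... ':' and ESC P ... ESC
 * sequences the way the patched screen.c loops do. If consumed is non-NULL
 * it receives how far the cursor advanced, which never exceeds strlen(s). */
size_t count_visible(const char *s, size_t *consumed) {
    cursor_t c = { s, 0 };
    size_t visible = 0;
    int chr;

    while ((chr = next_char(&c)) != 0) {
        if (chr != 033) { visible++; continue; }
        switch (next_char(&c)) {
        case 'G': skip_until(&c, ':');  break;
        case 'P': skip_until(&c, 033);  break;
        case 0:   put_back(&c);         break;  /* lone ESC at end of string */
        default:  break;                        /* unknown sequence: drop both bytes */
        }
    }
    put_back(&c);   /* step back over the NUL the loop just read */
    if (consumed) *consumed = c.pos;
    return visible;
}

/* How far the scanner went; equal to strlen(s) even for truncated sequences. */
size_t consumed_len(const char *s) {
    size_t n;
    count_visible(s, &n);
    return n;
}

int main(void) {
    /* Constructed samples: a complete ESC G sequence and a truncated one. */
    const char *complete  = "ab\033Gfoo:cd";
    const char *truncated = "ab\033Gfoo";
    printf("complete:  %zu visible, %zu consumed of %zu\n",
           count_visible(complete, NULL), consumed_len(complete), strlen(complete));
    printf("truncated: %zu visible, %zu consumed of %zu\n",
           count_visible(truncated, NULL), consumed_len(truncated), strlen(truncated));
    return 0;
}
```

The truncated string is the case the advisory describes: without the NUL check the skip loop would keep reading beyond the 7 bytes looking for a ':'; with it, scanning stops exactly at strlen(s) and the caller's loop still terminates normally.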