Whoisd buffer overrun
RIPE Database Administration
ripe-dbm at ripe.net
Thu Feb 3 14:09:10 CET 2000
Dear colleagues,

It was brought to our attention last night that the perl whoisd server the RIPE NCC is currently running is vulnerable to a buffer overflow attack. We have taken action immediately and fixed this problem on our production servers. We have also checked for traces of people taking advantage of the vulnerability and concluded that this was not the case. The whois service was not affected.

Should you be running a copy of our software, please apply the patch attached below to bin/whoisd. It truncates the query to 255 characters.

If you have any questions or comments, please contact <ripe-dbm at ripe.net>.

We would like to thank Geert Jan de Groot and Steve Bellovin for bringing this to our attention.

Kind Regards,

Mirjam Kuehne
Head External Services
RIPE NCC

--------------------

1. save the following text as /tmp/whoisdpatch

----------cut here------------------------------ *** whoisd.trunc Wed Feb 2 22:28:34 2000 --- whoisd Wed Feb 2 22:29:46 2000 *************** *** 1679,1694 **** $query=join(" ", @ARGV); } else { - my($trunclen); - alarm $KEEPOPEN if (!$commandline); $query=<$input>; - - # truncate to 255 chars - $trunclen = length($query); - $trunclen = 255 if $trunclen > 255; - substr( $query, $trunclen ) = ""; - } # &dpr("query: -$query- errorcode: -$!-\n"); --- 1679,1686 ---- ----------cut here--------------------------------

2. execute in the directory where your whoisd lives:

$ patch < /tmp/whoisdpatch
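Review bot: the hunk is reversed relative to the stated intent. The old-file side (`*** whoisd.trunc`, lines 1679,1694) is the one that contains the truncation block, and all of its truncation lines (`my($trunclen);`, `# truncate to 255 chars`, `$trunclen = length($query);`, `$trunclen = 255 if $trunclen > 255;`, `substr( $query, $trunclen ) = "";`) are marked `-`, while the new-file side (`--- whoisd`, lines 1679,1686) is eight lines shorter. Applied forward, this removes the 255-character truncation from whoisd.trunc rather than adding it to whoisd. The diff was evidently generated as `diff -c whoisd.trunc whoisd` instead of `diff -c whoisd whoisd.trunc`; sites applying it with the bare `patch < /tmp/whoisdpatch` shown in step 2 should expect patch to report a reversed or previously applied hunk and ask whether to assume `-R`, and should answer yes (or run `patch -R < /tmp/whoisdpatch`), then confirm that the truncation block is actually present in bin/whoisd afterwards, since a skipped hunk would leave the server unpatched.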