Italk Project Security Advisory

2006-12-15 (via vulners.com)

================================================================
Italk Project Security Advisory ITALK-SA-1-1

First revision issued: 2006-12-15
Revision: 1

Software affected: italkplus 0.92 and earlier
Kind of vulnerability: buffer overflows, some on the stack
Possibility of attack: remote

Yutaka OIWA, a member of the Italk project, has found that italkplus
0.92 and earlier has several buffer overflow vulnerabilities which can
possibly be exploited remotely. The possible exploits do not require
any prior authentication.

The problems are fixed in version 0.92.1. Users of italkplus
should either upgrade to italkplus version 0.92.1, or to "inid",
the successor of the chat server.
Italkplus 0.92.1 is available from our project summary page:
http://sourceforge.net/project/showfiles.php?group_id=5286&package_id=5371

Note: Italkplus is obsolete and no longer actively maintained.
The final development effort was made more than 6 years ago.
Furthermore, the design of italkplus 0.80 and later is fragile in
terms of reliability and stability (compared to the current consensus
on secure programming methodology in 2006, at least). We have poured
our development efforts into "inid", the next-generation italk server,
which is completely rewritten and designed in a more solid way. If
possible, please consider migrating to inid. You can refer to
http://inid.lefs.org/ (in Japanese) or
http://italk.sourceforge.net/servers/inid/ (in English). Please note
that these servers use an incompatible format for storing persistent
information, and thus some conversion is needed.

Revision history:
1 (2006-12-15): initial revision. (Yutaka OIWA)