[PKG-IRC-Maintainers] Bug#780880: inspircd: CVE-2012-1836 patch incorrect

Adam adam at anope.org
Fri Mar 20 22:05:29 UTC 2015


Package: inspircd
Version: 2.0.5-1+b1
Severity: grave
Tags: security
Justification: user security hole

Hi,

I am an upstream maintainer for InspIRCd. The patch you have for CVE-2012-1836 (patches/03_CVE-2012-1836.diff) is not the same patch
we released as part of 2.0.7 (there was no 2.0.6) to address the CVE. It appears to be a version of this commit: https://github.com/inspircd/inspircd/commit/9aa28f3730fb3dd69c1e06f78bb2bbc43d36c684.
However this commit was never in a release, and was only in git for about 6 days (due to someone other than me pulling it in). I looked at the CVE and addressed it with two followup
commits later.

This commit and your patch do not fix the problem. You can still send maliciously crafted packets and cause remote code execution. This was fixed
in https://github.com/inspircd/inspircd/commit/ed28c1ba666b39581adb860bf51cdde43c84cc89, prior to the 2.0.7 release.

Furthermore, your patch introduces a buffer underflow where it has "i =- 12" and not "i -= 12". This causes it to start reading from before the packet's buffer. It is unclear
to me what this can cause.

Additionally, at the same time I committed 58c893e834ff20495d007709220881a3ff13f423 to prevent malicious packets from causing InspIRCd to infinite loop. This is not a part of the CVE
as it does not allow remote code execution, but is still a critical problem due to the potential for denial of service.

You should perhaps apply these two patches on top of your existing ones, or maybe fetch the dns.cpp file off of 2.0.7 here: https://github.com/inspircd/inspircd/blob/v2.0.7/src/dns.cpp.
It does not change much.

I would be willing to go through and provide a proper set of patches for this and other less-severe issues if requested. I do not want to do it up front because it would be a lot
of work, and I am not sure whether or not it would be accepted. You have a very, very old InspIRCd version, and there is a lot of stuff to sift through (about 3 years). Let me know.

Thanks,

Adam
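A constructed C illustration of the "i =- 12" typo described in the report, added here as an explanatory example; it is not InspIRCd's dns.cpp and the function names, the 12-byte header constant and the packet size are assumptions. It shows why "i =- 12" parses as "i = -12" (the current offset is discarded and the index lands before the buffer start), alongside the intended decrement and a bounds-checked form that rejects offsets which cannot step back over a full header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not InspIRCd code. A parser holds an offset `i` into
 * a received DNS packet and needs to step back over the 12-byte header. */
#define DNS_HEADER_LEN 12

/* As written in the broken patch: "i =- 12" tokenises as "i = -12", so the
 * current offset is thrown away and i becomes -12 whatever the input was. */
static long offset_as_patched(long i)
{
    i =- DNS_HEADER_LEN; /* reads as: i = -12 */
    return i;
}

/* As intended: subtract the header length from the current offset. */
static long offset_as_intended(long i)
{
    i -= DNS_HEADER_LEN;
    return i;
}

/* Hardened form: refuse any offset that cannot step back by a full header
 * while staying inside [0, packet_len). Returns -1 on rejection. */
static long offset_checked(long i, size_t packet_len)
{
    if (i < DNS_HEADER_LEN)
        return -1; /* would underflow the start of the buffer */
    if ((size_t)i > packet_len)
        return -1; /* offset already past the end of the packet */
    return i - DNS_HEADER_LEN;
}

/* True when `idx` can safely index a buffer of `packet_len` bytes. */
static bool index_in_bounds(long idx, size_t packet_len)
{
    return idx >= 0 && (size_t)idx < packet_len;
}

int main(void)
{
    const size_t packet_len = 64; /* constructed packet size */
    long cur = 40;                /* constructed parser position */

    printf("patched  : i=%ld in_bounds=%d\n", offset_as_patched(cur),
           index_in_bounds(offset_as_patched(cur), packet_len));
    printf("intended : i=%ld in_bounds=%d\n", offset_as_intended(cur),
           index_in_bounds(offset_as_intended(cur), packet_len));
    printf("checked  : i=%ld\n", offset_checked(cur, packet_len));
    printf("checked  : i=%ld (offset 5 rejected)\n",
           offset_checked(5, packet_len));
    return 0;
}
```

The checked variant is the defensive takeaway: any arithmetic on a parser offset driven by untrusted packet contents should be validated against the buffer bounds before it is used as an index, so a typo or a crafted value fails closed instead of reading outside the packet.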
