[PKG-IRC-Maintainers] Bug#780880: inspircd: CVE-2012-1836 patch incorrect

Guillaume Delacour gui at iroqwa.org
Wed Mar 25 22:06:39 UTC 2015


On Friday 20 March 2015 at 22:05 +0000, Adam wrote:
> Package: inspircd
> Version: 2.0.5-1+b1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> 
> I am an upstream maintainer for InspIRCd. The patch you have for CVE-2012-1836 (patches/03_CVE-2012-1836.diff) is not the same patch
> we released as part of 2.0.7 (there was no 2.0.6) to address the CVE. It appears to be a version of this commit: https://github.com/inspircd/inspircd/commit/9aa28f3730fb3dd69c1e06f78bb2bbc43d36c684.
> However this commit was never in a release, and was only in git for about 6 days (due to someone other than me pulling it in). I looked at the CVE and addressed it with two followup
> commits later.
> 
> This commit and your patch do not fix the problem. You can still send maliciously crafted packets and cause remote code execution. This was fixed
> in https://github.com/inspircd/inspircd/commit/ed28c1ba666b39581adb860bf51cdde43c84cc89, prior to the 2.0.7 release.
> 
> Furthermore, your patch introduces a buffer underflow where it has "i =- 12" and not "i -= 12". This causes it to start reading from before the packet's buffer. It is unclear
> to me what this can cause.
> 
> Additionally, at the same time I committed 58c893e834ff20495d007709220881a3ff13f423 to prevent malicious packets from causing InspIRCd to infinite loop. This is not a part of the CVE
> as it does not allow remote code execution, but is still a critical problem due to the potential for denial of service.
> 
> You should perhaps apply these two patches on top of your existing ones, or maybe fetch the dns.cpp file off of 2.0.7 here: https://github.com/inspircd/inspircd/blob/v2.0.7/src/dns.cpp.
> It does not change much.
> 
> I would be willing to go through and provide a proper set of patches for this and other less-severe issues if requested. I do not want to do it up front because it would be a lot
> of work, and I am not sure whether or not it would be accepted. You have a very, very old InspIRCd version, and there is a lot of stuff to sift through (about 3 years). Let me know.

I'll try to apply the diff for src/dns.cpp between the 2.0.5 and 2.0.7
releases as you suggest and will test it (yes, I personally use
inspircd).
When done, I'll contact the Debian security team for an upload to the
security archive.

As the new stable version Debian 8 Jessie is about to be frozen/released, I
don't think I'll find a sponsor to upload a 2.0.17 backport of inspircd
for the current Debian 7 Wheezy.

> 
> Thanks,
> 
> Adam
> 

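The `i =- 12` typo Adam points out above is worth seeing in isolation. The following is an added example written for this page, not InspIRCd's dns.cpp: it uses a constructed 32-byte packet and hypothetical `step_back_*` helpers to show that `i =- 12` parses as `i = -12` (the index becomes -12 regardless of where the parser was), and how a bounds-checked read rejects the resulting out-of-buffer index instead of dereferencing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not InspIRCd code. The packet contents and the helper
 * names are constructed for illustration only. */

#define PACKET_LEN 32

/* Hypothetical parser step: move back 12 bytes from the current position.
 * The typo below is parsed by the compiler as "i = -12", so the result is
 * -12 for every input and the next read lands before the buffer start. */
static int step_back_buggy(int i)
{
    i =- 12;            /* typo reported above: assigns negative twelve */
    return i;
}

/* The intended operation. */
static int step_back_intended(int i)
{
    i -= 12;
    return i;
}

/* Hardened read: the index is validated against the buffer length before
 * it is used, so a negative or too-large index is rejected rather than
 * dereferenced. Returns 0 on success, -1 if the read would leave the buffer. */
static int read_byte_checked(const uint8_t *buf, size_t len, int i, uint8_t *out)
{
    if (i < 0 || (size_t)i >= len)
        return -1;
    *out = buf[i];
    return 0;
}

/* Runs both variants from position 20 of a constructed packet whose byte k
 * holds the value k. Returns 0 when the buggy index is rejected and the
 * intended index reads byte 8, 1 otherwise. */
static int demo(void)
{
    uint8_t packet[PACKET_LEN];
    uint8_t b = 0;
    for (int k = 0; k < PACKET_LEN; k++)
        packet[k] = (uint8_t)k;                    /* constructed data */

    int bad  = step_back_buggy(20);                /* -12 */
    int good = step_back_intended(20);             /* 8 */
    int r_bad  = read_byte_checked(packet, PACKET_LEN, bad, &b);   /* -1 */
    int r_good = read_byte_checked(packet, PACKET_LEN, good, &b);  /* 0, b == 8 */

    return (r_bad == -1 && r_good == 0 && b == 8) ? 0 : 1;
}

int main(void)
{
    printf("buggy index from 20: %d\n", step_back_buggy(20));
    printf("intended index from 20: %d\n", step_back_intended(20));
    return demo();
}
```

The check in `read_byte_checked` is the defensive point: a parser that validates every computed offset against the buffer it indexes turns a typo like this into a rejected packet rather than an out-of-bounds read.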