On Friday, 20 March 2015 at 22:05 +0000, Adam wrote:
> Package: inspircd
> Version: 2.0.5-1+b1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
>
> I am an upstream maintainer for InspIRCd. The patch you have for
> CVE-2012-1836 (patches/03_CVE-2012-1836.diff) is not the same patch
> we released as part of 2.0.7 (there was no 2.0.6) to address the CVE. It
> appears to be a version of this commit:
> https://github.com/inspircd/inspircd/commit/9aa28f3730fb3dd69c1e06f78bb2bbc43d36c684.
> However this commit was never in a release, and was only in git for about 6
> days (due to someone other than me pulling it in). I looked at the CVE and
> addressed it with two followup commits later.
>
> This commit and your patch do not fix the problem. You can still send
> maliciously crafted packets and cause remote code execution. This was fixed
> in
> https://github.com/inspircd/inspircd/commit/ed28c1ba666b39581adb860bf51cdde43c84cc89,
> prior to the 2.0.7 release.
>
> Furthermore, your patch introduces a buffer underflow where it has "i =- 12"
> and not "i -= 12". This causes it to start reading from before the packet's
> buffer. It is unclear to me what this can cause.
>
> Additionally, at the same time I committed
> 58c893e834ff20495d007709220881a3ff13f423 to prevent malicious packets from
> causing InspIRCd to infinite loop. This is not a part of the CVE
> as it does not allow remote code execution, but is still a critical problem
> due to the potential for denial of service.
>
> You should perhaps apply these two patches on top of your existing ones, or
> maybe fetch the dns.cpp file off of 2.0.7 here:
> https://github.com/inspircd/inspircd/blob/v2.0.7/src/dns.cpp.
> It does not change much.
>
> I would be willing to go through and provide a proper set of patches for this
> and other less-severe issues if requested. I do not want to do it up front
> because it would be a lot of work, and I am not sure whether or not it would
> be accepted. You have a very, very old InspIRCd version, and there is a lot
> of stuff to sift through (about 3 years). Let me know.

I'll try to apply the diff for src/dns.cpp between the 2.0.5 and 2.0.7 releases as you suggest and will test it (yes, I personally use inspircd). When done, I'll contact the Debian security team for an upload to the security archive. As the new stable version, Debian 8 Jessie, is about to be frozen/released, I don't think I'll find a sponsor to upload a 2.0.17 backport of inspircd for the current Debian 7 Wheezy.

> Thanks,
>
> Adam
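As an added illustration, not code from the bug report or from InspIRCd itself, the hypothetical C snippet below shows what the "i =- 12" typo quoted in the report does to a length calculation, and how a reader that rejects packets shorter than the fixed header never ends up with a negative offset into the buffer. The 12-byte header size, the function names and the two sample packets are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed constant: a DNS-style message starts with a 12-byte fixed header. */
#define DNS_HEADER_LEN 12

/* Hypothetical helper reproducing the typo named in the report. The compiler
   parses "i =- 12" as "i = -12": the variable is assigned minus twelve instead
   of having the header length subtracted, so any later use of i as an offset
   points before the start of the packet buffer. */
int remaining_after_header_typo(int length) {
    int i = length;
    i =- DNS_HEADER_LEN;   /* typo: assigns -12, does not subtract */
    return i;
}

/* The intended arithmetic: bytes left after the fixed header. */
int remaining_after_header_fixed(int length) {
    int i = length;
    i -= DNS_HEADER_LEN;   /* subtract the header size */
    return i;
}

/* Defensive reader: reject packets shorter than the header before doing any
   arithmetic, and never use a possibly negative value as an index or length.
   Returns the number of payload bytes copied into out, or -1 on a malformed
   or oversized packet. */
int read_payload(const unsigned char *pkt, int length,
                 unsigned char *out, size_t out_len) {
    if (pkt == NULL || out == NULL || length < DNS_HEADER_LEN)
        return -1;
    int remaining = remaining_after_header_fixed(length);
    if (remaining < 0 || (size_t)remaining > out_len)
        return -1;
    memcpy(out, pkt + DNS_HEADER_LEN, (size_t)remaining);
    return remaining;
}

/* Constructed sample packets (not captured traffic): a well-formed 16-byte
   message (12-byte header plus 4 payload bytes) and a 5-byte truncated one. */
static const unsigned char sample_ok[16] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd'
};
static const unsigned char sample_short[5] = { 0x12, 0x34, 0x81, 0x80, 0x00 };

int demo_ok_packet(void) {
    unsigned char out[64];
    return read_payload(sample_ok, (int)sizeof sample_ok, out, sizeof out);
}

int demo_short_packet(void) {
    unsigned char out[64];
    return read_payload(sample_short, (int)sizeof sample_short, out, sizeof out);
}

int main(void) {
    printf("typo  : remaining = %d\n", remaining_after_header_typo(40));   /* -12 */
    printf("fixed : remaining = %d\n", remaining_after_header_fixed(40));  /* 28 */
    printf("ok packet    -> %d payload bytes\n", demo_ok_packet());        /* 4 */
    printf("short packet -> %d (rejected)\n", demo_short_packet());        /* -1 */
    return 0;
}
```

The point of the length check before the subtraction is that a signed offset derived from untrusted input must be validated against the header size first; once the check passes, the subtraction cannot go negative, and the typo variant is easy to catch in review or with a unit test because it yields -12 for every input length.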