Your message dated Fri, 21 Dec 2007 13:10:05 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#457300: peercast: CVE-2007-6454 heap-based buffer overflow possibly leading to code execution
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: peercast
Version: 0.1217.toots.20060314-1
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for peercast.

CVE-2007-6454[0]:
| Heap-based buffer overflow in the handshakeHTTP function in servhs.cpp
| in PeerCast 0.1217 and earlier, and SVN 344 and earlier, allows remote
| attackers to cause a denial of service and possibly execute arbitrary
| code via a long SOURCE request.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

Attached is a patch extracted from the upstream svn to fix this.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6454

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Index: servhs.cpp
===================================================================
--- servhs.cpp	(revision 328)
+++ servhs.cpp	(revision 347)
@@ -43,6 +43,8 @@
 {
 	if (!*cp)
 		return NULL;
+
+	int cnt=0;
 
 	// fetch command
 	while (*cp)
@@ -51,10 +53,15 @@
 		if (c == '=')
 			break;
 		else
-			*cmd++ = c;
+			*cmd++ = c;
+
+		cnt++;
+		if (cnt >= (MAX_CGI_LEN-1))
+			break;
 	}
 	*cmd = 0;
-
+
+	cnt=0;
 	// fetch arg
 	while (*cp)
 	{
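Review bot: the truncation `break` on `cnt >= (MAX_CGI_LEN-1)` stops copying but leaves `cp` in the middle of the command, so the following "fetch arg" loop will read the remaining command bytes as the argument (up to the next `&`); if the intent is to drop over-long fields safely, keep advancing `cp` to the `=`/`&` delimiter once the bound is hit, or reject the request outright. Also, the `-`/`+` pair for `*cmd++ = c;` and the removed/re-added blank line look like whitespace-only churn that makes the backport noisier than necessary.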
@@ -62,7 +69,11 @@
 		if (c == '&')
 			break;
 		else
-			*arg++ = c;
+			*arg++ = c;
+
+		cnt++;
+		if (cnt >= (MAX_CGI_LEN-1))
+			break;
 	}
 	*arg = 0;
 
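Review bot: the bound here counts characters written rather than checking the size of `arg`, and the function's parameters (not in the diff) carry no buffer sizes, so every caller must now guarantee that both `cmd` and `arg` point at buffers of at least MAX_CGI_LEN bytes. This patch only resizes the buffers in handshakeCMD, so the other call sites should be audited before backporting, or a length parameter added so the check does not depend on a convention.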
@@ -302,13 +313,13 @@
 					mount[-1] = 0; // password preceeds
 					break;
 				}
-			strcpy(loginPassword,in+7);
+			loginPassword.set(in+7);
 			
-			LOG_DEBUG("ICY client: %s %s",loginPassword,mount?mount:"unknown");
+			LOG_DEBUG("ICY client: %s %s",loginPassword.cstr(),mount?mount:"unknown");
 		}
 
 		if (mount)
-			strcpy(loginMount,mount);
+			loginMount.set(mount);
 
 		handshakeICY(Channel::SRC_ICECAST,isHTTP);
 		sock = NULL;	// socket is taken over by channel, so don`t close it
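Review bot: `loginPassword.set(in+7)` and `loginMount.set(mount)` replace `strcpy` into what were plainly `char` arrays, so the member types must have changed to the String class that provides `set()`/`cstr()`; that declaration change is not in this diff (servhs.cpp only), so the patch will not build on its own and the backport needs the matching header change. It is also worth confirming that `set()` is a bounded copy rather than another unbounded one.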
@@ -318,7 +329,7 @@
 		if (!isAllowed(ALLOW_BROADCAST))
 			throw HTTPException(HTTP_SC_UNAVAILABLE,503);
 
-		strcpy(loginPassword,servMgr->password);	// pwd already checked
+		loginPassword.set(servMgr->password);	// pwd already checked
 
 		sock->writeLine("OK2");
 		sock->writeLine("icy-caps:11");
@@ -640,9 +651,9 @@
 // -----------------------------------
 void Servent::handshakeCMD(char *cmd)
 {
-	char result[256];
-	char arg[512];
-	char curr[256];
+	char result[MAX_CGI_LEN];
+	char arg[MAX_CGI_LEN];
+	char curr[MAX_CGI_LEN];
 
 	char	jumpStr[128];
 	char	*jumpArg=NULL;
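Review bot: MAX_CGI_LEN's value is not in the diff; if it is below 512 this hunk shrinks `arg` from 512 bytes, and in any case these three buffers and the bound in the cmd/arg loops must refer to the same constant. `jumpStr[128]` keeps its fixed size; if it is ever filled from `arg`, that copy needs the same bounding.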
@@ -831,6 +842,8 @@
 					// connections
 					else if (strcmp(curr,"maxcin")==0)
 						servMgr->maxControl = getCGIargINT(arg);
+					else if (strcmp(curr,"maxsin")==0)
+						servMgr->maxServIn = getCGIargINT(arg);
 
 					else if (strcmp(curr,"maxup")==0)
 						servMgr->maxBitrateOut = getCGIargINT(arg);
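Review bot: the new `maxsin` setting is a feature change unrelated to CVE-2007-6454; for a stable/etch security update it should be split out so the backport carries only the overflow fix.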
@@ -1488,15 +1501,15 @@
 	while (http.nextHeader())
 	{
 		LOG_DEBUG("ICY %s",http.cmdLine);
-		readICYHeader(http,info,loginPassword);
+		readICYHeader(http,info,loginPassword.cstr());
 	}
 
 
 		
 	// check password before anything else, if needed
-	if (strcmp(servMgr->password,loginPassword)!=0)
+	if (loginPassword != servMgr->password)
 	{
-		if (!sock->host.isLocalhost() || strlen(loginPassword))
+		if (!sock->host.isLocalhost() || !loginPassword.isEmpty())
 			throw HTTPException(HTTP_SC_UNAUTHORIZED,401);
 	}
 
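Review bot: `readICYHeader(http,info,loginPassword.cstr())` now passes a raw pointer obtained from the String object, whereas the old call passed the `char` array it presumably filled in; if readICYHeader stores the header's password through that pointer, it writes into the String's internal buffer without the bound that `set()` enforces. Check whether the third parameter is an output and, if so, pass the String object (or a bounded copy) instead. The `!=` comparison and `isEmpty()` preserve the earlier semantics (localhost with an empty password still allowed), which is fine.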
@@ -1510,7 +1523,7 @@
 
 
 	info.id = chanMgr->broadcastID;
-	info.id.encode(NULL,info.name.cstr(),loginMount,info.bitrate);
+	info.id.encode(NULL,info.name.cstr(),loginMount.cstr(),info.bitrate);
 
 	LOG_DEBUG("Incoming source: %s : %s",info.name.cstr(),ChanInfo::getTypeStr(info.contentType));
 
@@ -1531,7 +1544,7 @@
 	info.comment = chanMgr->broadcastMsg;
 	info.bcID = chanMgr->broadcastID;
 
-	c = chanMgr->createChannel(info,loginMount);
+	c = chanMgr->createChannel(info,loginMount.cstr());
 	if (!c)
 		throw HTTPException(HTTP_SC_UNAVAILABLE,503);
 



--- End Message ---
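The patch above bounds the cmd/arg copy loops by counting characters. As an added example, not PeerCast's code, the following is a small bounded parser for the `name=value&name=value` query-string shape those loops handle, written with explicit destination sizes, truncation reported to the caller, and the rest of an over-long token consumed so that the next field still parses at the right place. All names here (`cgi_pair`, `copy_field`, `cgi_next_pair`, `cgi_parse`, `MAX_FIELD`) are this example's own, and `MAX_FIELD` is set deliberately small so the truncation path is exercised on the constructed input.

```c
/* Added example, not PeerCast code: bounded parsing of "name=value&name=value"
 * strings, the input shape the patched cmd/arg copy loops deal with.
 * cgi_pair, copy_field, cgi_next_pair, cgi_parse and MAX_FIELD are this
 * example's own names; MAX_FIELD is kept small so truncation is exercised.
 */
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 16   /* constructed: capacity of each field including the NUL */

typedef struct {
    char name[MAX_FIELD];
    char value[MAX_FIELD];
    int  truncated;    /* set when either field lost bytes */
} cgi_pair;

/* Copy bytes from *pp into dst (capacity dstsz) until `stop`, '&' or end of
 * input.  Bytes that do not fit are consumed but dropped, so the caller's
 * position still lands on the delimiter.  Returns 1 if anything was dropped. */
static int copy_field(const char **pp, char *dst, size_t dstsz, char stop)
{
    const char *p = *pp;
    size_t n = 0;
    int dropped = 0;

    while (*p && *p != stop && *p != '&') {
        if (n + 1 < dstsz)        /* always leave room for the terminator */
            dst[n++] = *p;
        else
            dropped = 1;
        p++;
    }
    dst[n] = '\0';
    *pp = p;
    return dropped;
}

/* Parse one pair starting at `in`; returns the position just after it. */
const char *cgi_next_pair(const char *in, cgi_pair *out)
{
    out->truncated = copy_field(&in, out->name, sizeof out->name, '=');
    if (*in == '=') {
        in++;
        out->truncated |= copy_field(&in, out->value, sizeof out->value, '&');
    } else {
        out->value[0] = '\0';   /* a name without '=' has an empty value */
    }
    if (*in == '&')
        in++;
    return in;
}

/* Parse a whole query string into at most maxpairs entries; returns the count. */
int cgi_parse(const char *in, cgi_pair *pairs, int maxpairs)
{
    int count = 0;
    while (*in && count < maxpairs)
        in = cgi_next_pair(in, &pairs[count++]);
    return count;
}

int main(void)
{
    /* constructed input: the second value is 40 bytes, well past MAX_FIELD */
    const char *req = "cmd=play&id="
                      "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
                      "&rel=1";
    cgi_pair pairs[8];
    int i, n = cgi_parse(req, pairs, 8);

    for (i = 0; i < n; i++)
        printf("%s = %s%s\n", pairs[i].name, pairs[i].value,
               pairs[i].truncated ? "  [truncated]" : "");
    return 0;
}
```

The point of `copy_field` taking the buffer size as a parameter is that the bound travels with the destination rather than living in a shared constant the caller has to remember; the `truncated` flag lets the caller decide whether a cut-down field is acceptable or should cause the request to be rejected.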
--- Begin Message ---
Package: peercast
Version: 0.1218+svn20071220+2

Hi!

This fix was uploaded yesterday!

Should we prepare a backport for the current etch package?

Romain

On Friday 21 December 2007 12:55:50, Nico Golde wrote:
> Package: peercast
> Version: 0.1217.toots.20060314-1
> Severity: grave
> Tags: security patch
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for peercast.
>
> CVE-2007-6454[0]:
> | Heap-based buffer overflow in the handshakeHTTP function in servhs.cpp
> | in PeerCast 0.1217 and earlier, and SVN 344 and earlier, allows remote
> | attackers to cause a denial of service and possibly execute arbitrary
> | code via a long SOURCE request.
>
> If you fix this vulnerability please also include the CVE id
> in your changelog entry.
>
> Attached is a patch extracted from the upstream svn to fix
> this.
>
> For further information:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6454
>
> Kind regards
> Nico
--- End Message ---