Your message dated Fri, 28 Dec 2007 19:52:19 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#457300: fixed in peercast 0.1217.toots.20060314-1etch0
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: peercast
Version: 0.1217.toots.20060314-1
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for peercast.

CVE-2007-6454[0]:
| Heap-based buffer overflow in the handshakeHTTP function in servhs.cpp
| in PeerCast 0.1217 and earlier, and SVN 344 and earlier, allows remote
| attackers to cause a denial of service and possibly execute arbitrary
| code via a long SOURCE request.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

Attached is a patch extracted from the upstream svn to fix this.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6454

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Index: servhs.cpp
===================================================================
--- servhs.cpp	(revision 328)
+++ servhs.cpp	(revision 347)
@@ -43,6 +43,8 @@
 {
 	if (!*cp)
 		return NULL;
+
+	int cnt=0;
 
 	// fetch command
 	while (*cp)
@@ -51,10 +53,15 @@
 		if (c == '=')
 			break;
 		else
-			*cmd++ = c;
+			*cmd++ = c;
+
+		cnt++;
+		if (cnt >= (MAX_CGI_LEN-1))
+			break;
 	}
 	*cmd = 0;
-
+
+	cnt=0;
 	// fetch arg
 	while (*cp)
 	{
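Review bot: When the `cnt >= (MAX_CGI_LEN-1)` break fires in the command loop, `cp` is left in the middle of an overlong name, so the "fetch arg" loop that follows treats the rest of that name (up to the next `&`) as the value. Consider consuming input up to the `=` delimiter after truncating, or rejecting the request outright, so a truncated key is never paired with a bogus value. The limit also only protects callers whose `cmd` buffer is at least `MAX_CGI_LEN` bytes; passing the destination size as a parameter would make that requirement explicit. The removed and re-added `*cmd++ = c;` looks like a whitespace-only change and could be dropped from the patch.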
@@ -62,7 +69,11 @@
 		if (c == '&')
 			break;
 		else
-			*arg++ = c;
+			*arg++ = c;
+
+		cnt++;
+		if (cnt >= (MAX_CGI_LEN-1))
+			break;
 	}
 	*arg = 0;
 
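Review bot: The bounded copy for `arg` duplicates the `cmd` loop above, including the `MAX_CGI_LEN-1` constant, and after a truncating break `cp` still points into the unconsumed remainder of the value, which whatever parses next from `cp` will see as fresh input. A small helper that takes the destination, its size and the delimiter, and that skips to the delimiter on truncation, would keep the two limits from drifting apart. `cnt` would also read better as an unsigned type such as `size_t`.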
@@ -302,13 +313,13 @@
 					mount[-1] = 0; // password preceeds
 					break;
 				}
-			strcpy(loginPassword,in+7);
+			loginPassword.set(in+7);
 			
-			LOG_DEBUG("ICY client: %s %s",loginPassword,mount?mount:"unknown");
+			LOG_DEBUG("ICY client: %s %s",loginPassword.cstr(),mount?mount:"unknown");
 		}
 
 		if (mount)
-			strcpy(loginMount,mount);
+			loginMount.set(mount);
 
 		handshakeICY(Channel::SRC_ICECAST,isHTTP);
 		sock = NULL;	// socket is taken over by channel, so don`t close it
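Review bot: The `LOG_DEBUG("ICY client: %s %s",loginPassword.cstr(),...)` line still writes the client-supplied password to the debug log in cleartext; since the line is being touched anyway, log only the mount. Separately, replacing `strcpy` with `loginPassword.set(in+7)` and `loginMount.set(mount)` is only a fix if `set()` truncates to the String's capacity, which is not visible in this diff, so the commit message should state that or reference the String implementation.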
@@ -318,7 +329,7 @@
 		if (!isAllowed(ALLOW_BROADCAST))
 			throw HTTPException(HTTP_SC_UNAVAILABLE,503);
 
-		strcpy(loginPassword,servMgr->password);	// pwd already checked
+		loginPassword.set(servMgr->password);	// pwd already checked
 
 		sock->writeLine("OK2");
 		sock->writeLine("icy-caps:11");
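Review bot: `loginPassword.set(servMgr->password)` requires `loginPassword` to be a String object, but the member declarations are not part of this servhs.cpp-only diff. Make sure the matching header change for `loginPassword` and `loginMount` ships in the same upload, otherwise this will not build against the char buffers that the removed `strcpy` lines were writing into.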
@@ -640,9 +651,9 @@
 // -----------------------------------
 void Servent::handshakeCMD(char *cmd)
 {
-	char result[256];
-	char arg[512];
-	char curr[256];
+	char result[MAX_CGI_LEN];
+	char arg[MAX_CGI_LEN];
+	char curr[MAX_CGI_LEN];
 
 	char	jumpStr[128];
 	char	*jumpArg=NULL;
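Review bot: `arg` goes from 512 bytes to `MAX_CGI_LEN`, whose definition is not in this diff; if it is smaller than 512 this shrinks the buffer and silently truncates arguments that were accepted before, so state the value in the changelog. `jumpStr[128]` in the same function keeps a hard-coded size; check that whatever copies into it is bounded as well.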
@@ -831,6 +842,8 @@
 					// connections
 					else if (strcmp(curr,"maxcin")==0)
 						servMgr->maxControl = getCGIargINT(arg);
+					else if (strcmp(curr,"maxsin")==0)
+						servMgr->maxServIn = getCGIargINT(arg);
 
 					else if (strcmp(curr,"maxup")==0)
 						servMgr->maxBitrateOut = getCGIargINT(arg);
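Review bot: The new `maxsin` branch is a functional addition unrelated to the overflow fix and does not belong in a security-only patch; split it out. If it stays, `getCGIargINT(arg)` is assigned to `servMgr->maxServIn` with no range check, so a negative or very large value goes straight into the connection limit.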
@@ -1488,15 +1501,15 @@
 	while (http.nextHeader())
 	{
 		LOG_DEBUG("ICY %s",http.cmdLine);
-		readICYHeader(http,info,loginPassword);
+		readICYHeader(http,info,loginPassword.cstr());
 	}
 
 
 		
 	// check password before anything else, if needed
-	if (strcmp(servMgr->password,loginPassword)!=0)
+	if (loginPassword != servMgr->password)
 	{
-		if (!sock->host.isLocalhost() || strlen(loginPassword))
+		if (!sock->host.isLocalhost() || !loginPassword.isEmpty())
 			throw HTTPException(HTTP_SC_UNAUTHORIZED,401);
 	}
 
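Review bot: `readICYHeader(http,info,loginPassword.cstr())` hands the String's internal buffer to a function whose definition is not in this diff; if `readICYHeader` writes the password through that pointer, the write bypasses the String's bounds and the overflow is only moved. Pass the buffer size along, or have the function take the String by reference. Also confirm that `loginPassword != servMgr->password` is an exact, case-sensitive comparison equivalent to the `strcmp` it replaces.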
@@ -1510,7 +1523,7 @@
 
 
 	info.id = chanMgr->broadcastID;
-	info.id.encode(NULL,info.name.cstr(),loginMount,info.bitrate);
+	info.id.encode(NULL,info.name.cstr(),loginMount.cstr(),info.bitrate);
 
 	LOG_DEBUG("Incoming source: %s : %s",info.name.cstr(),ChanInfo::getTypeStr(info.contentType));
 
@@ -1531,7 +1544,7 @@
 	info.comment = chanMgr->broadcastMsg;
 	info.bcID = chanMgr->broadcastID;
 
-	c = chanMgr->createChannel(info,loginMount);
+	c = chanMgr->createChannel(info,loginMount.cstr());
 	if (!c)
 		throw HTTPException(HTTP_SC_UNAVAILABLE,503);
 



--- End Message ---
--- Begin Message ---
Source: peercast
Source-Version: 0.1217.toots.20060314-1etch0

We believe that the bug you reported is fixed in the latest version of
peercast, which is due to be installed in the Debian FTP archive:

libpeercast0-dev_0.1217.toots.20060314-1etch0_amd64.deb
  to pool/main/p/peercast/libpeercast0-dev_0.1217.toots.20060314-1etch0_amd64.deb
libpeercast0_0.1217.toots.20060314-1etch0_amd64.deb
  to pool/main/p/peercast/libpeercast0_0.1217.toots.20060314-1etch0_amd64.deb
peercast-handlers_0.1217.toots.20060314-1etch0_all.deb
  to pool/main/p/peercast/peercast-handlers_0.1217.toots.20060314-1etch0_all.deb
peercast-servent_0.1217.toots.20060314-1etch0_amd64.deb
  to pool/main/p/peercast/peercast-servent_0.1217.toots.20060314-1etch0_amd64.deb
peercast_0.1217.toots.20060314-1etch0.diff.gz
  to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch0.diff.gz
peercast_0.1217.toots.20060314-1etch0.dsc
  to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch0.dsc
peercast_0.1217.toots.20060314-1etch0_amd64.deb
  to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch0_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <[EMAIL PROTECTED]> (supplier of updated peercast package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 21 Dec 2007 16:40:20 +0100
Source: peercast
Binary: libpeercast0 peercast-handlers peercast-servent peercast libpeercast0-dev
Architecture: source amd64 all
Version: 0.1217.toots.20060314-1etch0
Distribution: stable-security
Urgency: high
Maintainer: Romain Beauxis <[EMAIL PROTECTED]>
Changed-By: Romain Beauxis <[EMAIL PROTECTED]>
Description: 
 libpeercast0 - P2P audio and video streaming server libraries
 libpeercast0-dev - P2P audio and video streaming server -- development
 peercast   - P2P audio and video streaming server metapackage
 peercast-handlers - P2P audio and video streaming handlers
 peercast-servent - P2P audio and video streaming servent
Closes: 457300
Changes: 
 peercast (0.1217.toots.20060314-1etch0) stable-security; urgency=high
 .
   * Fixed CVE-2007-6454:
     | Heap-based buffer overflow in the handshakeHTTP function in servhs.cpp
     | in PeerCast 0.1217 and earlier, and SVN 344 and earlier, allows remote
     | attackers to cause a denial of service and possibly execute arbitrary
     | code via a long SOURCE request.
     Closes: #457300
Files: 
 153071edd20929f6113345ed9d127853 778 sound optional peercast_0.1217.toots.20060314-1etch0.dsc
 d9e83aa7e66f4d3b160d7c4c8b2a3a4f 534016 sound optional peercast_0.1217.toots.20060314.orig.tar.gz
 2f7264e5f9bdff6eb74cfe6b26496534 6276 sound optional peercast_0.1217.toots.20060314-1etch0.diff.gz
 8063dd0125fdc41505554387b433fa91 6644 sound optional peercast-handlers_0.1217.toots.20060314-1etch0_all.deb
 3f4ed56979f0a071eb32a0b7d06d06ad 2710 sound optional peercast_0.1217.toots.20060314-1etch0_amd64.deb
 73d27cd6c28cbf5fd6e8bd29645e6e7d 50586 sound optional peercast-servent_0.1217.toots.20060314-1etch0_amd64.deb
 b7861763bffb0c495e96e3bb23155e4e 171950 libs optional libpeercast0_0.1217.toots.20060314-1etch0_amd64.deb
 17c96525ac00cbfe172c6dbf78495649 323544 libdevel optional libpeercast0-dev_0.1217.toots.20060314-1etch0_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHcQ/NnuQ3Rt5ZmAARAlVAAJ4vC3WqOkv1MYkDQiyACGZul2HkAwCgneL9
45lJpb+YyTb9jatNKHQsrdE=
=lcrd
-----END PGP SIGNATURE-----



--- End Message ---
