Bug#487867: marked as done (tirc: crash [SEGV] when server sends numeric replies >=600 (e.g. freenode's hyperion with nickserv))

Mon, 04 Aug 2008 01:14:12 -0700 

Your message dated Mon, 4 Aug 2008 09:10:39 +0100
with message-id <[EMAIL PROTECTED]>
and subject line tirc has been removed from Debian, closing #487867
has caused the Debian Bug report #487867,
regarding tirc: crash [SEGV] when server sends numeric replies >=600 (e.g. 
freenode's hyperion with nickserv)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
487867: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487867
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message --- 
Package: tirc
Version: 1.2-11
Severity: grave
Justification: renders package unusable


Go to irc.freeonode.net and identify yourself with /msg nickserv,
the response will be with numeric reply 901 and makes tirc crash with a
segmentation fault. ("tirc -d" shows the server response.)
This will happen with many other irc servers as well;
http://www.alien.net.au/irc/irc2numerics.html shows that numeric
responses above 599 are common nowadays.
tirc has a hard limit on 599 and will use a function array with the
unchecked number. 

I am attaching a patch which raises the limit to 999 making tirc
usable again and also introducing a check before going into the array
which will prevent a crash even if the number is higher (just to be on
the save side).

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages tirc depends on:
ii  libc6                  2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii  libncurses5            5.5-5             Shared libraries for terminal hand

tirc recommends no packages.

-- no debconf information

--- tirc-1.2/Changelog  1999-05-14 22:02:47.000000000 +0200
+++ tirc-1.2.fixed/Changelog    2008-06-24 18:46:38.840723750 +0200
@@ -1,5 +1,12 @@
 #      $Old: Changelog,v 1.118 1998/02/24 18:30:16 mkb Exp $
 
+20080624 [EMAIL PROTECTED]
+       o raised the range of accepted numeric server replies up to 999,
+         check out http://www.alien.net.au/irc/irc2numerics.html which
+         shows that larger numbers than 599 are widespread.
+       o fixed code not crash, but to warn and ignore the line 
+         when a higher numeric reply number is encountered.
+
 1.1 -> 1.2 1999/03/12
        o do not expect getsid to be around
        o fixed a small printf-missing-arg bug
diff -ur tirc-1.2/irc.c tirc-1.2.fixed/irc.c
--- tirc-1.2/irc.c      2008-06-24 18:42:43.000000000 +0200
+++ tirc-1.2.fixed/irc.c        2008-06-24 18:41:18.372695750 +0200
@@ -565,6 +565,20 @@
                                    dispose_msg(&msg);
                                }
 
+                               /* 
+                                * Take precausing against malicious servers
+                                * sending higher numbers
+                                */
+                               if (sm.sm_num >= MAXSCMD) {
+                                   /* cry out and discard line*/
+                                   iw_printf(COLI_WARN, "%s%sServer send \
+numeric reply %d exceeding my internal MAXSCMD of %d; \
+ignoring the line! %s%s\n", 
+                                       TBOLD, ppre, sm.sm_num, MAXSCMD, 
+                                       timestamp(), TBOLD);
+                                   continue;
+                               }
+
                                /* React on command */
                                (*reacttbl[sm.sm_num])(&sm);
 
diff -ur tirc-1.2/tirc.h tirc-1.2.fixed/tirc.h
--- tirc-1.2/tirc.h     2008-06-24 18:42:43.000000000 +0200
+++ tirc-1.2.fixed/tirc.h       2008-06-24 18:41:54.238937250 +0200
@@ -71,7 +71,7 @@
 #define CNAMESZ                201     /* size of a channel name + NUL */
 #define MSGSZ          513     /* size of an IRC message + NUL */
 #define BUFSZ          4000    /* general buffer size */
-#define MAXSCMD                600     /* highest command number in IRC 
protocol */
+#define MAXSCMD                1000    /* highest command number in IRC 
protocol+1 */
 #define MAXINPUT       510     /* length of editor line */
 #define HISTORY                100     /* number of lines in input history */
 #define BACKSCROLL     1200    /* number of lines in window backscroll */

--- End Message ---
--- Begin Message --- 
Version: 1.2-11+rm

The tirc package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still opened
against it.

For more information about this package's removal, read
http://bugs.debian.org/492850 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any question.

Thank you for your contribution to Debian.

--
Marco Rodrigues
http://Marco.Tondela.org

--- End Message ---

Reply via email to