Your message dated Fri, 1 Feb 2013 14:33:45 +0200
with message-id <20130201123345.gm21...@kludge.henri.nerv.fi>
and subject line tested
has caused the Debian Bug report #699267,
regarding ircd-hybrid: CVE-2013-0238 Denial of service vulnerability in hostmask.c:try_parse_v4_netmask()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
699267: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699267
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ircd-hybrid
Version: 1:7.2.2.dfsg.2-6.2
Severity: grave
Tags: security
Mr. Bob Nomnomnom from Torland reported a denial of service security
vulnerability in ircd-hybrid. The function hostmask.c:try_parse_v4_netmask()
uses strtoul to parse masks. The documentation says strtoul can parse "-number" as
well. Validation of the input does not catch evil bits. I can give a proof of concept
if needed.
Fixed in commit:
http://svn.ircd-hybrid.org:8000/viewcvs.cgi/ircd-hybrid/trunk/src/hostmask.c?r1=1786&r2=1785&pathrev=1786
Fixed in: ircd-hybrid 8.0.6
I have requested a CVE identifier for this vulnerability.
Program received signal SIGSEGV, Segmentation fault.
0x000000000041c799 in try_parse_v4_netmask (text=<value optimized out>, addr=0x113e270, b=0x113e2f8) at hostmask.c:229
229 addb[bits / 8] &= ~((1 << (8 - bits % 8)) - 1);
(gdb) bt
#0  0x000000000041c799 in try_parse_v4_netmask (text=<value optimized out>, addr=0x113e270, b=0x113e2f8) at hostmask.c:229
#1  parse_netmask (text=<value optimized out>, addr=0x113e270, b=0x113e2f8) at hostmask.c:255
#2  0x000000000040c4ab in add_id (client_p=0x7ffff7f9a058, chptr=0x11264e8, banid=<value optimized out>, type=<value optimized out>) at channel_mode.c:233
#3  0x000000000040cd28 in chm_ban (client_p=0x7ffff7f9a058, source_p=0x7ffff7f9a058, chptr=0x11264e8, parc=<value optimized out>, parn=0x7ffff7565580, parv=0x2f, errors=0x7fffffffdd08, alev=2, dir=1, c=98 'b', d=0x0, chname=0x1126774 "#foo") at channel_mode.c:803
#4  0x000000000040baac in set_channel_mode (client_p=<value optimized out>, source_p=<value optimized out>, chptr=<value optimized out>, member=<value optimized out>, parc=2, parv=0x8ed410, chname=0x1126774 "#foo") at channel_mode.c:1785
#5  0x00007fffee7655a4 in m_mode (client_p=0x7ffff7f9a058, source_p=0x7ffff7f9a058, parc=4, parv=0x8ed400) at m_mode.c:115
#6  0x0000000000422d9f in parse_client_queued (client_p=0x7ffff7f9a058) at packet.c:216
#7  0x0000000000422ee5 in read_packet (fd=0x10faa18, data=<value optimized out>) at packet.c:359
#8  0x0000000000423ead in comm_select () at s_bsd_epoll.c:204
#9  0x000000000041f7f8 in io_loop (argc=0, argv=0x7fffffffe588) at ircd.c:237
#10 main (argc=0, argv=0x7fffffffe588) at ircd.c:670
--
Henri Salo
--- End Message ---
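The validation gap the report describes (strtoul accepting a leading sign, leading whitespace and trailing junk, and the resulting bits value being used as an index into addb[]), shown as an added example. This is not ircd-hybrid's code and not the reporter's proof of concept: the function names, the naive parser modelled on the description, and all probe inputs are constructed for illustration. It puts a naive prefix-length parse beside a hardened one and only applies the mask after the prefix length has been range-checked, so the array index is always in bounds.

```c
/* Added example (not ircd-hybrid's code): why a "/bits" prefix length parsed
 * with strtoul needs explicit validation, next to a hardened parser.
 * All inputs below are constructed for the demonstration. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive parse, modelled on the report's description (hypothetical). strtoul
 * accepts an optional sign, so "-1" yields ULONG_MAX; storing that in an int
 * gives -1 on every mainstream two's-complement compiler. With only an upper
 * bound checked, negative and overflowed values are accepted. */
static int naive_prefix_bits(const char *p, int *bits)
{
    int v = (int)strtoul(p, NULL, 10);   /* "-1" -> -1, "32abc" -> 32, " 5" -> 5 */
    if (v > 32)
        return -1;
    *bits = v;
    return 0;
}

/* Hardened parse: the first character must be a digit (rejects a sign and the
 * leading whitespace strtoul would skip), the whole string must be consumed,
 * overflow is reported through errno, and the value must be 0..max_bits. */
static int parse_prefix_bits(const char *p, int max_bits, int *bits)
{
    char *end;
    unsigned long v;

    if (p == NULL || !isdigit((unsigned char)*p))
        return -1;
    errno = 0;
    v = strtoul(p, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    if (v > (unsigned long)max_bits)
        return -1;
    *bits = (int)v;
    return 0;
}

/* Apply a validated prefix length to a 4-byte address. Every index here is
 * derived from bits, so this is only safe once bits is known to be 0..32;
 * an expression like addb[bits / 8] with a negative bits value writes
 * outside the array, which is the kind of failure the backtrace shows. */
static void apply_v4_mask(unsigned char addb[4], int bits)
{
    for (int i = 0; i < 4; i++) {
        int keep = bits - 8 * i;          /* prefix bits that fall in byte i */
        if (keep >= 8)
            continue;                     /* byte entirely inside the prefix */
        if (keep <= 0) {
            addb[i] = 0;                  /* byte entirely outside the prefix */
            continue;
        }
        addb[i] &= (unsigned char)(0xFFu << (8 - keep));
    }
}

/* Parse "a.b.c.d/bits" into addb[] and *bits using the hardened parser.
 * Returns 0 on success, -1 on any malformed input. */
static int parse_v4_cidr(const char *text, unsigned char addb[4], int *bits)
{
    unsigned int o[4];
    int n = 0;                            /* chars consumed up to and including '/' */

    if (sscanf(text, "%3u.%3u.%3u.%3u/%n", &o[0], &o[1], &o[2], &o[3], &n) != 4 || n == 0)
        return -1;
    for (int i = 0; i < 4; i++) {
        if (o[i] > 255)
            return -1;
        addb[i] = (unsigned char)o[i];
    }
    if (parse_prefix_bits(text + n, 32, bits) != 0)
        return -1;
    apply_v4_mask(addb, *bits);
    return 0;
}

int main(void)
{
    /* Constructed probes: one valid prefix and five that strtoul alone lets through or mishandles. */
    const char *probes[] = { "24", "-1", "32abc", " 5", "99999999999999999999", "33" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int nb = 0, hb = 0;
        int nr = naive_prefix_bits(probes[i], &nb);
        int hr = parse_prefix_bits(probes[i], 32, &hb);
        printf("%-22s naive: %s (%d)   hardened: %s\n", probes[i],
               nr == 0 ? "accepted" : "rejected", nr == 0 ? nb : 0,
               hr == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The point of the hardened parser is not the strtoul call itself but the three checks around it: a leading-digit test before calling it (strtoul's own sign and whitespace handling cannot be turned off), an end-pointer test afterwards, and a range test before the value is ever used as an index.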
--- Begin Message ---
All Debian packages were tested and are not affected by this issue. I wonder who made
these changes to the Debian packages' code, as he/she did not report these issues to
upstream (or didn't know about the problem).
--
Henri Salo
--- End Message ---