On Tue, Jan 29, 2013 at 05:38:36PM +0200, Henri Salo wrote:
> Mr. Bob Nomnomnom from Torland reported a denial of service security
> vulnerability in ircd-hybrid. Function hostmask.c:try_parse_v4_netmask() is
> using strtoul to parse masks. Documentation says strtoul can parse "-number"
> as well. Validation of input does not catch evil bits. I can give proof of
> concept if needed.
>
> Fixed in commit:
> http://svn.ircd-hybrid.org:8000/viewcvs.cgi/ircd-hybrid/trunk/src/hostmask.c?r1=1786&r2=1785&pathrev=1786
> Fixed in: ircd-hybrid 8.0.6

Hi security team.

I've fixed this in experimental and unstable, and the attached debdiff fixes it for stable too. Please let me know if I may upload.

Cheers,
Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

diff -u ircd-hybrid-7.2.2.dfsg.2/debian/changelog ircd-hybrid-7.2.2.dfsg.2/debian/changelog --- ircd-hybrid-7.2.2.dfsg.2/debian/changelog +++ ircd-hybrid-7.2.2.dfsg.2/debian/changelog @@ -1,3 +1,11 @@ +ircd-hybrid (1:7.2.2.dfsg.2-6.2+squeeze1) stable-security; urgency=high + + * New maintainer (Closes: #548366) + * [CVE-2013-0238] fix DoS in hostmask.c:try_parse_v4_netmask() + (Closes: #699267) + + -- Dominic Hargreaves <d...@earth.li> Sun, 03 Feb 2013 01:19:57 +0000 + ircd-hybrid (1:7.2.2.dfsg.2-6.2) unstable; urgency=low * Non-maintainer upload. diff -u ircd-hybrid-7.2.2.dfsg.2/debian/control ircd-hybrid-7.2.2.dfsg.2/debian/control --- ircd-hybrid-7.2.2.dfsg.2/debian/control +++ ircd-hybrid-7.2.2.dfsg.2/debian/control @@ -2,8 +2,7 @@ Section: net Priority: optional Build-Depends: debhelper (>= 4.1.16), zlib1g-dev, dpatch, docbook-to-man, flex, bison, libpcre3-dev (>= 6.3) -Maintainer: Joshua Kwan <jo...@triplehelix.org> -Uploaders: Aurélien GÉRÔME <a...@debian.org> +Maintainer: Dominic Hargreaves <d...@earth.li> Standards-Version: 3.8.0 Homepage: http://ircd-hybrid.com/ diff -u ircd-hybrid-7.2.2.dfsg.2/debian/control.in ircd-hybrid-7.2.2.dfsg.2/debian/control.in --- ircd-hybrid-7.2.2.dfsg.2/debian/control.in +++ ircd-hybrid-7.2.2.dfsg.2/debian/control.in @@ -2,8 +2,7 @@ Section: net Priority: optional Build-Depends: debhelper (>= 4.1.16), zlib1g-dev, dpatch, docbook-to-man, flex, bison, libpcre3-dev (>= 6.3) @SSL_BUILD_DEPENDS@ -Maintainer: Joshua Kwan <jo...@triplehelix.org> -Uploaders: Aurélien GÉRÔME <a...@debian.org> +Maintainer: Dominic Hargreaves <d...@earth.li> Standards-Version: 3.8.0 Homepage: http://ircd-hybrid.com/ diff -u ircd-hybrid-7.2.2.dfsg.2/debian/patches/00list ircd-hybrid-7.2.2.dfsg.2/debian/patches/00list --- ircd-hybrid-7.2.2.dfsg.2/debian/patches/00list +++ ircd-hybrid-7.2.2.dfsg.2/debian/patches/00list 
@@ -18,2 +18,3 @@ 19_sslonly +23-netmask-dos.dpatch 98_patchlevel_debian only in patch2: unchanged: --- ircd-hybrid-7.2.2.dfsg.2.orig/debian/patches/23-netmask-dos.dpatch +++ ircd-hybrid-7.2.2.dfsg.2/debian/patches/23-netmask-dos.dpatch @@ -0,0 +1,20 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 23-netmask-dos.dpatch by Michael Wobst <wobst.mich...@web.de> +## +## DP: Fixed possible core in try_parse_v4_netmask() as reported by bobnomnom +## +## All lines beginning with `## DP:' are a description of the patch. + +diff --git a/src/hostmask.c b/src/hostmask.c +index 3c06b68..5937843 100644 +--- a/src/hostmask.c ++++ b/src/hostmask.c +@@ -198,7 +198,7 @@ try_parse_v4_netmask(const char *text, struct irc_ssaddr *addr, int *b) + { + char *after; + bits = strtoul(p + 1, &after, 10); +- if (!bits || *after) ++ if (bits < 0 || *after) + return HM_HOST; + if (bits > n * 8) + return HM_HOST;
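
Review bot: in the src/hostmask.c hunk of 23-netmask-dos.dpatch, the new `bits < 0` test only works if `bits` is a signed type (its declaration is not in the hunk) and then depends on how the unsigned long returned by strtoul() is narrowed, so a very large value can still wrap into the accepted range. Dropping `!bits` also means an empty length after the '/' is no longer rejected: strtoul() returns 0 with `*after` already at the terminator, and the text is treated as a /0 mask. Suggest requiring a digit at `p + 1` (or checking `after == p + 1`) and comparing the strtoul() result against `n * 8` before it is assigned to `bits`.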
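
Review bot: the Maintainer/Uploaders change in the debian/control and debian/control.in hunks is unrelated to the CVE-2013-0238 fix and makes this stable-security debdiff larger than the fix requires. Consider leaving the maintainer change and its "New maintainer" changelog line to the unstable upload, so the stable debdiff carries only 23-netmask-dos.dpatch, its 00list entry and the CVE changelog line.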
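
The strtoul() behaviour described in the quoted report, as an added example that is not part of the original thread or of ircd-hybrid's code: strtoul() accepts a leading sign, so a prefix-length parser has to reject it before converting and range-check before narrowing. `parse_prefix_len` and `raw_strtoul` are hypothetical names, the sample inputs are constructed, and accepting a length of 0 is an assumption.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not from ircd-hybrid): parse the text that follows
 * '/' in a netmask. Returns the prefix length 0..max_bits, or -1 if invalid. */
static int parse_prefix_len(const char *s, int max_bits)
{
    char *end;
    unsigned long v;

    /* strtoul() skips leading whitespace and accepts '+' or '-',
     * so insist that the very first character is a digit. */
    if (!isdigit((unsigned char)s[0]))
        return -1;

    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')  /* overflow or trailing junk */
        return -1;
    if (v > (unsigned long)max_bits)      /* compare before narrowing to int */
        return -1;
    return (int)v;
}

/* What strtoul() itself returns for a signed input: the value is negated
 * in unsigned arithmetic, so "-1" becomes ULONG_MAX. */
static unsigned long raw_strtoul(const char *s)
{
    return strtoul(s, NULL, 10);
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "24", "0", "32", "33", "-1", "+8", " 8",
                              "", "8x", "99999999999999999999" };
    size_t i;

    printf("strtoul(\"-1\") = %lu\n", raw_strtoul("-1"));
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %d\n", samples[i], parse_prefix_len(samples[i], 32));
    return 0;
}
```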