Package: inspircd
Version: 2.0.5-1+b1
Severity: grave
Tags: security
Justification: user security hole

Hi,

I am an upstream maintainer for InspIRCd. The patch you have for
CVE-2012-1836 (patches/03_CVE-2012-1836.diff) is not the same patch we
released as part of 2.0.7 (there was no 2.0.6) to address the CVE. It
appears to be a version of this commit:
https://github.com/inspircd/inspircd/commit/9aa28f3730fb3dd69c1e06f78bb2bbc43d36c684.
However this commit was never in a release, and was only in git for about 6
days (due to someone other than me pulling it in). I looked at the CVE and
addressed it with two followup commits later.

This commit and your patch do not fix the problem. You can still send
maliciously crafted packets and cause remote code execution. This was fixed
in
https://github.com/inspircd/inspircd/commit/ed28c1ba666b39581adb860bf51cdde43c84cc89,
prior to the 2.0.7 release.

Furthermore, your patch introduces a buffer underflow where it has "i =- 12"
and not "i -= 12". This causes it to start reading from before the packet's
buffer. It is unclear to me what this can cause.

Additionally, at the same time I committed
58c893e834ff20495d007709220881a3ff13f423 to prevent malicious packets from
causing InspIRCd to infinite loop. This is not a part of the CVE as it does
not allow remote code execution, but is still a critical problem due to the
potential for denial of service.

You should perhaps apply these two patches on top of your existing ones, or
maybe fetch the dns.cpp file off of 2.0.7 here:
https://github.com/inspircd/inspircd/blob/v2.0.7/src/dns.cpp.
It does not change much.

I would be willing to go through and provide a proper set of patches for
this and other less-severe issues if requested. I do not want to do it up
front because it would be a lot of work, and I am not sure whether or not it
would be accepted. You have a very, very old InspIRCd version, and there is
a lot of stuff to sift through (about 3 years). Let me know.

Thanks,

Adam
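
The "i =- 12" versus "i -= 12" difference described in the report, as an added example that is not part of the original message and is not InspIRCd's dns.cpp. The packet contents, the starting offset of 20, and the helper names (rewind_typo, rewind_intended, rewind_checked, read_u8) are constructed for illustration; only the constant 12 comes from the report.

```c
#include <stddef.h>
#include <stdio.h>

#define STEP 12 /* the constant from the expression quoted in the report */

/* Typo form: "i =- 12" tokenizes as "i = (-12)"; the old offset is lost. */
static int rewind_typo(int i) { i =- STEP; return i; }

/* Intended form: compound subtraction moves the offset back by 12. */
static int rewind_intended(int i) { i -= STEP; return i; }

/* Hypothetical read helper: refuses any offset outside [0, len). */
static int read_u8(const unsigned char *buf, size_t len, int off,
                   unsigned char *out)
{
    if (off < 0 || (size_t)off >= len)
        return -1;          /* would read before or past the packet */
    *out = buf[off];
    return 0;
}

/* Rewind with validation: fails instead of producing a negative offset. */
static int rewind_checked(int i, int *out)
{
    if (i < STEP)
        return -1;
    *out = i - STEP;
    return 0;
}

int main(void)
{
    unsigned char pkt[32];  /* constructed sample packet: byte n holds n */
    unsigned char b = 0;
    int checked = 0;
    for (int n = 0; n < 32; n++) pkt[n] = (unsigned char)n;

    int bad = rewind_typo(20), good = rewind_intended(20);
    printf("typo -> %d, intended -> %d\n", bad, good);
    printf("read at typo offset: %d\n", read_u8(pkt, sizeof pkt, bad, &b));
    int rc = read_u8(pkt, sizeof pkt, good, &b);
    printf("read at intended offset: %d (byte %u)\n", rc, (unsigned)b);
    printf("checked rewind from 5: %d\n", rewind_checked(5, &checked));
    return 0;
}
```

With the typo the offset is always -12 regardless of where parsing had reached, so any unchecked `buf[i]` indexes memory ahead of the packet; a signed-offset bounds check on every read turns that into a parse failure.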
