Control: tags -1 +pending +patch

Hi,

This is a fix for a "certificate fingerprint spoofing through crafted SASL messages" in Charybdis:

https://security-tracker.debian.org/tracker/CVE-2016-7143

I backported the patch from 3.5 to 3.4, it seems to apply, but I haven't tested it directly. Debdiff attached.

Note that I restore the "+" separator for the deb8uX version as 3.4 is not in stretch anymore, so there's no risk of a failed upgrade. It felt confusing to keep X=1 so I bumped the release number to 3.4.2-5+deb8u2.

diff -Nru charybdis-3.4.2/debian/changelog charybdis-3.4.2/debian/changelog --- charybdis-3.4.2/debian/changelog 2015-11-19 13:58:01.000000000 -0500 +++ charybdis-3.4.2/debian/changelog 2016-09-05 19:45:08.000000000 -0400 @@ -1,3 +1,9 @@ +charybdis (3.4.2-5+deb8u2) jessie-security; urgency=high + + * add fix for CVE-2016-7143, backported from upstream (Closes: #836714) + + -- Antoine Beaupré <anar...@debian.org> Mon, 05 Sep 2016 19:41:12 -0400 + charybdis (3.4.2-5~deb8u1) stable; urgency=high * switch to new anonscm hostnames diff -Nru charybdis-3.4.2/debian/patches/sasl-spoofing-836714.patch charybdis-3.4.2/debian/patches/sasl-spoofing-836714.patch --- charybdis-3.4.2/debian/patches/sasl-spoofing-836714.patch 1969-12-31 19:00:00.000000000 -0500 +++ charybdis-3.4.2/debian/patches/sasl-spoofing-836714.patch 2016-09-05 19:45:08.000000000 -0400 
@@ -0,0 +1,28 @@ +From 818a3fda944b26d4814132cee14cfda4ea4aa824 Mon Sep 17 00:00:00 2001 +From: Aaron Jones <aaronmdjo...@gmail.com> +Date: Sat, 3 Sep 2016 17:28:41 +0000 +Subject: [PATCH] SASL: Disallow beginning : and space anywhere in AUTHENTICATE + parameter + +This is a FIX FOR A SECURITY VULNERABILITY. All Charybdis users must +apply this fix if you support SASL on your servers, or unload m_sasl.so +in the meantime. +--- + modules/m_sasl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/modules/m_sasl.c ++++ b/modules/m_sasl.c +@@ -83,6 +83,12 @@ mr_authenticate(struct Client *client_p, + return 0; + } + ++ if (*parv[1] == ':' || strchr(parv[1], ' ')) ++ { ++ exit_client(client_p, client_p, client_p, "Malformed AUTHENTICATE"); ++ return 0; ++ } ++ + if(source_p->preClient->sasl_complete) + { + sendto_one(source_p, form_str(ERR_SASLALREADY), me.name, EmptyString(source_p->name) ? "*" : source_p->name); diff -Nru charybdis-3.4.2/debian/patches/series charybdis-3.4.2/debian/patches/series --- charybdis-3.4.2/debian/patches/series 2015-11-19 13:58:01.000000000 -0500 +++ charybdis-3.4.2/debian/patches/series 2016-09-05 19:45:08.000000000 -0400 @@ -1,3 +1,4 @@ +sasl-spoofing-836714.patch fix-paths ircd.conf.patch non-static-sqlite
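
Review bot: In the debian/changelog hunk, the new entry records only the CVE fix, while the version string also changes separator from 3.4.2-5~deb8u1 to 3.4.2-5+deb8u2 and the target moves from stable to jessie-security. Suggest adding a changelog line that states the return to the "+" separator and the reason given in the mail (3.4 is no longer in stretch), so the jump from u1 to u2 is explained in the package itself.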
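
Review bot: In the mr_authenticate() addition carried by sasl-spoofing-836714.patch, the rejection of a leading ':' or any space in parv[1] has no comment saying what it protects against; a one-line comment naming CVE-2016-7143 above the new "if" would keep the check from being relaxed later. The new block also calls exit_client(client_p, client_p, client_p, ...) while the adjacent context lines operate on source_p, and it writes "if (" where the following context line uses "if("; since the mail says the 3.4 backport was not tested directly, it is worth confirming against the 3.4.2 source that client_p is the intended client at this point. The patch header has From, Date and Subject but no Bug-Debian or Origin field; adding them would tie the file to #836714 and to upstream commit 818a3fda944b26d4814132cee14cfda4ea4aa824.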

I am running the resulting .deb in production, and am ready to upload when confirmation is received.

A.

-- 
We all pay for life with death, so everything in between should be free.
                        - Bill Hicks