[Pkg-irc-commits] r293 - in /packages/inspircd2/trunk/debian: changelog patches/03_CVE-2012-1836.diff patches/series

kcd-guest at users.alioth.debian.org kcd-guest at users.alioth.debian.org
Mon Apr 9 15:01:48 UTC 2012


Author: kcd-guest
Date: Mon Apr  9 15:01:47 2012
New Revision: 293

URL: http://svn.debian.org/wsvn/pkg-irc/?sc=1&rev=293
Log:
Sponsoring the upload and fix CVE-2012-1836 (thanks jmw)

Added:
    packages/inspircd2/trunk/debian/patches/03_CVE-2012-1836.diff
Modified:
    packages/inspircd2/trunk/debian/changelog
    packages/inspircd2/trunk/debian/patches/series

Modified: packages/inspircd2/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-irc/packages/inspircd2/trunk/debian/changelog?rev=293&op=diff
==============================================================================
--- packages/inspircd2/trunk/debian/changelog (original)
+++ packages/inspircd2/trunk/debian/changelog Mon Apr  9 15:01:47 2012
@@ -1,5 +1,6 @@
-inspircd (2.0.5-1) unstable; urgency=low
+inspircd (2.0.5-0.1) unstable; urgency=low
 
+  [ Guillaume Delacour ]
   * Add myself to uploaders.
   * Remove Mario Iseli to uploaders (officially MIA)
   * New upstream release (Closes: #545233, #519910, #620960, #641299)
@@ -54,7 +55,15 @@
     upstream changes (tags security, performance and log), line break to 80
     and load absolute path for /etc/inspircd/inspircd.{motd,rules}
 
- -- Guillaume Delacour <gui at iroqwa.org>  Mon, 14 Nov 2011 22:05:55 +0100
+  [ Jonathan Wiltshire ]
+  * Non-maintainer upload.
+    This is really sponsorship with an added patch, but technically still 
+    an NMU.
+  * Patch 03_CVE-2012-1836: protect against buffer overflow vulnerability
+    in src/dns.cpp (merge from upstream)
+    Closes: #667914 CVE-2012-1836
+
+ -- Jonathan Wiltshire <jmw at debian.org>  Sat, 07 Apr 2012 22:25:39 +0100
 
 inspircd (1.1.22+dfsg-4) unstable; urgency=low
 

Added: packages/inspircd2/trunk/debian/patches/03_CVE-2012-1836.diff
URL: http://svn.debian.org/wsvn/pkg-irc/packages/inspircd2/trunk/debian/patches/03_CVE-2012-1836.diff?rev=293&op=file
==============================================================================
--- packages/inspircd2/trunk/debian/patches/03_CVE-2012-1836.diff (added)
+++ packages/inspircd2/trunk/debian/patches/03_CVE-2012-1836.diff Mon Apr  9 15:01:47 2012
@@ -1,0 +1,125 @@
+Subject: protect against buffer overflow attack in src/dns.cpp
+Author: William Pitcock <nenolod at dereferenced.org>
+Bug: https://github.com/inspircd/inspircd/pull/1
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667914
+Forwarded: not-needed
+Last-Update: 2012-04-07
+
+--- inspircd-2.0.5.orig/src/dns.cpp
++++ inspircd-2.0.5/src/dns.cpp
+@@ -38,6 +38,8 @@
+ #include "configreader.h"
+ #include "socket.h"
+ 
++#define DN_COMP_BITMASK	0xC000		/* highest 6 bits in a DN label header */
++
+ /** Masks to mask off the responses we get from the DNSRequest methods
+  */
+ enum QueryInfo
+@@ -98,7 +100,7 @@
+ 
+ 	DNSRequest(DNS* dns, int id, const std::string &original);
+ 	~DNSRequest();
+-	DNSInfo ResultIsReady(DNSHeader &h, int length);
++	DNSInfo ResultIsReady(DNSHeader &h, unsigned length);
+ 	int SendRequests(const DNSHeader *header, const int length, QueryType qt);
+ };
+ 
+@@ -161,7 +163,10 @@
+ /* Allocate the processing buffer */
+ DNSRequest::DNSRequest(DNS* dns, int rid, const std::string &original) : dnsobj(dns)
+ {
+-	res = new unsigned char[512];
++	/* hardening against overflow here:  make our work buffer twice the theoretical
++	 * maximum size so that hostile input doesn't screw us over.
++	 */
++	res = new unsigned char[sizeof(DNSHeader) * 2];
+ 	*res = 0;
+ 	orig = original;
+ 	RequestTimeout* RT = new RequestTimeout(ServerInstance->Config->dns_timeout ? ServerInstance->Config->dns_timeout : 5, this, rid);
+@@ -688,11 +693,11 @@
+ }
+ 
+ /** A result is ready, process it */
+-DNSInfo DNSRequest::ResultIsReady(DNSHeader &header, int length)
++DNSInfo DNSRequest::ResultIsReady(DNSHeader &header, unsigned length)
+ {
+-	int i = 0;
++	unsigned i = 0, o;
+ 	int q = 0;
+-	int curanswer, o;
++	int curanswer;
+ 	ResourceRecord rr;
+  	unsigned short ptr;
+ 
+@@ -790,17 +795,31 @@
+ 
+ 	switch (rr.type)
+ 	{
++		/*
++		 * CNAME and PTR are compressed.  We need to decompress them.
++		 */
+ 		case DNS_QUERY_CNAME:
+-			/* CNAME and PTR have the same processing code */
+ 		case DNS_QUERY_PTR:
+ 			o = 0;
+ 			q = 0;
+ 			while (q == 0 && i < length && o + 256 < 1023)
+ 			{
++				/* DN label found (byte over 63) */
+ 				if (header.payload[i] > 63)
+ 				{
+ 					memcpy(&ptr,&header.payload[i],2);
+-					i = ntohs(ptr) - 0xC000 - 12;
++
++					i = ntohs(ptr);
++
++					/* check that highest two bits are set. if not, we've been had */
++					if (!(i & DN_COMP_BITMASK))
++						return std::make_pair((unsigned char *) NULL, "DN label decompression header is bogus");
++
++					/* mask away the two highest bits. */
++					i &= ~DN_COMP_BITMASK;
++
++					/* and decrease length by 12 bytes. */
++					i =- 12;
+ 				}
+ 				else
+ 				{
+@@ -813,7 +832,11 @@
+ 						res[o] = 0;
+ 						if (o != 0)
+ 							res[o++] = '.';
+-						memcpy(&res[o],&header.payload[i + 1],header.payload[i]);
++
++						if (o + header.payload[i] > sizeof(DNSHeader))
++							return std::make_pair((unsigned char *) NULL, "DN label decompression is impossible -- malformed/hostile packet?");
++
++						memcpy(&res[o], &header.payload[i + 1], header.payload[i]);
+ 						o += header.payload[i];
+ 						i += header.payload[i] + 1;
+ 					}
+@@ -822,16 +845,21 @@
+ 			res[o] = 0;
+ 		break;
+ 		case DNS_QUERY_AAAA:
++			if (rr.rdlength != sizeof(struct in6_addr))
++				return std::make_pair((unsigned char *) NULL, "rr.rdlength is larger than 16 bytes for an ipv6 entry -- malformed/hostile packet?");
++
+ 			memcpy(res,&header.payload[i],rr.rdlength);
+ 			res[rr.rdlength] = 0;
+ 		break;
+ 		case DNS_QUERY_A:
++			if (rr.rdlength != sizeof(struct in_addr))
++				return std::make_pair((unsigned char *) NULL, "rr.rdlength is larger than 4 bytes for an ipv4 entry -- malformed/hostile packet?");
++
+ 			memcpy(res,&header.payload[i],rr.rdlength);
+ 			res[rr.rdlength] = 0;
+ 		break;
+ 		default:
+-			memcpy(res,&header.payload[i],rr.rdlength);
+-			res[rr.rdlength] = 0;
++			return std::make_pair((unsigned char *) NULL, "don't know how to handle undefined type (" + ConvToStr(rr.type) + ") -- rejecting");
+ 		break;
+ 	}
+ 	return std::make_pair(res,"No error");
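Review bot: In the compression-pointer branch of the embedded src/dns.cpp patch, `i =- 12;` assigns minus twelve instead of subtracting it. Because `i` is now `unsigned`, the value wraps to a very large number, `i < length` fails, and the loop appears to stop without following the pointer, so compressed CNAME/PTR names would come back truncated; it should read `i -= 12;`. The subtraction also needs a guard that rejects masked offsets below 12, which would otherwise wrap the same way. The test `!(i & DN_COMP_BITMASK)` passes when only one of the top two bits is set, which contradicts its own comment; comparing against the full mask is stricter. Separately, the label copy bounds `o` against the buffer but never checks that `i + 1 + header.payload[i]` stays below `length`, and since `ResultIsReady` and `DNSHeader` are defined outside the hunk, that read bound should be confirmed against the real payload size.

```cpp
					i = ntohs(ptr);

					/* a compression pointer must have BOTH of the top two bits set */
					if ((i & DN_COMP_BITMASK) != DN_COMP_BITMASK)
						return std::make_pair((unsigned char *) NULL, "DN label decompression header is bogus");

					/* mask away the two highest bits. */
					i &= ~DN_COMP_BITMASK;

					/* an offset inside the 12-byte DNS header would wrap the unsigned subtraction */
					if (i < 12)
						return std::make_pair((unsigned char *) NULL, "DN label decompression header is bogus");

					/* make the offset relative to the payload */
					i -= 12;
```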

Modified: packages/inspircd2/trunk/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-irc/packages/inspircd2/trunk/debian/patches/series?rev=293&op=diff
==============================================================================
--- packages/inspircd2/trunk/debian/patches/series (original)
+++ packages/inspircd2/trunk/debian/patches/series Mon Apr  9 15:01:47 2012
@@ -1,2 +1,3 @@
 01_spelling_error.diff
 02_disable_rpath_for_extra_modules.diff
+03_CVE-2012-1836.diff



