[Pkg-irc-commits] r293 - in /packages/inspircd2/trunk/debian: changelog patches/03_CVE-2012-1836.diff patches/series
kcd-guest at users.alioth.debian.org
kcd-guest at users.alioth.debian.org
Mon Apr 9 15:01:48 UTC 2012
Author: kcd-guest
Date: Mon Apr 9 15:01:47 2012
New Revision: 293
URL: http://svn.debian.org/wsvn/pkg-irc/?sc=1&rev=293
Log:
Sponsoring the upload and fix CVE-2012-1836 (thanks jmw)
Added:
packages/inspircd2/trunk/debian/patches/03_CVE-2012-1836.diff
Modified:
packages/inspircd2/trunk/debian/changelog
packages/inspircd2/trunk/debian/patches/series
Modified: packages/inspircd2/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-irc/packages/inspircd2/trunk/debian/changelog?rev=293&op=diff
==============================================================================
--- packages/inspircd2/trunk/debian/changelog (original)
+++ packages/inspircd2/trunk/debian/changelog Mon Apr 9 15:01:47 2012
@@ -1,5 +1,6 @@
-inspircd (2.0.5-1) unstable; urgency=low
+inspircd (2.0.5-0.1) unstable; urgency=low
+ [ Guillaume Delacour ]
* Add myself to uploaders.
* Remove Mario Iseli to uploaders (officially MIA)
* New upstream release (Closes: #545233, #519910, #620960, #641299)
@@ -54,7 +55,15 @@
upstream changes (tags security, performance and log), line break to 80
and load absolute path for /etc/inspircd/inspircd.{motd,rules}
- -- Guillaume Delacour <gui at iroqwa.org> Mon, 14 Nov 2011 22:05:55 +0100
+ [ Jonathan Wiltshire ]
+ * Non-maintainer upload.
+ This is really sponsorship with an added patch, but technically still
+ an NMU.
+ * Patch 03_CVE-2012-1836: protect against buffer overflow vulnerability
+ in src/dns.cpp (merge from upstream)
+ Closes: #667914 CVE-2012-1836
+
+ -- Jonathan Wiltshire <jmw at debian.org> Sat, 07 Apr 2012 22:25:39 +0100
inspircd (1.1.22+dfsg-4) unstable; urgency=low
Added: packages/inspircd2/trunk/debian/patches/03_CVE-2012-1836.diff
URL: http://svn.debian.org/wsvn/pkg-irc/packages/inspircd2/trunk/debian/patches/03_CVE-2012-1836.diff?rev=293&op=file
==============================================================================
--- packages/inspircd2/trunk/debian/patches/03_CVE-2012-1836.diff (added)
+++ packages/inspircd2/trunk/debian/patches/03_CVE-2012-1836.diff Mon Apr 9 15:01:47 2012
@@ -1,0 +1,125 @@
+Subject: protect against buffer overflow attack in src/dns.cpp
+Author: William Pitcock <nenolod at dereferenced.org>
+Bug: https://github.com/inspircd/inspircd/pull/1
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667914
+Forwarded: not-needed
+Last-Update: 2012-04-07
+
+--- inspircd-2.0.5.orig/src/dns.cpp
++++ inspircd-2.0.5/src/dns.cpp
+@@ -38,6 +38,8 @@
+ #include "configreader.h"
+ #include "socket.h"
+
++#define DN_COMP_BITMASK 0xC000 /* highest 6 bits in a DN label header */
++
+ /** Masks to mask off the responses we get from the DNSRequest methods
+ */
+ enum QueryInfo
+@@ -98,7 +100,7 @@
+
+ DNSRequest(DNS* dns, int id, const std::string &original);
+ ~DNSRequest();
+- DNSInfo ResultIsReady(DNSHeader &h, int length);
++ DNSInfo ResultIsReady(DNSHeader &h, unsigned length);
+ int SendRequests(const DNSHeader *header, const int length, QueryType qt);
+ };
+
+@@ -161,7 +163,10 @@
+ /* Allocate the processing buffer */
+ DNSRequest::DNSRequest(DNS* dns, int rid, const std::string &original) : dnsobj(dns)
+ {
+- res = new unsigned char[512];
++ /* hardening against overflow here: make our work buffer twice the theoretical
++ * maximum size so that hostile input doesn't screw us over.
++ */
++ res = new unsigned char[sizeof(DNSHeader) * 2];
+ *res = 0;
+ orig = original;
+ RequestTimeout* RT = new RequestTimeout(ServerInstance->Config->dns_timeout ? ServerInstance->Config->dns_timeout : 5, this, rid);
+@@ -688,11 +693,11 @@
+ }
+
+ /** A result is ready, process it */
+-DNSInfo DNSRequest::ResultIsReady(DNSHeader &header, int length)
++DNSInfo DNSRequest::ResultIsReady(DNSHeader &header, unsigned length)
+ {
+- int i = 0;
++ unsigned i = 0, o;
+ int q = 0;
+- int curanswer, o;
++ int curanswer;
+ ResourceRecord rr;
+ unsigned short ptr;
+
+@@ -790,17 +795,31 @@
+
+ switch (rr.type)
+ {
++ /*
++ * CNAME and PTR are compressed. We need to decompress them.
++ */
+ case DNS_QUERY_CNAME:
+- /* CNAME and PTR have the same processing code */
+ case DNS_QUERY_PTR:
+ o = 0;
+ q = 0;
+ while (q == 0 && i < length && o + 256 < 1023)
+ {
++ /* DN label found (byte over 63) */
+ if (header.payload[i] > 63)
+ {
+ memcpy(&ptr,&header.payload[i],2);
+- i = ntohs(ptr) - 0xC000 - 12;
++
++ i = ntohs(ptr);
++
++ /* check that highest two bits are set. if not, we've been had */
++ if (!(i & DN_COMP_BITMASK))
++ return std::make_pair((unsigned char *) NULL, "DN label decompression header is bogus");
++
++ /* mask away the two highest bits. */
++ i &= ~DN_COMP_BITMASK;
++
++ /* and decrease length by 12 bytes. */
++ i =- 12;
+ }
+ else
+ {
+@@ -813,7 +832,11 @@
+ res[o] = 0;
+ if (o != 0)
+ res[o++] = '.';
+- memcpy(&res[o],&header.payload[i + 1],header.payload[i]);
++
++ if (o + header.payload[i] > sizeof(DNSHeader))
++ return std::make_pair((unsigned char *) NULL, "DN label decompression is impossible -- malformed/hostile packet?");
++
++ memcpy(&res[o], &header.payload[i + 1], header.payload[i]);
+ o += header.payload[i];
+ i += header.payload[i] + 1;
+ }
+@@ -822,16 +845,21 @@
+ res[o] = 0;
+ break;
+ case DNS_QUERY_AAAA:
++ if (rr.rdlength != sizeof(struct in6_addr))
++ return std::make_pair((unsigned char *) NULL, "rr.rdlength is larger than 16 bytes for an ipv6 entry -- malformed/hostile packet?");
++
+ memcpy(res,&header.payload[i],rr.rdlength);
+ res[rr.rdlength] = 0;
+ break;
+ case DNS_QUERY_A:
++ if (rr.rdlength != sizeof(struct in_addr))
++ return std::make_pair((unsigned char *) NULL, "rr.rdlength is larger than 4 bytes for an ipv4 entry -- malformed/hostile packet?");
++
+ memcpy(res,&header.payload[i],rr.rdlength);
+ res[rr.rdlength] = 0;
+ break;
+ default:
+- memcpy(res,&header.payload[i],rr.rdlength);
+- res[rr.rdlength] = 0;
++ return std::make_pair((unsigned char *) NULL, "don't know how to handle undefined type (" + ConvToStr(rr.type) + ") -- rejecting");
+ break;
+ }
+ return std::make_pair(res,"No error");
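Review bot: In the CNAME/PTR branch of the embedded dns.cpp patch, `i =- 12;` parses as `i = -12`, not a subtraction; the comment above it ("decrease length by 12 bytes") suggests `i -= 12;` was meant. Because `i` is now `unsigned`, the assignment wraps to a very large value, so the loop most likely exits on `i < length` without ever following a compression pointer. The guard `if (!(i & DN_COMP_BITMASK))` accepts a value with only one of the two top bits set, although its comment requires both; `if ((i & DN_COMP_BITMASK) != DN_COMP_BITMASK)` matches the stated intent. Once the subtraction is corrected, an offset below 12 will wrap, and the pointer branch never advances `o`, so the loop also needs an explicit `i < 12` rejection and a cap on the number of jumps. The body of `ResultIsReady` begins and ends outside the visible hunks, so the bounds on the source-side reads from `header.payload` cannot be confirmed from here.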
Modified: packages/inspircd2/trunk/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-irc/packages/inspircd2/trunk/debian/patches/series?rev=293&op=diff
==============================================================================
--- packages/inspircd2/trunk/debian/patches/series (original)
+++ packages/inspircd2/trunk/debian/patches/series Mon Apr 9 15:01:47 2012
@@ -1,2 +1,3 @@
01_spelling_error.diff
02_disable_rpath_for_extra_modules.diff
+03_CVE-2012-1836.diff