[Pkg-irc-commits] r297 - in /packages/inspircd/trunk/debian: changelog patches/00list patches/05_CVE-2012-1836.dpatch
kcd-guest at users.alioth.debian.org
kcd-guest at users.alioth.debian.org
Sat May 26 16:58:41 UTC 2012
Author: kcd-guest
Date: Sat May 26 16:58:41 2012
New Revision: 297
URL: http://svn.debian.org/wsvn/pkg-irc/?sc=1&rev=297
Log:
For history, add security upload from Jonathan Wiltshire for 1.1.22 version in squeeze (#667914 CVE-2012-1836)
Added:
packages/inspircd/trunk/debian/patches/05_CVE-2012-1836.dpatch
Modified:
packages/inspircd/trunk/debian/changelog
packages/inspircd/trunk/debian/patches/00list
Modified: packages/inspircd/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-irc/packages/inspircd/trunk/debian/changelog?rev=297&op=diff
==============================================================================
--- packages/inspircd/trunk/debian/changelog (original)
+++ packages/inspircd/trunk/debian/changelog Sat May 26 16:58:41 2012
@@ -1,8 +1,10 @@
-inspircd (1.1.23-1) unstable; urgency=low
+inspircd (1.1.22+dfsg-4+squeeze1) stable-security; urgency=low
- * New upstream release
+ * Non-maintainer upload.
+ * Protect against a buffer overflow in src/dns.cpp
+ Closes: #667914 CVE-2012-1836
- -- Matt Arnold <mattarnold5 at gmail.com> Fri, 27 Nov 2009 13:24:43 -0500
+ -- Jonathan Wiltshire <jmw at debian.org> Sat, 07 Apr 2012 23:17:18 +0100
inspircd (1.1.22+dfsg-4) unstable; urgency=low
Modified: packages/inspircd/trunk/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-irc/packages/inspircd/trunk/debian/patches/00list?rev=297&op=diff
==============================================================================
--- packages/inspircd/trunk/debian/patches/00list (original)
+++ packages/inspircd/trunk/debian/patches/00list Sat May 26 16:58:41 2012
@@ -2,3 +2,4 @@
02_fix_gnutls_config.dpatch
03_use_pkg-config_gnutls.dpatch
04_gcc44_fixes.dpatch
+05_CVE-2012-1836.dpatch
Added: packages/inspircd/trunk/debian/patches/05_CVE-2012-1836.dpatch
URL: http://svn.debian.org/wsvn/pkg-irc/packages/inspircd/trunk/debian/patches/05_CVE-2012-1836.dpatch?rev=297&op=file
==============================================================================
--- packages/inspircd/trunk/debian/patches/05_CVE-2012-1836.dpatch (added)
+++ packages/inspircd/trunk/debian/patches/05_CVE-2012-1836.dpatch Sat May 26 16:58:41 2012
@@ -1,0 +1,127 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 05_CVE-2012-1836.dpatch by Jonathan Wiltshire <jmw at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Protect against buffer overflow in src/dns.cpp
+## DP: CVE-2012-1836 (#667914)
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' inspircd-1.1.22+dfsg~/src/dns.cpp inspircd-1.1.22+dfsg/src/dns.cpp
+--- inspircd-1.1.22+dfsg~/src/dns.cpp 2012-04-07 23:14:55.000000000 +0100
++++ inspircd-1.1.22+dfsg/src/dns.cpp 2012-04-07 23:16:01.292193775 +0100
+@@ -45,6 +45,8 @@
+ using irc::sockets::OpenTCPSocket;
+ using irc::sockets::NonBlocking;
+
++#define DN_COMP_BITMASK 0xC000 /* highest 6 bits in a DN label header */
++
+ /** Masks to mask off the responses we get from the DNSRequest methods
+ */
+ enum QueryInfo
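Review bot: The comment on `DN_COMP_BITMASK` says "highest 6 bits", but 0xC000 covers the top two bits of the 16-bit value read from the packet, which is also how the later check in ResultIsReady describes it. I would word it as `/* top two bits of a 16-bit DNS name-compression pointer */`. A typed constant such as `static const unsigned DN_COMP_BITMASK = 0xC000;` would also keep the name out of the preprocessor.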
+@@ -105,7 +107,7 @@
+
+ DNSRequest(InspIRCd* Instance, DNS* dns, int id, const std::string &original);
+ ~DNSRequest();
+- DNSInfo ResultIsReady(DNSHeader &h, int length);
++ DNSInfo ResultIsReady(DNSHeader &h, unsigned length);
+ int SendRequests(const DNSHeader *header, const int length, QueryType qt);
+ };
+
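Review bot: Changing `length` to `unsigned` in this declaration (and in the definition further down) means a negative value passed by a caller is converted to a very large one, so the `i < length` loop guards in ResultIsReady stop bounding anything. The callers are outside this patch, so it is not visible whether they reject a failed or short read before computing the payload length; that check needs to happen before the call, against the same 12-byte header size the parser subtracts. The definition also now mixes `unsigned i = 0, o;` with `int q` and `int curanswer`, so the comparisons elsewhere in the body deserve a pass with sign-compare warnings enabled.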
+@@ -155,7 +157,10 @@
+ /* Allocate the processing buffer */
+ DNSRequest::DNSRequest(InspIRCd* Instance, DNS* dns, int id, const std::string &original) : dnsobj(dns)
+ {
+- res = new unsigned char[512];
++ /* hardening against overflow here: make our work buffer twice the theoretical
++ * maximum size so that hostile input doesn't screw us over.
++ */
++ res = new unsigned char[sizeof(DNSHeader) * 2];
+ *res = 0;
+ orig = original;
+ RequestTimeout* RT = new RequestTimeout(Instance->Config->dns_timeout ? Instance->Config->dns_timeout : 5, Instance, this, id);
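Review bot: The allocation size `sizeof(DNSHeader) * 2` is linked only by convention to the bound `sizeof(DNSHeader)` that ResultIsReady checks before its label memcpy, and the older `o + 256 < 1023` loop condition still assumes a different size. A single named constant used for the allocation and for every bound on `res` would keep them from drifting apart, e.g. `static const size_t DNS_RES_BUFSIZE = sizeof(DNSHeader) * 2;`. The comment should also say what the "theoretical maximum" is; DNSHeader's definition is not visible here, so its size cannot be confirmed from this patch. The constructor body continues outside the hunk.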
+@@ -776,11 +781,11 @@
+ }
+
+ /** A result is ready, process it */
+-DNSInfo DNSRequest::ResultIsReady(DNSHeader &header, int length)
++DNSInfo DNSRequest::ResultIsReady(DNSHeader &header, unsigned length)
+ {
+- int i = 0;
++ unsigned i = 0, o;
+ int q = 0;
+- int curanswer, o;
++ int curanswer;
+ ResourceRecord rr;
+ unsigned short ptr;
+
+@@ -875,17 +880,31 @@
+
+ switch (rr.type)
+ {
++ /*
++ * CNAME and PTR are compressed. We need to decompress them.
++ */
+ case DNS_QUERY_CNAME:
+- /* CNAME and PTR have the same processing code */
+ case DNS_QUERY_PTR:
+ o = 0;
+ q = 0;
+ while (q == 0 && i < length && o + 256 < 1023)
+ {
++ /* DN label found (byte over 63) */
+ if (header.payload[i] > 63)
+ {
+ memcpy(&ptr,&header.payload[i],2);
+- i = ntohs(ptr) - 0xC000 - 12;
++
++ i = ntohs(ptr);
++
++ /* check that highest two bits are set. if not, we've been had */
++ if (!(i & DN_COMP_BITMASK))
++ return std::make_pair((unsigned char *) NULL, "DN label decompression header is bogus");
++
++ /* mask away the two highest bits. */
++ i &= ~DN_COMP_BITMASK;
++
++ /* and decrease length by 12 bytes. */
++ i =- 12;
+ }
+ else
+ {
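Review bot: `i =- 12;` assigns minus twelve to `i` instead of subtracting the header size; with `i` now unsigned that is a huge value, so the `i < length` condition ends the loop and a compression pointer is never followed, leaving a truncated name in `res`. The line should read `i -= 12;`. The check above it also accepts a value with only one of the two top bits set, while the comment says both must be; `if ((i & DN_COMP_BITMASK) != DN_COMP_BITMASK)` matches the comment. Once the subtraction is corrected, a pointer that leads back to itself would keep the loop running, because neither `o` nor `q` changes on that path, so a cap on the number of jumps per name looks necessary. The loop body continues outside this hunk.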
+@@ -898,7 +917,11 @@
+ res[o] = 0;
+ if (o != 0)
+ res[o++] = '.';
+- memcpy(&res[o],&header.payload[i + 1],header.payload[i]);
++
++ if (o + header.payload[i] > sizeof(DNSHeader))
++ return std::make_pair((unsigned char *) NULL, "DN label decompression is impossible -- malformed/hostile packet?");
++
++ memcpy(&res[o], &header.payload[i + 1], header.payload[i]);
+ o += header.payload[i];
+ i += header.payload[i] + 1;
+ }
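Review bot: The new check bounds the write into `res` but not the read from the packet: `memcpy(&res[o], &header.payload[i + 1], header.payload[i])` can copy up to 63 bytes starting at `i + 1` while the loop only guarantees `i < length`. A label whose length runs past the received data should be rejected first, e.g. `if (i + 1 + header.payload[i] > length) return std::make_pair((unsigned char *) NULL, "DN label runs past end of packet");`. The same applies to the `memcpy(res,&header.payload[i],rr.rdlength)` calls in the A and AAAA cases of the next hunk, unless a check outside these hunks already compares `i + rr.rdlength` with `length`. The loop body starts outside this hunk.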
+@@ -907,16 +930,21 @@
+ res[o] = 0;
+ break;
+ case DNS_QUERY_AAAA:
++ if (rr.rdlength != sizeof(struct in6_addr))
++ return std::make_pair((unsigned char *) NULL, "rr.rdlength is larger than 16 bytes for an ipv6 entry -- malformed/hostile packet?");
++
+ memcpy(res,&header.payload[i],rr.rdlength);
+ res[rr.rdlength] = 0;
+ break;
+ case DNS_QUERY_A:
++ if (rr.rdlength != sizeof(struct in_addr))
++ return std::make_pair((unsigned char *) NULL, "rr.rdlength is larger than 4 bytes for an ipv4 entry -- malformed/hostile packet?");
++
+ memcpy(res,&header.payload[i],rr.rdlength);
+ res[rr.rdlength] = 0;
+ break;
+ default:
+- memcpy(res,&header.payload[i],rr.rdlength);
+- res[rr.rdlength] = 0;
++ return std::make_pair((unsigned char *) NULL, "don't know how to handle undefined type (" + ConvToStr(rr.type) + ") -- rejecting");
+ break;
+ }
+ return std::make_pair(res,"No error");;
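Review bot: The A and AAAA error strings say rdlength "is larger than" 4 or 16 bytes, but the tests are `!=`, so a record that is too short produces a misleading log line; `"rr.rdlength is not 16 bytes for an ipv6 entry -- malformed/hostile packet?"` (and the 4-byte equivalent) would match the check. The `break;` after the `return` in the `default:` case is unreachable and can be dropped. The switch begins outside this hunk.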