[Pkg-irc-commits] r297 - in /packages/inspircd/trunk/debian: changelog patches/00list patches/05_CVE-2012-1836.dpatch

kcd-guest at users.alioth.debian.org kcd-guest at users.alioth.debian.org
Sat May 26 16:58:41 UTC 2012 

Author: kcd-guest
Date: Sat May 26 16:58:41 2012
New Revision: 297

URL: http://svn.debian.org/wsvn/pkg-irc/?sc=1&rev=297
Log:
For history, add security upload from Jonathan Wiltshire for 1.1.22 version in squeeze (#667914 CVE-2012-1836)

Added:
    packages/inspircd/trunk/debian/patches/05_CVE-2012-1836.dpatch
Modified:
    packages/inspircd/trunk/debian/changelog
    packages/inspircd/trunk/debian/patches/00list

Modified: packages/inspircd/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-irc/packages/inspircd/trunk/debian/changelog?rev=297&op=diff
==============================================================================
--- packages/inspircd/trunk/debian/changelog (original)
+++ packages/inspircd/trunk/debian/changelog Sat May 26 16:58:41 2012
@@ -1,8 +1,10 @@
-inspircd (1.1.23-1) unstable; urgency=low
+inspircd (1.1.22+dfsg-4+squeeze1) stable-security; urgency=low
 
-  *  New upstream release
+  * Non-maintainer upload.
+  * Protect against a buffer overflow in src/dns.cpp
+    Closes: #667914 CVE-2012-1836
 
- -- Matt Arnold <mattarnold5 at gmail.com>  Fri, 27 Nov 2009 13:24:43 -0500
+ -- Jonathan Wiltshire <jmw at debian.org>  Sat, 07 Apr 2012 23:17:18 +0100
 
 inspircd (1.1.22+dfsg-4) unstable; urgency=low
 

Modified: packages/inspircd/trunk/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-irc/packages/inspircd/trunk/debian/patches/00list?rev=297&op=diff
==============================================================================
--- packages/inspircd/trunk/debian/patches/00list (original)
+++ packages/inspircd/trunk/debian/patches/00list Sat May 26 16:58:41 2012
@@ -2,3 +2,4 @@
 02_fix_gnutls_config.dpatch
 03_use_pkg-config_gnutls.dpatch
 04_gcc44_fixes.dpatch 
+05_CVE-2012-1836.dpatch

Added: packages/inspircd/trunk/debian/patches/05_CVE-2012-1836.dpatch
URL: http://svn.debian.org/wsvn/pkg-irc/packages/inspircd/trunk/debian/patches/05_CVE-2012-1836.dpatch?rev=297&op=file
==============================================================================
--- packages/inspircd/trunk/debian/patches/05_CVE-2012-1836.dpatch (added)
+++ packages/inspircd/trunk/debian/patches/05_CVE-2012-1836.dpatch Sat May 26 16:58:41 2012
@@ -1,0 +1,127 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 05_CVE-2012-1836.dpatch by Jonathan Wiltshire <jmw at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Protect against buffer overflow in src/dns.cpp
+## DP: CVE-2012-1836 (#667914)
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' inspircd-1.1.22+dfsg~/src/dns.cpp inspircd-1.1.22+dfsg/src/dns.cpp
+--- inspircd-1.1.22+dfsg~/src/dns.cpp	2012-04-07 23:14:55.000000000 +0100
++++ inspircd-1.1.22+dfsg/src/dns.cpp	2012-04-07 23:16:01.292193775 +0100
+@@ -45,6 +45,8 @@
+ using irc::sockets::OpenTCPSocket;
+ using irc::sockets::NonBlocking;
+ 
++#define DN_COMP_BITMASK	0xC000		/* highest 6 bits in a DN label header */
++
+ /** Masks to mask off the responses we get from the DNSRequest methods
+  */
+ enum QueryInfo
+@@ -105,7 +107,7 @@
+ 
+ 	DNSRequest(InspIRCd* Instance, DNS* dns, int id, const std::string &original);
+ 	~DNSRequest();
+-	DNSInfo ResultIsReady(DNSHeader &h, int length);
++	DNSInfo ResultIsReady(DNSHeader &h, unsigned length);
+ 	int SendRequests(const DNSHeader *header, const int length, QueryType qt);
+ };
+ 
+@@ -155,7 +157,10 @@
+ /* Allocate the processing buffer */
+ DNSRequest::DNSRequest(InspIRCd* Instance, DNS* dns, int id, const std::string &original) : dnsobj(dns)
+ {
+-	res = new unsigned char[512];
++	/* hardening against overflow here:  make our work buffer twice the theoretical
++	 * maximum size so that hostile input doesn't screw us over.
++	 */
++	res = new unsigned char[sizeof(DNSHeader) * 2];
+ 	*res = 0;
+ 	orig = original;
+ 	RequestTimeout* RT = new RequestTimeout(Instance->Config->dns_timeout ? Instance->Config->dns_timeout : 5, Instance, this, id);
+@@ -776,11 +781,11 @@
+ }
+ 
+ /** A result is ready, process it */
+-DNSInfo DNSRequest::ResultIsReady(DNSHeader &header, int length)
++DNSInfo DNSRequest::ResultIsReady(DNSHeader &header, unsigned length)
+ {
+-	int i = 0;
++	unsigned i = 0, o;
+ 	int q = 0;
+-	int curanswer, o;
++	int curanswer;
+ 	ResourceRecord rr;
+  	unsigned short ptr;
+ 
+@@ -875,17 +880,31 @@
+ 
+ 	switch (rr.type)
+ 	{
++		/*
++		 * CNAME and PTR are compressed.  We need to decompress them.
++		 */
+ 		case DNS_QUERY_CNAME:
+-			/* CNAME and PTR have the same processing code */
+ 		case DNS_QUERY_PTR:
+ 			o = 0;
+ 			q = 0;
+ 			while (q == 0 && i < length && o + 256 < 1023)
+ 			{
++				/* DN label found (byte over 63) */
+ 				if (header.payload[i] > 63)
+ 				{
+ 					memcpy(&ptr,&header.payload[i],2);
+-					i = ntohs(ptr) - 0xC000 - 12;
++
++					i = ntohs(ptr);
++
++					/* check that highest two bits are set. if not, we've been had */
++					if (!(i & DN_COMP_BITMASK))
++						return std::make_pair((unsigned char *) NULL, "DN label decompression header is bogus");
++
++					/* mask away the two highest bits. */
++					i &= ~DN_COMP_BITMASK;
++
++					/* and decrease length by 12 bytes. */
++					i =- 12;
+ 				}
+ 				else
+ 				{
+@@ -898,7 +917,11 @@
+ 						res[o] = 0;
+ 						if (o != 0)
+ 							res[o++] = '.';
+-						memcpy(&res[o],&header.payload[i + 1],header.payload[i]);
++
++						if (o + header.payload[i] > sizeof(DNSHeader))
++							return std::make_pair((unsigned char *) NULL, "DN label decompression is impossible -- malformed/hostile packet?");
++
++						memcpy(&res[o], &header.payload[i + 1], header.payload[i]);
+ 						o += header.payload[i];
+ 						i += header.payload[i] + 1;
+ 					}
+@@ -907,16 +930,21 @@
+ 			res[o] = 0;
+ 		break;
+ 		case DNS_QUERY_AAAA:
++			if (rr.rdlength != sizeof(struct in6_addr))
++				return std::make_pair((unsigned char *) NULL, "rr.rdlength is larger than 16 bytes for an ipv6 entry -- malformed/hostile packet?");
++
+ 			memcpy(res,&header.payload[i],rr.rdlength);
+ 			res[rr.rdlength] = 0;
+ 		break;
+ 		case DNS_QUERY_A:
++			if (rr.rdlength != sizeof(struct in_addr))
++				return std::make_pair((unsigned char *) NULL, "rr.rdlength is larger than 4 bytes for an ipv4 entry -- malformed/hostile packet?");
++
+ 			memcpy(res,&header.payload[i],rr.rdlength);
+ 			res[rr.rdlength] = 0;
+ 		break;
+ 		default:
+-			memcpy(res,&header.payload[i],rr.rdlength);
+-			res[rr.rdlength] = 0;
++			return std::make_pair((unsigned char *) NULL, "don't know how to handle undefined type (" + ConvToStr(rr.type) + ") -- rejecting");
+ 		break;
+ 	}
+ 	return std::make_pair(res,"No error");;

More information about the Pkg-irc-commits mailing list