[PKG-IRC-Maintainers] squeeze upload of inspircd (1.1.22 version)
Santiago Ruano Rincón
santiagorr at riseup.net
Sat Jul 4 09:59:42 UTC 2015
Hi,
I'm preparing an upload related to this bug for squeeze. I know that
1.1.22 is considered old, but it is still in the squeeze archive, and no
decision has been made to remove it.
Anyway, it's a minor change, and the package is available for testing at:
deb https://people.debian.org/~santiago/debian santiago-squeeze-lts/
If you agree, I can push a specific squeeze-lts and tagged version
into the inspircd collab-maint repository.
Cheers,
Santiago
diff -u inspircd-1.1.22+dfsg/debian/changelog inspircd-1.1.22+dfsg/debian/changelog
--- inspircd-1.1.22+dfsg/debian/changelog
+++ inspircd-1.1.22+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+inspircd (1.1.22+dfsg-4+squeeze2~1) santiago-squeeze-lts; urgency=medium
+
+ * Non-maintainer upload by the Squeeze LTS team.
+ * CVE-2012-1836 was partially fixed. Update 05_CVE-2012-1836.dpatch by
+ importing 2.0.7 src/dns.cpp changes.
+
+ -- Santiago Ruano Rincón <santiagorr at riseup.net> Fri, 03 Jul 2015 11:29:49 +0200
+
inspircd (1.1.22+dfsg-4+squeeze1) stable-security; urgency=low
* Non-maintainer upload.
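Review bot: the new changelog entry does not mention Debian bug 780880, although the updated dpatch header points at it; adding the bug number to the "CVE-2012-1836 was partially fixed" item would let readers connect this upload to the report. The `santiago-squeeze-lts` distribution and the `~1` version suffix match the test repository named in the mail and will need changing before an archive upload.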
diff -u inspircd-1.1.22+dfsg/debian/patches/05_CVE-2012-1836.dpatch inspircd-1.1.22+dfsg/debian/patches/05_CVE-2012-1836.dpatch
--- inspircd-1.1.22+dfsg/debian/patches/05_CVE-2012-1836.dpatch
+++ inspircd-1.1.22+dfsg/debian/patches/05_CVE-2012-1836.dpatch
@@ -1,14 +1,16 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 05_CVE-2012-1836.dpatch by Jonathan Wiltshire <jmw at debian.org>
+## Updated on 2015-07-03 by Santiago R.R. to complete the fix
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Protect against buffer overflow in src/dns.cpp
## DP: CVE-2012-1836 (#667914)
+## DP: CVE-2015-XXXX https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780880
@DPATCH@
-diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' inspircd-1.1.22+dfsg~/src/dns.cpp inspircd-1.1.22+dfsg/src/dns.cpp
---- inspircd-1.1.22+dfsg~/src/dns.cpp 2012-04-07 23:14:55.000000000 +0100
-+++ inspircd-1.1.22+dfsg/src/dns.cpp 2012-04-07 23:16:01.292193775 +0100
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' inspircd~/src/dns.cpp inspircd/src/dns.cpp
+--- inspircd~/src/dns.cpp 2015-07-03 11:22:29.000000000 +0200
++++ inspircd/src/dns.cpp 2015-07-03 11:24:22.355860009 +0200
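Review bot: the added `## DP: CVE-2015-XXXX` line ships a placeholder identifier in the patch header; replace it with the assigned id once one exists, or drop the CVE token and keep only the bug URL, so that nobody later searches for an id that was never issued. The "Updated on 2015-07-03" line would also be more useful if it said what was incomplete in the first fix (the bitmask test and the `=-` typo corrected further down).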
@@ -45,6 +45,8 @@
using irc::sockets::OpenTCPSocket;
using irc::sockets::NonBlocking;
@@ -54,7 +56,16 @@
ResourceRecord rr;
unsigned short ptr;
-@@ -875,17 +880,31 @@
+@@ -842,7 +847,7 @@
+ else i += header.payload[i] + 1; /* skip length and label */
+ }
+ }
+- if (length - i < 10)
++ if (static_cast<int>(length - i) < 10)
+ return std::make_pair((unsigned char*)NULL,"Incorrectly sized DNS reply");
+
+ /* XXX: We actually initialise 'rr' here including its ttl field */
+@@ -875,17 +880,37 @@
switch (rr.type)
{
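Review bot: in the `length - i < 10` change, `static_cast<int>(length - i)` differs from the old test only when the subtraction is done in an unsigned type and has wrapped because `i` ran past `length`, and nothing in the code says so. Since the changelog says this is imported from 2.0.7, keeping the upstream expression is reasonable, but a one-line comment on why the cast is there, or an explicit `i > length` test ahead of the subtraction, would stop a later cleanup from removing it as redundant.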
@@ -64,6 +75,8 @@
case DNS_QUERY_CNAME:
- /* CNAME and PTR have the same processing code */
case DNS_QUERY_PTR:
++ {
++ unsigned short lowest_pos = length;
o = 0;
q = 0;
while (q == 0 && i < length && o + 256 < 1023)
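Review bot: `unsigned short lowest_pos = length;` is introduced without a comment, and its role (each compression pointer must land strictly before the previous one, which bounds the loop) only becomes clear in a later hunk. A short comment at the declaration would help, and it is worth confirming that `length` always fits in an `unsigned short` here, since the declaration narrows it silently.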
@@ -77,18 +90,22 @@
+ i = ntohs(ptr);
+
+ /* check that highest two bits are set. if not, we've been had */
-+ if (!(i & DN_COMP_BITMASK))
++ if ((i & DN_COMP_BITMASK) != DN_COMP_BITMASK)
+ return std::make_pair((unsigned char *) NULL, "DN label decompression header is bogus");
+
+ /* mask away the two highest bits. */
+ i &= ~DN_COMP_BITMASK;
+
+ /* and decrease length by 12 bytes. */
-+ i =- 12;
++ i -= 12;
++
++ if (i >= lowest_pos)
++ return std::make_pair((unsigned char *) NULL, "Invalid decompression pointer");
++ lowest_pos = i;
}
else
{
-@@ -898,7 +917,11 @@
+@@ -898,25 +923,35 @@
res[o] = 0;
if (o != 0)
res[o++] = '.';
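Review bot: after the corrected `i -= 12;` there is still no check that the masked pointer is at least 12, so whether a smaller value is rejected depends entirely on `i` being unsigned and the wrapped result tripping `i >= lowest_pos`; the type of `i` is not visible in these lines. An explicit `if (i < 12) return ...` ahead of the subtraction would make the rejection independent of the type and easier to audit. The other two corrections in this hunk (`!= DN_COMP_BITMASK` instead of a non-zero test, and `-=` instead of `=-`) look right as written.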
@@ -101,8 +118,10 @@
o += header.payload[i];
i += header.payload[i] + 1;
}
-@@ -907,16 +930,21 @@
+ }
+ }
res[o] = 0;
++ }
break;
case DNS_QUERY_AAAA:
+ if (rr.rdlength != sizeof(struct in6_addr))