[PKG-IRC-Maintainers] squeeze upload of inspircd (1.1.22 version)

Santiago Ruano Rincón santiagorr at riseup.net
Sat Jul 4 09:59:42 UTC 2015


Hi,

I'm preparing an upload related to this bug for squeeze. I know that
1.1.22 is considered old, but it is still in the squeeze archive, and no
decision has been made to remove it.

Anyway, it's a minor change, and the package is available for test at:
    deb https://people.debian.org/~santiago/debian santiago-squeeze-lts/

If you agree, I can push a specific squeeze-lts and tagged version
into the inspircd collab-maint repository.

Cheers,

Santiago

diff -u inspircd-1.1.22+dfsg/debian/changelog inspircd-1.1.22+dfsg/debian/changelog
--- inspircd-1.1.22+dfsg/debian/changelog
+++ inspircd-1.1.22+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+inspircd (1.1.22+dfsg-4+squeeze2~1) santiago-squeeze-lts; urgency=medium
+
+  * Non-maintainer upload by the Squeeze LTS team.
+  * CVE-2012-1836 was partially fixed. Update 05_CVE-2012-1836.dpatch by
+    importing 2.0.7 src/dns.cpp changes.
+
+ -- Santiago Ruano Rincón <santiagorr at riseup.net>  Fri, 03 Jul 2015 11:29:49 +0200
+
 inspircd (1.1.22+dfsg-4+squeeze1) stable-security; urgency=low
 
   * Non-maintainer upload.
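Review bot: the new entry names CVE-2012-1836 but does not reference the Debian bug (#780880) that the updated dpatch header cites, so the upload will not close it; consider appending `(Closes: #780880)` to the second bullet. The distribution field reads `santiago-squeeze-lts` and the version carries a `~1` suffix, which fit the test repository mentioned in the mail but need to become `squeeze-lts` and a plain `+squeeze2` before the real upload.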
diff -u inspircd-1.1.22+dfsg/debian/patches/05_CVE-2012-1836.dpatch inspircd-1.1.22+dfsg/debian/patches/05_CVE-2012-1836.dpatch
--- inspircd-1.1.22+dfsg/debian/patches/05_CVE-2012-1836.dpatch
+++ inspircd-1.1.22+dfsg/debian/patches/05_CVE-2012-1836.dpatch
@@ -1,14 +1,16 @@
 #! /bin/sh /usr/share/dpatch/dpatch-run
 ## 05_CVE-2012-1836.dpatch by Jonathan Wiltshire <jmw at debian.org>
+## Updated on 2015-07-03 by Santiago R.R. to complete the fix
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
 ## DP: Protect against buffer overflow in src/dns.cpp
 ## DP: CVE-2012-1836 (#667914)
+## DP: CVE-2015-XXXX https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780880
 
 @DPATCH@
-diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' inspircd-1.1.22+dfsg~/src/dns.cpp inspircd-1.1.22+dfsg/src/dns.cpp
---- inspircd-1.1.22+dfsg~/src/dns.cpp	2012-04-07 23:14:55.000000000 +0100
-+++ inspircd-1.1.22+dfsg/src/dns.cpp	2012-04-07 23:16:01.292193775 +0100
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' inspircd~/src/dns.cpp inspircd/src/dns.cpp
+--- inspircd~/src/dns.cpp	2015-07-03 11:22:29.000000000 +0200
++++ inspircd/src/dns.cpp	2015-07-03 11:24:22.355860009 +0200
 @@ -45,6 +45,8 @@
  using irc::sockets::OpenTCPSocket;
  using irc::sockets::NonBlocking;
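Review bot: the placeholder `CVE-2015-XXXX` in the added `## DP:` line should be replaced with the assigned identifier, or the line reduced to the bug URL, before upload; otherwise the placeholder ships in the source package. The inner diff header now uses `inspircd~/src/dns.cpp` / `inspircd/src/dns.cpp` instead of the `inspircd-1.1.22+dfsg`-prefixed paths; that is harmless with the default `-p1` strip, but a `patch --dry-run -p1` against the unpacked source is worth running to confirm the rewritten dpatch still applies cleanly.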
@@ -54,7 +56,16 @@
  	ResourceRecord rr;
   	unsigned short ptr;
  
-@@ -875,17 +880,31 @@
+@@ -842,7 +847,7 @@
+ 				else i += header.payload[i] + 1; /* skip length and label */
+ 			}
+ 		}
+-		if (length - i < 10)
++		if (static_cast<int>(length - i) < 10)
+ 			return std::make_pair((unsigned char*)NULL,"Incorrectly sized DNS reply");
+ 
+ 		/* XXX: We actually initialise 'rr' here including its ttl field */
+@@ -875,17 +880,37 @@
  
  	switch (rr.type)
  	{
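Review bot: the cast in `if (static_cast<int>(length - i) < 10)` only helps if `length` and `i` are unsigned, so that a wrapped difference becomes negative and is rejected; an explicit `if (i > length || length - i < 10)` expresses the same condition without depending on the width of `int`, though keeping the line as imported from 2.0.7 is fine for traceability. Note also that the inner hunk header `@@ -875,17 +880,31 @@` was edited by hand to `@@ -875,17 +880,37 @@`, so the counts should be confirmed by applying the patch once before upload.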
@@ -64,6 +75,8 @@
  		case DNS_QUERY_CNAME:
 -			/* CNAME and PTR have the same processing code */
  		case DNS_QUERY_PTR:
++		{
++			unsigned short lowest_pos = length;
  			o = 0;
  			q = 0;
  			while (q == 0 && i < length && o + 256 < 1023)
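Review bot: `lowest_pos` is declared `unsigned short` and initialised from `length`; if `length` is wider than 16 bits the value is truncated and the later pointer check compares against a wrong bound, so declaring it with the same type as `length` (or `i`) avoids that. The new `{` after `case DNS_QUERY_PTR:` is what allows a declaration inside the `switch` without jumping past its initialisation; its matching `}` lives in a later hunk of this same dpatch, so the two must land together.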
@@ -77,18 +90,22 @@
 +					i = ntohs(ptr);
 +
 +					/* check that highest two bits are set. if not, we've been had */
-+					if (!(i & DN_COMP_BITMASK))
++					if ((i & DN_COMP_BITMASK) != DN_COMP_BITMASK)
 +						return std::make_pair((unsigned char *) NULL, "DN label decompression header is bogus");
 +
 +					/* mask away the two highest bits. */
 +					i &= ~DN_COMP_BITMASK;
 +
 +					/* and decrease length by 12 bytes. */
-+					i =- 12;
++					i -= 12;
++
++					if (i >= lowest_pos)
++						return std::make_pair((unsigned char *) NULL, "Invalid decompression pointer");
++					lowest_pos = i;
  				}
  				else
  				{
-@@ -898,7 +917,11 @@
+@@ -898,25 +923,35 @@
  						res[o] = 0;
  						if (o != 0)
  							res[o++] = '.';
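Review bot: after `i &= ~DN_COMP_BITMASK;` and `i -= 12;`, a pointer value below 12 underflows; if `i` is unsigned the following `if (i >= lowest_pos)` rejects it, but if `i` is signed it goes negative, passes that check and indexes `header.payload[i]` with a negative offset, so an explicit `if (i < 12)` before the subtraction would make the check independent of the type. The change from `i =- 12;` to `i -= 12;` corrects a typo in the earlier dpatch that assigned -12 instead of subtracting 12; that is the substance behind "partially fixed" and deserves a mention in the changelog. The comment `/* and decrease length by 12 bytes. */` now describes `i`, not `length`, and could say so.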
@@ -101,8 +118,10 @@
  						o += header.payload[i];
  						i += header.payload[i] + 1;
  					}
-@@ -907,16 +930,21 @@
+ 				}
+ 			}
  			res[o] = 0;
++		}
  		break;
  		case DNS_QUERY_AAAA:
 +			if (rr.rdlength != sizeof(struct in6_addr))
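Review bot: the added `}` closes the block opened at `case DNS_QUERY_PTR:` in the earlier hunk and leaves `break;` outside it, which is correct. The inner hunk header changed from `@@ -907,16 +930,21 @@` to `@@ -898,25 +923,35 @@` and the two `}` context lines were added by hand; since only part of that hunk is visible here, a `patch --dry-run -p1` of the regenerated dpatch should confirm the counts before the tag is pushed.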