Date:      Thu, 2 Feb 2012 15:41:41 -0500 (EST)
From:      Steve Wills <swills@FreeBSD.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        sylvio@FreeBSD.org
Subject:   ports/164719: [PATCH] irc/bip: update to fix CVE-2012-0806
Message-ID:  <201202022041.q12Kffc0033074@meatwad.mouf.net>
Resent-Message-ID: <201202022050.q12KoA9N037042@freefall.freebsd.org>


>Number:         164719
>Category:       ports
>Synopsis:       [PATCH] irc/bip: update to fix CVE-2012-0806
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 02 20:50:10 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Steve Wills
>Release:        FreeBSD 10.0-CURRENT amd64
>Organization:
>Environment:
System: FreeBSD meatwad.mouf.net 10.0-CURRENT FreeBSD 10.0-CURRENT #8: Mon Dec 19 15:53:28 EST 2011
>Description:
see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0806
patch from: https://projects.duckcorp.org/projects/bip/repository/revisions/222a33cb84a2e52ad55a88900b7895bf9dd0262c
(I just concatenated the 3 patches)

Added file(s):
- files/patch-bip-269

Port maintainer (sylvio@FreeBSD.org) is cc'd.

Generated with FreeBSD Port Tools 0.99
>How-To-Repeat:
>Fix:

--- bip-0.8.8_1.patch begins here ---
Index: Makefile
===================================================================
RCS file: /home/pcvs/ports/irc/bip/Makefile,v
retrieving revision 1.19
diff -u -u -r1.19 Makefile
--- Makefile	23 Sep 2011 22:23:32 -0000	1.19
+++ Makefile	2 Feb 2012 20:40:30 -0000
@@ -7,6 +7,7 @@
 
 PORTNAME=	bip
 PORTVERSION=	0.8.8
+PORTREVISION=	1
 CATEGORIES=	irc
 MASTER_SITES=	https://projects.duckcorp.org/attachments/download/39/
 
@@ -14,6 +15,7 @@
 COMMENT=	A simple IRC proxy with SSL support
 
 LICENSE=	GPLv2
+
 GNU_CONFIGURE=	yes
 LDFLAGS+=	-L${LOCALBASE}/lib
 USE_GMAKE=	yes
@@ -21,6 +23,7 @@
 
 USE_OPENSSL=	yes
 
+PATCH_STRIP=	-p1
 PLIST_FILES=	bin/bip bin/bipmkpw
 SUB_FILES=	pkg-message
 MAN1=		bip.1 bipmkpw.1
Index: files/patch-bip-269
===================================================================
RCS file: files/patch-bip-269
diff -N files/patch-bip-269
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-bip-269	2 Feb 2012 20:40:30 -0000
@@ -0,0 +1,139 @@
+commit 222a33cb84a2e52ad55a88900b7895bf9dd0262c
+Author: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
+Date:   Sat Jan 7 11:41:02 2012 +0100
+
+    Buffer Overflow: check against the implicit size of select() arrays
+    
+    Reported by Julien Tinnes (Fix #269)
+    exit is called when the listening socket can not be created
+
+diff --git a/src/bip.c b/src/bip.c
+index d46ee2b..b4ac706 100644
+--- a/src/bip.c
++++ b/src/bip.c
+@@ -1311,7 +1311,7 @@ int main(int argc, char **argv)
+ 	close(fd);
+ 
+ 	bip.listener = listen_new(conf_ip, conf_port, conf_css);
+-	if (!bip.listener)
++	if (!bip.listener || bip.listener->connected == CONN_ERROR)
+ 		fatal("Could not create listening socket");
+ 
+ 	for (;;) {
+commit 222a33cb84a2e52ad55a88900b7895bf9dd0262c
+Author: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
+Date:   Sat Jan 7 11:41:02 2012 +0100
+
+    Buffer Overflow: check against the implicit size of select() arrays
+    
+    Reported by Julien Tinnes (Fix #269)
+    exit is called when the listening socket can not be created
+
+diff --git a/src/connection.c b/src/connection.c
+index 07ab431..5c4c24a 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -124,6 +124,18 @@ static void connect_trynext(connection_t *cn)
+ 			continue;
+ 		}
+ 
++		if (cn->handle >= FD_SETSIZE) {
++			mylog(LOG_WARN, "too many fd used, close socket %d",
++					cn->handle);
++
++			if (close(cn->handle) == -1)
++				mylog(LOG_WARN, "Error on socket close: %s",
++						strerror(errno));
++
++			cn->handle = -1;
++			break;
++		}
++
+ 		socket_set_nonblock(cn->handle);
+ 
+ 		if (cn->connecting_data->src) {
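Review bot: The `>= FD_SETSIZE` guard added here in connect_trynext is repeated almost verbatim in create_listening_socket and accept_new; a small static helper that logs, closes and reports the rejected descriptor would keep the three copies in step. A comment above the check, such as `/* select() fd_set cannot hold descriptors >= FD_SETSIZE; FD_SET on one writes out of bounds */`, would record why it exists. The `break` leaves the loop with `cn->handle = -1`, and the code that sets the connection state after the loop is outside the hunk. It is worth confirming that this path marks the connection as failed and takes it off the polled list, because the wait_event hunk in this same patch calls `fatal()` on any negative handle.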
+@@ -789,13 +801,8 @@ list_t *wait_event(list_t *cn_list, int *msec, int *nc)
+ 		/*
+ 		 * This shouldn't happen ! just in case...
+ 		 */
+-		if (cn->handle < 0) {
+-			mylog(LOG_WARN, "wait_event invalid socket %d",
+-					cn->handle);
+-			if (cn_is_connected(cn))
+-				cn->connected = CONN_ERROR;
+-			continue;
+-		}
++		if (cn->handle < 0 || cn->handle >= FD_SETSIZE)
++			fatal("wait_event invalid socket %d", cn->handle);
+ 
+ 		/* exceptions are OOB and disconnections */
+ 		FD_SET(cn->handle, &fds_except);
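Review bot: Replacing the log-and-continue body with `fatal()` means a single connection with a bad descriptor now stops the whole proxy, including the `cn->handle < 0` case that was survivable before this change. The bounds test in front of `FD_SET` is what closes the overflow, and it does not need a process exit to do so. Keeping the earlier soft-failure body with the widened condition would retain the fix without the availability cost. Whether a descriptor above the limit is later closed by the CONN_ERROR cleanup is not visible here, since wait_event continues outside the hunk, and should be confirmed.

```c
		if (cn->handle < 0 || cn->handle >= FD_SETSIZE) {
			mylog(LOG_WARN, "wait_event invalid socket %d",
					cn->handle);
			if (cn_is_connected(cn))
				cn->connected = CONN_ERROR;
			continue;
		}
		/* … unchanged: FD_SET calls on the validated handle … */
```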
+@@ -966,6 +973,18 @@ static void create_listening_socket(char *hostname, char *port,
+ 			continue;
+ 		}
+ 
++		if (cn->handle >= FD_SETSIZE) {
++			mylog(LOG_WARN, "too many fd used, close listening socket %d",
++					cn->handle);
++
++			if (close(cn->handle) == -1)
++				mylog(LOG_WARN, "Error on socket close: %s",
++						strerror(errno));
++
++			cn->handle = -1;
++			break;
++		}
++
+ 		if (setsockopt(cn->handle, SOL_SOCKET, SO_REUSEADDR,
+ 					(char *)&multi_client,
+ 					sizeof(multi_client)) < 0) {
+@@ -1113,10 +1132,21 @@ connection_t *accept_new(connection_t *cn)
+ 
+ 	mylog(LOG_DEBUG, "Trying to accept new client on %d", cn->handle);
+ 	err = accept(cn->handle, &sa, &sa_len);
++
+ 	if (err < 0) {
+-		mylog(LOG_ERROR, "accept failed: %s", strerror(errno));
++		fatal("accept failed: %s", strerror(errno));
++	}
++
++	if (err >= FD_SETSIZE) {
++		mylog(LOG_WARN, "too many client connected, close %d", err);
++
++		if (close(err) == -1)
++			mylog(LOG_WARN, "Error on socket close: %s",
++					strerror(errno));
++
+ 		return NULL;
+ 	}
++
+ 	socket_set_nonblock(err);
+ 
+ 	conn = connection_init(cn->anti_flood, cn->ssl, cn->timeout, 0);
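Review bot: Calling `fatal()` on every accept() failure lets transient errors such as ECONNABORTED, EINTR or EMFILE terminate the proxy, and descriptor exhaustion is the very condition this patch hardens against. The irc.c hunk in this patch replaces `assert(n)` with `if (n)`, so a NULL return looks tolerated now, provided irc_accept_new passes it through (not visible here). The previous `mylog(LOG_ERROR, "accept failed: %s", strerror(errno));` followed by `return NULL;` could therefore stay. The `err >= FD_SETSIZE` branch that closes the descriptor and returns NULL is sound. accept_new's body continues past the end of the hunk.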
+commit 222a33cb84a2e52ad55a88900b7895bf9dd0262c
+Author: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
+Date:   Sat Jan 7 11:41:02 2012 +0100
+
+    Buffer Overflow: check against the implicit size of select() arrays
+    
+    Reported by Julien Tinnes (Fix #269)
+    exit is called when the listening socket can not be created
+
+diff --git a/src/irc.c b/src/irc.c
+index ebc1b34..147a315 100644
+--- a/src/irc.c
++++ b/src/irc.c
+@@ -2439,9 +2439,10 @@ void bip_on_event(bip_t *bip, connection_t *conn)
+ 
+ 	if (conn == bip->listener) {
+ 		struct link_client *n = irc_accept_new(conn);
+-		assert(n);
+-		list_add_last(&bip->conn_list, CONN(n));
+-		list_add_last(&bip->connecting_client_list, n);
++		if (n) {
++			list_add_last(&bip->conn_list, CONN(n));
++			list_add_last(&bip->connecting_client_list, n);
++		}
+ 		return;
+ 	}
+ 
--- bip-0.8.8_1.patch ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:


