Date:      Thu, 1 Nov 2007 16:32:04 GMT
From:      Michael Moll <kvedulv@kvedulv.de>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/117746: CVE-2007-5226 dircproxy segfault on blank /me
Message-ID:  <200711011632.lA1GW4AN054187@www.freebsd.org>
Resent-Message-ID: <200711011640.lA1Ge0gP027118@freefall.freebsd.org>

>Number:         117746
>Category:       ports
>Synopsis:       CVE-2007-5226 dircproxy segfault on blank /me
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 01 16:40:00 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Michael Moll
>Release:        6.2-RELEASE
>Organization:
The kvedulv.de internet-project
>Environment:
FreeBSD darkthrone.kvedulv.de 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Tue Jan 23 20:18:03 CET 2007     mmoll@darkthrone.kvedulv.de:/usr/obj/usr/src/sys/DARKTHRONE  sparc64
>Description:
I use dircproxy 1.2.0-beta2. When it receives a blank "/me", it crashes; see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5226
https://bugzilla.redhat.com/show_bug.cgi?id=319301
http://dircproxy.securiweb.net/ticket/89
>How-To-Repeat:
Send a blank "/me" to a channel and watch the EOFs of people with unpatched clients
>Fix:
I attached the fix for 1.2.0 taken from Red Hat's Bugzilla.
A fix for 1.0.5 is available here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=nmu.patch;att=1;bug=445883

Patch attached with submission follows:

--- src/irc_server.c.orig	2006-10-07 23:07:08.000000000 +0200
+++ src/irc_server.c	2007-11-01 17:22:13.000000000 +0100
@@ -1155,7 +1155,7 @@
       
         if (!strcmp(cmsg.cmd, "ACTION")) {
           irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
-                     "%s", cmsg.paramstarts[0]);
+          "%s", (cmsg.paramstarts != NULL) ? cmsg.paramstarts[0]: "none");
 
         } else if (!strcmp(cmsg.cmd, "DCC")
                    && p->conn_class->dcc_proxy_incoming) {
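Review bot: the guard on the replaced line, `(cmsg.paramstarts != NULL) ? cmsg.paramstarts[0] : "none"`, only tests whether the parameter array exists, not whether it holds an entry; if the CTCP parser can hand back a non-NULL array with zero parameters, `cmsg.paramstarts[0]` still reads past the end, so the parameter count (whatever field the struct carries for it) is the check to add alongside, or instead of, the NULL test. Logging the literal "none" also makes a blank /me indistinguishable from a user who really typed `/me none`; an empty string is the faithful log record. Minor: the `+` line is no longer indented to match the `-` line it replaces.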


>Release-Note:
>Audit-Trail:
>Unformatted:
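The crash described in this PR comes from a CTCP ACTION that carries no parameter being handed to a "%s" format as a NULL pointer. The following is an added example, not dircproxy's own code: a small CTCP splitter of my own (the `ctcp_msg` struct, `ctcp_parse`, `log_action` and `action_log_line` are all assumed names) that records a missing parameter as `has_param == 0` and logs it as an empty action rather than dereferencing NULL, exercised on a normal action and on the blank "/me" from the report.

```c
#include <stdio.h>
#include <string.h>

#define CTCP_DELIM '\001'

/* Constructed example, not dircproxy's own code. A CTCP message is the text
 * between two 0x01 bytes, e.g. "\001ACTION waves\001": the first word is the
 * command, anything after the first space is its single parameter. */
struct ctcp_msg {
    char cmd[32];
    char param[256];
    int  has_param;   /* 0 when nothing follows the command, as for a blank "/me" */
};

/* Split a CTCP message into cmd and param. Returns 1 if text is a CTCP
 * message with a command, 0 otherwise. */
int ctcp_parse(const char *text, struct ctcp_msg *out)
{
    const char *end, *sp;
    size_t body_len, cmd_len, param_len;

    memset(out, 0, sizeof *out);
    if (text == NULL || text[0] != CTCP_DELIM)
        return 0;
    text++;
    end = strchr(text, CTCP_DELIM);
    body_len = end ? (size_t)(end - text) : strlen(text);
    if (body_len == 0)
        return 0;                              /* "\001\001": no command */

    sp = memchr(text, ' ', body_len);
    cmd_len = sp ? (size_t)(sp - text) : body_len;
    if (cmd_len == 0 || cmd_len >= sizeof out->cmd)
        return 0;
    memcpy(out->cmd, text, cmd_len);
    out->cmd[cmd_len] = '\0';

    if (sp == NULL)
        return 1;                              /* has_param stays 0 */
    param_len = body_len - cmd_len - 1;
    if (param_len >= sizeof out->param)
        param_len = sizeof out->param - 1;     /* truncate, never overflow */
    memcpy(out->param, sp + 1, param_len);
    out->param[param_len] = '\0';
    out->has_param = 1;
    return 1;
}

/* Format an ACTION log line. The point of the fix: a missing parameter must
 * never reach "%s" as a NULL pointer. Returns the formatted length. */
int log_action(char *buf, size_t buflen, const char *nick, const struct ctcp_msg *m)
{
    const char *text = m->has_param ? m->param : "";
    return snprintf(buf, buflen, "* %s %s", nick, text);
}

/* Parse raw and log it into a static buffer; NULL if raw is not a CTCP ACTION. */
const char *action_log_line(const char *raw, const char *nick)
{
    static char line[320];
    struct ctcp_msg m;

    if (!ctcp_parse(raw, &m) || strcmp(m.cmd, "ACTION") != 0)
        return NULL;
    log_action(line, sizeof line, nick, &m);
    return line;
}

int main(void)
{
    /* Constructed inputs: a normal action and the blank "/me" from the report. */
    printf("%s\n", action_log_line("\001ACTION waves\001", "mmoll"));
    printf("%s\n", action_log_line("\001ACTION\001", "mmoll"));
    return 0;
}
```

The blank action logs as "* mmoll " (empty text) instead of crashing; whether to record an empty string or a marker such as the patch's "none" is a logging policy choice, but the parser must expose "no parameter" as state the logger can test before it formats anything.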


