From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Nov 1 16:40:01 2007
Message-Id: <200711011632.lA1GW4AN054187@www.freebsd.org>
Date: Thu, 1 Nov 2007 16:32:04 GMT
From: Michael Moll
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/117746: CVE-2007-5226 dircproxy segfault on blank /me

>Number: 117746
>Category: ports
>Synopsis: CVE-2007-5226 dircproxy segfault on blank /me
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 01 16:40:00 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator: Michael Moll
>Release: 6.2-RELEASE
>Organization: The kvedulv.de internet-project
>Environment:
FreeBSD darkthrone.kvedulv.de 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Tue Jan 23 20:18:03 CET 2007 mmoll@darkthrone.kvedulv.de:/usr/obj/usr/src/sys/DARKTHRONE sparc64
>Description:
I use dircproxy1.20-beta2. When it receives a blank "/me" it crashes, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5226
https://bugzilla.redhat.com/show_bug.cgi?id=319301
http://dircproxy.securiweb.net/ticket/89
>How-To-Repeat:
Send a blank "/me" to a channel and watch the EOFs of people with unpatched clients
>Fix:
I attached the fix for 1.2.0 taken from Red Hat's Bugzilla. A fix for 1.0.5 is available here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=nmu.patch;att=1;bug=445883

Patch attached with submission follows:

--- src/irc_server.c.orig 2006-10-07 23:07:08.000000000 +0200 +++ src/irc_server.c 2007-11-01 17:22:13.000000000 +0100
@@ -1155,7 +1155,7 @@ if (!strcmp(cmsg.cmd, "ACTION")) { irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig, - "%s", cmsg.paramstarts[0]); + "%s", (cmsg.paramstarts != NULL) ? cmsg.paramstarts[0]: "none"); } else if (!strcmp(cmsg.cmd, "DCC") && p->conn_class->dcc_proxy_incoming) { >Release-Note: >Audit-Trail: >Unformatted:
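Review bot: In the replaced irclog_log() argument, the ternary tests only `cmsg.paramstarts != NULL` before reading `cmsg.paramstarts[0]`, so it covers the blank ACTION case only if the parser leaves the array NULL whenever there are no parameters. If the array can be allocated with zero entries, element 0 is still read unchecked, so the guard would be safer if it also tested the parameter count or the element itself. The fallback "none" is written to the log as the action text, which is indistinguishable from a user who actually sent "none"; an empty string would record the blank action accurately. The DCC branch that follows appears here only as context, so confirm separately that it does not index cmsg.paramstarts without the same check. Minor: put a space before the ':' in the ternary.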