[CVE-2007-5226] dircproxy segfault on blank /me

Bug #150848 reported by Stephan Rügamer
Affects               Status        Importance  Assigned to       Milestone
dircproxy (Debian)    Fix Released  Unknown
dircproxy (Fedora)    Fix Released  High
dircproxy (Ubuntu)    Fix Released  Medium      Stephan Rügamer
  Dapper              Fix Released  Medium      Stephan Rügamer
  Edgy                Fix Released  Medium      Stephan Rügamer
  Feisty              Fix Released  Medium      Stephan Rügamer
  Gutsy               Fix Released  Medium      Stephan Rügamer

Bug Description

Binary package hint: dircproxy

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for dircproxy.

CVE-2007-5226[0]:
| irc_server.c in dircproxy 1.2.0 and earlier allows remote attackers to
| cause a denial of service (segmentation fault) via an ACTION command
| without a parameter, which triggers a NULL pointer dereference, as
| demonstrated using a blank /me message from irssi.
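
The failure the CVE text describes, as an added C example (not dircproxy's code): a small CTCP parser modelled on the cmsg fields that appear in the gdb output further down (cmd, params, numparams, paramstarts), the unconditional paramstarts[0] read that the original code performs, and a checked version beside it. The struct, the function names and the two sample lines are constructed for illustration; the only thing taken from the page is the shape of the parsed message for a blank /me, where the unquoted text is "ACTION " and numparams, params and paramstarts all end up zero.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative CTCP message, modelled on the cmsg fields in the report's
 * backtrace. Not dircproxy's own type. */
struct ctcpmsg {
    char *buf;          /* private copy, NUL-split into words */
    char *orig;         /* untouched copy, so paramstarts can point into it */
    char *cmd;          /* e.g. "ACTION" */
    char **params;      /* one entry per parameter; NULL when there are none */
    char **paramstarts; /* paramstarts[i] = text from parameter i to the end */
    int numparams;
};

/* Strip the \001 delimiters from a PRIVMSG trailing parameter. Returns a
 * malloc'd copy, or NULL if the text is not a CTCP request at all. Note that
 * any trailing space survives, exactly as "ACTION " does in the report. */
char *ctcp_unquote(const char *text) {
    size_t n = strlen(text);
    if (n < 2 || text[0] != '\001' || text[n - 1] != '\001')
        return NULL;
    char *out = malloc(n - 1);
    if (!out) return NULL;
    memcpy(out, text + 1, n - 2);
    out[n - 2] = '\0';
    return out;
}

/* Split "CMD p1 p2 ..." on runs of spaces. A trailing space yields no
 * parameter, leaving params and paramstarts NULL and numparams 0. */
int ctcp_parse(struct ctcpmsg *m, const char *unquoted) {
    memset(m, 0, sizeof *m);
    m->buf  = strdup(unquoted);
    m->orig = strdup(unquoted);
    if (!m->buf || !m->orig) return -1;

    int words = 0;                       /* first pass: count words */
    for (char *p = m->buf; *p; ) {
        while (*p == ' ') p++;
        if (!*p) break;
        words++;
        while (*p && *p != ' ') p++;
    }

    char *p = m->buf;                    /* second pass: split in place */
    while (*p == ' ') p++;
    m->cmd = p;
    while (*p && *p != ' ') p++;
    if (*p) *p++ = '\0';
    if (words > 1) {
        m->numparams   = words - 1;
        m->params      = calloc((size_t)m->numparams, sizeof *m->params);
        m->paramstarts = calloc((size_t)m->numparams, sizeof *m->paramstarts);
        if (!m->params || !m->paramstarts) return -1;
        for (int i = 0; i < m->numparams; i++) {
            while (*p == ' ') p++;
            m->params[i]      = p;
            m->paramstarts[i] = m->orig + (p - m->buf);
            while (*p && *p != ' ') p++;
            if (*p) *p++ = '\0';
        }
    }
    return 0;
}

void ctcp_free(struct ctcpmsg *m) {
    free(m->params); free(m->paramstarts); free(m->buf); free(m->orig);
    memset(m, 0, sizeof *m);
}

/* The 'before' pattern from the report: the logged text is paramstarts[0],
 * read unconditionally. With a blank /me, paramstarts is NULL and this reads
 * address 0. Kept for comparison; never call it when numparams is 0. */
const char *action_text_vulnerable(const struct ctcpmsg *m) {
    return m->paramstarts[0];
}

/* Hardened form: check the parameter count the parser maintains rather than
 * only the pointer, and log an empty action as an empty string. */
const char *action_text_hardened(const struct ctcpmsg *m) {
    if (m->numparams <= 0 || m->paramstarts == NULL)
        return "";
    return m->paramstarts[0];
}

int main(void) {
    /* Constructed samples: the blank /me from the report, and a normal one. */
    const char *samples[] = { "\001ACTION \001", "\001ACTION waves hello\001" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *u = ctcp_unquote(samples[i]);
        struct ctcpmsg m;
        if (!u || ctcp_parse(&m, u) != 0) { free(u); return 1; }
        printf("cmd=%s numparams=%d action=\"%s\"\n",
               m.cmd, m.numparams, action_text_hardened(&m));
        ctcp_free(&m);
        free(u);
    }
    return 0;
}
```

Two things the example makes visible that the CVE sentence alone does not: the crash is reachable by any channel member, since the proxy parses every PRIVMSG it relays and the client never sees the message first; and the trigger is not an empty CTCP but "ACTION" followed by a space, which the unquoting keeps and the word splitter then reduces to a command with zero parameters.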

Revision history for this message
In , Warren (warren-redhat-bugs) wrote :

Blank /me messages sent by irssi on irc.freenode.net causes dircproxy to
segfault. Security implications?

Program received signal SIGSEGV, Segmentation fault.
0x000000000040c016 in _ircserver_data (p=0x45d74e0, sock=9) at irc_server.c:1157
1157 irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
(gdb) bt full
#0 0x000000000040c016 in _ircserver_data (p=0x45d74e0, sock=9) at irc_server.c:1157
        dccmsg = <value optimized out>
        rejmsg = 0x45d9008 "Py]\004"
        rest = 0x32e454b960 ""
        file_stat = {st_dev = 73233632, st_ino = 218579122528, st_nlink =
73234240, st_mode = 40, st_uid = 0, st_gid = 73233632, pad0 = 0, st_rdev = 0,
st_size = 140733391467344,
  st_blksize = 4284782, st_blocks = 140733391467448, st_atim = {tv_sec = 0,
tv_nsec = 73234240}, st_mtim = {tv_sec = 40, tv_nsec = 73233632}, st_ctim =
{tv_sec = 0,
    tv_nsec = 140733391467344}, __unused = {4224354, 0, 0}}
        tmp = 0x8 <Address 0x8 out of bounds>
        ptr = 0x45d77e0 "warren"
        l_port = -464209568
        t_port = <value optimized out>
        type = 0
        r_addr = <value optimized out>
        r_port = 0
        capfile = 0x0
        str = 0x45d8c70 ":lmacken!i=lmacken@fedora/lmacken PRIVMSG
#fedora-meeting :+\001ACTION \001"
#1 0x00000000004158bb in net_poll () at net.c:916
        can_read = <value optimized out>
        can_write = 0
        s = (struct sockinfo *) 0x45d8b50
        ns = 3
        nr = 0
        sn = 2
        now = 71
        ufds = (struct pollfd *) 0x45d79c0
        m_ns = 3
#2 0x0000000000402bc3 in main (argc=<value optimized out>, argv=<value
optimized out>) at main.c:319
        ns = 3
        nt = <value optimized out>
        status = 0
        pid = <value optimized out>
        optc = <value optimized out>
        show_help = 3
        show_version = 3
        show_usage = 0
        local_file = <value optimized out>
        cmd_listen_port = 0x0
        cmd_pid_file = 0x0
        inetd_mode = 0
        no_daemon = 0
#3 0x00000032e421d8a4 in __libc_start_main (main=0x402540 <main>, argc=3,
ubp_av=0x7fff0bce96a8, init=<value optimized out>, fini=<value optimized out>,
    rtld_fini=<value optimized out>, stack_end=0x7fff0bce9698) at libc-start.c:231
        result = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {218561092544,
6919244002178149327, 0, 140733391476384, 0, 0, 6919332491586846239,
6919244198205289360}, mask_was_saved = 0}},
  priv = {pad = {0x0, 0x0, 0x4021d0, 0x6ffffe34}, data = {prev = 0x0, cleanup =
0x0, canceltype = 4202960}}}
        not_first_call = <value optimized out>
#4 0x00000000004021f9 in _start ()
No symbol table info available.

Revision history for this message
In , Warren (warren-redhat-bugs) wrote :

Here is a more complete backtrace, built on F8 with -O0.

Program received signal SIGSEGV, Segmentation fault.
0x000000000040e126 in _ircserver_gotmsg (p=0x62e680, str=0x630070
":warren__!~<email address hidden> PRIVMSG #test :\001ACTION \001")
at irc_server.c:1157
1157 irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
(gdb) bt full
#0 0x000000000040e126 in _ircserver_gotmsg (p=0x62e680, str=0x630070
":warren__!~<email address hidden> PRIVMSG #test :\001ACTION \001")
at irc_server.c:1157
        cmsg = {cmd = 0x62d2a0 "ACTION", params = 0x0, numparams = 0, orig =
0x62ff70 "ACTION ", paramstarts = 0x0}
        n = (struct strlist *) 0x0
        unquoted = 0x62ffe0 "ACTION "
        r = 0
        currptr = (struct dcc_resume *) 0x7fff1e1813e0
        c = (struct ircchannel *) 0x62f040
        list = (struct strlist *) 0x6300c0
        s = (struct strlist *) 0x0
        str = 0x62eb20 "\001ACTION \001"
        logdest = 0x62eab0 "#test"
        msg = {src = {name = 0x631210 "warren__", username = 0x62fdd0 "~warren",
hostname = 0x631360 "newcaprica.boston.redhat.com",
    fullname = 0x62f500 "warren__ (~<email address hidden>)", orig
= 0x62f540 "warren__!~<email address hidden>", type = 2}, cmd =
0x62f460 "PRIVMSG",
  params = 0x631390, numparams = 2, orig = 0x62f690
":warren__!~<email address hidden> PRIVMSG #test :\001ACTION \001",
paramstarts = 0x62d260}
        squelch = 0
        important = 0
#1 0x000000000040be92 in _ircserver_data (p=0x62e680, sock=7) at irc_server.c:436
        str = 0x630070 ":warren__!~<email address hidden> PRIVMSG
#test :\001ACTION \001"
#2 0x000000000041cc89 in net_poll () at net.c:916
        can_read = 1
        can_write = 0
        s = (struct sockinfo *) 0x62f5f0
        ns = 3
        nr = 1
        sn = 2
        now = 1191533455
        func = 0x427e68 "poll"
        ufds = (struct pollfd *) 0x62ebb0
        m_ns = 3
#3 0x00000000004028e8 in main (argc=3, argv=0x7fff1e183708) at main.c:319
        ns = 3
        nt = 1
        status = 0
        pid = -1
        optc = -1
        show_help = 0
        show_version = 0
        show_usage = 0
        local_file = 0x62d030 "`�b"
        cmd_listen_port = 0x0
        cmd_pid_file = 0x0
        inetd_mode = 0
        no_daemon = 0
#4 0x00000031de41e0b4 in __libc_start_main (main=0x402308 <main>, argc=3,
ubp_av=0x7fff1e183708, init=<value optimized out>, fini=<value optimized out>,
    rtld_fini=<value optimized out>, stack_end=0x7fff1e1836f8) at libc-start.c:220
        result = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {214165466048,
-8705122560259286313, 0, 140733698291456, 0, 0, 8705190998673824471,
-8695732190868170025}, mask_was_saved = 0}},
  priv = {pad = {0x0, 0x0, 0x41ddb0, 0x7fff1e183708}, data = {prev = 0x0,
cleanup = 0x0, canceltype = 4316592}}}
        not_first_call = <value optimized out>
#5 0x0000000000402259 in _start ()
No symbol table info available.

Revision history for this message
In , Jarod (jarod-redhat-bugs) wrote :

Looks like this is probably the same thing as
http://dircproxy.securiweb.net/ticket/89

Revision history for this message
In , Warren (warren-redhat-bugs) wrote :

Here is the fix. Building into rawhide now.

--- dircproxy-1.2.0-beta2.orig/src/irc_server.c 2006-10-07 17:07:08.000000000 -0400
+++ dircproxy-1.2.0-beta2/src/irc_server.c 2007-10-04 17:45:57.000000000 -0400
@@ -1155,7 +1155,7 @@

         if (!strcmp(cmsg.cmd, "ACTION")) {
           irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
- "%s", cmsg.paramstarts[0]);
+ "%s", (cmsg.paramstarts != NULL) ? cmsg.paramstarts[0]:
"none");

         } else if (!strcmp(cmsg.cmd, "DCC")
                    && p->conn_class->dcc_proxy_incoming) {
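Review bot: the guard added to the irclog_log call tests `cmsg.paramstarts != NULL`, but the -O0 backtrace above shows the parser leaving `numparams = 0` together with `params = 0x0` and `paramstarts = 0x0` for the unquoted text "ACTION "; checking `cmsg.numparams > 0` states the intent directly and does not rely on the array pointer being the only thing that is cleared. Logging the literal "none" for an empty action is also indistinguishable in the log from a user who actually typed `/me none`; an empty string would record what was received. The DCC branch in the trailing context lines is cut off here, so whether it reads `cmsg.paramstarts` in the same unchecked way cannot be judged from this hunk.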

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

CVE id CVE-2007-5226 was assigned to this issue.

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

dircproxy-1.2.0-0.6beta2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
Stephan Rügamer (sruegamer) wrote :

I'll provide debdiffs for all Ubuntu releases... stay tuned

Revision history for this message
Stephan Rügamer (sruegamer) wrote :
William Grant (wgrant)
Changed in dircproxy:
assignee: nobody → shermann
status: New → Confirmed
assignee: nobody → shermann
status: New → Confirmed
assignee: nobody → shermann
status: New → Confirmed
assignee: nobody → shermann
status: New → Confirmed
Revision history for this message
William Grant (wgrant) wrote :

Gutsy fix uploaded.

Changed in dircproxy:
status: Confirmed → Fix Committed
Revision history for this message
Stephan Rügamer (sruegamer) wrote :

dircproxy (1.0.5-5ubuntu1) gutsy; urgency=low

  * src/irc_server.c: Added fix by Steffen Joeris <email address hidden>
    to fix CVE-2007-5226 (LP: #150848)
  * debian/control: Adjusted Maintainer field to match Ubuntu Maintainer
    Policy

 -- Stephan Hermann <email address hidden> Tue, 09 Oct 2007 09:50:59 +0200

Changed in dircproxy:
status: Fix Committed → Fix Released
Revision history for this message
Kees Cook (kees) wrote :

Thanks for getting these debdiffs ready. Can you alter the changelog versions (following the recommendations in the SUP[1]) so that they don't collide? I'd expect them to be 1.0.5-4ubuntu0.6.06.1, 1.0.5-4ubuntu0.6.10.1, and 1.0.5-5ubuntu0.1 respectively. Thanks!

[1] https://wiki.ubuntu.com/SecurityUpdateProcedures

Revision history for this message
Stephan Rügamer (sruegamer) wrote :

@Kees,

will do it in a few :)

Revision history for this message
Stephan Rügamer (sruegamer) wrote :

@Kees,

dapper, edgy, feisty debdiffs updated and ready for upload....

thx,

\sh

Changed in dircproxy:
status: Unknown → Fix Released
Changed in dircproxy:
status: Unknown → Fix Released
Revision history for this message
Kees Cook (kees) wrote :

Great! These are building now; they should be published shortly.

Changed in dircproxy:
importance: Undecided → Medium
status: Confirmed → Fix Committed
importance: Undecided → Medium
status: Confirmed → Fix Committed
importance: Undecided → Medium
status: Confirmed → Fix Committed
importance: Undecided → Medium
Revision history for this message
Stephan Rügamer (sruegamer) wrote :

dircproxy (1.0.5-5ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: irc_server.c in dircproxy 1.2.0 and earlier allows remote
    attackers to cause a denial of service (segmentation fault) via an ACTION
    command without a parameter, which triggers a NULL pointer dereference, as
    demonstrated using a blank /me message from irssi.
  * src/irc_server.c: Added fix by Steffen Joeris <email address hidden>
    to fix CVE-2007-5226 (LP: #150848)
  * References:
    CVE-2007-5226
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=445883

 -- Stephan Hermann <email address hidden> Tue, 09 Oct 2007 10:09:15 +0200

Changed in dircproxy:
status: Fix Committed → Fix Released
Kees Cook (kees)
Changed in dircproxy:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Changed in dircproxy (Fedora):
importance: Unknown → High
This report contains Public Security information  
Everyone can see this security related information.