Bug 319301 (CVE-2007-5226)
Summary: | CVE-2007-5226 dircproxy segfault on blank /me | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Warren Togami <wtogami> |
Component: | dircproxy | Assignee: | Jarod Wilson <jarod> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | rawhide | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | source=redhat,reported=20071004,public=20071004 | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2007-10-04 21:51:43 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Warren Togami
2007-10-04 21:12:43 UTC
Here is a more complete backtrace, built on F8 with -O0. Program received signal SIGSEGV, Segmentation fault. 0x000000000040e126 in _ircserver_gotmsg (p=0x62e680, str=0x630070 ":warren__!~warren.redhat.com PRIVMSG #test :\001ACTION \001") at irc_server.c:1157 1157 irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig, (gdb) bt full #0 0x000000000040e126 in _ircserver_gotmsg (p=0x62e680, str=0x630070 ":warren__!~warren.redhat.com PRIVMSG #test :\001ACTION \001") at irc_server.c:1157 cmsg = {cmd = 0x62d2a0 "ACTION", params = 0x0, numparams = 0, orig = 0x62ff70 "ACTION ", paramstarts = 0x0} n = (struct strlist *) 0x0 unquoted = 0x62ffe0 "ACTION " r = 0 currptr = (struct dcc_resume *) 0x7fff1e1813e0 c = (struct ircchannel *) 0x62f040 list = (struct strlist *) 0x6300c0 s = (struct strlist *) 0x0 str = 0x62eb20 "\001ACTION \001" logdest = 0x62eab0 "#test" msg = {src = {name = 0x631210 "warren__", username = 0x62fdd0 "~warren", hostname = 0x631360 "newcaprica.boston.redhat.com", fullname = 0x62f500 "warren__ (~warren.redhat.com)", orig = 0x62f540 "warren__!~warren.redhat.com", type = 2}, cmd = 0x62f460 "PRIVMSG", params = 0x631390, numparams = 2, orig = 0x62f690 ":warren__!~warren.redhat.com PRIVMSG #test :\001ACTION \001", paramstarts = 0x62d260} squelch = 0 important = 0 #1 0x000000000040be92 in _ircserver_data (p=0x62e680, sock=7) at irc_server.c:436 str = 0x630070 ":warren__!~warren.redhat.com PRIVMSG #test :\001ACTION \001" #2 0x000000000041cc89 in net_poll () at net.c:916 can_read = 1 can_write = 0 s = (struct sockinfo *) 0x62f5f0 ns = 3 nr = 1 sn = 2 now = 1191533455 func = 0x427e68 "poll" ufds = (struct pollfd *) 0x62ebb0 m_ns = 3 #3 0x00000000004028e8 in main (argc=3, argv=0x7fff1e183708) at main.c:319 ns = 3 nt = 1 status = 0 pid = -1 optc = -1 show_help = 0 show_version = 0 show_usage = 0 local_file = 0x62d030 "`�b" cmd_listen_port = 0x0 cmd_pid_file = 0x0 inetd_mode = 0 no_daemon = 0 #4 0x00000031de41e0b4 in __libc_start_main (main=0x402308 <main>, argc=3, ubp_av=0x7fff1e183708, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fff1e1836f8) at libc-start.c:220 result = <value optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {214165466048, -8705122560259286313, 0, 140733698291456, 0, 0, 8705190998673824471, -8695732190868170025}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x41ddb0, 0x7fff1e183708}, data = {prev = 0x0, cleanup = 0x0, canceltype = 4316592}}} not_first_call = <value optimized out> #5 0x0000000000402259 in _start () No symbol table info available. Looks like this is probably the same thing as http://dircproxy.securiweb.net/ticket/89 Here is the fix. Building into rawhide now. --- dircproxy-1.2.0-beta2.orig/src/irc_server.c 2006-10-07 17:07:08.000000000 -0400 +++ dircproxy-1.2.0-beta2/src/irc_server.c 2007-10-04 17:45:57.000000000 -0400 @@ -1155,7 +1155,7 @@ if (!strcmp(cmsg.cmd, "ACTION")) { irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig, - "%s", cmsg.paramstarts[0]); + "%s", (cmsg.paramstarts != NULL) ? cmsg.paramstarts[0]: "none"); } else if (!strcmp(cmsg.cmd, "DCC") && p->conn_class->dcc_proxy_incoming) { CVE id CVE-2007-5226 was assigned to this issue. dircproxy-1.2.0-0.6beta2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. |