Bug 319301 (CVE-2007-5226)

Summary: CVE-2007-5226 dircproxy segfault on blank /me
Product: [Fedora] Fedora Reporter: Warren Togami <wtogami>
Component: dircproxyAssignee: Jarod Wilson <jarod>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: source=redhat,reported=20071004,public=20071004
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-10-04 21:51:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Warren Togami 2007-10-04 21:12:43 UTC 
Blank /me messages sent by irssi on irc.freenode.net causes dircproxy to
segfault.  Security implications?

Program received signal SIGSEGV, Segmentation fault.
0x000000000040c016 in _ircserver_data (p=0x45d74e0, sock=9) at irc_server.c:1157
1157              irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
(gdb) bt full
#0  0x000000000040c016 in _ircserver_data (p=0x45d74e0, sock=9) at irc_server.c:1157
        dccmsg = <value optimized out>
        rejmsg = 0x45d9008 "Py]\004"
        rest = 0x32e454b960 ""
        file_stat = {st_dev = 73233632, st_ino = 218579122528, st_nlink =
73234240, st_mode = 40, st_uid = 0, st_gid = 73233632, pad0 = 0, st_rdev = 0,
st_size = 140733391467344, 
  st_blksize = 4284782, st_blocks = 140733391467448, st_atim = {tv_sec = 0,
tv_nsec = 73234240}, st_mtim = {tv_sec = 40, tv_nsec = 73233632}, st_ctim =
{tv_sec = 0, 
    tv_nsec = 140733391467344}, __unused = {4224354, 0, 0}}
        tmp = 0x8 <Address 0x8 out of bounds>
        ptr = 0x45d77e0 "warren"
        l_port = -464209568
        t_port = <value optimized out>
        type = 0
        r_addr = <value optimized out>
        r_port = 0
        capfile = 0x0
        str = 0x45d8c70 ":lmacken!i=lmacken@fedora/lmacken PRIVMSG
#fedora-meeting :+\001ACTION \001"
#1  0x00000000004158bb in net_poll () at net.c:916
        can_read = <value optimized out>
        can_write = 0
        s = (struct sockinfo *) 0x45d8b50
        ns = 3
        nr = 0
        sn = 2
        now = 71
        ufds = (struct pollfd *) 0x45d79c0
        m_ns = 3
#2  0x0000000000402bc3 in main (argc=<value optimized out>, argv=<value
optimized out>) at main.c:319
        ns = 3
        nt = <value optimized out>
        status = 0
        pid = <value optimized out>
        optc = <value optimized out>
        show_help = 3
        show_version = 3
        show_usage = 0
        local_file = <value optimized out>
        cmd_listen_port = 0x0
        cmd_pid_file = 0x0
        inetd_mode = 0
        no_daemon = 0
#3  0x00000032e421d8a4 in __libc_start_main (main=0x402540 <main>, argc=3,
ubp_av=0x7fff0bce96a8, init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fff0bce9698) at libc-start.c:231
        result = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {218561092544,
6919244002178149327, 0, 140733391476384, 0, 0, 6919332491586846239,
6919244198205289360}, mask_was_saved = 0}}, 
  priv = {pad = {0x0, 0x0, 0x4021d0, 0x6ffffe34}, data = {prev = 0x0, cleanup =
0x0, canceltype = 4202960}}}
        not_first_call = <value optimized out>
#4  0x00000000004021f9 in _start ()
No symbol table info available.
Comment 1 Warren Togami 2007-10-04 21:31:42 UTC 
Here is a more complete backtrace, built on F8 with -O0.

Program received signal SIGSEGV, Segmentation fault.
0x000000000040e126 in _ircserver_gotmsg (p=0x62e680, str=0x630070
":warren__!~warren.redhat.com PRIVMSG #test :\001ACTION \001")
at irc_server.c:1157
1157              irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
(gdb) bt full
#0  0x000000000040e126 in _ircserver_gotmsg (p=0x62e680, str=0x630070
":warren__!~warren.redhat.com PRIVMSG #test :\001ACTION \001")
at irc_server.c:1157
        cmsg = {cmd = 0x62d2a0 "ACTION", params = 0x0, numparams = 0, orig =
0x62ff70 "ACTION ", paramstarts = 0x0}
        n = (struct strlist *) 0x0
        unquoted = 0x62ffe0 "ACTION "
        r = 0
        currptr = (struct dcc_resume *) 0x7fff1e1813e0
        c = (struct ircchannel *) 0x62f040
        list = (struct strlist *) 0x6300c0
        s = (struct strlist *) 0x0
        str = 0x62eb20 "\001ACTION \001"
        logdest = 0x62eab0 "#test"
        msg = {src = {name = 0x631210 "warren__", username = 0x62fdd0 "~warren",
hostname = 0x631360 "newcaprica.boston.redhat.com", 
    fullname = 0x62f500 "warren__ (~warren.redhat.com)", orig
= 0x62f540 "warren__!~warren.redhat.com", type = 2}, cmd =
0x62f460 "PRIVMSG", 
  params = 0x631390, numparams = 2, orig = 0x62f690
":warren__!~warren.redhat.com PRIVMSG #test :\001ACTION \001",
paramstarts = 0x62d260}
        squelch = 0
        important = 0
#1  0x000000000040be92 in _ircserver_data (p=0x62e680, sock=7) at irc_server.c:436
        str = 0x630070 ":warren__!~warren.redhat.com PRIVMSG
#test :\001ACTION \001"
#2  0x000000000041cc89 in net_poll () at net.c:916
        can_read = 1
        can_write = 0
        s = (struct sockinfo *) 0x62f5f0
        ns = 3
        nr = 1
        sn = 2
        now = 1191533455
        func = 0x427e68 "poll"
        ufds = (struct pollfd *) 0x62ebb0
        m_ns = 3
#3  0x00000000004028e8 in main (argc=3, argv=0x7fff1e183708) at main.c:319
        ns = 3
        nt = 1
        status = 0
        pid = -1
        optc = -1
        show_help = 0
        show_version = 0
        show_usage = 0
        local_file = 0x62d030 "`�b"
        cmd_listen_port = 0x0
        cmd_pid_file = 0x0
        inetd_mode = 0
        no_daemon = 0
#4  0x00000031de41e0b4 in __libc_start_main (main=0x402308 <main>, argc=3,
ubp_av=0x7fff1e183708, init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fff1e1836f8) at libc-start.c:220
        result = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {214165466048,
-8705122560259286313, 0, 140733698291456, 0, 0, 8705190998673824471,
-8695732190868170025}, mask_was_saved = 0}}, 
  priv = {pad = {0x0, 0x0, 0x41ddb0, 0x7fff1e183708}, data = {prev = 0x0,
cleanup = 0x0, canceltype = 4316592}}}
        not_first_call = <value optimized out>
#5  0x0000000000402259 in _start ()
No symbol table info available.
Comment 2 Jarod Wilson 2007-10-04 21:38:31 UTC 
Looks like this is probably the same thing as
http://dircproxy.securiweb.net/ticket/89
Comment 3 Warren Togami 2007-10-04 21:51:43 UTC 
Here is the fix.  Building into rawhide now.

--- dircproxy-1.2.0-beta2.orig/src/irc_server.c 2006-10-07 17:07:08.000000000 -0400
+++ dircproxy-1.2.0-beta2/src/irc_server.c      2007-10-04 17:45:57.000000000 -0400
@@ -1155,7 +1155,7 @@
       
         if (!strcmp(cmsg.cmd, "ACTION")) {
           irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
-                     "%s", cmsg.paramstarts[0]);
+                     "%s", (cmsg.paramstarts != NULL) ?  cmsg.paramstarts[0]:
"none");
 
         } else if (!strcmp(cmsg.cmd, "DCC")
                    && p->conn_class->dcc_proxy_incoming) {
Comment 4 Tomas Hoger 2007-10-08 09:12:52 UTC 
CVE id CVE-2007-5226 was assigned to this issue.
Comment 5 Fedora Update System 2007-10-08 14:59:12 UTC 
dircproxy-1.2.0-0.6beta2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.