Bug 787298

Summary: null pointer dereference, remote DoS
Product: [Fedora] Fedora
Component: xchat-ruby
Version: 16
Reporter: Roland Pallai <dap78>
Assignee: Conrad Meyer <cse.cem+redhatbugz>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: cse.cem+redhatbugz
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Fixed In Version: xchat-ruby-1.2-11.fc15
Doc Type: Bug Fix
Last Closed: 2012-02-12 22:48:26 UTC
Attachments: Fix for the bug (flags: none)

Description Roland Pallai 2012-02-03 20:43:49 UTC
Created attachment 559361
Fix for the bug

Description of problem:

In the src/xchat-ruby.c functions

 static_ruby_custom_command_hook(char *word[], char *word_eol[], void *userdata)
 static_ruby_custom_server_hook(char *word[], char *word_eol[], void *userdata)

the parameter 'word' is used in a for cycle without a break [1]:
 for( i = 1; word[i][0] != '\0'; i++ )

The problem is that word[PDIWORDS] is always set to NULL by xchat. So if the input contains more words than PDIWORDS (32) [2], the NULL pointer will be dereferenced.

This bug is remotely triggerable over IRC networks if one or more Ruby plugins use hook_server().

[1] http://bazaar.launchpad.net/~vcs-imports/xchat/trunk/view/head:/src/common/proto-irc.c#L1150
[2] http://bazaar.launchpad.net/~vcs-imports/xchat/trunk/view/head:/src/common/xchat.h#L76

Fix attached.


Version-Release number of selected component (if applicable):
1.2-9.fc15

How reproducible:
100%

Steps to Reproduce:
1. Use a simple xchat ruby plugin which uses hook_server()
2. Connect to IRC network with xchat
3. Write a lot of words (more than 32) to yourself in one line
  
Actual results:
xchat got SIGSEGV

Expected results:
xchat keeps running

Additional info:

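The loop quoted in the description, beside a bounds- and NULL-checked version, as an added example (not the attached fix and not xchat-ruby's own code). The array layout in `fill_words` is a constructed model based on the report's statement that word[PDIWORDS] is always NULL; `fill_words`, `count_words_unchecked` and `count_words_checked` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define PDIWORDS 32 /* word limit cited in the report (xchat.h) */

/* Constructed model of the hook's word[] array, following the report:
 * words start at index 1, unused slots point at "", and
 * word[PDIWORDS] is always NULL. */
void fill_words(char *word[PDIWORDS + 1], char *line)
{
    int i = 1;
    for (int k = 0; k < PDIWORDS; k++)
        word[k] = "";
    word[PDIWORDS] = NULL;
    for (char *t = strtok(line, " "); t && i < PDIWORDS; t = strtok(NULL, " "))
        word[i++] = t;
}

/* Loop shape quoted in the report: it stops only at an empty string, so
 * with every slot filled it reads word[PDIWORDS][0] through NULL.
 * Kept for comparison; not called below. */
int count_words_unchecked(char *word[])
{
    int i;
    for (i = 1; word[i][0] != '\0'; i++)
        ;
    return i - 1;
}

/* Hardened loop: bound the index and test the pointer before the byte. */
int count_words_checked(char *word[])
{
    int i;
    for (i = 1; i < PDIWORDS && word[i] != NULL && word[i][0] != '\0'; i++)
        ;
    return i - 1;
}

int main(void)
{
    char line[256] = "";
    char *word[PDIWORDS + 1];
    for (int k = 0; k < 40; k++) /* constructed input: 40 words */
        strcat(line, "w ");
    fill_words(word, line);
    printf("%d words seen\n", count_words_checked(word));
    return 0;
}
```
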
Comment 2 Fedora Update System 2012-02-04 02:11:41 UTC
xchat-ruby-1.2-11.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/xchat-ruby-1.2-11.fc16

Comment 3 Fedora Update System 2012-02-04 02:11:49 UTC
xchat-ruby-1.2-11.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/xchat-ruby-1.2-11.fc15

Comment 4 Conrad Meyer 2012-02-04 02:15:49 UTC
Updates submitted -- please try it and give feedback if you can. Thanks!

Comment 5 Fedora Update System 2012-02-04 23:51:39 UTC
Package xchat-ruby-1.2-11.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xchat-ruby-1.2-11.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1325/xchat-ruby-1.2-11.fc15
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2012-02-12 22:48:26 UTC
xchat-ruby-1.2-11.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2012-02-12 22:48:37 UTC
xchat-ruby-1.2-11.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.