Bug 319301 - (CVE-2007-5226) CVE-2007-5226 dircproxy segfault on blank /me
CVE-2007-5226 dircproxy segfault on blank /me
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: dircproxy (Show other bugs)
rawhide
All Linux
high Severity high
Assigned To: Jarod Wilson
Fedora Extras Quality Assurance
source=redhat,reported=20071004,publi...
Reported: 2007-10-04 17:12 EDT by Warren Togami
Modified: 2007-11-30 17:12 EST (History)
Last Closed: 2007-10-04 17:51:43 EDT
Description Warren Togami 2007-10-04 17:12:43 EDT
Blank /me messages sent by irssi on irc.freenode.net cause dircproxy to
segfault.  Security implications?

Program received signal SIGSEGV, Segmentation fault.
0x000000000040c016 in _ircserver_data (p=0x45d74e0, sock=9) at irc_server.c:1157
1157              irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
(gdb) bt full
#0  0x000000000040c016 in _ircserver_data (p=0x45d74e0, sock=9) at irc_server.c:1157
        dccmsg = <value optimized out>
        rejmsg = 0x45d9008 "Py]\004"
        rest = 0x32e454b960 ""
        file_stat = {st_dev = 73233632, st_ino = 218579122528, st_nlink =
73234240, st_mode = 40, st_uid = 0, st_gid = 73233632, pad0 = 0, st_rdev = 0,
st_size = 140733391467344, 
  st_blksize = 4284782, st_blocks = 140733391467448, st_atim = {tv_sec = 0,
tv_nsec = 73234240}, st_mtim = {tv_sec = 40, tv_nsec = 73233632}, st_ctim =
{tv_sec = 0, 
    tv_nsec = 140733391467344}, __unused = {4224354, 0, 0}}
        tmp = 0x8 <Address 0x8 out of bounds>
        ptr = 0x45d77e0 "warren"
        l_port = -464209568
        t_port = <value optimized out>
        type = 0
        r_addr = <value optimized out>
        r_port = 0
        capfile = 0x0
        str = 0x45d8c70 ":lmacken!i=lmacken@fedora/lmacken PRIVMSG
#fedora-meeting :+\001ACTION \001"
#1  0x00000000004158bb in net_poll () at net.c:916
        can_read = <value optimized out>
        can_write = 0
        s = (struct sockinfo *) 0x45d8b50
        ns = 3
        nr = 0
        sn = 2
        now = 71
        ufds = (struct pollfd *) 0x45d79c0
        m_ns = 3
#2  0x0000000000402bc3 in main (argc=<value optimized out>, argv=<value
optimized out>) at main.c:319
        ns = 3
        nt = <value optimized out>
        status = 0
        pid = <value optimized out>
        optc = <value optimized out>
        show_help = 3
        show_version = 3
        show_usage = 0
        local_file = <value optimized out>
        cmd_listen_port = 0x0
        cmd_pid_file = 0x0
        inetd_mode = 0
        no_daemon = 0
#3  0x00000032e421d8a4 in __libc_start_main (main=0x402540 <main>, argc=3,
ubp_av=0x7fff0bce96a8, init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fff0bce9698) at libc-start.c:231
        result = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {218561092544,
6919244002178149327, 0, 140733391476384, 0, 0, 6919332491586846239,
6919244198205289360}, mask_was_saved = 0}}, 
  priv = {pad = {0x0, 0x0, 0x4021d0, 0x6ffffe34}, data = {prev = 0x0, cleanup =
0x0, canceltype = 4202960}}}
        not_first_call = <value optimized out>
#4  0x00000000004021f9 in _start ()
No symbol table info available.
Comment 1 Warren Togami 2007-10-04 17:31:42 EDT
Here is a more complete backtrace, built on F8 with -O0.

Program received signal SIGSEGV, Segmentation fault.
0x000000000040e126 in _ircserver_gotmsg (p=0x62e680, str=0x630070
":warren__!~warren@newcaprica.boston.redhat.com PRIVMSG #test :\001ACTION \001")
at irc_server.c:1157
1157              irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
(gdb) bt full
#0  0x000000000040e126 in _ircserver_gotmsg (p=0x62e680, str=0x630070
":warren__!~warren@newcaprica.boston.redhat.com PRIVMSG #test :\001ACTION \001")
at irc_server.c:1157
        cmsg = {cmd = 0x62d2a0 "ACTION", params = 0x0, numparams = 0, orig =
0x62ff70 "ACTION ", paramstarts = 0x0}
        n = (struct strlist *) 0x0
        unquoted = 0x62ffe0 "ACTION "
        r = 0
        currptr = (struct dcc_resume *) 0x7fff1e1813e0
        c = (struct ircchannel *) 0x62f040
        list = (struct strlist *) 0x6300c0
        s = (struct strlist *) 0x0
        str = 0x62eb20 "\001ACTION \001"
        logdest = 0x62eab0 "#test"
        msg = {src = {name = 0x631210 "warren__", username = 0x62fdd0 "~warren",
hostname = 0x631360 "newcaprica.boston.redhat.com", 
    fullname = 0x62f500 "warren__ (~warren@newcaprica.boston.redhat.com)", orig
= 0x62f540 "warren__!~warren@newcaprica.boston.redhat.com", type = 2}, cmd =
0x62f460 "PRIVMSG", 
  params = 0x631390, numparams = 2, orig = 0x62f690
":warren__!~warren@newcaprica.boston.redhat.com PRIVMSG #test :\001ACTION \001",
paramstarts = 0x62d260}
        squelch = 0
        important = 0
#1  0x000000000040be92 in _ircserver_data (p=0x62e680, sock=7) at irc_server.c:436
        str = 0x630070 ":warren__!~warren@newcaprica.boston.redhat.com PRIVMSG
#test :\001ACTION \001"
#2  0x000000000041cc89 in net_poll () at net.c:916
        can_read = 1
        can_write = 0
        s = (struct sockinfo *) 0x62f5f0
        ns = 3
        nr = 1
        sn = 2
        now = 1191533455
        func = 0x427e68 "poll"
        ufds = (struct pollfd *) 0x62ebb0
        m_ns = 3
#3  0x00000000004028e8 in main (argc=3, argv=0x7fff1e183708) at main.c:319
        ns = 3
        nt = 1
        status = 0
        pid = -1
        optc = -1
        show_help = 0
        show_version = 0
        show_usage = 0
        local_file = 0x62d030 "`�b"
        cmd_listen_port = 0x0
        cmd_pid_file = 0x0
        inetd_mode = 0
        no_daemon = 0
#4  0x00000031de41e0b4 in __libc_start_main (main=0x402308 <main>, argc=3,
ubp_av=0x7fff1e183708, init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fff1e1836f8) at libc-start.c:220
        result = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {214165466048,
-8705122560259286313, 0, 140733698291456, 0, 0, 8705190998673824471,
-8695732190868170025}, mask_was_saved = 0}}, 
  priv = {pad = {0x0, 0x0, 0x41ddb0, 0x7fff1e183708}, data = {prev = 0x0,
cleanup = 0x0, canceltype = 4316592}}}
        not_first_call = <value optimized out>
#5  0x0000000000402259 in _start ()
No symbol table info available.
Comment 2 Jarod Wilson 2007-10-04 17:38:31 EDT
Looks like this is probably the same thing as
http://dircproxy.securiweb.net/ticket/89
Comment 3 Warren Togami 2007-10-04 17:51:43 EDT
Here is the fix.  Building into rawhide now.

--- dircproxy-1.2.0-beta2.orig/src/irc_server.c 2006-10-07 17:07:08.000000000 -0400
+++ dircproxy-1.2.0-beta2/src/irc_server.c      2007-10-04 17:45:57.000000000 -0400
@@ -1155,7 +1155,7 @@
       
         if (!strcmp(cmsg.cmd, "ACTION")) {
           irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
-                     "%s", cmsg.paramstarts[0]);
+                     "%s", (cmsg.paramstarts != NULL) ?  cmsg.paramstarts[0]:
"none");
 
         } else if (!strcmp(cmsg.cmd, "DCC")
                    && p->conn_class->dcc_proxy_incoming) {
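Review bot: The guard on the added line tests only `cmsg.paramstarts != NULL`, while the backtrace in comment 1 shows the failing message had `numparams = 0` together with `paramstarts = 0x0`; guarding on the parameter count states the intent directly and does not depend on the parser always nulling `paramstarts` for a parameter-less CTCP, e.g. `"%s", (cmsg.numparams > 0) ? cmsg.paramstarts[0] : "none"`. Substituting the literal `none` also writes text the user never sent into the action log; an empty string (`""`) would keep the log faithful to the received message. Minor style: the replacement has a double space after `?` and no space before `:`. The enclosing `_ircserver_gotmsg` starts and ends outside the hunk.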
Comment 4 Tomas Hoger 2007-10-08 05:12:52 EDT
CVE id CVE-2007-5226 was assigned to this issue.
Comment 5 Fedora Update System 2007-10-08 10:59:12 EDT
dircproxy-1.2.0-0.6beta2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
