Bug 319301 (CVE-2007-5226) - CVE-2007-5226 dircproxy segfault on blank /me
Summary: CVE-2007-5226 dircproxy segfault on blank /me
Keywords:
Status: CLOSED RAWHIDE
Alias: CVE-2007-5226
Product: Fedora
Classification: Fedora
Component: dircproxy
Version: rawhide
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Jarod Wilson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: source=redhat,reported=20071004,publi...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-10-04 21:12 UTC by Warren Togami
Modified: 2007-11-30 22:12 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-10-04 21:51:43 UTC
Type: ---


Attachments (Terms of Use)

Description Warren Togami 2007-10-04 21:12:43 UTC
Blank /me messages sent by irssi on irc.freenode.net causes dircproxy to
segfault.  Security implications?

Program received signal SIGSEGV, Segmentation fault.
0x000000000040c016 in _ircserver_data (p=0x45d74e0, sock=9) at irc_server.c:1157
1157              irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
(gdb) bt full
#0  0x000000000040c016 in _ircserver_data (p=0x45d74e0, sock=9) at irc_server.c:1157
        dccmsg = <value optimized out>
        rejmsg = 0x45d9008 "Py]\004"
        rest = 0x32e454b960 ""
        file_stat = {st_dev = 73233632, st_ino = 218579122528, st_nlink =
73234240, st_mode = 40, st_uid = 0, st_gid = 73233632, pad0 = 0, st_rdev = 0,
st_size = 140733391467344, 
  st_blksize = 4284782, st_blocks = 140733391467448, st_atim = {tv_sec = 0,
tv_nsec = 73234240}, st_mtim = {tv_sec = 40, tv_nsec = 73233632}, st_ctim =
{tv_sec = 0, 
    tv_nsec = 140733391467344}, __unused = {4224354, 0, 0}}
        tmp = 0x8 <Address 0x8 out of bounds>
        ptr = 0x45d77e0 "warren"
        l_port = -464209568
        t_port = <value optimized out>
        type = 0
        r_addr = <value optimized out>
        r_port = 0
        capfile = 0x0
        str = 0x45d8c70 ":lmacken!i=lmacken@fedora/lmacken PRIVMSG
#fedora-meeting :+\001ACTION \001"
#1  0x00000000004158bb in net_poll () at net.c:916
        can_read = <value optimized out>
        can_write = 0
        s = (struct sockinfo *) 0x45d8b50
        ns = 3
        nr = 0
        sn = 2
        now = 71
        ufds = (struct pollfd *) 0x45d79c0
        m_ns = 3
#2  0x0000000000402bc3 in main (argc=<value optimized out>, argv=<value
optimized out>) at main.c:319
        ns = 3
        nt = <value optimized out>
        status = 0
        pid = <value optimized out>
        optc = <value optimized out>
        show_help = 3
        show_version = 3
        show_usage = 0
        local_file = <value optimized out>
        cmd_listen_port = 0x0
        cmd_pid_file = 0x0
        inetd_mode = 0
        no_daemon = 0
#3  0x00000032e421d8a4 in __libc_start_main (main=0x402540 <main>, argc=3,
ubp_av=0x7fff0bce96a8, init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fff0bce9698) at libc-start.c:231
        result = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {218561092544,
6919244002178149327, 0, 140733391476384, 0, 0, 6919332491586846239,
6919244198205289360}, mask_was_saved = 0}}, 
  priv = {pad = {0x0, 0x0, 0x4021d0, 0x6ffffe34}, data = {prev = 0x0, cleanup =
0x0, canceltype = 4202960}}}
        not_first_call = <value optimized out>
#4  0x00000000004021f9 in _start ()
No symbol table info available.

Comment 1 Warren Togami 2007-10-04 21:31:42 UTC
Here is a more complete backtrace, built on F8 with -O0.

Program received signal SIGSEGV, Segmentation fault.
0x000000000040e126 in _ircserver_gotmsg (p=0x62e680, str=0x630070
":warren__!~warren@newcaprica.boston.redhat.com PRIVMSG #test :\001ACTION \001")
at irc_server.c:1157
1157              irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
(gdb) bt full
#0  0x000000000040e126 in _ircserver_gotmsg (p=0x62e680, str=0x630070
":warren__!~warren@newcaprica.boston.redhat.com PRIVMSG #test :\001ACTION \001")
at irc_server.c:1157
        cmsg = {cmd = 0x62d2a0 "ACTION", params = 0x0, numparams = 0, orig =
0x62ff70 "ACTION ", paramstarts = 0x0}
        n = (struct strlist *) 0x0
        unquoted = 0x62ffe0 "ACTION "
        r = 0
        currptr = (struct dcc_resume *) 0x7fff1e1813e0
        c = (struct ircchannel *) 0x62f040
        list = (struct strlist *) 0x6300c0
        s = (struct strlist *) 0x0
        str = 0x62eb20 "\001ACTION \001"
        logdest = 0x62eab0 "#test"
        msg = {src = {name = 0x631210 "warren__", username = 0x62fdd0 "~warren",
hostname = 0x631360 "newcaprica.boston.redhat.com", 
    fullname = 0x62f500 "warren__ (~warren@newcaprica.boston.redhat.com)", orig
= 0x62f540 "warren__!~warren@newcaprica.boston.redhat.com", type = 2}, cmd =
0x62f460 "PRIVMSG", 
  params = 0x631390, numparams = 2, orig = 0x62f690
":warren__!~warren@newcaprica.boston.redhat.com PRIVMSG #test :\001ACTION \001",
paramstarts = 0x62d260}
        squelch = 0
        important = 0
#1  0x000000000040be92 in _ircserver_data (p=0x62e680, sock=7) at irc_server.c:436
        str = 0x630070 ":warren__!~warren@newcaprica.boston.redhat.com PRIVMSG
#test :\001ACTION \001"
#2  0x000000000041cc89 in net_poll () at net.c:916
        can_read = 1
        can_write = 0
        s = (struct sockinfo *) 0x62f5f0
        ns = 3
        nr = 1
        sn = 2
        now = 1191533455
        func = 0x427e68 "poll"
        ufds = (struct pollfd *) 0x62ebb0
        m_ns = 3
#3  0x00000000004028e8 in main (argc=3, argv=0x7fff1e183708) at main.c:319
        ns = 3
        nt = 1
        status = 0
        pid = -1
        optc = -1
        show_help = 0
        show_version = 0
        show_usage = 0
        local_file = 0x62d030 "`�b"
        cmd_listen_port = 0x0
        cmd_pid_file = 0x0
        inetd_mode = 0
        no_daemon = 0
#4  0x00000031de41e0b4 in __libc_start_main (main=0x402308 <main>, argc=3,
ubp_av=0x7fff1e183708, init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fff1e1836f8) at libc-start.c:220
        result = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {214165466048,
-8705122560259286313, 0, 140733698291456, 0, 0, 8705190998673824471,
-8695732190868170025}, mask_was_saved = 0}}, 
  priv = {pad = {0x0, 0x0, 0x41ddb0, 0x7fff1e183708}, data = {prev = 0x0,
cleanup = 0x0, canceltype = 4316592}}}
        not_first_call = <value optimized out>
#5  0x0000000000402259 in _start ()
No symbol table info available.


Comment 2 Jarod Wilson 2007-10-04 21:38:31 UTC
Looks like this is probably the same thing as
http://dircproxy.securiweb.net/ticket/89

Comment 3 Warren Togami 2007-10-04 21:51:43 UTC
Here is the fix.  Building into rawhide now.

--- dircproxy-1.2.0-beta2.orig/src/irc_server.c 2006-10-07 17:07:08.000000000 -0400
+++ dircproxy-1.2.0-beta2/src/irc_server.c      2007-10-04 17:45:57.000000000 -0400
@@ -1155,7 +1155,7 @@
       
         if (!strcmp(cmsg.cmd, "ACTION")) {
           irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
-                     "%s", cmsg.paramstarts[0]);
+                     "%s", (cmsg.paramstarts != NULL) ?  cmsg.paramstarts[0]:
"none");
 
         } else if (!strcmp(cmsg.cmd, "DCC")
                    && p->conn_class->dcc_proxy_incoming) {


Comment 4 Tomas Hoger 2007-10-08 09:12:52 UTC
CVE id CVE-2007-5226 was assigned to this issue.

Comment 5 Fedora Update System 2007-10-08 14:59:12 UTC
dircproxy-1.2.0-0.6beta2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.