Bug 319301 (CVE-2007-5226) - CVE-2007-5226 dircproxy segfault on blank /me
Summary: CVE-2007-5226 dircproxy segfault on blank /me
Status: CLOSED RAWHIDE
Alias: CVE-2007-5226
Product: Fedora
Classification: Fedora
Component: dircproxy
Version: rawhide
Hardware: All
OS: Linux
Priority: high
Severity: high
Assignee: Jarod Wilson
QA Contact: Fedora Extras Quality Assurance
Whiteboard: source=redhat,reported=20071004,publi...
 
Reported: 2007-10-04 21:12 UTC by Warren Togami
Modified: 2007-11-30 22:12 UTC (History)

Doc Type: Bug Fix
Last Closed: 2007-10-04 21:51:43 UTC



Description Warren Togami 2007-10-04 21:12:43 UTC
Blank /me messages (a CTCP ACTION with an empty argument) sent by irssi on
irc.freenode.net cause dircproxy to segfault.  Security implications?

Program received signal SIGSEGV, Segmentation fault.
0x000000000040c016 in _ircserver_data (p=0x45d74e0, sock=9) at irc_server.c:1157
1157              irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
(gdb) bt full
#0  0x000000000040c016 in _ircserver_data (p=0x45d74e0, sock=9) at irc_server.c:1157
        dccmsg = <value optimized out>
        rejmsg = 0x45d9008 "Py]\004"
        rest = 0x32e454b960 ""
        file_stat = {st_dev = 73233632, st_ino = 218579122528, st_nlink =
73234240, st_mode = 40, st_uid = 0, st_gid = 73233632, pad0 = 0, st_rdev = 0,
st_size = 140733391467344, 
  st_blksize = 4284782, st_blocks = 140733391467448, st_atim = {tv_sec = 0,
tv_nsec = 73234240}, st_mtim = {tv_sec = 40, tv_nsec = 73233632}, st_ctim =
{tv_sec = 0, 
    tv_nsec = 140733391467344}, __unused = {4224354, 0, 0}}
        tmp = 0x8 <Address 0x8 out of bounds>
        ptr = 0x45d77e0 "warren"
        l_port = -464209568
        t_port = <value optimized out>
        type = 0
        r_addr = <value optimized out>
        r_port = 0
        capfile = 0x0
        str = 0x45d8c70 ":lmacken!i=lmacken@fedora/lmacken PRIVMSG
#fedora-meeting :+\001ACTION \001"
#1  0x00000000004158bb in net_poll () at net.c:916
        can_read = <value optimized out>
        can_write = 0
        s = (struct sockinfo *) 0x45d8b50
        ns = 3
        nr = 0
        sn = 2
        now = 71
        ufds = (struct pollfd *) 0x45d79c0
        m_ns = 3
#2  0x0000000000402bc3 in main (argc=<value optimized out>, argv=<value
optimized out>) at main.c:319
        ns = 3
        nt = <value optimized out>
        status = 0
        pid = <value optimized out>
        optc = <value optimized out>
        show_help = 3
        show_version = 3
        show_usage = 0
        local_file = <value optimized out>
        cmd_listen_port = 0x0
        cmd_pid_file = 0x0
        inetd_mode = 0
        no_daemon = 0
#3  0x00000032e421d8a4 in __libc_start_main (main=0x402540 <main>, argc=3,
ubp_av=0x7fff0bce96a8, init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fff0bce9698) at libc-start.c:231
        result = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {218561092544,
6919244002178149327, 0, 140733391476384, 0, 0, 6919332491586846239,
6919244198205289360}, mask_was_saved = 0}}, 
  priv = {pad = {0x0, 0x0, 0x4021d0, 0x6ffffe34}, data = {prev = 0x0, cleanup =
0x0, canceltype = 4202960}}}
        not_first_call = <value optimized out>
#4  0x00000000004021f9 in _start ()
No symbol table info available.

Comment 1 Warren Togami 2007-10-04 21:31:42 UTC
Here is a more complete backtrace, built on F8 with -O0.

Program received signal SIGSEGV, Segmentation fault.
0x000000000040e126 in _ircserver_gotmsg (p=0x62e680, str=0x630070
":warren__!~warren.redhat.com PRIVMSG #test :\001ACTION \001")
at irc_server.c:1157
1157              irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
(gdb) bt full
#0  0x000000000040e126 in _ircserver_gotmsg (p=0x62e680, str=0x630070
":warren__!~warren.redhat.com PRIVMSG #test :\001ACTION \001")
at irc_server.c:1157
        cmsg = {cmd = 0x62d2a0 "ACTION", params = 0x0, numparams = 0, orig =
0x62ff70 "ACTION ", paramstarts = 0x0}
        n = (struct strlist *) 0x0
        unquoted = 0x62ffe0 "ACTION "
        r = 0
        currptr = (struct dcc_resume *) 0x7fff1e1813e0
        c = (struct ircchannel *) 0x62f040
        list = (struct strlist *) 0x6300c0
        s = (struct strlist *) 0x0
        str = 0x62eb20 "\001ACTION \001"
        logdest = 0x62eab0 "#test"
        msg = {src = {name = 0x631210 "warren__", username = 0x62fdd0 "~warren",
hostname = 0x631360 "newcaprica.boston.redhat.com", 
    fullname = 0x62f500 "warren__ (~warren.redhat.com)", orig
= 0x62f540 "warren__!~warren.redhat.com", type = 2}, cmd =
0x62f460 "PRIVMSG", 
  params = 0x631390, numparams = 2, orig = 0x62f690
":warren__!~warren.redhat.com PRIVMSG #test :\001ACTION \001",
paramstarts = 0x62d260}
        squelch = 0
        important = 0
#1  0x000000000040be92 in _ircserver_data (p=0x62e680, sock=7) at irc_server.c:436
        str = 0x630070 ":warren__!~warren.redhat.com PRIVMSG
#test :\001ACTION \001"
#2  0x000000000041cc89 in net_poll () at net.c:916
        can_read = 1
        can_write = 0
        s = (struct sockinfo *) 0x62f5f0
        ns = 3
        nr = 1
        sn = 2
        now = 1191533455
        func = 0x427e68 "poll"
        ufds = (struct pollfd *) 0x62ebb0
        m_ns = 3
#3  0x00000000004028e8 in main (argc=3, argv=0x7fff1e183708) at main.c:319
        ns = 3
        nt = 1
        status = 0
        pid = -1
        optc = -1
        show_help = 0
        show_version = 0
        show_usage = 0
        local_file = 0x62d030 "`�b"
        cmd_listen_port = 0x0
        cmd_pid_file = 0x0
        inetd_mode = 0
        no_daemon = 0
#4  0x00000031de41e0b4 in __libc_start_main (main=0x402308 <main>, argc=3,
ubp_av=0x7fff1e183708, init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fff1e1836f8) at libc-start.c:220
        result = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {214165466048,
-8705122560259286313, 0, 140733698291456, 0, 0, 8705190998673824471,
-8695732190868170025}, mask_was_saved = 0}}, 
  priv = {pad = {0x0, 0x0, 0x41ddb0, 0x7fff1e183708}, data = {prev = 0x0,
cleanup = 0x0, canceltype = 4316592}}}
        not_first_call = <value optimized out>
#5  0x0000000000402259 in _start ()
No symbol table info available.


Comment 2 Jarod Wilson 2007-10-04 21:38:31 UTC
Looks like this is probably the same thing as
http://dircproxy.securiweb.net/ticket/89

Comment 3 Warren Togami 2007-10-04 21:51:43 UTC
Here is the fix.  Building into rawhide now.

--- dircproxy-1.2.0-beta2.orig/src/irc_server.c 2006-10-07 17:07:08.000000000 -0400
+++ dircproxy-1.2.0-beta2/src/irc_server.c      2007-10-04 17:45:57.000000000 -0400
@@ -1155,7 +1155,7 @@
       
         if (!strcmp(cmsg.cmd, "ACTION")) {
           irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
-                     "%s", cmsg.paramstarts[0]);
+                     "%s", (cmsg.paramstarts != NULL) ?  cmsg.paramstarts[0]:
"none");
 
         } else if (!strcmp(cmsg.cmd, "DCC")
                    && p->conn_class->dcc_proxy_incoming) {
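Review bot: The guard added at the irclog_log call tests only whether cmsg.paramstarts is NULL, but the crash condition is really a CTCP ACTION with no parameters, which the backtrace shows as numparams = 0 alongside the NULL pointer; an allocated-but-empty parameter array would still read paramstarts[0] past its end, so the check belongs on the count: `"%s", (cmsg.numparams > 0) ? cmsg.paramstarts[0] : "");`. Logging the literal "none" also invents message text the sender never wrote; an empty string is the faithful rendering of a blank /me. The same `cmsg.paramstarts[0]` pattern presumably appears in the DCC branch that begins on the last hunk line and in any other CTCP handler in this function, and each of those would need the same count check if it dereferences the array. Since the triggering PRIVMSG comes from another IRC user (first backtrace), any remote user able to message a channel the proxy sits on can crash it, so every such access matters. _ircserver_gotmsg starts and ends outside the hunk.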


Comment 4 Tomas Hoger 2007-10-08 09:12:52 UTC
CVE id CVE-2007-5226 was assigned to this issue.

Comment 5 Fedora Update System 2007-10-08 14:59:12 UTC
dircproxy-1.2.0-0.6beta2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

