Bug 787298 - null pointer dereference, remote DoS
Summary: null pointer dereference, remote DoS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: xchat-ruby
Version: 16
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Conrad Meyer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-02-03 20:43 UTC by Roland Pallai
Modified: 2012-02-12 22:48 UTC (History)
1 user (show)

Fixed In Version: xchat-ruby-1.2-11.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-12 22:48:26 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
Fix for the bug (823 bytes, patch)
2012-02-03 20:43 UTC, Roland Pallai 		no flags Details | Diff
View All

Description Roland Pallai 2012-02-03 20:43:49 UTC 
Created attachment 559361 [details]
Fix for the bug

Description of problem:

In src/xchat-ruby.c functions

 static_ruby_custom_command_hook(char *word[], char *word_eol[], void *userdata)
 static_ruby_custom_server_hook(char *word[], char *word_eol[], void *userdata)

parameter 'word' used in a for cycle without break [1]
 for( i = 1; word[i][0] != '\0'; i++ )

The problem is word[PDIWORDS] always set to NULL by xchat. So if the input contains more words than PDIWORDS (32) [2], the NULL pointer will be dereferenced.

This bug remote triggerable over IRC networks if one or more ruby plugin uses hook_server().

[1] http://bazaar.launchpad.net/~vcs-imports/xchat/trunk/view/head:/src/common/proto-irc.c#L1150
[2] http://bazaar.launchpad.net/~vcs-imports/xchat/trunk/view/head:/src/common/xchat.h#L76

Fix attached.


Version-Release number of selected component (if applicable):
1.2-9.fc15

How reproducible:
100%

Steps to Reproduce:
1. Use a simple xchat ruby plugin which uses hook_server()
2. Connect to IRC network with xchat
3. Write a lot of words (more than 32) for yourself in one line
  
Actual results:
xchat got SIGSEGV

Expected results:
xchat keeps running

Additional info:
Comment 1 Conrad Meyer 2012-02-04 02:05:29 UTC 
Fixed and built in rawhide: http://koji.fedoraproject.org/koji/taskinfo?taskID=3761672
F16: http://koji.fedoraproject.org/koji/taskinfo?taskID=3761674
F15: http://koji.fedoraproject.org/koji/taskinfo?taskID=3761676
Comment 2 Fedora Update System 2012-02-04 02:11:41 UTC 
xchat-ruby-1.2-11.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/xchat-ruby-1.2-11.fc16
Comment 3 Fedora Update System 2012-02-04 02:11:49 UTC 
xchat-ruby-1.2-11.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/xchat-ruby-1.2-11.fc15
Comment 4 Conrad Meyer 2012-02-04 02:15:49 UTC 
Updates submitted -- please try it and give feedback if you can. Thanks!
Comment 5 Fedora Update System 2012-02-04 23:51:39 UTC 
Package xchat-ruby-1.2-11.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xchat-ruby-1.2-11.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1325/xchat-ruby-1.2-11.fc15
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2012-02-12 22:48:26 UTC 
xchat-ruby-1.2-11.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2012-02-12 22:48:37 UTC 
xchat-ruby-1.2-11.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.