Bug 787298 - null pointer dereference, remote DoS
null pointer dereference, remote DoS
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: xchat-ruby (Show other bugs)
16
Unspecified Unspecified
unspecified Severity medium
: ---
: ---
Assigned To: Conrad Meyer
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-02-03 15:43 EST by Roland Pallai
Modified: 2012-02-12 17:48 EST (History)
1 user (show)

See Also:
Fixed In Version: xchat-ruby-1.2-11.fc15
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-12 17:48:26 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Fix for the bug (823 bytes, patch)
2012-02-03 15:43 EST, Roland Pallai
no flags Details | Diff

  None (edit)
Description Roland Pallai 2012-02-03 15:43:49 EST
Created attachment 559361 [details]
Fix for the bug

Description of problem:

In src/xchat-ruby.c functions

 static_ruby_custom_command_hook(char *word[], char *word_eol[], void *userdata)
 static_ruby_custom_server_hook(char *word[], char *word_eol[], void *userdata)

parameter 'word' used in a for cycle without break [1]
 for( i = 1; word[i][0] != '\0'; i++ )

The problem is word[PDIWORDS] always set to NULL by xchat. So if the input contains more words than PDIWORDS (32) [2], the NULL pointer will be dereferenced.

This bug remote triggerable over IRC networks if one or more ruby plugin uses hook_server().

[1] http://bazaar.launchpad.net/~vcs-imports/xchat/trunk/view/head:/src/common/proto-irc.c#L1150
[2] http://bazaar.launchpad.net/~vcs-imports/xchat/trunk/view/head:/src/common/xchat.h#L76

Fix attached.


Version-Release number of selected component (if applicable):
1.2-9.fc15

How reproducible:
100%

Steps to Reproduce:
1. Use a simple xchat ruby plugin which uses hook_server()
2. Connect to IRC network with xchat
3. Write a lot of words (more than 32) for yourself in one line
  
Actual results:
xchat got SIGSEGV

Expected results:
xchat keeps running

Additional info:
Comment 2 Fedora Update System 2012-02-03 21:11:41 EST
xchat-ruby-1.2-11.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/xchat-ruby-1.2-11.fc16
Comment 3 Fedora Update System 2012-02-03 21:11:49 EST
xchat-ruby-1.2-11.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/xchat-ruby-1.2-11.fc15
Comment 4 Conrad Meyer 2012-02-03 21:15:49 EST
Updates submitted -- please try it and give feedback if you can. Thanks!
Comment 5 Fedora Update System 2012-02-04 18:51:39 EST
Package xchat-ruby-1.2-11.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xchat-ruby-1.2-11.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1325/xchat-ruby-1.2-11.fc15
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2012-02-12 17:48:26 EST
xchat-ruby-1.2-11.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2012-02-12 17:48:37 EST
xchat-ruby-1.2-11.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.