Bug 1186590 (CVE-2015-1554) - CVE-2015-1554 kgb-bot: network traffic can trigger crash
Status: CLOSED WONTFIX
Alias: CVE-2015-1554
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1186592 1186591
Reported: 2015-01-28 05:40 UTC by Kurt Seifried
Modified: 2019-09-29 13:27 UTC

Doc Type: Bug Fix
Last Closed: 2016-06-10 21:03:43 UTC

Description Kurt Seifried 2015-01-28 05:40:37 UTC
Joey Hess reports:

Source: kgb-bot
Version: 1.33-2
Severity: important
Tags: security

2015.01.19 18:08:39: Listening on http://0.0.0.0:9999?session=KGB
2015.01.19 18:08:43: Connected to freenode (holmes.freenode.net)
2015.01.19 18:08:43: Joining #commits...
2015.01.19 18:08:43: Connected to oftc (graviton.oftc.net)
2015.01.19 18:08:43: Joining #ikiwiki #vcs-home #git-annex...
Did not get DONE/CLOSE event for Wheel ID 73 from IP 222.186.34.155 at
/usr/share/perl5/POE/Component/Server/SimpleHTTP.pm line 221.
I had a problem posting to event Got_Request of session SOAPServer for
DIR handler '.*'. As reported by Kernel: 'No such file or directory',
perhaps the session name is spelled incorrectly for this handler? at
/usr/share/perl5/POE/Session.pm line 483.

This has happened to me twice now, and it takes the bot down.

root@elephant:/home/joey>systemctl  status kgb-bot.service 
● kgb-bot.service - LSB: Collaborative IRC helper
   Loaded: loaded (/etc/init.d/kgb-bot)
   Active: active (exited) since Mon 2015-01-19 14:08:39 JEST; 1 weeks 1 days ago
  Process: 26584 ExecReload=/etc/init.d/kgb-bot reload (code=exited, status=0/SUCCESS)

Jan 26 03:57:27 elephant kgb-bot[26584]: Reloading Collaborative IRC helper: kgb-bot.

systemd thinks the service is running ok, but the daemon has in fact crashed or
exited because of the event logged above. Both "service kgb-bot start" and
"systemctl start kgb-bot" do nothing. I have to "service kgb-bot stop" to get
out of this state. (It seems that this could stand to be improved, by e.g.,
writing a systemd service file that doesn't let the daemon fork, so systemd
can handle logging and know when the process has exited.)

Here's the log from the previous time it happened:

2015.01.15 23:05:33: Connected to freenode (wolfe.freenode.net)
2015.01.15 23:05:33: Joining #commits...
Did not get DONE/CLOSE event for Wheel ID 1089 from IP 222.186.34.155 at /usr/share/perl5/POE/Component/Server/SimpleHTTP.pm line 221.
I had a problem posting to event Got_Request of session SOAPServer for DIR handler '.*'. As reported by Kernel: 'No such file or directory', perhaps the session name is spelled incorrectly for this handler? at /usr/share/perl5/POE/Session.pm line 483.

I don't know the IP 222.186.34.155. I assume it is trying to exploit my
server with its DIR .*

Since this appears to be at least a DOS, I've tagged the bug as a minor
security issue.

External reference:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776424
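
Because systemd keeps reporting the service as "active (exited)" after the daemon dies, the log is the only place the crash shows up. The following is an added example, not part of the bug report or of kgb-bot: a small Python scanner for the two-message crash signature seen in both log excerpts above. The function name, the `window` parameter and the choice to treat the message pair as the signature are assumptions; the sample log is constructed from the lines quoted in the report.

```python
import re

# Signature taken from the report: SimpleHTTP loses track of a connection
# ("wheel"), then POE fails to post Got_Request to the SOAPServer session.
WHEEL_RE = re.compile(r"Did not get DONE/CLOSE event for Wheel ID (\d+) from IP (\S+)")
POST_RE = re.compile(r"problem posting to event Got_Request of session SOAPServer")
STAMP_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}):")

# Constructed sample: both excerpts from the report, oldest first.
SAMPLE_LOG = """\
2015.01.15 23:05:33: Connected to freenode (wolfe.freenode.net)
2015.01.15 23:05:33: Joining #commits...
Did not get DONE/CLOSE event for Wheel ID 1089 from IP 222.186.34.155 at /usr/share/perl5/POE/Component/Server/SimpleHTTP.pm line 221.
I had a problem posting to event Got_Request of session SOAPServer for DIR handler '.*'.
2015.01.19 18:08:43: Joining #ikiwiki #vcs-home #git-annex...
Did not get DONE/CLOSE event for Wheel ID 73 from IP 222.186.34.155 at
/usr/share/perl5/POE/Component/Server/SimpleHTTP.pm line 221.
I had a problem posting to event Got_Request of session SOAPServer for
DIR handler '.*'. As reported by Kernel: 'No such file or directory',
"""

def find_crashes(log_text, window=4):
    """Return one dict per crash signature found in kgb-bot log text.

    The messages may be hard-wrapped, so the second one is searched for
    within `window` lines after the first rather than on the next line only.
    """
    lines = log_text.splitlines()
    crashes, last_stamp = [], None
    for i, line in enumerate(lines):
        stamp = STAMP_RE.match(line)
        if stamp:
            last_stamp = stamp.group(1)
        wheel = WHEEL_RE.search(line)
        if not wheel:
            continue
        following = " ".join(lines[i + 1:i + 1 + window])
        if POST_RE.search(following):
            crashes.append({
                "wheel_id": int(wheel.group(1)),
                "peer_ip": wheel.group(2),
                "last_timestamp": last_stamp,  # last stamped line before the crash
            })
    return crashes

if __name__ == "__main__":
    for crash in find_crashes(SAMPLE_LOG):
        print(crash)
```

The crash messages carry no timestamp of their own, so `last_timestamp` is only a lower bound on when the daemon went down.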

Comment 1 Kurt Seifried 2015-01-28 05:41:14 UTC
Created kgb-bot tracking bugs for this issue:

Affects: fedora-all [bug 1186591]
Affects: epel-7 [bug 1186592]