Forgot the attachment. Cheers Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u ngircd-0.10.3/debian/changelog ngircd-0.10.3/debian/changelog
--- ngircd-0.10.3/debian/changelog
+++ ngircd-0.10.3/debian/changelog
@@ -1,3 +1,13 @@
+ngircd (0.10.3-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by security team.
+ * This update addresses the following security issue:
+ - A crafted PART message could lead to referencing invalid
+ memory and thus causing a denial of service situation
+ (CVE-2008-0285; Closes: #461067).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Wed, 16 Jan 2008 13:15:06 +0100
+
ngircd (0.10.3-1) unstable; urgency=low
* New maintainer E-Mail address.
diff -u ngircd-0.10.3/debian/patches/00list ngircd-0.10.3/debian/patches/00list
--- ngircd-0.10.3/debian/patches/00list
+++ ngircd-0.10.3/debian/patches/00list
@@ -1,0 +2 @@
+CVE-2008-0285
only in patch2:
unchanged:
--- ngircd-0.10.3.orig/debian/patches/CVE-2008-0285.dpatch
+++ ngircd-0.10.3/debian/patches/CVE-2008-0285.dpatch
@@ -0,0 +1,39 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2008-0285.dpatch by Nico Golde <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+diff -urNad ngircd-0.10.3~/src/ngircd/irc-channel.c ngircd-0.10.3/src/ngircd/irc-channel.c
+--- ngircd-0.10.3~/src/ngircd/irc-channel.c 2007-07-31 20:57:06.000000000 +0200
++++ ngircd-0.10.3/src/ngircd/irc-channel.c 2008-01-16 13:14:46.000000000 +0100
+@@ -270,7 +270,8 @@
+ assert( Req != NULL );
+
+ /* Falsche Anzahl Parameter? */
+- if(( Req->argc > 2 )) return IRC_WriteStrClient( Client, ERR_NEEDMOREPARAMS_MSG, Client_ID( Client ), Req->command );
++ if((Req->argc < 1) || (Req->argc > 2 ))
++ return IRC_WriteStrClient( Client, ERR_NEEDMOREPARAMS_MSG, Client_ID( Client ), Req->command );
+
+ /* Wer ist der Absender? */
+ if( Client_Type( Client ) == CLIENT_SERVER ) target = Client_Search( Req->prefix );
+@@ -278,15 +279,9 @@
+ if( ! target ) return IRC_WriteStrClient( Client, ERR_NOSUCHNICK_MSG, Client_ID( Client ), Req->prefix );
+
+ /* Channel-Namen durchgehen */
+- chan = strtok( Req->argv[0], "," );
+- while( chan )
+- {
+- if( ! Channel_Part( target, Client, chan, Req->argc > 1 ? Req->argv[1] : Client_ID( target )))
+- {
+- /* naechsten Namen ermitteln */
+- chan = strtok( NULL, "," );
+- continue;
+- }
++ chan = strtok(Req->argv[0], ",");
++ while (chan) {
++ Channel_Part(target, Client, chan, Req->argc > 1 ? Req->argv[1] : Client_ID(target));
+
+ /* naechsten Namen ermitteln */
+ chan = strtok( NULL, "," );
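Review bot: The dpatch header still reads `## DP: No description.`, so this security fix is undocumented in the patch itself; a line such as `## DP: Reject PART without parameters before strtok() touches Req->argv[0] (CVE-2008-0285).` would tell the next maintainer why it exists. In the rewritten loop the result of `Channel_Part(...)` is now discarded; the removed branch advanced to the next name on both paths, so behaviour looks unchanged, but `(void)Channel_Part(...)` or a one-line comment would mark that as deliberate. The added `Req->argc < 1` test is what keeps an unset `Req->argv[0]` away from `strtok()` (presumably NULL when no parameter was sent, to be confirmed against the parser), and a short comment next to the guard saying so would keep it from being simplified away later. The PART handler begins and ends outside the hunk, so how the function returns after the loop cannot be checked from here.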
only in patch2:
unchanged:

