Bug#478573: intent to NMU

Nico Golde Fri, 02 May 2008 04:07:03 -0700

Hi,
uploading 0-day NMU with maintainers permission.
debdiff attached and also archived on:
http://people.debian.org/~nion/nmu-diff/peercast-0.1218+svn20080104-1_0.1218+svn20080104-1.1.patch


Note, looking at the debdiff you will see that 
dh_listpackages were added in some log files. I did not do 
this, they are added automatically. Should be fixed in the 
build system later :)

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

diff -u peercast-0.1218+svn20080104/debian/changelog peercast-0.1218+svn20080104/debian/changelog
--- peercast-0.1218+svn20080104/debian/changelog
+++ peercast-0.1218+svn20080104/debian/changelog
@@ -1,3 +1,14 @@
+peercast (0.1218+svn20080104-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * This update addresses the following security issue:
+    - CVE-2008-2040: stack-based buffer overfow in the
+      HTTP::getAuthUserPass function leading to remote DoS
+      or arbitrary code execution if peercast is configured
+      to use http-basic authentication (Closes: #478573).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Fri, 02 May 2008 12:44:34 +0200
+
 peercast (0.1218+svn20080104-1) unstable; urgency=low
 
   * New upstream release
diff -u peercast-0.1218+svn20080104/debian/patches/series peercast-0.1218+svn20080104/debian/patches/series
--- peercast-0.1218+svn20080104/debian/patches/series
+++ peercast-0.1218+svn20080104/debian/patches/series
@@ -2,0 +3 @@
+CVE-2008-2040.patch
only in patch2:
unchanged:
--- peercast-0.1218+svn20080104.orig/debian/peercast-servent.debhelper.log
+++ peercast-0.1218+svn20080104/debian/peercast-servent.debhelper.log
@@ -0,0 +1 @@
+dh_listpackages
only in patch2:
unchanged:
--- peercast-0.1218+svn20080104.orig/debian/peercast-handlers.debhelper.log
+++ peercast-0.1218+svn20080104/debian/peercast-handlers.debhelper.log
@@ -0,0 +1 @@
+dh_listpackages
only in patch2:
unchanged:
--- peercast-0.1218+svn20080104.orig/debian/peercast.debhelper.log
+++ peercast-0.1218+svn20080104/debian/peercast.debhelper.log
@@ -0,0 +1 @@
+dh_listpackages
only in patch2:
unchanged:
--- peercast-0.1218+svn20080104.orig/debian/patches/CVE-2008-2040.patch
+++ peercast-0.1218+svn20080104/debian/patches/CVE-2008-2040.patch
@@ -0,0 +1,122 @@
+diff -Nurad peercast-0.1218+svn20080104/core/common/channel.cpp peercast-0.1218+svn20080104.new/core/common/channel.cpp
+--- peercast-0.1218+svn20080104/core/common/channel.cpp	2008-04-01 13:59:52.000000000 +0200
++++ peercast-0.1218+svn20080104.new/core/common/channel.cpp	2008-04-30 17:45:28.000000000 +0200
+@@ -440,7 +440,7 @@
+ 		if (http.isHeader(PCX_HS_POS))
+ 			streamPos = atoi(arg);
+ 		else
+-			Servent::readICYHeader(http, info, NULL);
++			Servent::readICYHeader(http, info, NULL, 0);
+ 
+ 		LOG_CHANNEL("Channel fetch: %s",http.cmdLine);
+ 	}
+diff -Nurad peercast-0.1218+svn20080104/core/common/http.cpp peercast-0.1218+svn20080104.new/core/common/http.cpp
+--- peercast-0.1218+svn20080104/core/common/http.cpp	2008-04-01 13:59:52.000000000 +0200
++++ peercast-0.1218+svn20080104.new/core/common/http.cpp	2008-04-30 17:45:28.000000000 +0200
+@@ -102,7 +102,7 @@
+ 		return 0;
+ }
+ //-----------------------------------------
+-void HTTP::getAuthUserPass(char *user, char *pass)
++void HTTP::getAuthUserPass(char *user, char *pass, size_t ulen, size_t plen)
+ {
+ 	if (arg)
+ 	{
+@@ -119,10 +119,14 @@
+ 			if (s)
+ 			{
+ 				*s = 0;
+-				if (user)
+-					strcpy(user,str.cstr());
+-				if (pass)
+-					strcpy(pass,s+1);
++				if (user){
++					strncpy(user,str.cstr(), ulen);
++					user[ulen - 1] = 0;
++				}
++				if (pass){
++					strncpy(pass,s+1, plen);
++					pass[plen - 1] = 0;
++				}
+ 			}			
+ 		}
+ 	}
+diff -Nurad peercast-0.1218+svn20080104/core/common/http.h peercast-0.1218+svn20080104.new/core/common/http.h
+--- peercast-0.1218+svn20080104/core/common/http.h	2008-04-01 13:59:52.000000000 +0200
++++ peercast-0.1218+svn20080104.new/core/common/http.h	2008-04-30 17:45:28.000000000 +0200
+@@ -176,7 +176,7 @@
+ 	char	*getArgStr();
+ 	int		getArgInt();
+ 
+-	void	getAuthUserPass(char *, char *);
++	void	getAuthUserPass(char *, char *, size_t, size_t);
+ 
+ 	char	cmdLine[8192],*arg;
+ 
+diff -Nurad peercast-0.1218+svn20080104/core/common/servent.h peercast-0.1218+svn20080104.new/core/common/servent.h
+--- peercast-0.1218+svn20080104/core/common/servent.h	2008-04-01 13:59:52.000000000 +0200
++++ peercast-0.1218+svn20080104.new/core/common/servent.h	2008-04-30 17:45:28.000000000 +0200
+@@ -206,7 +206,7 @@
+ 	void	sendPCPChannel();
+ 	void	checkPCPComms(Channel *, AtomStream &);
+ 
+-	static void	readICYHeader(HTTP &, ChanInfo &, char *);
++	static void	readICYHeader(HTTP &, ChanInfo &, char *, size_t);
+ 	bool	canStream(Channel *);
+ 
+ 	bool	isConnected() {return status == S_CONNECTED;}
+diff -Nurad peercast-0.1218+svn20080104/core/common/servhs.cpp peercast-0.1218+svn20080104.new/core/common/servhs.cpp
+--- peercast-0.1218+svn20080104/core/common/servhs.cpp	2008-04-01 13:59:52.000000000 +0200
++++ peercast-0.1218+svn20080104.new/core/common/servhs.cpp	2008-04-30 17:45:28.000000000 +0200
+@@ -587,7 +587,7 @@
+ 		{
+ 			case ServMgr::AUTH_HTTPBASIC:
+ 				if (http.isHeader("Authorization"))
+-					http.getAuthUserPass(user,pass);
++					http.getAuthUserPass(user,pass, sizeof(user), sizeof(pass));
+ 				break;
+ 			case ServMgr::AUTH_COOKIE:
+ 				if (http.isHeader("Cookie"))
+@@ -1405,7 +1405,7 @@
+ 
+ }
+ // -----------------------------------
+-void Servent::readICYHeader(HTTP &http, ChanInfo &info, char *pwd)
++void Servent::readICYHeader(HTTP &http, ChanInfo &info, char *pwd, size_t plen)
+ {
+ 	char *arg = http.getArgStr();
+ 	if (!arg) return;
+@@ -1429,8 +1429,10 @@
+ 		info.desc.set(arg,String::T_ASCII);
+ 		info.desc.convertTo(String::T_UNICODE);
+ 
+-	}else if (http.isHeader("Authorization"))
+-		http.getAuthUserPass(NULL,pwd);
++	}else if (http.isHeader("Authorization")){
++		if(pwd)
++			http.getAuthUserPass(NULL,pwd, 0, plen);
++    }
+ 	else if (http.isHeader(PCX_HS_CHANNELID))
+ 		info.id.fromStr(arg);
+ 	else if (http.isHeader("ice-password"))
+@@ -1501,7 +1503,7 @@
+ 	while (http.nextHeader())
+ 	{
+ 		LOG_DEBUG("ICY %s",http.cmdLine);
+-		readICYHeader(http,info,loginPassword.cstr());
++		readICYHeader(http,info,loginPassword.cstr(), String::MAX_LEN);
+ 	}
+ 
+ 
+diff -Nurad peercast-0.1218+svn20080104/core/common/url.cpp peercast-0.1218+svn20080104.new/core/common/url.cpp
+--- peercast-0.1218+svn20080104/core/common/url.cpp	2008-04-01 13:59:52.000000000 +0200
++++ peercast-0.1218+svn20080104.new/core/common/url.cpp	2008-04-30 17:45:28.000000000 +0200
+@@ -171,7 +171,7 @@
+ 				LOG_CHANNEL("Fetch HTTP: %s",http.cmdLine);
+ 
+ 				ChanInfo tmpInfo = ch->info;
+-				Servent::readICYHeader(http,ch->info,NULL);
++				Servent::readICYHeader(http,ch->info,NULL, 0);
+ 
+ 				if (!tmpInfo.name.isEmpty())
+ 					ch->info.name = tmpInfo.name;

pgpjWLRo8PNFk.pgp
Description: PGP signature

Bug#478573: intent to NMU

Reply via email to