Package: tirc
Version: 1.2-11
Severity: grave
Justification: renders package unusable

Go to irc.freeonode.net and identify yourself with /msg nickserv, the response will be with numeric reply 901 and makes tirc crash with a segmentation fault. ("tirc -d" shows the server response.)

This will happen with many other irc servers as well; http://www.alien.net.au/irc/irc2numerics.html shows that numeric responses above 599 are common nowadays. tirc has a hard limit on 599 and will use a function array with the unchecked number.

I am attaching a patch which raises the limit to 999 making tirc usable again and also introducing a check before going into the array which will prevent a crash even if the number is higher (just to be on the safe side).

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages tirc depends on:
ii  libc6        2.3.6.ds1-13etch5  GNU C Library: Shared libraries
ii  libncurses5  5.5-5              Shared libraries for terminal hand

tirc recommends no packages.

-- no debconf information

--- tirc-1.2/Changelog 1999-05-14 22:02:47.000000000 +0200 +++ tirc-1.2.fixed/Changelog 2008-06-24 18:46:38.840723750 +0200 @@ -1,5 +1,12 @@ # $Old: Changelog,v 1.118 1998/02/24 18:30:16 mkb Exp $ +20080624 [EMAIL PROTECTED] + o raised the range of accepted numeric server replies up to 999, + check out http://www.alien.net.au/irc/irc2numerics.html which + shows that larger numbers than 599 are widespread. + o fixed code not crash, but to warn and ignore the line + when a higher numeric reply number is encountered. + 1.1 -> 1.2 1999/03/12 o do not expect getsid to be around o fixed a small printf-missing-arg bug diff -ur tirc-1.2/irc.c tirc-1.2.fixed/irc.c --- tirc-1.2/irc.c 2008-06-24 18:42:43.000000000 +0200 +++ tirc-1.2.fixed/irc.c 2008-06-24 18:41:18.372695750 +0200 @@ -565,6 +565,20 @@ dispose_msg(&msg); } + /* + * Take precausing against malicious servers + * sending higher numbers + */ + if (sm.sm_num >= MAXSCMD) { + /* cry out and discard line*/ + iw_printf(COLI_WARN, "%s%sServer send \ +numeric reply %d exceeding my internal MAXSCMD of %d; \ +ignoring the line! %s%s\n", + TBOLD, ppre, sm.sm_num, MAXSCMD, + timestamp(), TBOLD); + continue; + } + /* React on command */ (*reacttbl[sm.sm_num])(&sm); diff -ur tirc-1.2/tirc.h tirc-1.2.fixed/tirc.h --- tirc-1.2/tirc.h 2008-06-24 18:42:43.000000000 +0200 +++ tirc-1.2.fixed/tirc.h 2008-06-24 18:41:54.238937250 +0200 @@ -71,7 +71,7 @@ #define CNAMESZ 201 /* size of a channel name + NUL */ #define MSGSZ 513 /* size of an IRC message + NUL */ #define BUFSZ 4000 /* general buffer size */ -#define MAXSCMD 600 /* highest command number in IRC protocol */ +#define MAXSCMD 1000 /* highest command number in IRC protocol+1 */ #define MAXINPUT 510 /* length of editor line */ #define HISTORY 100 /* number of lines in input history */ #define BACKSCROLL 1200 /* number of lines in window backscroll */
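
Review bot: in the irc.c hunk the new test "if (sm.sm_num >= MAXSCMD)" guards only the upper end of reacttbl. The value is printed with %d, so if sm_num is a signed int a negative value would still reach "(*reacttbl[sm.sm_num])(&sm);". Suggest "if (sm.sm_num < 0 || sm.sm_num >= MAXSCMD)", or confirm the field is unsigned. Minor: "precausing" should read "precaution" and "Server send" should read "Server sent", and the backslash-continued string literal would be easier to maintain as adjacent string literals.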
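
Review bot: in the tirc.h hunk, raising MAXSCMD from 600 to 1000 only removes the crash if reacttbl is declared with MAXSCMD entries and every slot from 600 to 999 holds a valid handler; neither the table's declaration nor its initialisation appears in this diff. If the new slots are left as null pointers, the call "(*reacttbl[sm.sm_num])(&sm);" in irc.c would still fault for numeric 901. Please show where the table is sized and filled, or add a null check next to the range check.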
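
The pattern the report describes (a server-supplied numeric used as an index into a table of function pointers), written as a small stand-alone C example. This is added here for illustration and is not tirc's code: only the names MAXSCMD and reacttbl are taken from the patch; the handlers, parse_numeric, dispatch and the sample lines are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXSCMD 1000 /* table size: slots 0..999, as in the patched tirc.h */

typedef int (*react_fn)(const char *line);

/* Hypothetical handlers; each returns a code so the caller can see which ran. */
static int on_unhandled(const char *line) { (void)line; return 0; }
static int on_901(const char *line) { (void)line; return 901; }

/* Only slot 901 is populated; every other slot is a NULL pointer. */
static react_fn reacttbl[MAXSCMD] = { [901] = on_901 };

/* Return the numeric command of ":prefix NNN params", or -1 if the command
 * token is not all digits. Values are capped so the int cannot overflow. */
int parse_numeric(const char *line)
{
    const char *p = line;
    int v = 0, digits = 0;
    if (*p == ':') {                    /* skip the optional prefix */
        if ((p = strchr(p, ' ')) == NULL)
            return -1;
        while (*p == ' ')
            p++;
    }
    for (; isdigit((unsigned char)*p); p++, digits++) {
        if (v > 99999)
            return -1;                  /* absurdly long numeric: reject */
        v = v * 10 + (*p - '0');
    }
    if (digits == 0 || (*p != ' ' && *p != '\0'))
        return -1;                      /* not a numeric reply */
    return v;
}

/* Dispatch one server line; -1 means the line was discarded. */
int dispatch(const char *line)
{
    int num = parse_numeric(line);
    if (num < 0 || num >= MAXSCMD)      /* check both ends of the table */
        return -1;
    return (reacttbl[num] ? reacttbl[num] : on_unhandled)(line); /* NULL slot */
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    printf("%d\n", dispatch(":srv.example 901 nick :constructed text"));
    printf("%d\n", dispatch(":srv.example 1000 nick :out of range"));
    return 0;
}
```

The range check and the fallback for empty slots are independent: the first stops reads past the table, the second stops a call through a null pointer inside it.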