Package: tirc
Version: 1.2-11
Severity: grave
Justification: renders package unusable
Go to irc.freeonode.net and identify yourself with /msg nickserv;
the response comes with numeric reply 901 and makes tirc crash with a
segmentation fault. ("tirc -d" shows the server response.)
This will happen with many other irc servers as well;
http://www.alien.net.au/irc/irc2numerics.html shows that numeric
responses above 599 are common nowadays.
tirc has a hard limit on 599 and will use a function array with the
unchecked number.
I am attaching a patch which raises the limit to 999, making tirc
usable again, and also introduces a check before going into the array
which will prevent a crash even if the number is higher (just to be on
the safe side).
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Versions of packages tirc depends on:
ii libc6 2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii libncurses5 5.5-5 Shared libraries for terminal hand
tirc recommends no packages.
-- no debconf information
--- tirc-1.2/Changelog 1999-05-14 22:02:47.000000000 +0200
+++ tirc-1.2.fixed/Changelog 2008-06-24 18:46:38.840723750 +0200
@@ -1,5 +1,12 @@
# $Old: Changelog,v 1.118 1998/02/24 18:30:16 mkb Exp $
+20080624 [EMAIL PROTECTED]
+ o raised the range of accepted numeric server replies up to 999,
+ check out http://www.alien.net.au/irc/irc2numerics.html which
+ shows that larger numbers than 599 are widespread.
+ o fixed code not crash, but to warn and ignore the line
+ when a higher numeric reply number is encountered.
+
1.1 -> 1.2 1999/03/12
o do not expect getsid to be around
o fixed a small printf-missing-arg bug
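Review bot: the second added entry reads "fixed code not crash", which is missing "to"; the entry would also be easier to trace if it named the MAXSCMD check in irc.c that it refers to.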
diff -ur tirc-1.2/irc.c tirc-1.2.fixed/irc.c
--- tirc-1.2/irc.c 2008-06-24 18:42:43.000000000 +0200
+++ tirc-1.2.fixed/irc.c 2008-06-24 18:41:18.372695750 +0200
@@ -565,6 +565,20 @@
dispose_msg(&msg);
}
+ /*
+ * Take precausing against malicious servers
+ * sending higher numbers
+ */
+ if (sm.sm_num >= MAXSCMD) {
+ /* cry out and discard line*/
+ iw_printf(COLI_WARN, "%s%sServer send \
+numeric reply %d exceeding my internal MAXSCMD of %d; \
+ignoring the line! %s%s\n",
+ TBOLD, ppre, sm.sm_num, MAXSCMD,
+ timestamp(), TBOLD);
+ continue;
+ }
+
/* React on command */
(*reacttbl[sm.sm_num])(&sm);
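Review bot: the new guard tests only "sm.sm_num >= MAXSCMD", while the warning prints sm.sm_num with %d; if the field is a signed int, a negative value still reaches reacttbl[sm.sm_num], so add "sm.sm_num < 0 ||" to the condition unless the parser guarantees a non-negative number. Separately, the format string relies on backslash-newline inside the literal, which makes the message text depend on the continuation lines starting in column 0; adjacent string literals would be more robust. The comment and message also carry typos ("precausing", "Server send").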
diff -ur tirc-1.2/tirc.h tirc-1.2.fixed/tirc.h
--- tirc-1.2/tirc.h 2008-06-24 18:42:43.000000000 +0200
+++ tirc-1.2.fixed/tirc.h 2008-06-24 18:41:54.238937250 +0200
@@ -71,7 +71,7 @@
#define CNAMESZ 201 /* size of a channel name + NUL */
#define MSGSZ 513 /* size of an IRC message + NUL */
#define BUFSZ 4000 /* general buffer size */
-#define MAXSCMD 600 /* highest command number in IRC
protocol */
+#define MAXSCMD 1000 /* highest command number in IRC
protocol+1 */
#define MAXINPUT 510 /* length of editor line */
#define HISTORY 100 /* number of lines in input history */
#define BACKSCROLL 1200 /* number of lines in window backscroll */
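Review bot: raising MAXSCMD to 1000 only helps if reacttbl is dimensioned by MAXSCMD and every slot from 600 to 999 holds a callable handler, and neither is visible in this patch. If the table is filled elsewhere for the old range only, the call (*reacttbl[sm.sm_num])(&sm) in irc.c would go through an unset pointer for a reply such as 901, so please confirm the initialisation or add a NULL check before the call.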
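The bounds-checked dispatch the report describes, as an added example that is not part of the original report or of tirc's source. Only `reacttbl` and `MAXSCMD` are names from the patch; the handler type, `parse_numeric`, `dispatch` and the sample lines are assumptions, and the check for empty table slots goes beyond what the patch does.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXSCMD 1000                     /* highest numeric + 1, as in the patch */
enum { HANDLED, NOT_NUMERIC, OUT_OF_RANGE, NO_HANDLER };

typedef void (*react_fn)(const char *line);          /* assumed handler type */
static int welcomes;                                  /* lets callers observe the handler */
static void on_welcome(const char *line) { (void)line; welcomes++; }

/* Sparse table: only numeric 001 is wired up; all other slots are NULL. */
static react_fn reacttbl[MAXSCMD] = { [1] = on_welcome };

/* Return the numeric command of ":prefix NNN params", or -1 if it is not all digits. */
static long parse_numeric(const char *line)
{
    if (*line == ':') {                               /* skip the optional prefix */
        line = strchr(line, ' ');
        if (line == NULL) return -1;
        while (*line == ' ') line++;
    }
    if (!isdigit((unsigned char)*line)) return -1;    /* rejects "-1", "+5", "PRIVMSG" */
    char *end;
    long n = strtol(line, &end, 10);                  /* clamps to LONG_MAX on overflow */
    return (*end == ' ' || *end == '\0') ? n : -1;
}

/* Dispatch one server line; the table is only indexed after both checks pass. */
static int dispatch(const char *line)
{
    long num = parse_numeric(line);
    if (num < 0) return NOT_NUMERIC;
    if (num >= MAXSCMD) return OUT_OF_RANGE;          /* upper bound, as the patch adds */
    if (reacttbl[num] == NULL) return NO_HANDLER;     /* empty slot: ignore, do not call */
    reacttbl[num](line);
    return HANDLED;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char *lines[] = { ":srv 001 nick :Welcome", ":srv 901 nick :logged in",
                            ":srv 1234 nick :x", ":nick PRIVMSG #c :hi" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%d  %s\n", dispatch(lines[i]), lines[i]);
    return 0;
}
```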