Bug#334089: remotely segfaultable, DOS

2005-11-19 Thread Steve Langasek
tags 334089 patch
thanks

Hello,

I've tracked this bug in centericq down to a failure to deal with short
packets (or packets declaring their own length to be zero).  The attached
patch fixes this segfault, by stopping without further processing of the
packet when its length is determined to be zero.

Someone should also check what happens when the parser reads a packet length
value of 1 or 2; there may be other bugs handling those cases as well.

I don't see any obvious way that this bug could be exploited to gain remote
access, but unfortunately there may be a non-obvious way...  I've cc:ed the
security team, so they can evaluate whether this warrants a security upload
-- perhaps the DoS alone is enough reason for an update.

Also, I've attached a second patch, unrelated to any known crasher bugs,
that includes some fixes for memory handling which turned up when trying to
valgrind centericq.  I don't suspect that it's relevant to a stable security
update, but the maintainer may want to consider including it in his next
upload to unstable.

Thanks,
-- 
Steve Langasek
Debian Developer
[EMAIL PROTECTED]   http://www.debian.org/
Give me a lever long enough and a Free OS to set it on, and I can move the world.
diff -u centericq-4.21.0/debian/changelog centericq-4.21.0/debian/changelog
--- centericq-4.21.0/debian/changelog
+++ centericq-4.21.0/debian/changelog
@@ -1,3 +1,11 @@
+centericq (4.21.0-3.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix for ICQ direct client handler, which fails to handle undersized
+requests from remote hosts, leading to a segfault (closes: #334089).
+
+ -- Steve Langasek [EMAIL PROTECTED]  Sat, 19 Nov 2005 05:16:12 -0800
+
 centericq (4.21.0-3) unstable; urgency=low
 
   * Applied patch from Guillaume Libersat [EMAIL PROTECTED]
only in patch2:
unchanged:
--- centericq-4.21.0.orig/libicq2000-0.1/src/DirectClient.cpp
+++ centericq-4.21.0/libicq2000-0.1/src/DirectClient.cpp
@@ -162,6 +162,7 @@
 
   m_recv.setLittleEndian();
   m_recv  length;
+  if (length == 0) return; // short read, toss it back (nothing to do)
   if (length  Incoming_Packet_Limit) throw ParseException(Received too 
long incoming packet);
   if (m_recv.remains()  length) return; // waiting for more of the packet
 
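Review bot: the new `if (length == 0) return;` silently returns while the oversize case two lines below throws a ParseException; a zero-length packet is no less malformed than an oversize one, so `throw ParseException(...)` here would be consistent and would surface the bad peer instead of quietly skipping it. Whether the two length bytes already read from m_recv are discarded or re-read on the next call depends on how the caller resets the buffer, which the hunk does not show, so confirm the stream does not desynchronize after the early return. As the cover mail itself notes, lengths 1 and 2 still reach the body parser; if the direct-connection header has a fixed minimum size, checking `length < <that minimum>` in the same spot covers the whole class rather than only zero. Minor: "toss it back" is misleading since nothing is returned to the peer; "drop it" describes the code.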
diff -u centericq-4.21.0/debian/changelog centericq-4.21.0/debian/changelog
--- centericq-4.21.0/debian/changelog
+++ centericq-4.21.0/debian/changelog
@@ -3,6 +3,7 @@
   * Non-maintainer upload.
   * Fix for ICQ direct client handler, which fails to handle undersized
 requests from remote hosts, leading to a segfault (closes: #334089).
+  * Miscellaneous other memory handling clean-ups
 
  -- Steve Langasek [EMAIL PROTECTED]  Sat, 19 Nov 2005 05:16:12 -0800
 
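Review bot: the new bullet has no trailing period, unlike the entry above it; naming the files touched (icqface.cc, kkstrtext.cc) would also let a stable-update reviewer separate these clean-ups from the security fix at a glance.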
only in patch2:
unchanged:
--- centericq-4.21.0.orig/src/icqface.cc
+++ centericq-4.21.0/src/icqface.cc
@@ -2003,7 +2003,7 @@
mvaddchnstr(i-1, sizeWArea.x1+1, logline, 
sizeWArea.x2-sizeWArea.x1);
}
 
-   delete logline;
+   delete[] logline;
 
if(text.size()  sizeWArea.x2-sizeWArea.x1-2) 
text.resize(sizeWArea.x2-sizeWArea.x1-2);
mvhline(LINES-3, sizeWArea.x1+2, ' ', sizeWArea.x2-sizeWArea.x1-2);
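Review bot: the allocation of logline lies outside the hunk, so confirm it really comes from `new[]` before switching to `delete[]`; a `new[]`/`delete` mismatch is undefined behaviour even where it happens not to crash, and the same pattern may exist at other `delete` sites in icqface.cc that valgrind did not reach in this run.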
only in patch2:
unchanged:
--- centericq-4.21.0.orig/kkstrtext-0.1/kkstrtext.cc
+++ centericq-4.21.0/kkstrtext-0.1/kkstrtext.cc
@@ -907,8 +907,8 @@
r += soutbuf;
text.erase(0, text.size()-inleft);
 
-   delete soutbuf;
-   delete sinbuf;
+   delete[] soutbuf;
+   free(sinbuf);
 
if(res == -1  errno != EILSEQ)
break;
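Review bot: soutbuf and sinbuf now get different deallocators (`delete[]` versus `free()`), which is only right if soutbuf comes from `new[]` and sinbuf from malloc/strdup; both allocation sites are outside the hunk, so verify each. Since the surrounding loop advances through the input (the `inleft` bookkeeping), also make sure the pointer handed to `free()` is the original allocation address rather than an advanced copy, and that nothing after the `break` on the next line still references either buffer once freed.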


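A defensive version of the length check discussed in this report, written here as an added example rather than libicq2000 or centericq code: it frames 2-byte little-endian length-prefixed packets, rejects zero and undersized lengths (the 1 and 2 cases the mail asks about) before any body parsing, and bounds the size. INCOMING_PACKET_LIMIT, MIN_BODY_LEN and the sample stream are assumed or constructed values.

```c
#include <stdint.h>
#include <stddef.h>
/* Result of one framing attempt on the receive buffer. */
enum frame_status { FRAME_OK, FRAME_NEED_MORE, FRAME_MALFORMED, FRAME_TOO_LONG };

/* Assumed bounds, constructed for this example (not libicq2000's values): an upper
 * limit like the patch's Incoming_Packet_Limit, and a minimum body size so that
 * lengths 1 and 2 are rejected up front instead of being handed to the parser. */
#define INCOMING_PACKET_LIMIT 8192u
#define MIN_BODY_LEN 3u
/* Frame a 2-byte little-endian length followed by `length` body bytes. Only
 * buf[0..avail) is read; on FRAME_OK, *consumed says how far to advance. */
enum frame_status parse_frame(const uint8_t *buf, size_t avail,
                              const uint8_t **body, size_t *body_len, size_t *consumed)
{
    *body = NULL; *body_len = 0; *consumed = 0;
    if (avail < 2)                       /* length field itself is incomplete */
        return FRAME_NEED_MORE;
    uint16_t length = (uint16_t)(buf[0] | ((unsigned)buf[1] << 8));
    if (length < MIN_BODY_LEN)           /* zero or undersized: the case behind #334089 */
        return FRAME_MALFORMED;
    if (length > INCOMING_PACKET_LIMIT)  /* refuse to buffer unbounded input */
        return FRAME_TOO_LONG;
    if (avail - 2 < length)              /* rest of the packet not here yet */
        return FRAME_NEED_MORE;
    *body = buf + 2; *body_len = length; *consumed = 2 + (size_t)length;
    return FRAME_OK;
}

/* Status only, for callers that just want to classify what is buffered. */
enum frame_status classify(const uint8_t *buf, size_t avail)
{
    const uint8_t *b; size_t n, used;
    return parse_frame(buf, avail, &b, &n, &used);
}

/* Count complete, well-formed frames at the head of a stream, stopping at the
 * first incomplete or malformed one; the stopping status goes to *why if given. */
size_t count_frames(const uint8_t *buf, size_t avail, enum frame_status *why)
{
    size_t count = 0, off = 0;
    for (;;) {
        const uint8_t *b; size_t n, used;
        enum frame_status st = parse_frame(buf + off, avail - off, &b, &n, &used);
        if (st != FRAME_OK) { if (why) *why = st; return count; }
        count++; off += used;
    }
}

/* Constructed stream: a 3-byte frame, a 4-byte frame, then a zero-length header. */
const uint8_t SAMPLE_STREAM[] = { 3,0,'a','b','c', 4,0,'d','e','f','g', 0,0 };
```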


Bug#334089: remotely segfaultable, DOS

2005-11-19 Thread Martin Schulze
Hi!

Steve Langasek wrote:
> I've tracked this bug in centericq down to a failure to deal with short
> packets (or packets declaring their own length to be zero).  The attached
> patch fixes this segfault, by stopping without further processing of the
> packet when its length is determined to be zero.

Two words: You rock!

> I don't see any obvious way that this bug could be exploited to gain remote
> access, but unfortunately there may be a non-obvious way...  I've cc:ed the
> security team, so they can evaluate whether this warrants a security upload
> -- perhaps the DoS alone is enough reason for an update.

Crashing arbitrary user applications has been considered a vulnerability
since it's a remote denial of service in this case.  I guess that we should
update.

To Julien: Please let me know the version in sid that will fix this
problem.  I'll provide a CVE name asap.

Regards,

Joey

-- 
GNU GPL: The source will be with you... always.

Please always Cc to me when replying to me on the lists.



Bug#334089: remotely segfaultable, DOS

2005-10-15 Thread Nico Golde
Package: centericq
Version: 4.21.0-3
Severity: grave
Tags: security
Hi,
Yesterday I discovered the same bug as described on:
https://bugs.gentoo.org/show_bug.cgi?id=100519

All versions of centericq in Debian are vulnerable.
You can find a backtrace, coredump and strace on:
http://nion.modprobe.de/centericq-bug/
Regards, Nico


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15) (ignored: 
LC_ALL set to [EMAIL PROTECTED])

Versions of packages centericq depends on:
ii  centericq-common  4.21.0-3   A text-mode multi-protocol instant
ii  libc6 2.3.5-6GNU C Library: Shared libraries an
ii  libcurl3  7.14.1-5   Multi-protocol file transfer libra
ii  libgcc1   1:4.0.2-2  GCC support library
ii  libgnutls12   1.2.6-1the GNU TLS library - runtime libr
ii  libgpg-error0 1.1-4  library for common error values an
ii  libgpgme111.1.0-1GPGME - GnuPG Made Easy
ii  libidn11  0.5.18-1   GNU libidn library, implementation
ii  libjpeg62 6b-10  The Independent JPEG Group's JPEG 
ii  libncurses5   5.4-9  Shared libraries for terminal hand
ii  libssl0.9.7   0.9.7g-4   SSL shared libraries
ii  libstdc++64.0.2-2The GNU Standard C++ Library v3
ii  zlib1g1:1.2.3-4  compression library - runtime

Versions of packages centericq recommends:
ii  dillo [www-browser]   0.8.5-1GTK-based web browser
ii  elinks [www-browser]  0.10.6-1   advanced text-mode WWW browser
ii  links2 [www-browser]  2.1pre18-2 Web browser running in both graphi
ii  lynx [www-browser]2.8.5-2Text-mode WWW Browser
ii  mozilla-firefox [www-browser] 1.0.7-1lightweight web browser based on M
ii  sox   12.17.8-1  A universal sound sample translato
ii  w3m [www-browser] 0.5.1-4WWW browsable pager with excellent

-- no debconf information

-- 
Nico Golde - JAB: [EMAIL PROTECTED] | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org 
$ route add default roma.it

