Bug#697092: charybdis: CVE-2012-6084: remote denial of service

[John Paul Adrian Glaubitz]

Package: charybdis
Followup-For: Bug #697092

Hi,

attaching proposed debdiff containing the upstream patch as well
an updated debian/changelog for an NMU. Would be willing to do
the NMU if no one else volunteers.

Cheers,

Adrian
diff -Nru charybdis-3.3.0/debian/changelog charybdis-3.3.0-CVE-2012-6084/debian/changelog
--- charybdis-3.3.0/debian/changelog	2011-11-30 00:17:54.0 +0100
+++ charybdis-3.3.0-CVE-2012-6084/debian/changelog	2013-01-02 20:58:33.748765147 +0100
@@ -1,3 +1,11 @@
+charybdis (3.3.0-7.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix remote denial of service vulnerability
+CVE-2012-6084 (Closes: #697092).
+
+ -- John Paul Adrian Glaubitz glaub...@physik.fu-berlin.de  Wed, 02 Jan 2013 20:57:36 +0100
+
 charybdis (3.3.0-7) unstable; urgency=low
 
   * patch: default NICKLEN to 30 to fit a commonly used value and the new
diff -Nru charybdis-3.3.0/debian/patches/CVE-2012-6084.patch charybdis-3.3.0-CVE-2012-6084/debian/patches/CVE-2012-6084.patch
--- charybdis-3.3.0/debian/patches/CVE-2012-6084.patch	1970-01-01 01:00:00.0 +0100
+++ charybdis-3.3.0-CVE-2012-6084/debian/patches/CVE-2012-6084.patch	2013-01-02 20:57:08.790958689 +0100
@@ -0,0 +1,26 @@
+From ac0707aa61d9c20e9b09062294701567c9f41595 Mon Sep 17 00:00:00 2001
+From: William Pitcock neno...@dereferenced.org
+Date: Mon, 31 Dec 2012 13:13:05 -0600
+Subject: [PATCH] m_capab: fix a possible remote crash triggered by the CAPAB
+ parsing code.
+
+---
+ modules/m_capab.c |2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/m_capab.c b/modules/m_capab.c
+index 54e9a53..b03fb3f 100644
+--- a/modules/m_capab.c
 b/modules/m_capab.c
+@@ -38,7 +38,7 @@
+ 
+ struct Message capab_msgtab = {
+ 	CAPAB, 0, 0, 0, MFLG_SLOW | MFLG_UNREG,
+-	{{mr_capab, 0}, mg_ignore, mg_ignore, mg_ignore, mg_ignore, mg_ignore}
++	{{mr_capab, 2}, mg_ignore, mg_ignore, mg_ignore, mg_ignore, mg_ignore}
+ };
+ struct Message gcap_msgtab = {
+ 	GCAP, 0, 0, 0, MFLG_SLOW,
+-- 
+1.7.10
+
diff -Nru charybdis-3.3.0/debian/patches/series charybdis-3.3.0-CVE-2012-6084/debian/patches/series
--- charybdis-3.3.0/debian/patches/series	2011-11-30 00:17:54.0 +0100
+++ charybdis-3.3.0-CVE-2012-6084/debian/patches/series	2013-01-02 20:57:31.618369271 +0100
@@ -5,3 +5,4 @@
 no-rpath
 cleanup-bandb-properly
 default_nicklen
+CVE-2012-6084.patch
diff -Nru charybdis-3.3.0/debian/patches/series~ charybdis-3.3.0-CVE-2012-6084/debian/patches/series~
--- charybdis-3.3.0/debian/patches/series~	1970-01-01 01:00:00.0 +0100
+++ charybdis-3.3.0-CVE-2012-6084/debian/patches/series~	2011-11-30 00:17:54.0 +0100
@@ -0,0 +1,7 @@
+fix-paths
+ircd.conf
+no_hardcoded_bandb_dpath
+non-static-sqlite
+no-rpath
+cleanup-bandb-properly
+default_nicklen

Bug#697092: charybdis: CVE-2012-6084: remote denial of service

[Antoine Beaupré]

On 2013-01-02, John Paul Adrian Glaubitz wrote:
 Hi,

 attaching proposed debdiff containing the upstream patch as well
 an updated debian/changelog for an NMU. Would be willing to do
 the NMU if no one else volunteers.

Please do NMU, but the following chunk should be removed from the patch:

 diff -Nru charybdis-3.3.0/debian/patches/series~ 
 charybdis-3.3.0-CVE-2012-6084/debian/patches/series~
 --- charybdis-3.3.0/debian/patches/series~1970-01-01 01:00:00.0 
 +0100
 +++ charybdis-3.3.0-CVE-2012-6084/debian/patches/series~  2011-11-30 
 00:17:54.0 +0100
 @@ -0,0 +1,7 @@
 +fix-paths
 +ircd.conf
 +no_hardcoded_bandb_dpath
 +non-static-sqlite
 +no-rpath
 +cleanup-bandb-properly
 +default_nicklen

Thanks!

-- 
Les écrivains qui ont recours à leurs doigts pour savoir s'ils ont leur
compte de pieds ne sont pas des poètes, ce sont des dactylographes.
- Léo Ferré, Préface


pgpDweFJg9HVx.pgp
Description: PGP signature