Package: inspircd
Version: 2.0.27-1+deb10u1
Severity: normal
Tags: patch upstream
Dear Maintainer,
I found a bug affecting (mostly?) local SSL connections vie GnuTLS.
Sometimes the data sent by the client is seen by the server only when
follwing data has been sent. See
https://github.com/inspircd/inspircd/issues/1848 (Messages from SSL
client are not always handled when available (inspircd v2))
The appended patch fixed the issue for me.
-- System Information:
Debian Release: 10.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.10.0-1127.8.2.vz7.151.14 (SMP w/1 CPU core)
Kernel taint flags: TAINT_WARN, TAINT_CRAP, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages inspircd depends on:
ii libc6 2.28-10
ii libgcc1 1:8.3.0-6
ii libgeoip1 1.6.12-1
ii libgnutls30 3.6.7-4+deb10u6
ii libldap-2.4-2 2.4.47+dfsg-3+deb10u6
ii libmariadb3 1:10.3.27-0+deb10u1
ii libpcre3 2:8.43-1+0~20200703.7+debian9~1.gbpbfc49f
ii libpq5 11.10-0+deb10u1
ii libsqlite3-0 3.27.2-3+deb10u1
ii libstdc++6 8.3.0-6
ii libtre5 0.8.0-6
ii lsb-base 10.2019051400
inspircd recommends no packages.
Versions of packages inspircd suggests:
ii default-mysql-server 1.0.5
pn gnutls-bin <none>
pn ldap-server <none>
pn postgresql <none>
ii sqlite3 3.27.2-3+deb10u1
-- Configuration Files:
/etc/default/inspircd changed [not included]
/etc/inspircd/inspircd.conf [Errno 13] Permission denied:
'/etc/inspircd/inspircd.conf'
/etc/inspircd/inspircd.motd [Errno 13] Permission denied:
'/etc/inspircd/inspircd.motd'
/etc/inspircd/inspircd.rules [Errno 13] Permission denied:
'/etc/inspircd/inspircd.rules'
-- no debconf information
diff -Nru inspircd-2.0.27/debian/changelog inspircd-2.0.27/debian/changelog
--- inspircd-2.0.27/debian/changelog 2020-09-11 07:59:09.000000000 +0200
+++ inspircd-2.0.27/debian/changelog 2021-02-21 21:34:31.000000000 +0100
@@ -1,3 +1,10 @@
+inspircd (2.0.27-1+deb10u1.1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Patch gnutls module may not fully read available data
+
+ -- Michael Kosinets <gnutls.10.h4x...@spamgourmet.com> Sun, 21 Feb 2021
21:34:31 +0100
+
inspircd (2.0.27-1+deb10u1) buster-security; urgency=high
* Patch denial-of-service security vulnerabilities (Closes: #960650)
diff -Nru inspircd-2.0.27/debian/patches/07_gnutls_delayed_data.patch
inspircd-2.0.27/debian/patches/07_gnutls_delayed_data.patch
--- inspircd-2.0.27/debian/patches/07_gnutls_delayed_data.patch 1970-01-01
01:00:00.000000000 +0100
+++ inspircd-2.0.27/debian/patches/07_gnutls_delayed_data.patch 2021-02-21
21:32:13.000000000 +0100
@@ -0,0 +1,16 @@
+diff -Naur inspircd-2.0.27.orig/src/modules/extra/m_ssl_gnutls.cpp
inspircd-2.0.27/src/modules/extra/m_ssl_gnutls.cpp
+--- inspircd-2.0.27.orig/src/modules/extra/m_ssl_gnutls.cpp 2021-02-19
22:47:56.846343368 +0100
++++ inspircd-2.0.27/src/modules/extra/m_ssl_gnutls.cpp 2021-02-21
21:31:08.536997908 +0100
+@@ -703,9 +703,11 @@
+ if (ret > 0)
+ {
+ recvq.append(buffer, ret);
++ int mask = FD_WANT_POLL_READ;
+ // Schedule a read if there is still data in
the GnuTLS buffer
+ if (gnutls_record_check_pending(session->sess)
> 0)
+-
ServerInstance->SE->ChangeEventMask(user, FD_ADD_TRIAL_READ);
++ mask |= FD_ADD_TRIAL_READ;
++ ServerInstance->SE->ChangeEventMask(user, mask);
+ return 1;
+ }
+ else if (ret == GNUTLS_E_AGAIN || ret ==
GNUTLS_E_INTERRUPTED)
diff -Nru inspircd-2.0.27/debian/patches/series
inspircd-2.0.27/debian/patches/series
--- inspircd-2.0.27/debian/patches/series 2020-09-11 07:59:09.000000000
+0200
+++ inspircd-2.0.27/debian/patches/series 2021-02-21 21:33:01.000000000
+0100
@@ -3,3 +3,4 @@
04_reproducible_builds.diff
05_cve-2019-20917.diff
06_cve-2020-25269.diff
+07_gnutls_delayed_data.patch
