Date: Tue, 01 Jan 2013 00:07:39 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Mustapha Rabiu <muztapha@...il.com>, William Pitcock <nenolod@...eferenced.org>
Subject: Re: Charybdis: Improper assumptions in the server handshake code may lead to a remote crash


On 12/31/2012 02:57 PM, Mustapha Rabiu wrote:
> Hi.
> 
> 
> Can we get a CVE for the following
> 
> --
> 
> Access vector: network
> Access complexity: low
> Authentication requirement: none
> 
> Confidentiality impact: none
> Integrity impact: none
> Availability impact: complete
> 
> CVSSv2 temporal score: 6.4
> 
> Exploitability: functional exploit exists
> Remediation level: official fix
> Report confidence: confirmed
> 
> Summary:
> 
> All versions of Charybdis are vulnerable to a remotely-triggered
> crash bug caused by code originating from ircd-ratbox 2.0.
> (Incidentally, this means all versions since ircd-ratbox 2.0 are
> also vulnerable.)
> 
> The bug has to do with server capability negotiation.  A malformed
> request will trigger a crash due to invalid assumptions.
> 
> Mitigation:
> 
> A patch for all affected versions of ircd-ratbox and charybdis is
> available from the charybdis GIT repository: 
> https://github.com/atheme/charybdis/commit/ac0707aa61d9c20e9b09062294701567c9f41595.patch
>
> To apply the patch, go to your IRCd source tree and run the
> following commands:
> 
> $ patch -p1 < /path/to/downloaded/patchfile.patch
> $ make
> $ make install
> 
> Then you may hotfix the IRCd by running /MODRESTART as a server
> admin.
> 
> Details:
> 
> In ratbox-2, the following code was added to m_capab.c:
> 
> char *t = LOCAL_COPY(parv[i]);
> 
> The other logic was then modified to make use of that
> stack-allocated buffer rather than the original.  LOCAL_COPY() is a
> macro which expands to alloca() and strlcpy(), and the bug
> effectively is caused by this expansion calling strlen(NULL).
> 
> 
> --
> 
> 
> Thanks.
> 
> 
> Mustapha Rabiu


Ah, sorry, just noticed this as well; repeating so it's not missed:

Please use CVE-2012-6084 for this issue.

Same as http://seclists.org/oss-sec/2012/q4/545


-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


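The LOCAL_COPY() defect described in the quoted report, as an added example in C that is not Charybdis or ircd-ratbox code: a simplified stack-copy routine with the same strlen-before-check ordering, beside a handler that rejects a NULL or empty parameter before the copy is ever made (the corrective shape, not the project's actual patch). bounded_copy, count_caps, handle_capab and the capability names are assumptions.

```c
/* Added example, not Charybdis/ratbox code: models the LOCAL_COPY() pattern
 * (alloca + strlcpy) from the report behind a parameter-validating handler. */
#include <alloca.h>
#include <string.h>

/* Stand-in for strlcpy(), which glibc lacked; faults when src == NULL. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src), n = len < size - 1 ? len : size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len;
}

/* Constructed capability names, not the real CAPAB token set. */
static const char *known_caps[] = { "QS", "EX", "IE", "ENCAP" };

static int is_known_cap(const char *tok)
{
    for (size_t k = 0; k < sizeof known_caps / sizeof *known_caps; k++)
        if (strcmp(tok, known_caps[k]) == 0) return 1;
    return 0;
}

/* The LOCAL_COPY() shape: a stack copy (strtok() writes into its input) whose
 * length is taken before any NULL check, so a NULL parameter is strlen(NULL). */
static int count_caps(const char *param)
{
    size_t len = strlen(param) + 1;
    char *t = alloca(len);
    bounded_copy(t, param, len);
    int matched = 0;
    for (char *tok = strtok(t, " "); tok; tok = strtok(NULL, " "))
        matched += is_known_cap(tok);
    return matched;
}

/* Hardened handler: the vulnerable loop copied every parv[i] up to parc
 * unconditionally; here a NULL or empty entry rejects the request (-1). */
static int handle_capab(int parc, const char *parv[])
{
    int matched = 0;
    for (int i = 1; i < parc; i++) {
        if (parv[i] == NULL || parv[i][0] == '\0') return -1;
        matched += count_caps(parv[i]);
    }
    return matched;
}
```

handle_capab(3, (const char *[]){ "CAPAB", "QS EX", "ENCAP BOGUS" }) returns 3, while a vector whose entry is NULL is refused with -1 instead of reaching strlen().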