Date: Tue, 01 Jan 2013 00:07:39 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Mustapha Rabiu <muztapha@...il.com>, William Pitcock <nenolod@...eferenced.org> Subject: Re: Charybdis: Improper assumptions in the server handshake code may lead to a remote crash -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/31/2012 02:57 PM, Mustapha Rabiu wrote: > Hi. > > > Can we get a CVE for the following > > -- > > Access vector: network Access complexity: low Authentication > requirement: none > > Confidentiality impact: none Integrity impact: none Availability > impact: complete > > CVSSv2 temporal score: 6.4 > > Exploitability: functional exploit exists Remediation level: > official fix Report confidence: confirmed > > Summary: > > All versions of Charybdis are vulnerable to a remotely-triggered > crash bug caused by code originating from ircd-ratbox 2.0. > (Incidentally, this means all versions since ircd-ratbox 2.0 are > also vulnerable.) > > The bug has to do with server capability negotiation. A malformed > request will trigger a crash due to invalid assumptions. > > Mitigation: > > A patch for all affected versions of ircd-ratbox and charybdis is > available from the charybdis GIT repository: > https://github.com/atheme/charybdis/commit/ac0707aa61d9c20e9b09062294701567c9f41595.patch > > To apply the patch, go to your IRCd source tree and run the > following commands: $ patch -p1 < > /path/to/downloaded/patchfile.patch $ make $ make install > > Then you may hotfix the IRCd by running /MODRESTART as a server > admin. > > Details: > > In ratbox-2, the following code was added to m_capab.c: char *t = > LOCAL_COPY(parv[i]); > > The other logic was then modified to make use of that > stack-allocated buffer rather than the original. LOCAL_COPY() is a > macro which expands to alloca() and strlcpy(), and the bug > effectively is caused by this expansion calling strlen(NULL). > > > -- > > > Thanks. > > > Mustapha Rabiu Ah sorry just noticed this as well, repeating so it's not missed: Please use CVE-2012-6084 for this issue. Same as http://seclists.org/oss-sec/2012/q4/545 - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJQ4os7AAoJEBYNRVNeJnmTKPYQAL1E+pwprii4USuJDVV+alk8 pmmPQqmUZXGy/hLG+RFBRvjyLTV8kZi/p5H+x3d2JZXPBDTexnaXckJSkE2ItDnt iKB9ZCJWJF01DnViTmDycZsy69k7D2FvpfJdll6TySq5L8bnBL1kkc0eCSNql0/5 9kTeG4O8kGCgB/ouBSr22WhGKzfIHQL77pLf+P7PDLLJnfkIpQyA82F1WcpNiJLj wcS2pUv6ycHxZpjLsucmOA2Pqz1waRTyEg8BTGQBJLQazFrjmy8hSLalNc0NLYGZ 0TwXSUI+rjYzRo/4lcwTIr+OnrhAyvUR5SZ5HX7bEq+R20POE+i1wOBXbyj65Vci Z7uprd9Ky3UjEfxLzJRveEnRX7jYgPTLtYnNfRIQ/yfxqQxZ0csNTDTRcXHrixDt 6SOFPhFi+qA2+SQY3f/eNQK66x7z/7XD1nRLO7Xqp8MtFxX7ARr3I31G5tgRiqw9 NbNvLRc77jLFfAtz6bAgQa2MJGehGYWjtK4HEwiTVnURDByb0rMakZVsrBp8IpIE yCNtEN5pCRTvRb4TT2DJyp1Nmfc9VIO5ubBt9Eg4SOEZ6D+XDD1/2BuagOtw6fbs R/aASmpMmhPwNENLSnNJ6OXqX+YlhAoyDkaSR3vG1xjWW6F2Y+FTrJk0tkYOL2nk eovf7/4p8AU1TAH+rzOJ =zCqa -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ