Debian Bug report logs -
#595409
bip can be crashed remotely by unauthenticated users
Reported by: Uli Schlachter <psychon@znc.in>
Date: Fri, 3 Sep 2010 18:24:01 UTC
Severity: grave
Tags: security
Found in versions 0.8.5, bip/0.8.5-1, bip/0.8.2-1
Fixed in versions bip/0.8.6-1, bip/0.8.2-1squeeze2
Done: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Arnaud Cornet <acornet@debian.org>:
Bug#595409; Package bip.
(Fri, 03 Sep 2010 18:24:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Uli Schlachter <psychon@znc.in>:
New Bug report received and forwarded. Copy sent to Arnaud Cornet <acornet@debian.org>.
(Fri, 03 Sep 2010 18:24:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: bip
Version: 0.8.2-1
Severity: grave
Tags: security
Unauthenticated users can easily cause a NULL pointer dereference in bip (bip is
listening at localhost:7778):
$ echo USER | telnet localhost 7778
<other window>
==25787== Process terminating with default action of signal 11 (SIGSEGV)
==25787== Access not within mapped region at address 0x0
==25787== at 0x11BE5C: bip_on_event (irc.c:2483)
==25787== by 0x11BF4A: irc_main (irc.c:2554)
==25787== by 0x113A97: main (bip.c:1316)
The NULL pointer dereference happens in this code:
if (r == ERR_PROTOCOL) {
mylog(LOG_ERROR, "[%s] Error in protocol, closing...",
LINK(lc)->name);
goto prot_err_lines;
}
AFAIK this has been reported upstream. However, I haven't talked directly with
any bip developer about this so far.
Cheers,
Uli
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'testing-proposed-updates'), (50, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages bip depends on:
ii adduser 3.112 add and remove users and groups
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libssl0.9.8 0.9.8o-2 SSL shared libraries
ii lsb-base 3.2-23.1 Linux Standard Base 3.2 init scrip
bip recommends no packages.
bip suggests no packages.
-- Configuration Files:
/etc/bip.conf [Errno 13] Keine Berechtigung: u'/etc/bip.conf'
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Arnaud Cornet <acornet@debian.org>:
Bug#595409; Package bip.
(Tue, 07 Sep 2010 19:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Uli Schlachter <psychon@znc.in>:
Extra info received and forwarded to list. Copy sent to Arnaud Cornet <acornet@debian.org>.
(Tue, 07 Sep 2010 19:27:03 GMT) (full text, mbox, link).
Message #10 received at 595409@bugs.debian.org (full text, mbox, reply):
Hi,
I just found out that someone at redhat cares. This was assigned CVE-2010-3071.
http://seclists.org/oss-sec/2010/q3/276
http://seclists.org/oss-sec/2010/q3/289
Cheers,
Uli
--
- Buck, when, exactly, did you lose your mind?
- Three months ago. I woke up one morning married to a pineapple.
An ugly pineapple... But I loved her
Bug Marked as found in versions 0.8.5.
Request was from Sebastien Delafond <seb@debian.org>
to control@bugs.debian.org.
(Fri, 10 Sep 2010 09:18:05 GMT) (full text, mbox, link).
Bug Marked as found in versions bip/0.8.5-1.
Request was from Sebastien Delafond <seb@debian.org>
to control@bugs.debian.org.
(Fri, 10 Sep 2010 09:21:04 GMT) (full text, mbox, link).
Reply sent
to Arnaud Cornet <acornet@debian.org>:
You have taken responsibility.
(Sun, 12 Sep 2010 17:18:12 GMT) (full text, mbox, link).
Notification sent
to Uli Schlachter <psychon@znc.in>:
Bug acknowledged by developer.
(Sun, 12 Sep 2010 17:18:12 GMT) (full text, mbox, link).
Message #19 received at 595409-close@bugs.debian.org (full text, mbox, reply):
Source: bip
Source-Version: 0.8.6-1
We believe that the bug you reported is fixed in the latest version of
bip, which is due to be installed in the Debian FTP archive:
bip_0.8.6-1.debian.tar.gz
to main/b/bip/bip_0.8.6-1.debian.tar.gz
bip_0.8.6-1.dsc
to main/b/bip/bip_0.8.6-1.dsc
bip_0.8.6-1_amd64.deb
to main/b/bip/bip_0.8.6-1_amd64.deb
bip_0.8.6.orig.tar.gz
to main/b/bip/bip_0.8.6.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 595409@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arnaud Cornet <acornet@debian.org> (supplier of updated bip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 12 Sep 2010 17:58:22 +0100
Source: bip
Binary: bip
Architecture: source amd64
Version: 0.8.6-1
Distribution: unstable
Urgency: low
Maintainer: Arnaud Cornet <acornet@debian.org>
Changed-By: Arnaud Cornet <acornet@debian.org>
Description:
bip - multiuser irc proxy with conversation replay and more
Closes: 595409
Changes:
bip (0.8.6-1) unstable; urgency=low
.
* New upstream release (Closes: #595409).
Checksums-Sha1:
fb9545daefd994c8298c361af0b333db44c52c8b 997 bip_0.8.6-1.dsc
6568154bc1b616f69705e63ade3b77bf5d4de988 220246 bip_0.8.6.orig.tar.gz
a3c2872bba6ec5725c35b3444bc855f32e64d374 8201 bip_0.8.6-1.debian.tar.gz
1c7acdad10761b0262a507c1103cd160c16a8839 151108 bip_0.8.6-1_amd64.deb
Checksums-Sha256:
5586686109d9914d799bde15c85b88093b3394ce42fa2c10d7542175c22ac449 997 bip_0.8.6-1.dsc
a488060858a9f257d3a07e632162a8f7df79a002915cdb629082d191917762fe 220246 bip_0.8.6.orig.tar.gz
0c774fad9bcbf2f22f0c74fdfd9f64202cc952f0b089ece2459609086976b85e 8201 bip_0.8.6-1.debian.tar.gz
75f36e36e805b383e7a8eccd694bd5446d60a47e81d55113588a0044ae748c4a 151108 bip_0.8.6-1_amd64.deb
Files:
c37585a21802e0282af704418fd0c6bd 997 net optional bip_0.8.6-1.dsc
a6026d6da8587220332b2f96a7385fc9 220246 net optional bip_0.8.6.orig.tar.gz
baf03e72e19cad34ec462618282ae0cd 8201 net optional bip_0.8.6-1.debian.tar.gz
f49912b8aa0bb4316a642a63a33c8cce 151108 net optional bip_0.8.6-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkyNBy8ACgkQsk+dgCIlhI5eAQCeMAECtoYTM6kQ1oAnyyfEkChB
XE0AoI1UxJ2oazBLNYGdqxe3ROthS0dc
=a9M/
-----END PGP SIGNATURE-----
Reply sent
to Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>:
You have taken responsibility.
(Wed, 22 Sep 2010 08:36:04 GMT) (full text, mbox, link).
Notification sent
to Uli Schlachter <psychon@znc.in>:
Bug acknowledged by developer.
(Wed, 22 Sep 2010 08:36:04 GMT) (full text, mbox, link).
Message #24 received at 595409-close@bugs.debian.org (full text, mbox, reply):
Source: bip
Source-Version: 0.8.2-1squeeze2
We believe that the bug you reported is fixed in the latest version of
bip, which is due to be installed in the Debian FTP archive:
bip_0.8.2-1squeeze2.diff.gz
to main/b/bip/bip_0.8.2-1squeeze2.diff.gz
bip_0.8.2-1squeeze2.dsc
to main/b/bip/bip_0.8.2-1squeeze2.dsc
bip_0.8.2-1squeeze2_amd64.deb
to main/b/bip/bip_0.8.2-1squeeze2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 595409@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr> (supplier of updated bip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 13 Sep 2010 01:06:26 +0200
Source: bip
Binary: bip
Architecture: source amd64
Version: 0.8.2-1squeeze2
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
Changed-By: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
Description:
bip - multiuser irc proxy with conversation replay and more
Closes: 595409
Changes:
bip (0.8.2-1squeeze2) testing-proposed-updates; urgency=low
.
* New maintainer (with Nohar's blessing).
* Fix CVE-2010-3071: null pointer deference (remote DoS). (Closes: #595409)
Checksums-Sha1:
ef9be86ea8b79db80b6fb97da9266b2084469ff9 1074 bip_0.8.2-1squeeze2.dsc
2b8f01e59e1ab32dd7c5a65611bd43c5db469b2f 8183 bip_0.8.2-1squeeze2.diff.gz
e90e0f1640b2b0a0736a10f1e0380f313dd16266 146066 bip_0.8.2-1squeeze2_amd64.deb
Checksums-Sha256:
edce5f4dac20bbcbe9915eaf28e3b88ba2b400816c8c6409deb15c05e5c2df48 1074 bip_0.8.2-1squeeze2.dsc
5ef84f99ab24f0f68fc21011118b68f480183bffe95d03208f0e3f094716031a 8183 bip_0.8.2-1squeeze2.diff.gz
8b8128cd3f36c130ad41f81cb0102fbf07a90097f8e2d8b55679d93ea8292679 146066 bip_0.8.2-1squeeze2_amd64.deb
Files:
940e9245094b8c4f360829373a4967aa 1074 net optional bip_0.8.2-1squeeze2.dsc
77c2348613f8b93d4a5101364fa24b41 8183 net optional bip_0.8.2-1squeeze2.diff.gz
c19cd033c8434a4d741cdd2f03fb164e 146066 net optional bip_0.8.2-1squeeze2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkyZumMACgkQsk+dgCIlhI6Y2QCeJRyGcLLweOLlIzjhppx8BWAq
AJYAmwaParo9GlkhFBVumVg0k8yoDm2I
=g0CZ
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 21 Oct 2010 07:30:40 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:16:30 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon