ircd-hybrid: CVE-2013-0238 Denial of service vulnerability in hostmask.c:try_parse_v4_netmask()

Debian Bug report logs - #699267
ircd-hybrid: CVE-2013-0238 Denial of service vulnerability in hostmask.c:try_parse_v4_netmask()

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: submit@bugs.debian.org

Subject: ircd-hybrid: Denial of service vulnerability in hostmask.c:try_parse_v4_netmask()

Date: Tue, 29 Jan 2013 17:38:36 +0200

Package: ircd-hybrid
Version: 1:7.2.2.dfsg.2-6.2
Severity: grave
Tags: security

Mr. Bob Nomnomnom from Torland reported a denial of service security
vulnerability in ircd-hybrid. Function hostmask.c:try_parse_v4_netmask() is
using strtoul to parse masks. Documentation says strtoul can parse "-number" as
well. Validation of input does not catch evil bits. I can give proof of concept
if needed.

Fixed in commit: http://svn.ircd-hybrid.org:8000/viewcvs.cgi/ircd-hybrid/trunk/src/hostmask.c?r1=1786&r2=1785&pathrev=1786
Fixed in: ircd-hybrid 8.0.6

I have requested CVE identifier for this vulnerability.

Program received signal SIGSEGV, Segmentation fault.
0x000000000041c799 in try_parse_v4_netmask (text=<value optimized out>, addr=0x113e270, b=0x113e2f8) at hostmask.c:229
229     addb[bits / 8] &= ~((1 << (8 - bits % 8)) - 1);
(gdb) bt
#0  0x000000000041c799 in try_parse_v4_netmask (text=<value optimized out>, addr=0x113e270, b=0x113e2f8) at hostmask.c:229
#1  parse_netmask (text=<value optimized out>, addr=0x113e270, b=0x113e2f8) at hostmask.c:255
#2  0x000000000040c4ab in add_id (client_p=0x7ffff7f9a058, chptr=0x11264e8, banid=<value optimized out>, 
    type=<value optimized out>) at channel_mode.c:233
#3  0x000000000040cd28 in chm_ban (client_p=0x7ffff7f9a058, source_p=0x7ffff7f9a058, chptr=0x11264e8, 
    parc=<value optimized out>, parn=0x7ffff7565580, parv=0x2f, errors=0x7fffffffdd08, alev=2, dir=1, c=98 'b', d=0x0, 
    chname=0x1126774 "#foo") at channel_mode.c:803
#4  0x000000000040baac in set_channel_mode (client_p=<value optimized out>, source_p=<value optimized out>, 
    chptr=<value optimized out>, member=<value optimized out>, parc=2, parv=0x8ed410, chname=0x1126774 "#foo")
    at channel_mode.c:1785
#5  0x00007fffee7655a4 in m_mode (client_p=0x7ffff7f9a058, source_p=0x7ffff7f9a058, parc=4, parv=0x8ed400) at m_mode.c:115
#6  0x0000000000422d9f in parse_client_queued (client_p=0x7ffff7f9a058) at packet.c:216
#7  0x0000000000422ee5 in read_packet (fd=0x10faa18, data=<value optimized out>) at packet.c:359
#8  0x0000000000423ead in comm_select () at s_bsd_epoll.c:204
#9  0x000000000041f7f8 in io_loop (argc=0, argv=0x7fffffffe588) at ircd.c:237
#10 main (argc=0, argv=0x7fffffffe588) at ircd.c:670

--
Henri Salo

Message #10 received at 699267@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Henri Salo <henri@nerv.fi>, 699267@bugs.debian.org

Subject: Re: Bug#699267: ircd-hybrid: Denial of service vulnerability in hostmask.c:try_parse_v4_netmask()

Date: Tue, 29 Jan 2013 22:57:58 +0100

Control: retitle -1 ircd-hybrid: CVE-2013-0238 Denial of service vulnerability in hostmask.c:try_parse_v4_netmask()
Hi

On Tue, Jan 29, 2013 at 05:38:36PM +0200, Henri Salo wrote:
> I have requested CVE identifier for this vulnerability.

Was assigned now: CVE-2013-0238

Regards,
Salvatore

Message #17 received at 699267-done@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: 699267-done@bugs.debian.org

Subject: tested

Date: Fri, 1 Feb 2013 14:33:45 +0200

All Debian packages tested not to be affected by this issue. I wonder who made
these changes to Debian packages code as she/he did not report these issues to
upstream (or didn't know about the problem).

--
Henri Salo

Message #22 received at 699267@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 699267@bugs.debian.org, control@bugs.debian.org

Cc: Henri Salo <henri@nerv.fi>

Subject: Re: Bug#699267: marked as done (ircd-hybrid: CVE-2013-0238 Denial of service vulnerability in hostmask.c:try_parse_v4_netmask())

Date: Fri, 1 Feb 2013 23:13:13 +0000

reopen 699267
thanks

On Fri, Feb 01, 2013 at 12:36:03PM +0000, Debian Bug Tracking System wrote:
> Fixed in commit: http://svn.ircd-hybrid.org:8000/viewcvs.cgi/ircd-hybrid/trunk/src/hostmask.c?r1=1786&r2=1785&pathrev=1786
> Fixed in: ircd-hybrid 8.0.6

....

> All Debian packages tested not to be affected by this issue. I wonder who made
> these changes to Debian packages code as she/he did not report these issues to
> upstream (or didn't know about the problem).

This source code change isn't in Debian, but we haven't worked out why
the problem isn't reproducible. Until this is understood, the bug should
remain open.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Message #31 received at 699267@bugs.debian.org (full text, mbox, reply):

From: Mark Cunningham <contact@markcunningham.ie>

To: 699267@bugs.debian.org

Cc: Henri Salo <henri@nerv.fi>

Subject: exists in experimental

Date: Sat, 2 Feb 2013 21:01:07 +0000

It might be useful to know this exists in the experimental version
however this is probably not surprising. I rebuilt my version with ssl
support using the debian rules

ii  ircd-hybrid                             1:8.0.4.dfsg.1-1.ssl1
  amd64        high-performance secure IRC server

Mark

Message #36 received at 699267@bugs.debian.org (full text, mbox, reply):

From: Mark Cunningham <contact@markcunningham.ie>

To: 699267@bugs.debian.org

Subject: reproduced succesfully in squeeze build

Date: Sat, 2 Feb 2013 21:18:32 +0000

Should have waited till i tested it more before posting. I've actually
got the version in squeeze (1:7.2.2.dfsg.2-6.2 ) to crash on me.

Mark

Message #43 received at 699267-close@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 699267-close@bugs.debian.org

Subject: Bug#699267: fixed in ircd-hybrid 1:8.0.6.dfsg.1-1

Date: Sun, 03 Feb 2013 00:32:33 +0000

Source: ircd-hybrid
Source-Version: 1:8.0.6.dfsg.1-1

We believe that the bug you reported is fixed in the latest version of
ircd-hybrid, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699267@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated ircd-hybrid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 03 Feb 2013 00:12:38 +0000
Source: ircd-hybrid
Binary: ircd-hybrid hybrid-dev
Architecture: source all i386
Version: 1:8.0.6.dfsg.1-1
Distribution: experimental
Urgency: low
Maintainer: Dominic Hargreaves <dom@earth.li>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 hybrid-dev - development files for ircd-hybrid
 ircd-hybrid - high-performance secure IRC server
Closes: 698027 698087 699267
Changes: 
 ircd-hybrid (1:8.0.6.dfsg.1-1) experimental; urgency=low
 .
   * New upstream release
     - Fixed build on GNU/Hurd (Closes: #698087)
     - Improved logging of configuration file issues (Closes: #698027)
     - nick and topic lengths are now configurable via ircd.conf; remove
       --with-nicklen and --with-topiclen from debian/rules, and note
       change in NEWS.Debian
     - update ircd.confs to reflect changes in upstream example.conf
     - Linux RT signal support for notification of socket events has been
       dropped; remove --enable-rtsigio from debian/rules
     - [CVE-2013-0238] fix DoS in hostmask.c:try_parse_v4_netmask()
       (Closes: #699267)
   * Correct Vcs-Git URL
   * Add prep-new-tarball script to assist in the creation of dfsg tarball
Checksums-Sha1: 
 20128aad005f156df33544224749fde4de79a90b 1387 ircd-hybrid_8.0.6.dfsg.1-1.dsc
 c5588e60270e4a6b3d328475d83c8cb769c82310 1110579 ircd-hybrid_8.0.6.dfsg.1.orig.tar.gz
 37808c9669d26fdad0eb7871c92e2f08c0763767 60024 ircd-hybrid_8.0.6.dfsg.1-1.debian.tar.gz
 77cb21b5e721d710ad4e8019dfab7a59a7b21f11 109344 hybrid-dev_8.0.6.dfsg.1-1_all.deb
 18f3715fb8ef1d892413241013233c8f99bbcc26 552346 ircd-hybrid_8.0.6.dfsg.1-1_i386.deb
Checksums-Sha256: 
 74aa2ed6ba7db99539e1b311f7d7117e8fee1f74553d56724e8b19dfa05eb4f9 1387 ircd-hybrid_8.0.6.dfsg.1-1.dsc
 30b1e75a33fd1f06eedb8f85eb6155855d2dbbb246d10dbbac2fc4fbe5baa59a 1110579 ircd-hybrid_8.0.6.dfsg.1.orig.tar.gz
 bb8a17f9b5252965c0ffe17bfed6e2deaa67a44419320b736414d4c8b5ee2514 60024 ircd-hybrid_8.0.6.dfsg.1-1.debian.tar.gz
 3d362383c1b959f3c2d07ad3f9d3fd5fd00eec1b885bde8d320ebc6aa891410b 109344 hybrid-dev_8.0.6.dfsg.1-1_all.deb
 2f72aee01333b04380e957d6b80a70fc8697f81c0b13e63807386715b778f3fa 552346 ircd-hybrid_8.0.6.dfsg.1-1_i386.deb
Files: 
 efd4fc61748860ecdf190759c15f516f 1387 net optional ircd-hybrid_8.0.6.dfsg.1-1.dsc
 a4f446ad324fde0842fb5e78b05da926 1110579 net optional ircd-hybrid_8.0.6.dfsg.1.orig.tar.gz
 cd9f3f0d120afcfc8af757540cbcff75 60024 net optional ircd-hybrid_8.0.6.dfsg.1-1.debian.tar.gz
 a0941354189468bd34c67fc8730d51d1 109344 devel optional hybrid-dev_8.0.6.dfsg.1-1_all.deb
 3081671a85c4171f06429f596c569068 552346 net optional ircd-hybrid_8.0.6.dfsg.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRDa1aYzuFKFF44qURAqdBAKD6/sICSD4Ii6Hh6ZOOlGuPFGhKxACfV1Ul
rwnXfO5NUFVZr+i+y6n7S+U=
=THXX
-----END PGP SIGNATURE-----

Message #50 received at 699267-close@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 699267-close@bugs.debian.org

Subject: Bug#699267: fixed in ircd-hybrid 1:7.2.2.dfsg.2-10

Date: Sun, 03 Feb 2013 01:02:34 +0000

Source: ircd-hybrid
Source-Version: 1:7.2.2.dfsg.2-10

We believe that the bug you reported is fixed in the latest version of
ircd-hybrid, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699267@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated ircd-hybrid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 03 Feb 2013 00:54:15 +0000
Source: ircd-hybrid
Binary: ircd-hybrid hybrid-dev
Architecture: source all i386
Version: 1:7.2.2.dfsg.2-10
Distribution: unstable
Urgency: high
Maintainer: Dominic Hargreaves <dom@earth.li>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 hybrid-dev - development files for ircd-hybrid
 ircd-hybrid - high-performance secure IRC server
Closes: 699267
Changes: 
 ircd-hybrid (1:7.2.2.dfsg.2-10) unstable; urgency=high
 .
   * [CVE-2013-0238] fix DoS in hostmask.c:try_parse_v4_netmask()
     (Closes: #699267)
Checksums-Sha1: 
 c5f2021e49e5ea53e67b4c05f2dcfea5df99105f 1348 ircd-hybrid_7.2.2.dfsg.2-10.dsc
 e8efc0ddc9b6b673e7a18440847d605d23f34fa0 118745 ircd-hybrid_7.2.2.dfsg.2-10.diff.gz
 1b014cf383abe0d6bd66e2346097a56b91b64f2e 66182 hybrid-dev_7.2.2.dfsg.2-10_all.deb
 679271c29ddcd5d704d0dad4bf6d8b83003c16bf 584364 ircd-hybrid_7.2.2.dfsg.2-10_i386.deb
Checksums-Sha256: 
 55b1c087480d5c506a16fb73b4a256579ef6901f6c3709e43ce081f563b8042b 1348 ircd-hybrid_7.2.2.dfsg.2-10.dsc
 43ad33c5afc28e267e4f1bd1d323ea392edb87bdba678f0c789a14abc0c2f4f0 118745 ircd-hybrid_7.2.2.dfsg.2-10.diff.gz
 c64614b68d6498904d474b5d1bb199502cb474eca54df30a05945aaaa9b60b79 66182 hybrid-dev_7.2.2.dfsg.2-10_all.deb
 3e8bc78d774179e5be833a2696b5c551955cd46ab44c73365d419a67ce9b2dbb 584364 ircd-hybrid_7.2.2.dfsg.2-10_i386.deb
Files: 
 8712f883489f1482572c53040127caec 1348 net optional ircd-hybrid_7.2.2.dfsg.2-10.dsc
 649a228e800ee22c23a131738ec148c3 118745 net optional ircd-hybrid_7.2.2.dfsg.2-10.diff.gz
 8f6335203c8a6e50b239fc77d4de5869 66182 devel optional hybrid-dev_7.2.2.dfsg.2-10_all.deb
 cb7f26eeb233f65707727288d6efa7ff 584364 net optional ircd-hybrid_7.2.2.dfsg.2-10_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRDbaSYzuFKFF44qURAh66AJ0feaskdlyl2pvO9IBXwT9l29zA1gCff/Ei
mmJYhyjm6y86cBtjUzkFSI4=
=o3fN
-----END PGP SIGNATURE-----

Message #55 received at 699267@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: team@security.debian.org, 699267@bugs.debian.org

Subject: Re: Bug#699267: ircd-hybrid: Denial of service vulnerability in hostmask.c:try_parse_v4_netmask()

Date: Sun, 3 Feb 2013 01:30:44 +0000

[Message part 1 (text/plain, inline)]

On Tue, Jan 29, 2013 at 05:38:36PM +0200, Henri Salo wrote:
> Mr. Bob Nomnomnom from Torland reported a denial of service security
> vulnerability in ircd-hybrid. Function hostmask.c:try_parse_v4_netmask() is
> using strtoul to parse masks. Documentation says strtoul can parse "-number" as
> well. Validation of input does not catch evil bits. I can give proof of concept
> if needed.
> 
> Fixed in commit: http://svn.ircd-hybrid.org:8000/viewcvs.cgi/ircd-hybrid/trunk/src/hostmask.c?r1=1786&r2=1785&pathrev=1786
> Fixed in: ircd-hybrid 8.0.6

Hi security team.

I've fixed this in experimental and unstable, and the attached debdiff
fixes it for stable too. Please let me know if I may upload.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

[ircd-hybrid_7.2.2.dfsg.2-6.2+squeeze1.debdiff (text/plain, attachment)]

Message #60 received at 699267@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: 699267@bugs.debian.org

Subject: update

Date: Sun, 3 Feb 2013 15:19:43 +0200

I do not know what I did wrong when I was reproducing this issue. Sorry about
false information to bug-report. At least we got it fixed.

--
Henri Salo

Message #65 received at 699267-close@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 699267-close@bugs.debian.org

Subject: Bug#699267: fixed in ircd-hybrid 1:7.2.2.dfsg.2-6.2+squeeze1

Date: Sun, 10 Feb 2013 15:02:05 +0000

Source: ircd-hybrid
Source-Version: 1:7.2.2.dfsg.2-6.2+squeeze1

We believe that the bug you reported is fixed in the latest version of
ircd-hybrid, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699267@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated ircd-hybrid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 03 Feb 2013 22:51:37 +0000
Source: ircd-hybrid
Binary: ircd-hybrid hybrid-dev
Architecture: source all i386
Version: 1:7.2.2.dfsg.2-6.2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Joshua Kwan <joshk@triplehelix.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 hybrid-dev - development files for ircd-hybrid
 ircd-hybrid - high-performance secure IRC server
Closes: 699267
Changes: 
 ircd-hybrid (1:7.2.2.dfsg.2-6.2+squeeze1) stable-security; urgency=high
 .
   * [CVE-2013-0238] fix DoS in hostmask.c:try_parse_v4_netmask()
     (Closes: #699267)
Checksums-Sha1: 
 05e1cbc6c92d9c864b91f4d5da14d2a683082494 1238 ircd-hybrid_7.2.2.dfsg.2-6.2+squeeze1.dsc
 7a98ed3944cbae9bfca7e9bd6071493d4b035def 756749 ircd-hybrid_7.2.2.dfsg.2.orig.tar.gz
 8a8600d185d56a92f3f59e7fde7f98fe1de2e882 118609 ircd-hybrid_7.2.2.dfsg.2-6.2+squeeze1.diff.gz
 dd146414e996de2e317fe903bd449e1011a6ebd2 65548 hybrid-dev_7.2.2.dfsg.2-6.2+squeeze1_all.deb
 6219b569596335f29d2c4990d04630870d477893 594038 ircd-hybrid_7.2.2.dfsg.2-6.2+squeeze1_i386.deb
Checksums-Sha256: 
 b9aac13a57ce9c9b5f6962338cc25fb89b79646438613260aea9e460147f4b4f 1238 ircd-hybrid_7.2.2.dfsg.2-6.2+squeeze1.dsc
 2c2f646d06678ea5dbb6edd5a17287497ec09f5a82ac6d0464bdf7810073cc89 756749 ircd-hybrid_7.2.2.dfsg.2.orig.tar.gz
 6c7f8414ab4be845b12c8dcb7346dd5af4f0e54245d718f94d03a45eb01b034b 118609 ircd-hybrid_7.2.2.dfsg.2-6.2+squeeze1.diff.gz
 bc36fd039b69c301be96437c0be0fccbf7f6a07a7611a393ad801dffba26e00c 65548 hybrid-dev_7.2.2.dfsg.2-6.2+squeeze1_all.deb
 81a7a0838ee975d6f50e9610bb68baf18c96f21d936124737d9de4eacd7e1e11 594038 ircd-hybrid_7.2.2.dfsg.2-6.2+squeeze1_i386.deb
Files: 
 c9797f03d6f9e6f82a6db52618260f7e 1238 net optional ircd-hybrid_7.2.2.dfsg.2-6.2+squeeze1.dsc
 75896381ea6330aea860b35fff3c34bb 756749 net optional ircd-hybrid_7.2.2.dfsg.2.orig.tar.gz
 c7704e63eaa357c8de2fac04fd07e382 118609 net optional ircd-hybrid_7.2.2.dfsg.2-6.2+squeeze1.diff.gz
 d97771f84b1f565220935827c423a0e6 65548 devel optional hybrid-dev_7.2.2.dfsg.2-6.2+squeeze1_all.deb
 f568efa66677d084a7eed6a5e657022e 594038 net optional ircd-hybrid_7.2.2.dfsg.2-6.2+squeeze1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFRDuqxYzuFKFF44qURAutbAJ43pyDkvf1pvXCLDVpvikiQRDoNtACg676c
blf0n/JfwgBFkM/thRKgGf0=
=8Zxa
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.