inspircd: CVE-2012-1836 patch incorrect

Related Vulnerabilities: CVE-2012-1836  

Debian Bug report logs - #780880


Reported by: Adam <adam@anope.org>

Date: Fri, 20 Mar 2015 22:09:02 UTC

Severity: grave

Tags: security

Found in version inspircd/2.0.5-1

Fixed in versions inspircd/2.0.16-1, inspircd/2.0.5-1+deb7u1

Done: Guillaume Delacour <gui@iroqwa.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, adam@anope.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>:
Bug#780880; Package inspircd. (Fri, 20 Mar 2015 22:09:06 GMT) (full text, mbox, link).


Acknowledgement sent to Adam <adam@anope.org>:
New Bug report received and forwarded. Copy sent to adam@anope.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>. (Fri, 20 Mar 2015 22:09:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Adam <adam@anope.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: inspircd: CVE-2012-1836 patch incorrect
Date: Fri, 20 Mar 2015 22:05:29 +0000
Package: inspircd
Version: 2.0.5-1+b1
Severity: grave
Tags: security
Justification: user security hole

Hi,

I am an upstream maintainer for InspIRCd. The patch you have for CVE-2012-1836 (patches/03_CVE-2012-1836.diff) is not the same patch we released as part of 2.0.7 (there was no 2.0.6) to address the CVE. It appears to be a version of this commit: https://github.com/inspircd/inspircd/commit/9aa28f3730fb3dd69c1e06f78bb2bbc43d36c684. However, this commit was never in a release, and was only in git for about 6 days (due to someone other than me pulling it in). I looked at the CVE and addressed it with two follow-up commits later.

This commit and your patch do not fix the problem. You can still send maliciously crafted packets and cause remote code execution. This was fixed in https://github.com/inspircd/inspircd/commit/ed28c1ba666b39581adb860bf51cdde43c84cc89, prior to the 2.0.7 release.

Furthermore, your patch introduces a buffer underflow where it has "i =- 12" and not "i -= 12". This causes it to start reading from before the packet's buffer. It is unclear to me what this can cause.

Additionally, at the same time I committed 58c893e834ff20495d007709220881a3ff13f423 to prevent malicious packets from causing InspIRCd to loop infinitely. This is not a part of the CVE as it does not allow remote code execution, but is still a critical problem due to the potential for denial of service.

You should perhaps apply these two patches on top of your existing ones, or maybe fetch the dns.cpp file off of 2.0.7 here: https://github.com/inspircd/inspircd/blob/v2.0.7/src/dns.cpp. It does not change much.

I would be willing to go through and provide a proper set of patches for this and other less-severe issues if requested. I do not want to do it up front because it would be a lot of work, and I am not sure whether or not it would be accepted. You have a very, very old InspIRCd version, and there is a lot of stuff to sift through (about 3 years). Let me know.

Thanks,

Adam
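
An added illustration of the "i =- 12" mistake the report describes; this is not InspIRCd's dns.cpp and not code from the report or the Debian patch. The function names, the 12-byte header constant and the sample packet are assumptions made for this example, which shows the typo beside the intended form and a bounds check that refuses the negative byte count the typo produces.

```cpp
// Added illustration, NOT InspIRCd's dns.cpp: models the one-character
// "i =- 12" / "i -= 12" mistake and a bounds check that rejects the negative
// byte count it produces. Names, constant and sample packet are assumptions.
#include <cstdint>
#include <vector>

static const int DNS_HEADER_LEN = 12;   // fixed DNS header size (RFC 1035)

// As patched: "i =- 12" parses as "i = -12", so the byte counter is set to
// -12 regardless of how many bytes the packet actually holds.
int bytes_left_typo(int i)
{
    i =- 12;
    return i;
}

// As intended: subtract the header length from the byte counter.
int bytes_left_fixed(int i)
{
    i -= 12;
    return i;
}

// Defensive header skip: returns the number of payload bytes after the
// header, or -1 when the packet is too short to contain a header at all.
int skip_header(const std::vector<uint8_t>& pkt)
{
    int i = static_cast<int>(pkt.size());
    if (i < DNS_HEADER_LEN)
        return -1;
    i -= DNS_HEADER_LEN;
    return i;
}

// Bounds-checked payload read: returns byte `index` of the payload (0..255),
// or -1 if `remaining` is negative (the typo's result) or exceeds the packet,
// or `index` lies outside the remaining bytes, instead of reading out of bounds.
int payload_byte(const std::vector<uint8_t>& pkt, int remaining, int index)
{
    int len = static_cast<int>(pkt.size());
    if (remaining < 0 || remaining > len - DNS_HEADER_LEN)
        return -1;
    if (index < 0 || index >= remaining)
        return -1;
    return pkt[DNS_HEADER_LEN + index];
}

// Constructed sample: a zeroed 12-byte header followed by 4 payload bytes.
std::vector<uint8_t> sample_packet()
{
    std::vector<uint8_t> p(DNS_HEADER_LEN, 0);
    p.push_back(0xAA); p.push_back(0xBB); p.push_back(0xCC); p.push_back(0xDD);
    return p;
}
```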



Marked as fixed in versions inspircd/2.0.16-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 22 Mar 2015 14:03:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>:
Bug#780880; Package inspircd. (Wed, 25 Mar 2015 22:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to Guillaume Delacour <gui@iroqwa.org>:
Extra info received and forwarded to list. Copy sent to Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>. (Wed, 25 Mar 2015 22:09:05 GMT) (full text, mbox, link).


Message #12 received at submit@bugs.debian.org (full text, mbox, reply):

From: Guillaume Delacour <gui@iroqwa.org>
To: Adam <adam@anope.org>, 780880@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#780880: inspircd: CVE-2012-1836 patch incorrect
Date: Wed, 25 Mar 2015 23:06:39 +0100
Le vendredi 20 mars 2015 à 22:05 +0000, Adam a écrit :
> Package: inspircd
> Version: 2.0.5-1+b1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> 
> I am an upstream maintainer for InspIRCd. The patch you have for CVE-2012-1836 (patches/03_CVE-2012-1836.diff) is not the same patch we released as part of 2.0.7 (there was no 2.0.6) to address the CVE. It appears to be a version of this commit: https://github.com/inspircd/inspircd/commit/9aa28f3730fb3dd69c1e06f78bb2bbc43d36c684. However, this commit was never in a release, and was only in git for about 6 days (due to someone other than me pulling it in). I looked at the CVE and addressed it with two follow-up commits later.
> 
> This commit and your patch do not fix the problem. You can still send maliciously crafted packets and cause remote code execution. This was fixed in https://github.com/inspircd/inspircd/commit/ed28c1ba666b39581adb860bf51cdde43c84cc89, prior to the 2.0.7 release.
> 
> Furthermore, your patch introduces a buffer underflow where it has "i =- 12" and not "i -= 12". This causes it to start reading from before the packet's buffer. It is unclear to me what this can cause.
> 
> Additionally, at the same time I committed 58c893e834ff20495d007709220881a3ff13f423 to prevent malicious packets from causing InspIRCd to loop infinitely. This is not a part of the CVE as it does not allow remote code execution, but is still a critical problem due to the potential for denial of service.
> 
> You should perhaps apply these two patches on top of your existing ones, or maybe fetch the dns.cpp file off of 2.0.7 here: https://github.com/inspircd/inspircd/blob/v2.0.7/src/dns.cpp. It does not change much.
> 
> I would be willing to go through and provide a proper set of patches for this and other less-severe issues if requested. I do not want to do it up front because it would be a lot of work, and I am not sure whether or not it would be accepted. You have a very, very old InspIRCd version, and there is a lot of stuff to sift through (about 3 years). Let me know.

I'll try to apply the diff for src/dns.cpp between the 2.0.5 and 2.0.7
releases as you suggest and will test (yes, I personally use
inspircd).
When done, I'll contact the Debian security team for an upload in the
security archive.

As the new stable version Debian 8 Jessie is about to be frozen/released, I
don't think I'll find a sponsor to upload a 2.0.17 backport of inspircd
for the current Debian 7 Wheezy.

> 
> Thanks,
> 
> Adam
> 


Information forwarded to debian-bugs-dist@lists.debian.org, Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>:
Bug#780880; Package inspircd. (Wed, 25 Mar 2015 22:15:05 GMT) (full text, mbox, link).


Acknowledgement sent to Guillaume Delacour <gui@iroqwa.org>:
Extra info received and forwarded to list. Copy sent to Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>. (Wed, 25 Mar 2015 22:15:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>:
Bug#780880; Package inspircd. (Fri, 10 Apr 2015 19:54:08 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>. (Fri, 10 Apr 2015 19:54:08 GMT) (full text, mbox, link).


Message #22 received at 780880@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Guillaume Delacour <gui@iroqwa.org>
Cc: debian-lts@lists.debian.org, 780880@bugs.debian.org
Subject: squeeze update of inspircd?
Date: Fri, 10 Apr 2015 21:50:44 +0200
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of inspircd:
https://security-tracker.debian.org/tracker/source-package/inspircd

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>:
Bug#780880; Package inspircd. (Mon, 13 Apr 2015 22:06:04 GMT) (full text, mbox, link).


Acknowledgement sent to Adam <adam@sigterm.info>:
Extra info received and forwarded to list. Copy sent to Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>. (Mon, 13 Apr 2015 22:06:04 GMT) (full text, mbox, link).


Message #27 received at 780880@bugs.debian.org (full text, mbox, reply):

From: Adam <adam@sigterm.info>
To: <780880@bugs.debian.org>
Cc: <debian-lts@lists.debian.org>
Subject: squeeze update of inspircd?
Date: Mon, 13 Apr 2015 18:03:28 -0400
Hi,

InspIRCd is a rather fast moving project. 1.1 has been considered EOL by us
for over 6 years (and considered “old” for 8), and we don’t have anyone left
who developed 1.1, or have anyone with any working knowledge of it in any
way as far as I’m aware. If you want to patch it you’re on your own, we
would recommend removing the package. We think that there are other major
problems with it, but we’ve forgotten what they are.

As far as 2.0.5, I have combined the various commits in the original report
here:
https://github.com/Adam-/inspircd/commit/e953a402add27edfbb31337ee6510b79462a3c96.
I have also made an entire branch forked off of 2.0.5 including
important fixes seen here: https://github.com/Adam-/inspircd/commits/debian7
if you choose to take any of them. The other fixes here are non-security
related, but are stability related.

I do not wish to directly fix this myself, but am open to questions/support
etc.

Adam

 

On Fri, 10 Apr 2015 21:50:44 +0200 Raphael Hertzog <hertzog@debian.org>
wrote: 
> Hello dear maintainer(s), 
> 
> the Debian LTS team would like to fix the security issues which are 
> currently open in the Squeeze version of inspircd: 
> https://security-tracker.debian.org/tracker/source-package/inspircd 
> 
> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated.
> 
> If yes, please follow the workflow we have defined here: 
> http://wiki.debian.org/LTS/Development 
> 
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with a URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members 
> of the LTS team will take care of the rest. Indicate clearly whether you 
> have tested the updated package or not. 
> 
> If you don't want to take care of this update, it's not a problem, we 
> will do our best with your package. Just let us know whether you would 
> like to review and/or test the updated package before it gets released. 
> 
> Thank you very much. 
> 
> Raphaël Hertzog, 
>   on behalf of the Debian LTS team. 
> 
> PS: A member of the LTS team might start working on this update at 
> any point in time. You can verify whether someone is registered 
> on this update in 


Reply sent to Guillaume Delacour <gui@iroqwa.org>:
You have taken responsibility. (Wed, 15 Apr 2015 21:33:15 GMT) (full text, mbox, link).


Notification sent to Adam <adam@anope.org>:
Bug acknowledged by developer. (Wed, 15 Apr 2015 21:33:15 GMT) (full text, mbox, link).


Message #32 received at 780880-close@bugs.debian.org (full text, mbox, reply):

From: Guillaume Delacour <gui@iroqwa.org>
To: 780880-close@bugs.debian.org
Subject: Bug#780880: fixed in inspircd 2.0.5-1+deb7u1
Date: Wed, 15 Apr 2015 21:32:29 +0000
Source: inspircd
Source-Version: 2.0.5-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
inspircd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780880@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillaume Delacour <gui@iroqwa.org> (supplier of updated inspircd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 25 Mar 2015 22:32:45 +0000
Source: inspircd
Binary: inspircd inspircd-dbg
Architecture: source amd64
Version: 2.0.5-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>
Changed-By: Guillaume Delacour <gui@iroqwa.org>
Description: 
 inspircd   - Modular IRCd written in C++
 inspircd-dbg - Modular IRCd written in C++ - debugging symbols
Closes: 780880
Changes: 
 inspircd (2.0.5-1+deb7u1) wheezy-security; urgency=high
 .
   * CVE-2012-1836 was partially fixed; refresh 03_CVE-2012-1836 patch by
     importing 2.0.7 src/dns.cpp changes (Closes: #780880)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 08:03:36 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:29:51 2019; Machine Name: beach
