Merge lp:~jtaylor/ubuntu/oneiric/inspircd/CVE-2012-1836 into lp:ubuntu/oneiric/inspircd

Proposed by Julian Taylor
Status: Merged
Merge reported by: Martin Pitt
Merged at revision: not available
Proposed branch: lp:~jtaylor/ubuntu/oneiric/inspircd/CVE-2012-1836
Merge into: lp:ubuntu/oneiric/inspircd
Diff against target: 157 lines (+137/-0)
3 files modified
debian/changelog (+9/-0)
debian/patches/00list (+1/-0)
debian/patches/06_CVE-2012-1836.dpatch (+127/-0)
To merge this branch: bzr merge lp:~jtaylor/ubuntu/oneiric/inspircd/CVE-2012-1836
Reviewer Review Type Date Requested Status
Ubuntu branches Pending
Review via email: mp+102037@code.launchpad.net
13. By Julian Taylor

add missing patch

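--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+inspircd (1.1.22+dfsg-4ubuntu1.1) oneiric-security; urgency=low
+
+ * SECURITY UPDATE: remote code execution (LP: #982509)
+ - debian/patches/06_CVE-2012-1836.dpatch:
+ Fix buffer overflow in dns.cpp, thanks to Jonathan Wiltshire
+ - CVE-2012-1836
+
+ -- Julian Taylor <jtaylor@ubuntu.com> Sun, 15 Apr 2012 20:33:41 +0200
+
 inspircd (1.1.22+dfsg-4ubuntu1) oneiric; urgency=low
 
 * Fix link order to list libraries after the objects that require them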
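--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -3,3 +3,4 @@
 03_use_pkg-config_gnutls.dpatch
 04_gcc44_fixes.dpatch
 05_link_order.dpatch
+06_CVE-2012-1836.dpatch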
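--- a/debian/patches/06_CVE-2012-1836.dpatch
+++ b/debian/patches/06_CVE-2012-1836.dpatch
@@ -0,0 +1,127 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 06_CVE-2012-1836.dpatch by Jonathan Wiltshire <jmw@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Protect against buffer overflow in src/dns.cpp
+## DP: CVE-2012-1836 (#667914)
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' inspircd-1.1.22+dfsg~/src/dns.cpp inspircd-1.1.22+dfsg/src/dns.cpp
+--- inspircd-1.1.22+dfsg~/src/dns.cpp 2012-04-07 23:14:55.000000000 +0100
++++ inspircd-1.1.22+dfsg/src/dns.cpp 2012-04-07 23:16:01.292193775 +0100
+@@ -45,6 +45,8 @@
+ using irc::sockets::OpenTCPSocket;
+ using irc::sockets::NonBlocking;
+
++#define DN_COMP_BITMASK 0xC000 /* highest 6 bits in a DN label header */
++
+ /** Masks to mask off the responses we get from the DNSRequest methods
+ */
+ enum QueryInfo
+@@ -105,7 +107,7 @@
+
+ DNSRequest(InspIRCd* Instance, DNS* dns, int id, const std::string &original);
+ ~DNSRequest();
+- DNSInfo ResultIsReady(DNSHeader &h, int length);
++ DNSInfo ResultIsReady(DNSHeader &h, unsigned length);
+ int SendRequests(const DNSHeader *header, const int length, QueryType qt);
+ };
+
+@@ -155,7 +157,10 @@
+ /* Allocate the processing buffer */
+ DNSRequest::DNSRequest(InspIRCd* Instance, DNS* dns, int id, const std::string &original) : dnsobj(dns)
+ {
+- res = new unsigned char[512];
++ /* hardening against overflow here: make our work buffer twice the theoretical
++ * maximum size so that hostile input doesn't screw us over.
++ */
++ res = new unsigned char[sizeof(DNSHeader) * 2];
+ *res = 0;
+ orig = original;
+ RequestTimeout* RT = new RequestTimeout(Instance->Config->dns_timeout ? Instance->Config->dns_timeout : 5, Instance, this, id);
+@@ -776,11 +781,11 @@
+ }
+
+ /** A result is ready, process it */
+-DNSInfo DNSRequest::ResultIsReady(DNSHeader &header, int length)
++DNSInfo DNSRequest::ResultIsReady(DNSHeader &header, unsigned length)
+ {
+- int i = 0;
++ unsigned i = 0, o;
+ int q = 0;
+- int curanswer, o;
++ int curanswer;
+ ResourceRecord rr;
+ unsigned short ptr;
+
+@@ -875,17 +880,31 @@
+
+ switch (rr.type)
+ {
++ /*
++ * CNAME and PTR are compressed. We need to decompress them.
++ */
+ case DNS_QUERY_CNAME:
+- /* CNAME and PTR have the same processing code */
+ case DNS_QUERY_PTR:
+ o = 0;
+ q = 0;
+ while (q == 0 && i < length && o + 256 < 1023)
+ {
++ /* DN label found (byte over 63) */
+ if (header.payload[i] > 63)
+ {
+ memcpy(&ptr,&header.payload[i],2);
+- i = ntohs(ptr) - 0xC000 - 12;
++
++ i = ntohs(ptr);
++
++ /* check that highest two bits are set. if not, we've been had */
++ if (!(i & DN_COMP_BITMASK))
++ return std::make_pair((unsigned char *) NULL, "DN label decompression header is bogus");
++
++ /* mask away the two highest bits. */
++ i &= ~DN_COMP_BITMASK;
++
++ /* and decrease length by 12 bytes. */
++ i =- 12;
+ }
+ else
+ {
+@@ -898,7 +917,11 @@
+ res[o] = 0;
+ if (o != 0)
+ res[o++] = '.';
+- memcpy(&res[o],&header.payload[i + 1],header.payload[i]);
++
++ if (o + header.payload[i] > sizeof(DNSHeader))
++ return std::make_pair((unsigned char *) NULL, "DN label decompression is impossible -- malformed/hostile packet?");
++
++ memcpy(&res[o], &header.payload[i + 1], header.payload[i]);
+ o += header.payload[i];
+ i += header.payload[i] + 1;
+ }
+@@ -907,16 +930,21 @@
+ res[o] = 0;
+ break;
+ case DNS_QUERY_AAAA:
++ if (rr.rdlength != sizeof(struct in6_addr))
++ return std::make_pair((unsigned char *) NULL, "rr.rdlength is larger than 16 bytes for an ipv6 entry -- malformed/hostile packet?");
++
+ memcpy(res,&header.payload[i],rr.rdlength);
+ res[rr.rdlength] = 0;
+ break;
+ case DNS_QUERY_A:
++ if (rr.rdlength != sizeof(struct in_addr))
++ return std::make_pair((unsigned char *) NULL, "rr.rdlength is larger than 4 bytes for an ipv4 entry -- malformed/hostile packet?");
++
+ memcpy(res,&header.payload[i],rr.rdlength);
+ res[rr.rdlength] = 0;
+ break;
+ default:
+- memcpy(res,&header.payload[i],rr.rdlength);
+- res[rr.rdlength] = 0;
++ return std::make_pair((unsigned char *) NULL, "don't know how to handle undefined type (" + ConvToStr(rr.type) + ") -- rejecting");
+ break;
+ }
+ return std::make_pair(res,"No error");;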
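Review bot: `i =- 12;` in the compression-pointer branch assigns -12 instead of subtracting 12 (the removed line read `i = ntohs(ptr) - 0xC000 - 12;`); with `i` now unsigned the index wraps to a huge value, the `i < length` loop test fails and every compressed CNAME/PTR name is silently truncated, so the line should be `i -= 12;`. Once that is corrected, the branch changes neither `o` nor `q`, so a pointer that resolves to its own offset (or a cycle of pointers) never leaves the loop, and the two-byte `memcpy(&ptr, ...)` is guarded only by `i < length`, so at `i == length - 1` it reads one byte beyond the received data; the rewrite below bounds the pointer hops (the counter is declared next to `unsigned i = 0, o;` in the earlier hunk) and checks `i + 1 < length` first. The comment on `DN_COMP_BITMASK` says `highest 6 bits`, but 0xC000 is the top two bits of the 16-bit label header, as the later comment correctly states — suggest `/* top two bits of a DN label header mark a compression pointer */`. ResultIsReady begins and ends outside the hunk, and the A/AAAA `memcpy(res, &header.payload[i], rr.rdlength)` is likewise not visibly checked against `length`, which may be handled by code not shown here.
```cpp
o = 0;
q = 0;
hops = 0; /* declared with the other unsigned locals: unsigned i = 0, o, hops; */
// … unchanged: while (q == 0 && i < length && o + 256 < 1023) { …
if (header.payload[i] > 63)
{
    /* a pointer is two bytes; i < length alone only guarantees one */
    if (i + 1 >= length)
        return std::make_pair((unsigned char *) NULL, "DN label decompression pointer is truncated");
    memcpy(&ptr, &header.payload[i], 2);
    i = ntohs(ptr);
    if (!(i & DN_COMP_BITMASK))
        return std::make_pair((unsigned char *) NULL, "DN label decompression header is bogus");
    i &= ~DN_COMP_BITMASK;
    /* a pointer to its own offset (or a cycle) changes neither o nor q, so bound the hops;
     * 16 is a constructed limit, any small fixed bound works */
    if (++hops > 16)
        return std::make_pair((unsigned char *) NULL, "DN label decompression pointer loop");
    i -= 12; /* was `i =- 12`, i.e. i = -12 */
}
// … unchanged: else branch copying one label into res …
```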
