Package: peercast Version: 0.1217.toots.20060314-1 Severity: grave Tags: security patch
Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for peercast. CVE-2007-6454[0]: | Heap-based buffer overflow in the handshakeHTTP function in servhs.cpp | in PeerCast 0.1217 and earlier, and SVN 344 and earlier, allows remote | attackers to cause a denial of service and possibly execute arbitrary | code via a long SOURCE request. If you fix this vulnerability please also include the CVE id in your changelog entry. Attached is a patch extracted from the upstream svn to fix this. For further information: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6454 Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
Index: servhs.cpp
===================================================================
--- servhs.cpp (revision 328)
+++ servhs.cpp (revision 347)
@@ -43,6 +43,8 @@
{
if (!*cp)
return NULL;
+
+ int cnt=0;
// fetch command
while (*cp)
@@ -51,10 +53,15 @@
if (c == '=')
break;
else
- *cmd++ = c;
+ *cmd++ = c;
+
+ cnt++;
+ if (cnt >= (MAX_CGI_LEN-1))
+ break;
}
*cmd = 0;
-
+
+ cnt=0;
// fetch arg
while (*cp)
{
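Review bot: When the new `cnt >= (MAX_CGI_LEN-1)` check at L23 breaks out of the command loop, the unread remainder of the over-long name is left in `cp`, so the arg loop starting at L31 parses that tail as the value instead of skipping to the `=`/`&` delimiter; the result is a truncated name paired with a garbage argument rather than a rejected request. The check itself is sized correctly (MAX_CGI_LEN-1 characters plus the terminator at L26 fill exactly MAX_CGI_LEN bytes) provided `cmd` really is MAX_CGI_LEN wide, which this function cannot see. I would either consume the rest of the token on truncation, `if (cnt >= (MAX_CGI_LEN-1)) { while (*cp && *cp++ != '=') ; break; }`, or return NULL so the caller drops the request. The enclosing function starts above this hunk and how `c` is read from `cp` is not visible here, so the skip loop assumes `cp` already points past the consumed character.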
@@ -62,7 +69,11 @@
if (c == '&')
break;
else
- *arg++ = c;
+ *arg++ = c;
+
+ cnt++;
+ if (cnt >= (MAX_CGI_LEN-1))
+ break;
}
*arg = 0;
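Review bot: The bound added at L41 is the fixed constant MAX_CGI_LEN rather than the size of the destination the caller passed, so it only protects callers whose `arg` buffer is at least MAX_CGI_LEN bytes; any caller that passes a smaller local (for example a 128-byte buffer) is still overflowable through this function. A safer shape is to take the two destination sizes as parameters, `char *getCGIarg(char *cp, char *cmd, size_t cmdLen, char *arg, size_t argLen)`, and compare `cnt` against them, keeping a MAX_CGI_LEN-defaulted overload for existing callers. As in the command loop, the remaining characters of an over-long value are left in `cp` on break rather than skipped to the next `&`. The function's signature and return sit outside this hunk, so the parameter names above are a guess at the original ones.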
@@ -302,13 +313,13 @@
mount[-1] = 0; // password preceeds
break;
}
- strcpy(loginPassword,in+7);
+ loginPassword.set(in+7);
- LOG_DEBUG("ICY client: %s %s",loginPassword,mount?mount:"unknown");
+ LOG_DEBUG("ICY client: %s %s",loginPassword.cstr(),mount?mount:"unknown");
}
if (mount)
- strcpy(loginMount,mount);
+ loginMount.set(mount);
handshakeICY(Channel::SRC_ICECAST,isHTTP);
sock = NULL; // socket is taken over by channel, so don`t close it
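Review bot: The rewritten LOG_DEBUG at L52 still writes the source password to the debug log in clear text, so switching to `String` fixes the overflow but keeps credentials in whatever log file or console the daemon writes to. Since the mount name is the useful part, I would log only that: `LOG_DEBUG("ICY client: %s",mount?mount:"unknown");`. `loginPassword.set(in+7)` at L50 also relies on `in` being at least 7 bytes long, which presumably is guaranteed by the prefix compare that selects this branch above the hunk; worth confirming, because `mount[-1] = 0` at L46 writes one byte before `mount` and is only safe if `mount` can never equal `in`. The enclosing handshake function starts before and continues past this hunk.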
@@ -318,7 +329,7 @@
if (!isAllowed(ALLOW_BROADCAST))
throw HTTPException(HTTP_SC_UNAVAILABLE,503);
- strcpy(loginPassword,servMgr->password); // pwd already checked
+ loginPassword.set(servMgr->password); // pwd already checked
sock->writeLine("OK2");
sock->writeLine("icy-caps:11");
@@ -640,9 +651,9 @@
// -----------------------------------
void Servent::handshakeCMD(char *cmd)
{
- char result[256];
- char arg[512];
- char curr[256];
+ char result[MAX_CGI_LEN];
+ char arg[MAX_CGI_LEN];
+ char curr[MAX_CGI_LEN];
char jumpStr[128];
char *jumpArg=NULL;
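Review bot: `jumpStr[128]` at L76 is the one local buffer left at its old fixed size while `result`, `arg` and `curr` grow to MAX_CGI_LEN; if `jumpStr` is later filled from `arg` (the body of handshakeCMD continues past this hunk), it is now the smallest target and the overflow simply moves there. Unless the copy into it is bounded, I would size it the same way, `char jumpStr[MAX_CGI_LEN];`. Note also that `arg` used to be 512 bytes, so if MAX_CGI_LEN is smaller than 512 this change shrinks it; that is harmless only because the parsing helper now stops at MAX_CGI_LEN-1 characters.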
@@ -831,6 +842,8 @@
// connections
else if (strcmp(curr,"maxcin")==0)
servMgr->maxControl = getCGIargINT(arg);
+ else if (strcmp(curr,"maxsin")==0)
+ servMgr->maxServIn = getCGIargINT(arg);
else if (strcmp(curr,"maxup")==0)
servMgr->maxBitrateOut = getCGIargINT(arg);
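Review bot: The new `maxsin` branch at L82-L83 is unrelated to CVE-2007-6454 and depends on a `ServMgr::maxServIn` member that this patch does not add; if the packaged 0.1217 source lacks that member, a security-only upload carrying this hunk will fail to build. For a targeted fix I would drop this hunk from the patch, or at least note in the changelog that the upstream revision range brings in a new setting. As with its neighbours, the value comes straight from getCGIargINT with no range check, so a negative or huge limit is accepted from the admin interface.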
@@ -1488,15 +1501,15 @@
while (http.nextHeader())
{
LOG_DEBUG("ICY %s",http.cmdLine);
- readICYHeader(http,info,loginPassword);
+ readICYHeader(http,info,loginPassword.cstr());
}
// check password before anything else, if needed
- if (strcmp(servMgr->password,loginPassword)!=0)
+ if (loginPassword != servMgr->password)
{
- if (!sock->host.isLocalhost() || strlen(loginPassword))
+ if (!sock->host.isLocalhost() || !loginPassword.isEmpty())
throw HTTPException(HTTP_SC_UNAUTHORIZED,401);
}
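Review bot: `readICYHeader(http,info,loginPassword.cstr())` at L91 hands the callee a raw pointer into the `String`'s storage, so if readICYHeader still copies the password header value into that pointer with strcpy (as it must have done when the argument was a `char` array), a long `icy-password` header overflows the `String`'s internal buffer just as it did before; `.set()` only protects the call sites changed in this patch. The signature should become `readICYHeader(HTTP &, ChanInfo &, String &)` with the callee using `.set()`, and this line `readICYHeader(http,info,loginPassword);`. The comparison at L95 is also a plain, early-exit string compare, so response timing leaks how many leading bytes of the guess matched; a constant-time compare is cheap here. handshakeICY begins above this hunk, and readICYHeader is not in the patch, so its current behaviour is inferred.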
@@ -1510,7 +1523,7 @@
info.id = chanMgr->broadcastID;
- info.id.encode(NULL,info.name.cstr(),loginMount,info.bitrate);
+ info.id.encode(NULL,info.name.cstr(),loginMount.cstr(),info.bitrate);
LOG_DEBUG("Incoming source: %s : %s",info.name.cstr(),ChanInfo::getTypeStr(info.contentType));
@@ -1531,7 +1544,7 @@
info.comment = chanMgr->broadcastMsg;
info.bcID = chanMgr->broadcastID;
- c = chanMgr->createChannel(info,loginMount);
+ c = chanMgr->createChannel(info,loginMount.cstr());
if (!c)
throw HTTPException(HTTP_SC_UNAVAILABLE,503);

