Package: ircd-hybrid
Version: 1:7.2.2.dfsg.2-6.2
Severity: grave
Tags: security

Mr. Bob Nomnomnom from Torland reported a denial of service security
vulnerability in ircd-hybrid. The function hostmask.c:try_parse_v4_netmask()
uses strtoul to parse masks. The documentation says strtoul can parse "-number"
as well. Validation of input does not catch evil bits. I can give a proof of
concept if needed.

Fixed in commit: 
http://svn.ircd-hybrid.org:8000/viewcvs.cgi/ircd-hybrid/trunk/src/hostmask.c?r1=1786&r2=1785&pathrev=1786
Fixed in: ircd-hybrid 8.0.6

I have requested a CVE identifier for this vulnerability.

Program received signal SIGSEGV, Segmentation fault.
0x000000000041c799 in try_parse_v4_netmask (text=<value optimized out>, addr=0x113e270, b=0x113e2f8) at hostmask.c:229
229     addb[bits / 8] &= ~((1 << (8 - bits % 8)) - 1);
(gdb) bt
#0  0x000000000041c799 in try_parse_v4_netmask (text=<value optimized out>, addr=0x113e270, b=0x113e2f8) at hostmask.c:229
#1  parse_netmask (text=<value optimized out>, addr=0x113e270, b=0x113e2f8) at hostmask.c:255
#2  0x000000000040c4ab in add_id (client_p=0x7ffff7f9a058, chptr=0x11264e8, banid=<value optimized out>, type=<value optimized out>) at channel_mode.c:233
#3  0x000000000040cd28 in chm_ban (client_p=0x7ffff7f9a058, source_p=0x7ffff7f9a058, chptr=0x11264e8, parc=<value optimized out>, parn=0x7ffff7565580, parv=0x2f, errors=0x7fffffffdd08, alev=2, dir=1, c=98 'b', d=0x0, chname=0x1126774 "#foo") at channel_mode.c:803
#4  0x000000000040baac in set_channel_mode (client_p=<value optimized out>, source_p=<value optimized out>, chptr=<value optimized out>, member=<value optimized out>, parc=2, parv=0x8ed410, chname=0x1126774 "#foo") at channel_mode.c:1785
#5  0x00007fffee7655a4 in m_mode (client_p=0x7ffff7f9a058, source_p=0x7ffff7f9a058, parc=4, parv=0x8ed400) at m_mode.c:115
#6  0x0000000000422d9f in parse_client_queued (client_p=0x7ffff7f9a058) at packet.c:216
#7  0x0000000000422ee5 in read_packet (fd=0x10faa18, data=<value optimized out>) at packet.c:359
#8  0x0000000000423ead in comm_select () at s_bsd_epoll.c:204
#9  0x000000000041f7f8 in io_loop (argc=0, argv=0x7fffffffe588) at ircd.c:237
#10 main (argc=0, argv=0x7fffffffe588) at ircd.c:670

--
Henri Salo
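
Added example, not part of the original report and not ircd-hybrid's code or its upstream fix: a strict IPv4 prefix-length parser that closes the strtoul "-number" gap described above, next to a bounded version of the masking step seen at hostmask.c:229. The names naive_prefix, parse_v4_prefix and apply_v4_mask are hypothetical, and the sample address is constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* The strtoul() behaviour the report refers to: a leading '-' is accepted
 * and the result is negated as unsigned long, so "-1" yields ULONG_MAX. */
static unsigned long naive_prefix(const char *s) { return strtoul(s, NULL, 10); }

/* Hypothetical strict parser: digits only, whole string consumed, 0..32.
 * Returns 0 and stores the prefix length on success, -1 otherwise. */
static int parse_v4_prefix(const char *s, unsigned *bits_out)
{
    char *end;
    unsigned long v;
    if (!isdigit((unsigned char)s[0]))   /* rejects "", "-1", "+8", " 8" */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > 32)
        return -1;
    *bits_out = (unsigned)v;
    return 0;
}

/* Hypothetical helper: clear the host bits of a 4-byte address. bits is
 * already known to be <= 32, so every index stays inside addr[0..3]. */
static void apply_v4_mask(unsigned char addr[4], unsigned bits)
{
    unsigned i = bits / 8;
    if (bits % 8)
        addr[i++] &= (unsigned char)~((1u << (8 - bits % 8)) - 1);
    for (; i < 4; i++)
        addr[i] = 0;
}

int main(void)
{
    unsigned bits = 0;
    unsigned char a[4] = {192, 168, 255, 255};   /* constructed sample */

    printf("naive \"-1\" is ULONG_MAX: %d\n", naive_prefix("-1") == ULONG_MAX);
    printf("strict \"-1\" -> %d\n", parse_v4_prefix("-1", &bits));
    if (parse_v4_prefix("20", &bits) == 0)
        apply_v4_mask(a, bits);
    printf("/20 -> %u.%u.%u.%u\n", a[0], a[1], a[2], a[3]);
    return 0;
}
```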

