Debian Bug report logs - #365680
[CVE-2006-2148] cgiirc: buffer overflow in client.c

Package: cgiirc; Maintainer for cgiirc is Damián Viano <des@debian.org>;

Reported by: Paul Wise <pabs@debian.org>

Date: Tue, 2 May 2006 02:33:01 UTC

Severity: grave

Tags: confirmed, patch, security

Found in version cgiirc/0.5.4

Fixed in version cgiirc/0.5.9-1

Done: Damián Viano <debian@damianv.com.ar>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Mario Holbe <debian-cgiirc@Wunder-Nett.org>:
Bug#365680; Package cgiirc. Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs3@bonedaddy.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Mario Holbe <debian-cgiirc@Wunder-Nett.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs3@bonedaddy.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cgiirc: buffer overflow in client.c
Date: Tue, 02 May 2006 10:15:37 +0800
Package: cgiirc
Version: 0.5.4
Severity: grave
Tags: security
Justification: user security hole

Upstream has just released 0.5.8, which fixes a buffer overflow in
client.c amongst other things. The 0.5.8 timeline can be seen here:

http://cvs.cgiirc.org/timeline?d=300&e=2006-Apr-30&c=2&px=&s=0&dm=1&x=1&m=1

The patches can be seen here:

http://cvs.cgiirc.org/chngview?cn=283
http://cvs.cgiirc.org/chngview?cn=263

There is no CVE assigned yet as far as I know.

0.5.8 also adds a login secret feature to help stop flooding:

> I have also added a feature which hopefully will stop some of the  
> lamer attacks on CGI:IRC. If you set the 'login secret' option then  
> an authentication token is added to the URL so it is not enough to  
> simply request nph-irc.cgi like some flooding scripts have done.

http://cvs.cgiirc.org/chngview?cn=277

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Message #10 received at 365680@bugs.debian.org (full text, mbox):

From: Elrond <elrond+bugs.debian.org@samba-tng.org>
To: Paul Wise <pabs3@bonedaddy.net>, 365680@bugs.debian.org
Subject: Re: Bug#365680: cgiirc: buffer overflow in client.c
Date: Tue, 2 May 2006 17:50:07 +0200
package cgiirc
tags 365680 + confirmed
thanks


On Tue, May 02, 2006 at 10:15:37AM +0800, Paul Wise wrote:
[...]
> Upstream has just released 0.5.8, which fixes a buffer overflow in
> client.c amongst other things. The 0.5.8 timeline can be seen here:
[...]

Okay, I can confirm the buffer overflow.


> http://cvs.cgiirc.org/chngview?cn=283
> http://cvs.cgiirc.org/chngview?cn=263

Okay, that helped in fixing it, my upcoming patch is based
on this.


> There is no CVE assigned yet as far as I know.

I don't know, if the security team requires this.


> 0.5.8 also adds a login secret feature to help stop flooding:
> 
> > I have also added a feature which hopefully will stop some of the  
> > lamer attacks on CGI:IRC. If you set the 'login secret' option then  
> > an authentication token is added to the URL so it is not enough to  
> > simply request nph-irc.cgi like some flooding scripts have done.
> 
> http://cvs.cgiirc.org/chngview?cn=277

I have decided to not backport this for the security
release of 0.5.4. If the security team decides, that this
is needed, I leave that to them.

But AFAIK, it's only raising the DoS-burden a little.


     Elrond



Tags added: confirmed Request was from Elrond <elrond+bugs.debian.org@samba-tng.org> to control@bugs.debian.org. Full text and rfc822 format available.


Message #17 received at 365680@bugs.debian.org (full text, mbox):

From: "Mario 'BitKoenig' Holbe" <Mario.Holbe@TU-Ilmenau.DE>
To: Paul Wise <pabs3@bonedaddy.net>
Cc: 365680@bugs.debian.org
Subject: Re: Bug#365680: cgiirc: buffer overflow in client.c
Date: Tue, 2 May 2006 18:30:49 +0200
Hi,

On Tue, May 02, 2006 at 10:15:37AM +0800, Paul Wise wrote:
> Upstream has just released 0.5.8, which fixes a buffer overflow in
> client.c amongst other things. The 0.5.8 timeline can be seen here:

Just as a short-term reply and for documentation reasons regarding this
issue:
The Debian package ships with a safe default configuration and is thus
not per-se vulnerable.
However, of course it is vulnerable if the configuration is changed to
use client.cgi instead of client-perl.cgi.


regards
   Mario
-- 
I've never been certain whether the moral of the Icarus story should
only be, as is generally accepted, "Don't try to fly too high," or
whether it might also be thought of as, "Forget the wax and feathers
and do a better job on the wings."            -- Stanley Kubrick

Message #22 received at 365680@bugs.debian.org (full text, mbox):

From: micah <micah@riseup.net>
To: 365680@bugs.debian.org, 365680-submitter@bugs.debian.org
Subject: I have requested a CVE assignment
Date: Tue, 02 May 2006 12:48:07 -0400


I have requested a CVE assignment for this vulnerability, and will send
it on as soon as it is obtained. Please include this reference in any
changelog resolving this issue so that it can be appropriately tracked.

>> There is no CVE assigned yet as far as I know.
>I don't know, if the security team requires this.

Yes, it is required for DSAs, and for tracking issues.

Micah



Message sent on to Paul Wise <pabs3@bonedaddy.net>:
Bug#365680. Full text and rfc822 format available.


Message #30 received at 365680@bugs.debian.org (full text, mbox):

From: David Leadbeater <dgl@dgl.cx>
To: 365680@bugs.debian.org
Subject: It does affect all installs
Date: Tue, 2 May 2006 20:46:28 +0100

Mario: It does affect all configurations, just because the  
configuration file says client-perl.cgi it doesn't stop someone  
accessing client.cgi as the package builds client.cgi and puts it  
into the cgi-bin directory.

David

Message #35 received at 365680@bugs.debian.org (full text, mbox):

From: "Mario 'BitKoenig' Holbe" <Mario.Holbe@TU-Ilmenau.DE>
To: David Leadbeater <dgl@dgl.cx>, 365680@bugs.debian.org
Subject: Re: Bug#365680: It does affect all installs
Date: Tue, 2 May 2006 21:58:06 +0200
On Tue, May 02, 2006 at 08:46:28PM +0100, David Leadbeater wrote:
> Mario: It does affect all configurations, just because the  
> configuration file says client-perl.cgi it doesn't stop someone  
> accessing client.cgi as the package builds client.cgi and puts it  

Yes, I missed that in the first look iteration.
We've quite finished an intermediate security release.


Mario
-- 
We are the Bore. Resistance is futile. You will be bored.

Message #40 received at 365680@bugs.debian.org (full text, mbox):

From: Elrond <elrond+bugs.debian.org@samba-tng.org>
To: 365680@bugs.debian.org
Cc: David Leadbeater <dgl@dgl.cx>
Subject: Bug#365680: Patch for 0.5.4-6
Date: Tue, 2 May 2006 22:30:11 +0200
Hi,

The appended patch should fix this issue.
It's based on the upstream patches in 0.5.8.

This is the result of Mario already reviewing it.
Everybody else is invited to review it too.


To create a new package:

- Place the .dpatch in debian/patches
- Add 50_client-c_bufferoverflow_fix.dpatch to
  debian/patches/
- Create a new changelog entry.


To Do / Done:

* I verified, that the above builds a fresh package
* Testing is needed
* Tag this bug "patch"
* Let the security team do their job


    Elrond
[50_client-c_bufferoverflow_fix.dpatch (text/plain, inline)]
#! /bin/sh /usr/share/dpatch/dpatch-run
## 50_client-c_bufferoverflow_fix.dpatch by Elrond <elrond+debian.org@samba-tng.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix various buffer overflows in client.c.


--- cgiirc-0.5.4/client.c.orig	2002-05-11 16:52:18.000000000 +0200
+++ cgiirc-0.5.4/client.c	2006-05-02 21:04:19.000000000 +0200
@@ -1,5 +1,5 @@
 /* CGI:IRC C Helper CGI
- * Copyright (c) David Leadbeater 2002
+ * Copyright (c) David Leadbeater 2002-2006
  * Released Under the GNU GPLv2 or Later
  * NO WARRANTY - See GNU GPL for more
  * $Id: client.c,v 1.9 2002/05/11 14:52:18 dgl Exp $
@@ -20,9 +20,9 @@
 
 int unix_connect(char *where);
 int error(char *error);
-int readinput(char *params);
-int get_rand(char *params, char *rand);
-int get_cookie(char *cookie);
+int readinput(char *params, size_t len);
+int get_rand(char *params, char *rand, size_t len);
+int get_cookie(char *cookie, size_t len);
 
 int main(void) {
    int fd;
@@ -31,20 +31,23 @@
    char tmp[2148]; /* I decided to stop adding comments after here */
    char cookie[100];
    
-   if(!readinput(params)) error("No input found\n");
-   if(!get_rand(params, rand)) error("Random Value not found\n");
+   if(!readinput(params, sizeof params)) error("No input found\n");
+   if(!get_rand(params, rand, sizeof rand)) error("Random Value not found\n");
 
-   if(get_cookie(cookie)) {
+   if(get_cookie(cookie, sizeof(cookie))) {
       char tmp2[2148]; /* I'm sure there's a better way of doing this.. */
-      strncpy(tmp2, params, 2147);
-      snprintf(params, 2148, "COOKIE=%s&%s", cookie, tmp2);
+      strncpy(tmp2, params, sizeof tmp2);
+      tmp2[sizeof(tmp2) - 1] = '\0';
+      snprintf(params, sizeof params, "COOKIE=%s&%s", cookie, tmp2);
+      params[sizeof(params) - 1] = '\0';
    }
 
    fd = unix_connect(rand);
    send(fd, params, strlen(params), 0);
    send(fd, "\n", 1, 0);
 
-   while(read(fd, tmp, 2048) > 0) {
+   while(read(fd, tmp, sizeof(tmp) - 1) > 0) {
+	  tmp[sizeof(tmp) - 1] = '\0';
 	  printf("%s",tmp);
    }
 
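Review bot: In the read loop at the end of this hunk the terminator is written at tmp[sizeof(tmp) - 1] instead of at the number of bytes read() returned, so after a short read printf("%s", tmp) runs past the fresh data into bytes left over from an earlier iteration or into uninitialised stack. Keep the return value, for example while((n = read(fd, tmp, sizeof(tmp) - 1)) > 0) { tmp[n] = '\0'; ... }, or write exactly n bytes with fwrite. The params[sizeof(params) - 1] = '\0' after snprintf is redundant, since snprintf always terminates within the size it is given.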
@@ -57,7 +60,7 @@
    exit(1);
 }
 
-int readinput(char *params) {
+int readinput(char *params, size_t len) {
    char request[10];
 
    if(!getenv("REQUEST_METHOD")) return 0;
@@ -66,8 +69,8 @@
    if(!strlen(request)) return 0;
 
    if(strncmp(request, "GET", 3) == 0) {
-	  strncpy(params, getenv("QUERY_STRING"), 2048);
-	  params[2048] = 0;
+	  strncpy(params, getenv("QUERY_STRING"), len);
+	  params[len - 1] = 0;
 	  if(!strlen(params)) return 0;
       return 1;
    }else if(strncmp(request, "POST", 4) == 0) {
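Review bot: getenv("QUERY_STRING") is passed straight to strncpy in the GET branch with no NULL check, while REQUEST_METHOD and CONTENT_LENGTH are both tested before use. Since the line is being touched anyway, fetch the value once, return 0 if it is NULL, and only then copy it with the new len bound.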
@@ -75,7 +78,8 @@
 	  if(!getenv("CONTENT_LENGTH")) return 0;
 	  length = atoi(getenv("CONTENT_LENGTH"));
 	  if(!length || length == 0) return 0;
-	  fread(params, length > 2048 ? 2048 : length, 1, stdin);
+	  length = (length >= len ? len - 1 : length);
+	  fread(params, length, 1, stdin);
 	  params[length] = 0;
 	  return 1;
    }else{
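Review bot: The clamp length = (length >= len ? len - 1 : length); compares the value taken from atoi() with the size_t len, so if length is a signed int, as the atoi() assignment suggests, a negative CONTENT_LENGTH is only caught because it converts to a very large unsigned value. Reject length <= 0 explicitly before the clamp, which also replaces the redundant !length || length == 0 test. The fread result is still unchecked: on a short read params[length] = 0 terminates after bytes that were never written, so terminate at the count actually read, for example with fread(params, 1, length, stdin) and its return value.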
@@ -83,7 +87,7 @@
    }
 }
 
-int get_rand(char *params, char *rand) { 
+int get_rand(char *params, char *rand, size_t len) { 
    char *ptr, *end_ptr;
    int r = 0, i = 0;
    ptr = params;
@@ -92,7 +96,7 @@
    for(;ptr < end_ptr; ptr++) {
 	  if(r == 1) {
 		 if(*ptr == '&') break;
-		 if(i > 48) break;
+		 if(i > len - 2) break;
 		 if(isalpha(*ptr) || isdigit(*ptr)) {
 		    rand[i] = *ptr;
 		    i++;
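Review bot: if(i > len - 2) break; compares the int i with an unsigned expression, and len - 2 wraps to a huge value when len is 0 or 1, which removes the bound entirely. Writing the test as if((size_t)i + 1 >= len) break; avoids the subtraction, or declare i as size_t as get_cookie now does.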
@@ -107,26 +111,22 @@
    return 0;
 }
 
-int get_cookie(char *cookie) {
+int get_cookie(char *cookie, size_t len) {
    char ctmp[1024];
-   char *sptr, *end_ptr;
-   int i;
+   char *sptr;
+   size_t i;
 
    if(!getenv("HTTP_COOKIE")) return 0;
-   strncpy(ctmp, getenv("HTTP_COOKIE"), 1023);
+   strncpy(ctmp, getenv("HTTP_COOKIE"), sizeof ctmp - 1);
+   ctmp[sizeof(ctmp) - 1] = '\0';
 
    sptr = strstr(ctmp, "cgiircauth=");
    if(sptr == NULL) return 0;
    if(strlen(sptr) < 12) return 0;
    sptr += 11;
-   end_ptr = sptr + (strlen(sptr) < 99 ? strlen(sptr) : 99);
 
-   i = 0;
-   while((int)sptr < (int)end_ptr && *sptr != ';') {
+   for (i = 0; *sptr && *sptr != ';' && i < (len-1); i++, sptr++)
       cookie[i] = *sptr;
-      sptr++;
-      i++;
-   }
    cookie[i] = '\0';
    return 1;
 }
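Review bot: The new copy loop in get_cookie stops silently at len - 1 characters and the function still returns 1, so an over-long cgiircauth value is passed on truncated in the COOKIE= prefix built in main; consider returning 0 when the loop ends on the length limit rather than on ';' or end of string. The bound i < (len-1) also wraps if len is ever 0, so a len == 0 check at the top would make the helper safe for any caller.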
@@ -138,15 +138,17 @@
    char filename[100], errmsg[100];
 
    len = strlen(TMPLOCATION) + strlen(where) + 6;
-   if(len > 100) error("Too long");
-   snprintf(filename, len, "%s%s/sock", TMPLOCATION, where);
-   filename[len] = 0;
+   if(len > sizeof(filename))
+     error("Too long");
+   snprintf(filename, sizeof(filename), "%s%s/sock", TMPLOCATION, where);
+   filename[len-1] = 0;
 
    sock = socket(AF_UNIX, SOCK_STREAM, 0);
    if(sock == -1) error("socket() error\n");
 
    saddr.sun_family = AF_UNIX;
-   strcpy(saddr.sun_path, filename);
+   strncpy(saddr.sun_path, filename, sizeof(saddr.sun_path));
+   saddr.sun_path[sizeof(saddr.sun_path) - 1] = '\0';
 
    if(connect(sock, (struct sockaddr *)&saddr, SUN_LEN(&saddr)) == -1) {
           switch(errno) {
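Review bot: filename[len-1] = 0; is redundant and rests on the hand-computed len: snprintf with sizeof(filename) already terminates the buffer, and the index is only in range if error("Too long") never returns. Drop the assignment and test snprintf's return value against sizeof(filename) instead of recomputing the length with the constant 6.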


Message #45 received at 365680@bugs.debian.org (full text, mbox):

From: Micah Anderson <micah@riseup.net>
Cc: 365680@bugs.debian.org, 365680-submitter@bugs.debian.org, David Leadbeater <dgl@dgl.cx>
Subject: Re: I have requested a CVE assignment
Date: Tue, 02 May 2006 17:21:41 -0400


CVE-2006-2148 was assigned for this vulnerability.

Micah

micah wrote:
> 
> I have requested a CVE assignment for this vulnerability, and will send
> it on as soon as it is obtained. Please include this reference in any
> changelog resolving this issue so that it can be appropriately tracked.
> 
> 
>>>>There is no CVE assigned yet as far as I know.
>>>
>>>I don't know, if the security team requires this.
> 
> 
> Yes, it is required for DSAs, and for tracking issues.
> 
> Micah

Message #53 received at 365680@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: team@security.debian.org, debian-cgiirc@Wunder-Nett.org
Cc: 365680@bugs.debian.org
Subject: Re: CGIIRC vulnerability (Bug#365680)
Date: Thu, 4 May 2006 16:55:39 +0200
Elrond wrote:
> Nearly all the relevant information, that is currently
> available regarding this issue, is in the bug logs.
> (see: <http://bugs.debian.org/365680>)

Are you going to update the package in sid as well?
Or should the package propagate via stable-security?

Regards,

	Joey

-- 
It's practically impossible to look at a penguin and feel angry.

Please always Cc to me when replying to me on the lists.




Message #58 received at 365680@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: team@security.debian.org, debian-cgiirc@Wunder-Nett.org
Cc: 365680@bugs.debian.org
Subject: Re: CGIIRC vulnerability (Bug#365680)
Date: Thu, 4 May 2006 16:50:55 +0200
Elrond wrote:
> Nearly all the relevant information, that is currently
> available regarding this issue, is in the bug logs.
> (see: <http://bugs.debian.org/365680>)
> 
> Very Short summary:
> 
> * bufferoverflow in C code
> * remotely exploitable
> * CVE has been requested by micah
> * Untested patch exists
> 
> I _might_ be able to test, whether the package still works
> with the patch within the next 24 to 48 hours, but don't
> hold your breath on this.

Please let us know.

> As this has been disclosed publicly now anyway, I'd suggest
> keeping all important (new) information in the bug logs for
> easy review by interested parties.

Update prepared.

Regards,

	Joey

-- 
It's practically impossible to look at a penguin and feel angry.

Please always Cc to me when replying to me on the lists.




Message #63 received at 365680@bugs.debian.org (full text, mbox):

From: "Mario 'BitKoenig' Holbe" <Mario.Holbe@TU-Ilmenau.DE>
To: Elrond <elrond+bugs.debian.org@samba-tng.org>
Cc: 365680@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#365680: Patch for 0.5.4-6
Date: Fri, 5 May 2006 18:38:15 +0200
package cgiirc
tags 365680 + patch
thanks

On Tue, May 02, 2006 at 10:30:11PM +0200, Elrond wrote:
> To create a new package:
> - Place the .dpatch in debian/patches
> - Add 50_client-c_bufferoverflow_fix.dpatch to
>   debian/patches/

- Add 50_client-c_bufferoverflow_fix to debian/patches/00list

> - Create a new changelog entry.
> 
> To Do / Done:
> * I verified, that the above builds a fresh package

Ditto. It does also install/upgrade clean :)

> * Testing is needed

I did my best :)

> * Tag this bug "patch"

On the way.

> * Let the security team do their job

Okay :)


regards
   Mario
-- 
There is nothing more deceptive than an obvious fact.
             -- Sherlock Holmes by Arthur Conan Doyle

Tags added: patch Request was from "Mario 'BitKoenig' Holbe" <Mario.Holbe@TU-Ilmenau.DE> to control@bugs.debian.org. Full text and rfc822 format available.


Message #70 received at 365680@bugs.debian.org (full text, mbox):

From: "Mario 'BitKoenig' Holbe" <Mario.Holbe@TU-Ilmenau.DE>
To: Martin Schulze <joey@infodrom.org>
Cc: team@security.debian.org, debian-cgiirc@Wunder-Nett.org, 365680@bugs.debian.org
Subject: Re: Bug#365680: CGIIRC vulnerability (Bug#365680)
Date: Fri, 5 May 2006 19:10:57 +0200
On Thu, May 04, 2006 at 04:55:39PM +0200, Martin Schulze wrote:
> Are you going to update the package in sid as well?

We're preparing a new version for sid, which of course will include the
fix, too. But this will take a few days longer, so...

> Or should the package propagate via stable-security?

Yes, for the first it should be okay to propagate the package via
stable-security.

On Thu, May 04, 2006 at 04:50:55PM +0200, Martin Schulze wrote:
> Elrond wrote:
> > I _might_ be able to test, whether the package still works
> Please let us know.

Tests are done. Everything seems to work well.

> Update prepared.

Go on :)
Please make sure you did also add 50_client-c_bufferoverflow_fix to
debian/patches/00list in order to really make it active, since Elrond
did forget to mention this in his original ToDo list.


Thanks for your work & best regards
   Mario
-- 
File names are infinite in length where infinity is set to 255 characters.
                                -- Peter Collinson, "The Unix File System"

Message #75 received at 365680@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Mario 'BitKoenig' Holbe <Mario.Holbe@TU-Ilmenau.DE>
Cc: Debian Security Team <team@security.debian.org>, debian-cgiirc@Wunder-Nett.org, 365680@bugs.debian.org
Subject: Re: Bug#365680: CGIIRC vulnerability (Bug#365680)
Date: Sat, 6 May 2006 10:07:17 +0200
Mario 'BitKoenig' Holbe wrote:
> > Elrond wrote:
> > > I _might_ be able to test, whether the package still works
> > Please let us know.
> 
> Tests are done. Everything seems to work well.
> 
> > Update prepared.
> 
> Go on :)
> Please make sure you did also add 50_client-c_bufferoverflow_fix to
> debian/patches/00list in order to really make it active, since Elrond
> did forget to mention this in his original ToDo list.

Yup, did that.

Regards,

	Joey

-- 
It's practically impossible to look at a penguin and feel angry.

Please always Cc to me when replying to me on the lists.




Message #80 received at 365680@bugs.debian.org (full text, mbox):

From: Elrond <elrond+bugs.debian.org@samba-tng.org>
To: Martin Schulze <joey@infodrom.org>, team@security.debian.org, 365680@bugs.debian.org
Subject: Re: Bug#365680: CGIIRC vulnerability (Bug#365680)
Date: Sat, 6 May 2006 12:37:41 +0200
package cgiirc
retitle 365680 [CVE-2006-2148] cgiirc: buffer overflow in client.c
thanks

On Fri, May 05, 2006 at 07:10:57PM +0200, Mario 'BitKoenig' Holbe wrote:
> On Thu, May 04, 2006 at 04:55:39PM +0200, Martin Schulze wrote:
> > Are you going to update the package in sid as well?
> 
> We're preparing a new version for sid, which of course will include the
> fix, too. But this will take a few days longer, so...
> 
> > Or should the package propagate via stable-security?
> 
> Yes, for the first it should be okay to propagate the package via
> stable-security.

If people using testing or sid (which has the same version
of cgiirc still) will get that version then too (until we
have 0.5.8-1 out), that would be cool too.


    Elrond



Changed Bug title. Request was from Elrond <elrond+bugs.debian.org@samba-tng.org> to control@bugs.debian.org. Full text and rfc822 format available.


Message #87 received at 365680@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Elrond <elrond+bugs.debian.org@samba-tng.org>
Cc: Debian Security Team <team@security.debian.org>, 365680@bugs.debian.org
Subject: Re: Bug#365680: CGIIRC vulnerability (Bug#365680)
Date: Mon, 8 May 2006 06:49:38 +0200
Elrond wrote:
> On Sun, May 07, 2006 at 09:16:35AM +0200, Martin Schulze wrote:
> [...]
> > If an update enters stable-security and the version in testing is the
> > same as in stable, then the new version propagates into testing.  If,
> > additionally, the version in unstable is the same, this very version
> > will propagate into unstable as well.
> > 
> > So, it'll propagate automatically if you're not updating the package before.
> 
> Very nice!
> 
> What's missing for the DSA? (just curious / wanting to
> know, if there's something I should do)

Nothing else required by you.

Regards,

	Joey

-- 
It's practically impossible to look at a penguin and feel angry.

Please always Cc to me when replying to me on the lists.



Reply sent to Elrond <elrond+bugs.debian.org@samba-tng.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Paul Wise <pabs3@bonedaddy.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #92 received at 365680-close@bugs.debian.org (full text, mbox):

From: Elrond <elrond+bugs.debian.org@samba-tng.org>
To: 365680-close@bugs.debian.org
Subject: Fixed in security.d.o
Date: Wed, 10 May 2006 13:44:44 +0200
Version: 0.5.4-6sarge1

This has been fixed in security.

DSA: http://www.debian.org/security/2006/dsa-1052


    Elrond




Message #97 received at 365680@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: 365680@bugs.debian.org, control@bugs.debian.org
Subject: [CVE-2006-2148] cgiirc: buffer overflow in client.c not fixed in sid
Date: Wed, 7 Jun 2006 01:16:11 +0200
package cgiirc
reopen 365680
thanks

the fix has not been uploaded to unstable yet, but the BTS claims [1] 
that it is resolved. Is this a bug in the version tracking of the 
BTS?

http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=cgiirc



Bug reopened, originator not changed. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. Full text and rfc822 format available.


Message #104 received at 365680@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Stefan Fritsch <sf@sfritsch.de>
Cc: 365680@bugs.debian.org
Subject: Re: Bug#365680: [CVE-2006-2148] cgiirc: buffer overflow in client.c not fixed in sid
Date: Wed, 07 Jun 2006 20:35:57 +0200
* Stefan Fritsch:

> the fix has not been uploaded to unstable yet, but the BTS claims [1] 
> that it is resolved. Is this a bug in the version tracking of the 
> BTS?
>
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=cgiirc

In fact, the sarge version should propagate to etch and sid.  I don't
know why this hasn't happened yet.




Message #109 received at 365680@bugs.debian.org (full text, mbox):

From: Elrond <elrond+bugs.debian.org@samba-tng.org>
To: Florian Weimer <fw@deneb.enyo.de>, 365680@bugs.debian.org
Cc: Stefan Fritsch <sf@sfritsch.de>
Subject: Re: Bug#365680: [CVE-2006-2148] cgiirc: buffer overflow in client.c not fixed in sid
Date: Thu, 8 Jun 2006 12:57:59 +0200
On Wed, Jun 07, 2006 at 08:35:57PM +0200, Florian Weimer wrote:
> * Stefan Fritsch:
> 
> > the fix has not been uploaded to unstable yet, but the BTS claims [1] 
> > that it is resolved. Is this a bug in the version tracking of the 
> > BTS?
> >
> > http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=cgiirc
> 
> In fact, the sarge version should propagate to etch and sid.  I don't
> know why this hasn't happened yet.

Who should we contact to help this?


(I'm working on a new upload, but having the fixed version
propagate first would really be nice.)


    Elrond



Tags added: pending Request was from Elrond <elrond+bugs.debian.org@samba-tng.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Damián Viano <debian@damianv.com.ar>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Paul Wise <pabs3@bonedaddy.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #116 received at 365680-close@bugs.debian.org (full text, mbox):

From: Damián Viano <debian@damianv.com.ar>
To: 365680-close@bugs.debian.org
Subject: Bug#365680: fixed in cgiirc 0.5.9-1
Date: Mon, 19 Jun 2006 20:17:03 -0700
Source: cgiirc
Source-Version: 0.5.9-1

We believe that the bug you reported is fixed in the latest version of
cgiirc, which is due to be installed in the Debian FTP archive:

cgiirc_0.5.9-1.diff.gz
  to pool/main/c/cgiirc/cgiirc_0.5.9-1.diff.gz
cgiirc_0.5.9-1.dsc
  to pool/main/c/cgiirc/cgiirc_0.5.9-1.dsc
cgiirc_0.5.9-1_i386.deb
  to pool/main/c/cgiirc/cgiirc_0.5.9-1_i386.deb
cgiirc_0.5.9.orig.tar.gz
  to pool/main/c/cgiirc/cgiirc_0.5.9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 365680@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damián Viano <debian@damianv.com.ar> (supplier of updated cgiirc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 19 Jun 2006 19:44:44 -0300
Source: cgiirc
Binary: cgiirc
Architecture: source i386
Version: 0.5.9-1
Distribution: unstable
Urgency: high
Maintainer: Damián Viano <debian@damianv.com.ar>
Changed-By: Damián Viano <debian@damianv.com.ar>
Description: 
 cgiirc     - web based irc client
Closes: 296114 338181 365680
Changes: 
 cgiirc (0.5.9-1) unstable; urgency=high
 .
   * New maintainer
   * New upstream release (Closes: #296114)
     + Fixed security-related bug, and thus set urgency=high (Closes: #365680)
   * Debian specific patches removed (they are all dated or applied):
     + 50_allow-port
     + 50_select-and-input
     + 50_viewconnects-times
     + 50_decode-cmdline
     + 50_http-client_ip
     + 50_multiple-ipaccess+always-close-ipaccess
     + 50_reconnect-link
     + 60_config-in-etc.after.multiple-ipaccess
     + 60_select-and-input-mine
     + 70_select-table-ie-fix
   * Rewrote copyright file
     + Added copyright information for modules/IRC/UniqueHash.pm
     + Correctly differentiate between copyright and license (Closes: #338181)
   * Updated watch file
   * Updated standards version to 3.7.2
     + moved images to /usr/share/images/cgiirc
     + added dependency on httpd-cgi and removed redundant recommends
   * Updated compat level for debhelper to 5
Files: 
 12cd3d33ef5828a18a1936cb91693734 561 net extra cgiirc_0.5.9-1.dsc
 2ca89a52ca51fcc7287a832701b6915f 135163 net extra cgiirc_0.5.9.orig.tar.gz
 cdc2ecf030afb893c15773d49e68d68a 4554 net extra cgiirc_0.5.9-1.diff.gz
 444b6b6a24c521a2a07757b8a8922687 128218 net extra cgiirc_0.5.9-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFEl1smlAuUx1tI/64RAqHYAKCcS+koLsKPVYfhPyRKu6sytf3hSACgiiRL
/qim+EZaFRNbYJiNQiCRcG4=
=8FqF
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>:
Bug#365680; Package cgiirc. Full text and rfc822 format available.

Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>. Full text and rfc822 format available.

Message #121 received at 365680@bugs.debian.org (full text, mbox):

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: debian@damianv.com.ar, 365680@bugs.debian.org
Subject: mention CVE ID # (Re: Bug#338181: marked as done (cgiirc: Improper copyright file))
Date: Tue, 20 Jun 2006 08:15:57 -0400
>    * New maintainer
Thanks for maintaining cgiirc :)

>    * New upstream release (Closes: #296114)
>      + Fixed security-related bug, and thus set urgency=high (Closes: #365680)
Please mention the CVE ID [CVE-2006-2148] in the changelog; adding it
to this entry in the next revision is fine.  I think the security
teams use this to generate their "nonvuln" lists and their vuln
matrices and such.

Justin
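The changelog convention requested in message #121 above, as an added example that is not part of the thread or of any Debian tool: a small Python check that parses `debian/changelog` entries and flags security-related ones that name no CVE ID. The keyword heuristic for "security-related" and the trailer line in the sample are assumptions.

```python
import re

# Constructed sample: the 0.5.9-1 entry from the upload quoted above, abridged.
# The trailer line is a placeholder, not the real maintainer signature line.
AS_UPLOADED = """\
cgiirc (0.5.9-1) unstable; urgency=high

  * New maintainer
  * New upstream release (Closes: #296114)
    + Fixed security-related bug, and thus set urgency=high (Closes: #365680)
  * Updated watch file

 -- Example Maintainer <maint@example.org>  Mon, 19 Jun 2006 19:44:44 -0300
"""
# The same entry with the CVE ID added, as message #121 asks.
AMENDED = AS_UPLOADED.replace("security-related bug",
                              "security-related bug [CVE-2006-2148]")

HEADER = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]+) \((?P<ver>[^)]+)\) "
                    r"(?P<dist>[^;]+); urgency=(?P<urg>\w+)")
CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Bug-closing syntax recognised in Debian changelogs.
CLOSES = re.compile(r"closes:\s*(?:bug)?#?\s?\d+(?:,\s*(?:bug)?#?\s?\d+)*", re.I)
# Assumption: these words are what marks an entry as security-related.
SECURITY_HINT = re.compile(r"\bsecurity\b|\bvulnerab|\boverflow\b", re.I)

def parse_changelog(text):
    """Split a debian/changelog into entries: version, urgency, bugs, CVEs."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"version": m["ver"], "urgency": m["urg"],
                            "bugs": [], "cves": [], "security": False})
        elif entries and line.startswith("  "):  # change lines, not the trailer
            e = entries[-1]
            e["cves"] += CVE.findall(line)
            for closes in CLOSES.findall(line):
                e["bugs"] += re.findall(r"\d+", closes)
            e["security"] |= bool(SECURITY_HINT.search(line))
    return entries

def missing_cve(entries):
    """Versions whose entry looks security-related but names no CVE ID."""
    return [e["version"] for e in entries if e["security"] and not e["cves"]]

if __name__ == "__main__":
    for label, text in (("as uploaded", AS_UPLOADED), ("amended", AMENDED)):
        print(label, "-> entries missing a CVE ID:", missing_cve(parse_changelog(text)))
```
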



Changed Bug submitter from Paul Wise <pabs3@bonedaddy.net> to Paul Wise <pabs@debian.org>. Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 18:05:16 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 08:49:46 2014; Machine Name: buxtehude.debian.org
