Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Romain Beauxis <toots@rastageeks.org>.
(full text, mbox, link).
Package: peercast
Severity: grave
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org
I found a security issue in the peercast server in the
HTTP::getAuthUserPass function. I already contacted the upstream author 6 days
ago and didn't get an answer yet so I am publishing this now.
From core/common/http.cpp:
105 void HTTP::getAuthUserPass(char *user, char *pass)
106 {
107 if (arg)
108 {
109 char *s = stristr(arg,"Basic");
110 if (s)
111 {
112 while (*s)
113 if (*s++ == ' ')
114 break;
115 String str;
116 str.set(s,String::T_BASE64);
117 str.convertTo(String::T_ASCII);
118 s = strstr(str.cstr(),":");
119 if (s)
120 {
121 *s = 0;
122 if (user)
123 strcpy(user,str.cstr());
124 if (pass)
125 strcpy(pass,s+1);
This function is used if authentication to the peercast server is done by basic http auth
rather than by a cookie. In line 116 the base64 encoded string is copied into str.
Note the set method is peercasts own implementation of set since it reimplements the String
class. set looks like this:
From core/common/sys.h:
38 MAX_LEN = 256
...
62 void set(const char *p, TYPE t=T_ASCII)
63 {
64 strncpy(data,p,MAX_LEN-1);
65 data[MAX_LEN-1] = 0;
66 type = t;
67 }
In line 117 the string gets decoded and in line 118 and
following the part before ':' in the decoded string gets copied
into user and the part after it into pass.
From core/common/servhs.cpp:
558 bool Servent::handshakeAuth(HTTP &http,const char *args,bool local)
559 {
560 char user[64],pass[64];
561 user[0] = pass[0] = 0;
...
580 while (http.nextHeader())
581 {
582 char *arg = http.getArgStr();
583 if (!arg)
584 continue;
585
586 switch (servMgr->authType)
587 {
588 case ServMgr::AUTH_HTTPBASIC:
589 if (http.isHeader("Authorization"))
590 http.getAuthUserPass(user,pass);
591 break;
user and pass are only declared to have 64 bytes (line 558) while the buffer used for
copy can store up to MAX_LEN (256) bytes (ok minus the : here). Servent::handshakeAuth calls then
the getAuthUserPass function triggering a buffer overflow.
It's thus possible to crash the server and execute arbitrary code if the server
allows http-basic authentication.
I already requested a CVE id for this.
An example configuration and PoC is attached.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Romain Beauxis <toots@rastageeks.org>: Bug#478573; Package peercast.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Romain Beauxis <toots@rastageeks.org>.
(full text, mbox, link).
retitle 478680 [gnome-peercast] CVE-2008-2040 stack-based buffer overflow in HTTP::getAuthUserPass function
retitle 478573 [peercast] CVE-2008-2040 stack-based buffer overflow in HTTP::getAuthUserPass function
thanks
Hi,
CVE-2008-2040 was assigned to that, please mention the CVE
id in the changelog if you fix this bug.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Changed Bug title to `[peercast] CVE-2008-2040 stack-based buffer overflow in HTTP::getAuthUserPass function' from `[peercast] stack-based buffer overflow in HTTP::getAuthUserPass function'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Wed, 30 Apr 2008 14:45:06 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#478573; Package peercast.
(full text, mbox, link).
Acknowledgement sent to Romain Beauxis <toots@rastageeks.org>:
Extra info received and forwarded to list.
(full text, mbox, link).
To: Nico Golde <nion@debian.org>,
478573@bugs.debian.org
Subject: Re: Bug#478573: got CVE id
Date: Wed, 30 Apr 2008 16:56:24 +0200
Le Wednesday 30 April 2008 16:41:51 Nico Golde, vous avez écrit :
> Hi,
Hi !
> CVE-2008-2040 was assigned to that, please mention the CVE
> id in the changelog if you fix this bug.
Do you have fix by the way ?
Romain
--
We sick an' tired of-a your ism-skism game -
Dyin' 'n' goin' to heaven in-a Jesus' name, Lord.
We know when we understand:
Almighty God is a living man.
Information forwarded to debian-bugs-dist@lists.debian.org, Romain Beauxis <toots@rastageeks.org>: Bug#478573; Package peercast.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Romain Beauxis <toots@rastageeks.org>.
(full text, mbox, link).
Hi Romain,
* Romain Beauxis <toots@rastageeks.org> [2008-04-30 17:03]:
> Le Wednesday 30 April 2008 16:41:51 Nico Golde, vous avez écrit :
> > CVE-2008-2040 was assigned to that, please mention the CVE
> > id in the changelog if you fix this bug.
>
> Do you have fix by the way ?
Currently writing one.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Romain Beauxis <toots@rastageeks.org>: Bug#478573; Package peercast.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Romain Beauxis <toots@rastageeks.org>.
(full text, mbox, link).
tags 478680 + patch
tags 478573 + patch
thanks
Hi,
attached is a patch to fix this issue.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Tags added: patch
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Wed, 30 Apr 2008 16:18:23 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Romain Beauxis <toots@rastageeks.org>: Bug#478573; Package peercast.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Romain Beauxis <toots@rastageeks.org>.
(full text, mbox, link).
Hi,
uploading 0-day NMU with maintainers permission.
debdiff attached and also archived on:
http://people.debian.org/~nion/nmu-diff/peercast-0.1218+svn20080104-1_0.1218+svn20080104-1.1.patch
Note, looking at the debdiff you will see that
dh_listpackages were added in some log files. I did not do
this, they are added automatically. Should be fixed in the
build system later :)
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Subject: Bug#478573: fixed in peercast 0.1218+svn20080104-1.1
Date: Fri, 02 May 2008 11:02:08 +0000
Source: peercast
Source-Version: 0.1218+svn20080104-1.1
We believe that the bug you reported is fixed in the latest version of
peercast, which is due to be installed in the Debian FTP archive:
peercast-handlers_0.1218+svn20080104-1.1_all.deb
to pool/main/p/peercast/peercast-handlers_0.1218+svn20080104-1.1_all.deb
peercast-servent_0.1218+svn20080104-1.1_all.deb
to pool/main/p/peercast/peercast-servent_0.1218+svn20080104-1.1_all.deb
peercast_0.1218+svn20080104-1.1.diff.gz
to pool/main/p/peercast/peercast_0.1218+svn20080104-1.1.diff.gz
peercast_0.1218+svn20080104-1.1.dsc
to pool/main/p/peercast/peercast_0.1218+svn20080104-1.1.dsc
peercast_0.1218+svn20080104-1.1_amd64.deb
to pool/main/p/peercast/peercast_0.1218+svn20080104-1.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 478573@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated peercast package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 02 May 2008 12:44:34 +0200
Source: peercast
Binary: peercast-servent peercast peercast-handlers
Architecture: source all amd64
Version: 0.1218+svn20080104-1.1
Distribution: unstable
Urgency: high
Maintainer: Romain Beauxis <toots@rastageeks.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
peercast - P2P audio and video streaming servent
peercast-handlers - P2P audio and video streaming handlers
peercast-servent - P2P audio and video streaming servent (dummy package)
Closes: 478573
Changes:
peercast (0.1218+svn20080104-1.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* This update addresses the following security issue:
- CVE-2008-2040: stack-based buffer overfow in the
HTTP::getAuthUserPass function leading to remote DoS
or arbitrary code execution if peercast is configured
to use http-basic authentication (Closes: #478573).
Checksums-Sha1:
9c44bc5d221a820b5c65dd45fec7594a4642b35c 1142 peercast_0.1218+svn20080104-1.1.dsc
edc177024da645e969838f61c56ce9c93e519e32 9956 peercast_0.1218+svn20080104-1.1.diff.gz
8ac38683d3a489c31584c04614c272e91da4b53d 3784 peercast-servent_0.1218+svn20080104-1.1_all.deb
529e8c1fca0ece55d8af14d6e9332bb0ce7bd270 6908 peercast-handlers_0.1218+svn20080104-1.1_all.deb
6bba22f7e8a28a2c0464e07825734c2633d07dd9 200278 peercast_0.1218+svn20080104-1.1_amd64.deb
Checksums-Sha256:
27bb594d4b66138131a53d6204e0fe4fcf690f943b4782395eaa8540fc08cb87 1142 peercast_0.1218+svn20080104-1.1.dsc
5cdcaac114a132202c6258603953fbdecb9f6941a8dc2431e577d9544406069a 9956 peercast_0.1218+svn20080104-1.1.diff.gz
5259ec71211bbb91b0bf7447bc50e074ca2a0e19362f57999e62489ee818a9ce 3784 peercast-servent_0.1218+svn20080104-1.1_all.deb
4713b8d72e5afbcc48f5f849442b3c14aee4206193e8f687101354cf6dfc175a 6908 peercast-handlers_0.1218+svn20080104-1.1_all.deb
c7bd5525327058b207702ea36dc12decd8cd95b1b184cbf1fdea7e5e6d3ba56f 200278 peercast_0.1218+svn20080104-1.1_amd64.deb
Files:
31301f18409e31ddac40f89dc8ac2b3f 1142 sound optional peercast_0.1218+svn20080104-1.1.dsc
98cbcc57586e3c39488adbd075d71908 9956 sound optional peercast_0.1218+svn20080104-1.1.diff.gz
cfd41041fb026aed4240214017c14c88 3784 sound optional peercast-servent_0.1218+svn20080104-1.1_all.deb
a54955b37b0205e005bbbb93efac0164 6908 sound optional peercast-handlers_0.1218+svn20080104-1.1_all.deb
3c7c94e943a2f5ebeb7b3835a6ebf009 200278 sound optional peercast_0.1218+svn20080104-1.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIGvNRHYflSXNkfP8RAn8wAKCi22X2JDvzM4VTVEctcccqskhKmgCfUTuO
wRlEneLrE9SIy9zUZTFcaWA=
=5cuj
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Romain Beauxis <toots@rastageeks.org>: Bug#478573; Package peercast.
(full text, mbox, link).
Acknowledgement sent to Takuo Kitame <kitame@debian.org>:
Extra info received and forwarded to list. Copy sent to Romain Beauxis <toots@rastageeks.org>.
(full text, mbox, link).
Subject: Bug#478573: fixed in peercast 0.1217.toots.20060314-1etch1
Date: Thu, 05 Jun 2008 07:52:23 +0000
Source: peercast
Source-Version: 0.1217.toots.20060314-1etch1
We believe that the bug you reported is fixed in the latest version of
peercast, which is due to be installed in the Debian FTP archive:
libpeercast0-dev_0.1217.toots.20060314-1etch1_amd64.deb
to pool/main/p/peercast/libpeercast0-dev_0.1217.toots.20060314-1etch1_amd64.deb
libpeercast0_0.1217.toots.20060314-1etch1_amd64.deb
to pool/main/p/peercast/libpeercast0_0.1217.toots.20060314-1etch1_amd64.deb
peercast-handlers_0.1217.toots.20060314-1etch1_all.deb
to pool/main/p/peercast/peercast-handlers_0.1217.toots.20060314-1etch1_all.deb
peercast-servent_0.1217.toots.20060314-1etch1_amd64.deb
to pool/main/p/peercast/peercast-servent_0.1217.toots.20060314-1etch1_amd64.deb
peercast_0.1217.toots.20060314-1etch1.diff.gz
to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch1.diff.gz
peercast_0.1217.toots.20060314-1etch1.dsc
to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch1.dsc
peercast_0.1217.toots.20060314-1etch1_amd64.deb
to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 478573@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Romain Beauxis <toots@rastageeks.org> (supplier of updated peercast package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 18 May 2008 03:28:44 +0200
Source: peercast
Binary: libpeercast0 peercast-handlers peercast-servent peercast libpeercast0-dev
Architecture: source amd64 all
Version: 0.1217.toots.20060314-1etch1
Distribution: stable-security
Urgency: low
Maintainer: Romain Beauxis <toots@rastageeks.org>
Changed-By: Romain Beauxis <toots@rastageeks.org>
Description:
libpeercast0 - P2P audio and video streaming server libraries
libpeercast0-dev - P2P audio and video streaming server -- development
peercast - P2P audio and video streaming server metapackage
peercast-handlers - P2P audio and video streaming handlers
peercast-servent - P2P audio and video streaming servent
Closes: 478573
Changes:
peercast (0.1217.toots.20060314-1etch1) stable-security; urgency=low
.
* Fixed CVE-2008-2040:
| stack-based buffer overfow in the
| HTTP::getAuthUserPass function leading
| to remote DoS or arbitrary code execution
| if peercast is configured to use http-basic
| authentication
Closes: #478573
Thanks to Nico Golde <nion@debian.org> for reporting and fixing
the issue.
Files:
10e545471f649cd37409dc9cbfd7960a 1070 sound optional peercast_0.1217.toots.20060314-1etch1.dsc
c7fc173230621f05137a6420a48b3347 7458 sound optional peercast_0.1217.toots.20060314-1etch1.diff.gz
ac385ad05a69ba429c2e300920ff1192 6828 sound optional peercast-handlers_0.1217.toots.20060314-1etch1_all.deb
0a0bd5ef6f4c6632d3f904100474f66a 2924 sound optional peercast_0.1217.toots.20060314-1etch1_amd64.deb
d42cf469c93a79a328d7e8e31bc9c90c 50774 sound optional peercast-servent_0.1217.toots.20060314-1etch1_amd64.deb
2378fddac9eea542ee891cb96d77b8d4 172136 libs optional libpeercast0_0.1217.toots.20060314-1etch1_amd64.deb
53638a13906e1599c5938d067ffe729b 323944 libdevel optional libpeercast0-dev_0.1217.toots.20060314-1etch1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBSDLETgC5aaocqV0ZAQIWmgf/Y3afdxpaURG/frqBCDTdqs5Bw2RD5GRJ
VqeCaWerXVnYAODF+Ao3nWfz5mpB4kZCwKLaaymONyX/0O14Yl4y3URJTAHjZxyr
ci8Vq8MGHwiOWUxLfbkBgf+eNtuXK6MN/lobPcAICusFgwz0ttDDfaqpvwF24kWM
534PxFdNbwofEMlY6XloJdf0N3X7NUwrWGx1ei4N66HH5KX4Ckycs1qdRsFqCsCo
2lcB1ew23byijfe4JlpX3ZAY1vUDBZSqDl9wEroZh5LIuih6XBnmAsy/RcEj8Do3
FgewdgSwsOfWiI9neYmM17+o01XQpSfjmlindHFPNwnK2BS5nw9JxQ==
=s9DG
-----END PGP SIGNATURE-----
Reply sent to Romain Beauxis <toots@rastageeks.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Subject: Bug#478573: fixed in peercast 0.1217.toots.20060314-1etch1
Date: Sat, 26 Jul 2008 09:57:49 +0000
Source: peercast
Source-Version: 0.1217.toots.20060314-1etch1
We believe that the bug you reported is fixed in the latest version of
peercast, which is due to be installed in the Debian FTP archive:
libpeercast0-dev_0.1217.toots.20060314-1etch1_amd64.deb
to pool/main/p/peercast/libpeercast0-dev_0.1217.toots.20060314-1etch1_amd64.deb
libpeercast0_0.1217.toots.20060314-1etch1_amd64.deb
to pool/main/p/peercast/libpeercast0_0.1217.toots.20060314-1etch1_amd64.deb
peercast-handlers_0.1217.toots.20060314-1etch1_all.deb
to pool/main/p/peercast/peercast-handlers_0.1217.toots.20060314-1etch1_all.deb
peercast-servent_0.1217.toots.20060314-1etch1_amd64.deb
to pool/main/p/peercast/peercast-servent_0.1217.toots.20060314-1etch1_amd64.deb
peercast_0.1217.toots.20060314-1etch1.diff.gz
to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch1.diff.gz
peercast_0.1217.toots.20060314-1etch1.dsc
to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch1.dsc
peercast_0.1217.toots.20060314-1etch1_amd64.deb
to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 478573@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Romain Beauxis <toots@rastageeks.org> (supplier of updated peercast package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 18 May 2008 03:28:44 +0200
Source: peercast
Binary: libpeercast0 peercast-handlers peercast-servent peercast libpeercast0-dev
Architecture: source amd64 all
Version: 0.1217.toots.20060314-1etch1
Distribution: stable-security
Urgency: low
Maintainer: Romain Beauxis <toots@rastageeks.org>
Changed-By: Romain Beauxis <toots@rastageeks.org>
Description:
libpeercast0 - P2P audio and video streaming server libraries
libpeercast0-dev - P2P audio and video streaming server -- development
peercast - P2P audio and video streaming server metapackage
peercast-handlers - P2P audio and video streaming handlers
peercast-servent - P2P audio and video streaming servent
Closes: 478573
Changes:
peercast (0.1217.toots.20060314-1etch1) stable-security; urgency=low
.
* Fixed CVE-2008-2040:
| stack-based buffer overfow in the
| HTTP::getAuthUserPass function leading
| to remote DoS or arbitrary code execution
| if peercast is configured to use http-basic
| authentication
Closes: #478573
Thanks to Nico Golde <nion@debian.org> for reporting and fixing
the issue.
Files:
10e545471f649cd37409dc9cbfd7960a 1070 sound optional peercast_0.1217.toots.20060314-1etch1.dsc
c7fc173230621f05137a6420a48b3347 7458 sound optional peercast_0.1217.toots.20060314-1etch1.diff.gz
ac385ad05a69ba429c2e300920ff1192 6828 sound optional peercast-handlers_0.1217.toots.20060314-1etch1_all.deb
0a0bd5ef6f4c6632d3f904100474f66a 2924 sound optional peercast_0.1217.toots.20060314-1etch1_amd64.deb
d42cf469c93a79a328d7e8e31bc9c90c 50774 sound optional peercast-servent_0.1217.toots.20060314-1etch1_amd64.deb
2378fddac9eea542ee891cb96d77b8d4 172136 libs optional libpeercast0_0.1217.toots.20060314-1etch1_amd64.deb
53638a13906e1599c5938d067ffe729b 323944 libdevel optional libpeercast0-dev_0.1217.toots.20060314-1etch1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBSDLETgC5aaocqV0ZAQIWmgf/Y3afdxpaURG/frqBCDTdqs5Bw2RD5GRJ
VqeCaWerXVnYAODF+Ao3nWfz5mpB4kZCwKLaaymONyX/0O14Yl4y3URJTAHjZxyr
ci8Vq8MGHwiOWUxLfbkBgf+eNtuXK6MN/lobPcAICusFgwz0ttDDfaqpvwF24kWM
534PxFdNbwofEMlY6XloJdf0N3X7NUwrWGx1ei4N66HH5KX4Ckycs1qdRsFqCsCo
2lcB1ew23byijfe4JlpX3ZAY1vUDBZSqDl9wEroZh5LIuih6XBnmAsy/RcEj8Do3
FgewdgSwsOfWiI9neYmM17+o01XQpSfjmlindHFPNwnK2BS5nw9JxQ==
=s9DG
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 16 Feb 2009 08:30:55 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.