Debian Bug report logs - #550389
hybserv: misparsing when sent commands with tabs

Package: hybserv; Maintainer for hybserv is Dominic Hargreaves <dom@earth.li>; Source for hybserv is src:hybserv.

Reported by: Julien Cristau <jcristau@debian.org>

Date: Fri, 9 Oct 2009 19:15:02 UTC

Severity: grave

Tags: patch, security

Found in version hybserv/1.9.2-4

Fixed in versions hybserv/1.9.2-4.1, hybserv/1.9.2-4+lenny2, hybserv/1.9.2-4+etch1

Done: Steffen Joeris <white@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Aurélien GÉRÔME <ag@roxor.cx>:
Bug#550389; Package hybserv. (Fri, 09 Oct 2009 19:15:05 GMT)

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
New Bug report received and forwarded. Copy sent to Aurélien GÉRÔME <ag@roxor.cx>. (Fri, 09 Oct 2009 19:15:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: hybserv: misparsing when sent commands with tabs
Date: Fri, 9 Oct 2009 20:59:41 +0200
Package: hybserv
Version: 1.9.2-4
Severity: important
Tags: patch

Hi,

sending 'PRIVMSG memoserv :help \t' crashes hybserv.
GiveHelp is called with command="\t", so SplitBuf(command, &cav) at
helpserv.c:365 returns 0, and the next line calls strlcpy() with src ==
NULL.
I fixed this by replacing "while (*buf == ' ')" with "while
(IsSpace(*buf))" in mystring.c:145.  This way the first parsing in
ms_process() returns 1, and m_help() calls GiveHelp with command ==
NULL, avoiding the crash.
All of mystring.c, memoserv.c and helpserv.c seem to be unchanged
between 1.9.2 and 1.9.4 so I'm pretty sure it's not fixed in any
upstream release.

Cheers,
Julien

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
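
Added illustration, not part of the report and not hybserv's source: a simplified two-stage tokenizer in C that reproduces the behaviour described in the message above, where a space-only skip between tokens lets "\t" through as an argument that then re-splits to zero tokens. The names split_buf, handle_line and strict_ws and the tokenizer body are assumptions; the count check before the copy is an extra guard beyond the one-line change the report proposes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAXTOK 8

/* Constructed model of a tokenizer, not hybserv's SplitBuf(). Leading
 * whitespace is skipped with isspace(); the gap after each token uses a
 * space-only test unless strict_ws is set. Returns the token count. */
static int split_buf(char *buf, char *argv[MAXTOK], int strict_ws)
{
    int n = 0;
    while (isspace((unsigned char)*buf))
        buf++;
    while (*buf && n < MAXTOK) {
        argv[n++] = buf;
        buf += strcspn(buf, " ");        /* a token ends at the next space */
        if (*buf)
            *buf++ = '\0';
        while (strict_ws ? isspace((unsigned char)*buf) : *buf == ' ')
            buf++;
    }
    return n;
}

/* Two-stage dispatch: 1 = general help (no argument), 0 = topic copied,
 * -1 = argument re-splits to zero tokens. The count check before the copy
 * is the guard whose absence means copying from a NULL cav[0]. */
static int handle_line(const char *line, char *topic, size_t len, int strict_ws)
{
    char a[64], b[64], *av[MAXTOK] = {0}, *cav[MAXTOK] = {0};
    snprintf(a, sizeof a, "%s", line);
    if (split_buf(a, av, strict_ws) < 2)
        return 1;                        /* handler gets command == NULL */
    snprintf(b, sizeof b, "%s", av[1]);  /* second stage re-splits the argument */
    if (split_buf(b, cav, strict_ws) == 0)
        return -1;                       /* nothing to copy: reject */
    snprintf(topic, len, "%s", cav[0]);
    return 0;
}

int main(void)
{
    char t[32] = "";
    printf("space-only skip: %d, isspace skip: %d\n",
           handle_line("help \t", t, sizeof t, 0),
           handle_line("help \t", t, sizeof t, 1));
    return 0;
}
```

With the space-only skip the argument reaches the second stage and is rejected by the count check; with the isspace skip the first stage already sees a single token and takes the general-help path.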




Severity set to 'grave' from 'important' Request was from Steffen Joeris <white@debian.org> to control@bugs.debian.org. (Wed, 27 Jan 2010 22:36:04 GMT)

Added tag(s) security. Request was from Steffen Joeris <white@debian.org> to control@bugs.debian.org. (Wed, 27 Jan 2010 22:36:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Aurélien GÉRÔME <ag@roxor.cx>:
Bug#550389; Package hybserv. (Fri, 29 Jan 2010 13:39:03 GMT)

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Aurélien GÉRÔME <ag@roxor.cx>. (Fri, 29 Jan 2010 13:39:03 GMT)

Message #14 received at 550389@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 550389@bugs.debian.org
Subject: NMU patch
Date: Fri, 29 Jan 2010 14:35:33 +0100
Hi

Please find attached the NMU patch for this issue and an issue with open 
debconf file descriptors that left the postinst script hanging.

Cheers
Steffen
[hybserv-nmu.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Aurélien GÉRÔME <ag@roxor.cx>:
Bug#550389; Package hybserv. (Fri, 29 Jan 2010 13:45:06 GMT)

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Aurélien GÉRÔME <ag@roxor.cx>. (Fri, 29 Jan 2010 13:45:06 GMT)

Message #19 received at 550389@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 550389@bugs.debian.org
Cc: Julien Cristau <jcristau@debian.org>
Subject: CVE id
Date: Fri, 29 Jan 2010 14:42:11 +0100
Hi

For the record, this issue got CVE-2010-0303 assigned.

Cheers
Steffen

Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Fri, 29 Jan 2010 13:51:08 GMT)

Notification sent to Julien Cristau <jcristau@debian.org>:
Bug acknowledged by developer. (Fri, 29 Jan 2010 13:51:08 GMT)

Message #24 received at 550389-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 550389-close@bugs.debian.org
Subject: Bug#550389: fixed in hybserv 1.9.2-4.1
Date: Fri, 29 Jan 2010 13:47:41 +0000
Source: hybserv
Source-Version: 1.9.2-4.1

We believe that the bug you reported is fixed in the latest version of
hybserv, which is due to be installed in the Debian FTP archive:

hybserv_1.9.2-4.1.diff.gz
  to main/h/hybserv/hybserv_1.9.2-4.1.diff.gz
hybserv_1.9.2-4.1.dsc
  to main/h/hybserv/hybserv_1.9.2-4.1.dsc
hybserv_1.9.2-4.1_i386.deb
  to main/h/hybserv/hybserv_1.9.2-4.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 550389@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated hybserv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 29 Jan 2010 14:30:27 +0100
Source: hybserv
Binary: hybserv
Architecture: source i386
Version: 1.9.2-4.1
Distribution: unstable
Urgency: high
Maintainer: Aurélien GÉRÔME <ag@roxor.cx>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 hybserv    - IRC services for IRCD-Hybrid
Closes: 550389
Changes: 
 hybserv (1.9.2-4.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix DoS via commands with tabs (Closes: #550389)
     Fixes: CVE-2010-0303
   * Add db_stop into hybserv.postinst to avoid that the postinst script
     hangs due to open debconf file descriptors
     Thanks to Julien Cristau





Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Mon, 01 Feb 2010 20:04:21 GMT)

Notification sent to Julien Cristau <jcristau@debian.org>:
Bug acknowledged by developer. (Mon, 01 Feb 2010 20:04:21 GMT)

Message #29 received at 550389-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 550389-close@bugs.debian.org
Subject: Bug#550389: fixed in hybserv 1.9.2-4+lenny2
Date: Mon, 01 Feb 2010 19:52:36 +0000
Source: hybserv
Source-Version: 1.9.2-4+lenny2

We believe that the bug you reported is fixed in the latest version of
hybserv, which is due to be installed in the Debian FTP archive:

hybserv_1.9.2-4+lenny2.diff.gz
  to main/h/hybserv/hybserv_1.9.2-4+lenny2.diff.gz
hybserv_1.9.2-4+lenny2.dsc
  to main/h/hybserv/hybserv_1.9.2-4+lenny2.dsc
hybserv_1.9.2-4+lenny2_i386.deb
  to main/h/hybserv/hybserv_1.9.2-4+lenny2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 550389@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated hybserv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 29 Jan 2010 14:21:54 +0100
Source: hybserv
Binary: hybserv
Architecture: source i386
Version: 1.9.2-4+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Aurélien GÉRÔME <ag@roxor.cx>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 hybserv    - IRC services for IRCD-Hybrid
Closes: 550389
Changes: 
 hybserv (1.9.2-4+lenny2) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix DoS via commands with tabs (Closes: #550389)
     Fixes: CVE-2010-0303
   * Add db_stop to hybserv.postinst to make sure it doesn't hang due to
     the open file descriptors by debconf
     Thanks to Julien Cristau





Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Tue, 23 Feb 2010 20:00:24 GMT)

Notification sent to Julien Cristau <jcristau@debian.org>:
Bug acknowledged by developer. (Tue, 23 Feb 2010 20:00:24 GMT)

Message #34 received at 550389-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 550389-close@bugs.debian.org
Subject: Bug#550389: fixed in hybserv 1.9.2-4+etch1
Date: Tue, 23 Feb 2010 19:57:12 +0000
Source: hybserv
Source-Version: 1.9.2-4+etch1

We believe that the bug you reported is fixed in the latest version of
hybserv, which is due to be installed in the Debian FTP archive:

hybserv_1.9.2-4+etch1.diff.gz
  to main/h/hybserv/hybserv_1.9.2-4+etch1.diff.gz
hybserv_1.9.2-4+etch1.dsc
  to main/h/hybserv/hybserv_1.9.2-4+etch1.dsc
hybserv_1.9.2-4+etch1_i386.deb
  to main/h/hybserv/hybserv_1.9.2-4+etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 550389@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated hybserv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 29 Jan 2010 13:44:29 +0000
Source: hybserv
Binary: hybserv
Architecture: source i386
Version: 1.9.2-4+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Aurélien GÉRÔME <ag@roxor.cx>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 hybserv    - IRC services for IRCD-Hybrid
Closes: 550389
Changes: 
 hybserv (1.9.2-4+etch1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix DoS via commands with tabs (Closes: #550389)
     Fixes: CVE-2010-0303
   * Add db_stop to hybserv.postinst to avoid that the postinst script
     hangs due to open debconf file descriptors
     Thanks to Julien Cristau





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:42:46 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:08:41 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.