Debian Bug report logs - #595409
bip can be crashed remotely by unauthenticated users

version graph

Package: bip; Maintainer for bip is Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>; Source for bip is src:bip.

Reported by: Uli Schlachter <psychon@znc.in>

Date: Fri, 3 Sep 2010 18:24:01 UTC

Severity: grave

Tags: security

Found in versions 0.8.5, bip/0.8.5-1, bip/0.8.2-1

Fixed in versions bip/0.8.6-1, bip/0.8.2-1squeeze2

Done: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Arnaud Cornet <acornet@debian.org>:
Bug#595409; Package bip. (Fri, 03 Sep 2010 18:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Uli Schlachter <psychon@znc.in>:
New Bug report received and forwarded. Copy sent to Arnaud Cornet <acornet@debian.org>. (Fri, 03 Sep 2010 18:24:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Uli Schlachter <psychon@znc.in>
To: submit@bugs.debian.org
Cc: team@security.debian.org
Subject: bip can be crashed remotely by unauthenticated users
Date: Fri, 03 Sep 2010 20:15:58 +0200
Package: bip
Version: 0.8.2-1
Severity: grave
Tags: security

Unauthenticated users can easily cause a NULL pointer dereference in bip (bip is
listening at localhost:7778):

$ echo USER | telnet localhost 7778

<other window>

==25787== Process terminating with default action of signal 11 (SIGSEGV)
==25787==  Access not within mapped region at address 0x0
==25787==    at 0x11BE5C: bip_on_event (irc.c:2483)
==25787==    by 0x11BF4A: irc_main (irc.c:2554)
==25787==    by 0x113A97: main (bip.c:1316)

The NULL pointer dereference happens in this code:

    if (r == ERR_PROTOCOL) {
        mylog(LOG_ERROR, "[%s] Error in protocol, closing...",
                LINK(lc)->name);
        goto prot_err_lines;
    }

AFAIK this has been reported upstream. However, I haven't talked directly with
any bip developer about this so far.

Cheers,
Uli

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-proposed-updates'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bip depends on:
ii  adduser                       3.112      add and remove users and groups
ii  libc6                         2.11.2-2   Embedded GNU C Library: Shared lib
ii  libssl0.9.8                   0.9.8o-2   SSL shared libraries
ii  lsb-base                      3.2-23.1   Linux Standard Base 3.2 init scrip

bip recommends no packages.

bip suggests no packages.

-- Configuration Files:
/etc/bip.conf [Errno 13] Keine Berechtigung: u'/etc/bip.conf'

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Arnaud Cornet <acornet@debian.org>:
Bug#595409; Package bip. (Tue, 07 Sep 2010 19:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Uli Schlachter <psychon@znc.in>:
Extra info received and forwarded to list. Copy sent to Arnaud Cornet <acornet@debian.org>. (Tue, 07 Sep 2010 19:27:03 GMT) Full text and rfc822 format available.

Message #10 received at 595409@bugs.debian.org (full text, mbox):

From: Uli Schlachter <psychon@znc.in>
To: 595409@bugs.debian.org
Subject: Re: Bug#595409: Acknowledgement (bip can be crashed remotely by unauthenticated users)
Date: Tue, 07 Sep 2010 21:17:43 +0200
Hi,

I just found out that someone at redhat cares. This was assigned CVE-2010-3071.

http://seclists.org/oss-sec/2010/q3/276
http://seclists.org/oss-sec/2010/q3/289

Cheers,
Uli

-- 
- Buck, when, exactly, did you lose your mind?
- Three months ago. I woke up one morning married to a pineapple.
  An ugly pineapple... But I loved her




Bug Marked as found in versions 0.8.5. Request was from Sebastien Delafond <seb@debian.org> to control@bugs.debian.org. (Fri, 10 Sep 2010 09:18:05 GMT) Full text and rfc822 format available.

Bug Marked as found in versions bip/0.8.5-1. Request was from Sebastien Delafond <seb@debian.org> to control@bugs.debian.org. (Fri, 10 Sep 2010 09:21:04 GMT) Full text and rfc822 format available.

Reply sent to Arnaud Cornet <acornet@debian.org>:
You have taken responsibility. (Sun, 12 Sep 2010 17:18:12 GMT) Full text and rfc822 format available.

Notification sent to Uli Schlachter <psychon@znc.in>:
Bug acknowledged by developer. (Sun, 12 Sep 2010 17:18:12 GMT) Full text and rfc822 format available.

Message #19 received at 595409-close@bugs.debian.org (full text, mbox):

From: Arnaud Cornet <acornet@debian.org>
To: 595409-close@bugs.debian.org
Subject: Bug#595409: fixed in bip 0.8.6-1
Date: Sun, 12 Sep 2010 17:17:06 +0000
Source: bip
Source-Version: 0.8.6-1

We believe that the bug you reported is fixed in the latest version of
bip, which is due to be installed in the Debian FTP archive:

bip_0.8.6-1.debian.tar.gz
  to main/b/bip/bip_0.8.6-1.debian.tar.gz
bip_0.8.6-1.dsc
  to main/b/bip/bip_0.8.6-1.dsc
bip_0.8.6-1_amd64.deb
  to main/b/bip/bip_0.8.6-1_amd64.deb
bip_0.8.6.orig.tar.gz
  to main/b/bip/bip_0.8.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 595409@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arnaud Cornet <acornet@debian.org> (supplier of updated bip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 12 Sep 2010 17:58:22 +0100
Source: bip
Binary: bip
Architecture: source amd64
Version: 0.8.6-1
Distribution: unstable
Urgency: low
Maintainer: Arnaud Cornet <acornet@debian.org>
Changed-By: Arnaud Cornet <acornet@debian.org>
Description: 
 bip        - multiuser irc proxy with conversation replay and more
Closes: 595409
Changes: 
 bip (0.8.6-1) unstable; urgency=low
 .
   * New upstream release (Closes: #595409).
Checksums-Sha1: 
 fb9545daefd994c8298c361af0b333db44c52c8b 997 bip_0.8.6-1.dsc
 6568154bc1b616f69705e63ade3b77bf5d4de988 220246 bip_0.8.6.orig.tar.gz
 a3c2872bba6ec5725c35b3444bc855f32e64d374 8201 bip_0.8.6-1.debian.tar.gz
 1c7acdad10761b0262a507c1103cd160c16a8839 151108 bip_0.8.6-1_amd64.deb
Checksums-Sha256: 
 5586686109d9914d799bde15c85b88093b3394ce42fa2c10d7542175c22ac449 997 bip_0.8.6-1.dsc
 a488060858a9f257d3a07e632162a8f7df79a002915cdb629082d191917762fe 220246 bip_0.8.6.orig.tar.gz
 0c774fad9bcbf2f22f0c74fdfd9f64202cc952f0b089ece2459609086976b85e 8201 bip_0.8.6-1.debian.tar.gz
 75f36e36e805b383e7a8eccd694bd5446d60a47e81d55113588a0044ae748c4a 151108 bip_0.8.6-1_amd64.deb
Files: 
 c37585a21802e0282af704418fd0c6bd 997 net optional bip_0.8.6-1.dsc
 a6026d6da8587220332b2f96a7385fc9 220246 net optional bip_0.8.6.orig.tar.gz
 baf03e72e19cad34ec462618282ae0cd 8201 net optional bip_0.8.6-1.debian.tar.gz
 f49912b8aa0bb4316a642a63a33c8cce 151108 net optional bip_0.8.6-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyNBy8ACgkQsk+dgCIlhI5eAQCeMAECtoYTM6kQ1oAnyyfEkChB
XE0AoI1UxJ2oazBLNYGdqxe3ROthS0dc
=a9M/
-----END PGP SIGNATURE-----





Reply sent to Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>:
You have taken responsibility. (Wed, 22 Sep 2010 08:36:04 GMT) Full text and rfc822 format available.

Notification sent to Uli Schlachter <psychon@znc.in>:
Bug acknowledged by developer. (Wed, 22 Sep 2010 08:36:04 GMT) Full text and rfc822 format available.

Message #24 received at 595409-close@bugs.debian.org (full text, mbox):

From: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
To: 595409-close@bugs.debian.org
Subject: Bug#595409: fixed in bip 0.8.2-1squeeze2
Date: Wed, 22 Sep 2010 08:32:50 +0000
Source: bip
Source-Version: 0.8.2-1squeeze2

We believe that the bug you reported is fixed in the latest version of
bip, which is due to be installed in the Debian FTP archive:

bip_0.8.2-1squeeze2.diff.gz
  to main/b/bip/bip_0.8.2-1squeeze2.diff.gz
bip_0.8.2-1squeeze2.dsc
  to main/b/bip/bip_0.8.2-1squeeze2.dsc
bip_0.8.2-1squeeze2_amd64.deb
  to main/b/bip/bip_0.8.2-1squeeze2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 595409@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr> (supplier of updated bip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 13 Sep 2010 01:06:26 +0200
Source: bip
Binary: bip
Architecture: source amd64
Version: 0.8.2-1squeeze2
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
Changed-By: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
Description: 
 bip        - multiuser irc proxy with conversation replay and more
Closes: 595409
Changes: 
 bip (0.8.2-1squeeze2) testing-proposed-updates; urgency=low
 .
   * New maintainer (with Nohar's blessing).
   * Fix CVE-2010-3071: null pointer deference (remote DoS). (Closes: #595409)
Checksums-Sha1: 
 ef9be86ea8b79db80b6fb97da9266b2084469ff9 1074 bip_0.8.2-1squeeze2.dsc
 2b8f01e59e1ab32dd7c5a65611bd43c5db469b2f 8183 bip_0.8.2-1squeeze2.diff.gz
 e90e0f1640b2b0a0736a10f1e0380f313dd16266 146066 bip_0.8.2-1squeeze2_amd64.deb
Checksums-Sha256: 
 edce5f4dac20bbcbe9915eaf28e3b88ba2b400816c8c6409deb15c05e5c2df48 1074 bip_0.8.2-1squeeze2.dsc
 5ef84f99ab24f0f68fc21011118b68f480183bffe95d03208f0e3f094716031a 8183 bip_0.8.2-1squeeze2.diff.gz
 8b8128cd3f36c130ad41f81cb0102fbf07a90097f8e2d8b55679d93ea8292679 146066 bip_0.8.2-1squeeze2_amd64.deb
Files: 
 940e9245094b8c4f360829373a4967aa 1074 net optional bip_0.8.2-1squeeze2.dsc
 77c2348613f8b93d4a5101364fa24b41 8183 net optional bip_0.8.2-1squeeze2.diff.gz
 c19cd033c8434a4d741cdd2f03fb164e 146066 net optional bip_0.8.2-1squeeze2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyZumMACgkQsk+dgCIlhI6Y2QCeJRyGcLLweOLlIzjhppx8BWAq
AJYAmwaParo9GlkhFBVumVg0k8yoDm2I
=g0CZ
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 21 Oct 2010 07:30:40 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:54:16 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.