Re: Charybdis: Improper assumptions in the server handshake code may lead to a remote crash

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/31/2012 02:57 PM, Mustapha Rabiu wrote:
> Hi.
>
>
> Can we get a CVE for the following
>
> --
>
> Access vector: network Access complexity: low Authentication
> requirement: none
>
> Confidentiality impact: none Integrity impact: none Availability
> impact: complete
>
> CVSSv2 temporal score: 6.4
>
> Exploitability: functional exploit exists Remediation level:
> official fix Report confidence: confirmed
>
> Summary:
>
> All versions of Charybdis are vulnerable to a remotely-triggered
> crash bug caused by code originating from ircd-ratbox 2.0.
> (Incidentally, this means all versions since ircd-ratbox 2.0 are
> also vulnerable.)
>
> The bug has to do with server capability negotiation.  A malformed
> request will trigger a crash due to invalid assumptions.
>
> Mitigation:
>
> A patch for all affected versions of ircd-ratbox and charybdis is
> available from the charybdis GIT repository: 
> https://github.com/atheme/charybdis/commit/ac0707aa61d9c20e9b09062294701567c9f41595.patch
>
>  To apply the patch, go to your IRCd source tree and run the
> following commands: $ patch -p1 <
> /path/to/downloaded/patchfile.patch $ make $ make install
>
> Then you may hotfix the IRCd by running /MODRESTART as a server
> admin.
>
> Details:
>
> In ratbox-2, the following code was added to m_capab.c: char *t =
> LOCAL_COPY(parv[i]);
>
> The other logic was then modified to make use of that
> stack-allocated buffer rather than the original.  LOCAL_COPY() is a
> macro which expands to alloca() and strlcpy(), and the bug
> effectively is caused by this expansion calling strlen(NULL).
>
>
> --
>
>
> Thanks.
>
>
> Mustapha Rabiu


Ah sorry just noticed this as well, repeating so it's not missed:

Please use CVE-2012-6084 for this issue.

Same as http://seclists.org/oss-sec/2012/q4/545


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ4os7AAoJEBYNRVNeJnmTKPYQAL1E+pwprii4USuJDVV+alk8
pmmPQqmUZXGy/hLG+RFBRvjyLTV8kZi/p5H+x3d2JZXPBDTexnaXckJSkE2ItDnt
iKB9ZCJWJF01DnViTmDycZsy69k7D2FvpfJdll6TySq5L8bnBL1kkc0eCSNql0/5
9kTeG4O8kGCgB/ouBSr22WhGKzfIHQL77pLf+P7PDLLJnfkIpQyA82F1WcpNiJLj
wcS2pUv6ycHxZpjLsucmOA2Pqz1waRTyEg8BTGQBJLQazFrjmy8hSLalNc0NLYGZ
0TwXSUI+rjYzRo/4lcwTIr+OnrhAyvUR5SZ5HX7bEq+R20POE+i1wOBXbyj65Vci
Z7uprd9Ky3UjEfxLzJRveEnRX7jYgPTLtYnNfRIQ/yfxqQxZ0csNTDTRcXHrixDt
6SOFPhFi+qA2+SQY3f/eNQK66x7z/7XD1nRLO7Xqp8MtFxX7ARr3I31G5tgRiqw9
NbNvLRc77jLFfAtz6bAgQa2MJGehGYWjtK4HEwiTVnURDByb0rMakZVsrBp8IpIE
yCNtEN5pCRTvRb4TT2DJyp1Nmfc9VIO5ubBt9Eg4SOEZ6D+XDD1/2BuagOtw6fbs
R/aASmpMmhPwNENLSnNJ6OXqX+YlhAoyDkaSR3vG1xjWW6F2Y+FTrJk0tkYOL2nk
eovf7/4p8AU1TAH+rzOJ
=zCqa
-----END PGP SIGNATURE-----