Hi, I'm preparing an upload related to this bug for squeeze. I know that 1.1.22 is considered old, but it is still in the squeeze archive, and no decision has been made to remove it. Anyway, it's a minor change, and the package is available for testing at: deb https://people.debian.org/~santiago/debian santiago-squeeze-lts/ If you agree, I can push a specific squeeze-lts and tagged version into the inspircd collab-maint repository. Cheers, Santiago
diff -u inspircd-1.1.22+dfsg/debian/changelog inspircd-1.1.22+dfsg/debian/changelog
--- inspircd-1.1.22+dfsg/debian/changelog
+++ inspircd-1.1.22+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+inspircd (1.1.22+dfsg-4+squeeze2~1) santiago-squeeze-lts; urgency=medium
+
+ * Non-maintainer upload by the Squeeze LTS team.
+ * CVE-2012-1836 was partially fixed. Update 05_CVE-2012-1836.dpatch by
+ importing 2.0.7 src/dns.cpp changes.
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net> Fri, 03 Jul 2015 11:29:49 +0200
+
 inspircd (1.1.22+dfsg-4+squeeze1) stable-security; urgency=low
 * Non-maintainer upload.
diff -u inspircd-1.1.22+dfsg/debian/patches/05_CVE-2012-1836.dpatch inspircd-1.1.22+dfsg/debian/patches/05_CVE-2012-1836.dpatch
--- inspircd-1.1.22+dfsg/debian/patches/05_CVE-2012-1836.dpatch
+++ inspircd-1.1.22+dfsg/debian/patches/05_CVE-2012-1836.dpatch
@@ -1,14 +1,16 @@
 #! /bin/sh /usr/share/dpatch/dpatch-run
 ## 05_CVE-2012-1836.dpatch by Jonathan Wiltshire <jmw@debian.org>
+## Updated on 2015-07-03 by Santiago R.R. to complete the fix
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
 ## DP: Protect against buffer overflow in src/dns.cpp
 ## DP: CVE-2012-1836 (#667914)
+## DP: CVE-2015-XXXX https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780880
 @DPATCH@
-diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' inspircd-1.1.22+dfsg~/src/dns.cpp inspircd-1.1.22+dfsg/src/dns.cpp
---- inspircd-1.1.22+dfsg~/src/dns.cpp 2012-04-07 23:14:55.000000000 +0100
-+++ inspircd-1.1.22+dfsg/src/dns.cpp 2012-04-07 23:16:01.292193775 +0100
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' inspircd~/src/dns.cpp inspircd/src/dns.cpp
+--- inspircd~/src/dns.cpp 2015-07-03 11:22:29.000000000 +0200
++++ inspircd/src/dns.cpp 2015-07-03 11:24:22.355860009 +0200
@@ -45,6 +45,8 @@
 using irc::sockets::OpenTCPSocket;
 using irc::sockets::NonBlocking;
@@ -54,7 +56,16 @@
 ResourceRecord rr;
 unsigned short ptr;
-@@ -875,17 +880,31 @@
+@@ -842,7 +847,7 @@
+ else i += header.payload[i] + 1; /* skip length and label */
+ }
+ }
+- if (length - i < 10)
++ if (static_cast<int>(length - i) < 10)
+ return std::make_pair((unsigned char*)NULL,"Incorrectly sized DNS reply");
+
+ /* XXX: We actually initialise 'rr' here including its ttl field */
+@@ -875,17 +880,37 @@
 switch (rr.type)
 {
@@ -64,6 +75,8 @@
 case DNS_QUERY_CNAME:
- /* CNAME and PTR have the same processing code */
 case DNS_QUERY_PTR:
++ {
++ unsigned short lowest_pos = length;
 o = 0;
 q = 0;
 while (q == 0 && i < length && o + 256 < 1023)
@@ -77,18 +90,22 @@
+ i = ntohs(ptr);
+
+ /* check that highest two bits are set. if not, we've been had */
-+ if (!(i & DN_COMP_BITMASK))
++ if ((i & DN_COMP_BITMASK) != DN_COMP_BITMASK)
+ return std::make_pair((unsigned char *) NULL, "DN label decompression header is bogus");
+
+ /* mask away the two highest bits. */
+ i &= ~DN_COMP_BITMASK;
+
+ /* and decrease length by 12 bytes. */
-+ i =- 12;
++ i -= 12;
++
++ if (i >= lowest_pos)
++ return std::make_pair((unsigned char *) NULL, "Invalid decompression pointer");
++ lowest_pos = i;
 }
 else
 {
-@@ -898,7 +917,11 @@
+@@ -898,25 +923,35 @@
 res[o] = 0;
 if (o != 0)
 res[o++] = '.';
@@ -101,8 +118,10 @@
 o += header.payload[i];
 i += header.payload[i] + 1;
 }
-@@ -907,16 +930,21 @@
+ }
+ }
 res[o] = 0;
++ }
 break;
 case DNS_QUERY_AAAA:
+ if (rr.rdlength != sizeof(struct in6_addr))
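Review bot: The new `## DP:` line in the dpatch header cites `CVE-2015-XXXX`, a placeholder, so the shipped patch metadata would point at an identifier that does not exist. Replace it with the assigned id before upload, or keep only the bug reference until one is known, e.g. `## DP: Complete the CVE-2012-1836 fix by importing the 2.0.7 src/dns.cpp changes (#780880)`. The changelog entry in the first hunk names only CVE-2012-1836, so the two should be kept in agreement once the id is settled.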
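Review bot: In the `@@ -77,18 +90,22 @@` hunk the new `if (i >= lowest_pos)` guard only rejects an out-of-range compression offset if `i` is unsigned; `i` is declared outside the hunk, and if it is a signed int then an offset below 12 leaves `i` negative after `i -= 12;`, the comparison against the `unsigned short lowest_pos` promotes to int and passes, and whether the loop's `i < length` test then stops a negative `header.payload[i]` index depends on `length`'s type as well. Checking the masked offset before subtracting removes that dependence: `if (i < 12 || i - 12 >= lowest_pos) return std::make_pair((unsigned char *) NULL, "Invalid decompression pointer");` followed by `i -= 12;`. If `i` turns out to be unsigned in 1.1.22's dns.cpp, the wrap already lands above `lowest_pos` and a comment such as `/* i is unsigned: an offset below 12 wraps and is caught by the lowest_pos check */` would record why the order is safe. The enclosing function starts and ends outside the hunk.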