
List:       oss-security
Subject:    Re: [oss-security] ircd-hybrid: Denial of service vulnerability in hostmask.c:try_parse_v4_netmask()
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-01-29 21:08:21
Message-ID: 51083A45.208 () redhat ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/29/2013 08:37 AM, Henri Salo wrote:
> Mr. Bob Nomnomnom from Torland reported a denial of service
> security vulnerability in ircd-hybrid. Function
> hostmask.c:try_parse_v4_netmask() is using strtoul to parse masks.
> Documentation says strtoul can parse "-number" as well. Validation
> of input does not catch evil bits. I can give proof of concept if
> needed.
> 
> Fixed in commit:
> http://svn.ircd-hybrid.org:8000/viewcvs.cgi/ircd-hybrid/trunk/src/hostmask.c?r1=1786&r2=1785&pathrev=1786
>
> Fixed in: ircd-hybrid 8.0.6
>
> I have requested CVE identifier for this vulnerability in another
> email to Kurt. Other ircds are using the same code. Consider this
> email as official advisory. I tried to embargo this issue, but the
> commit is out already.

Ah yeah, sorry, dealing with Ruby the last little while. I was going to
reply to you to post this publicly on oss-sec =)

Please use CVE-2013-0238 for this issue.

> Program received signal SIGSEGV, Segmentation fault.
> 0x000000000041c799 in try_parse_v4_netmask (text=<value optimized out>, addr=0x113e270, b=0x113e2f8) at hostmask.c:229
> 229     addb[bits / 8] &= ~((1 << (8 - bits % 8)) - 1);
> 
> -- Henri Salo
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

-----END PGP SIGNATURE-----
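
Added example, not part of the original message and not ircd-hybrid's code: the strtoul() behaviour described in the quoted report, next to a strict prefix-length parse that keeps the index in the `addb[bits / 8]` statement in range. The function names and the shape of the naive check are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed check shape (illustration, not ircd-hybrid's code): strtoul()
 * result stored in an int, only the upper bound tested. 1 = accepted. */
int naive_bits(const char *s, int *bits)
{
    char *end;
    *bits = (int)strtoul(s, &end, 10); /* "-200" narrows to a negative int */
    return *end == '\0' && *bits <= 32;
}

/* Strict parse: a leading non-digit ("", "-5", "+5", " 5") fails before
 * strtoul() runs; then overflow, trailing bytes and range are checked. */
int strict_bits(const char *s, int *bits)
{
    char *end;
    unsigned long v;
    if (!isdigit((unsigned char)s[0]))
        return 0;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > 32)
        return 0;
    *bits = (int)v;
    return 1;
}

/* Clear the host bits of a 4-byte address; 0 <= bits <= 32 keeps i in 0..4. */
int mask_v4(unsigned char addb[4], const char *prefix)
{
    int bits, i;
    if (!strict_bits(prefix, &bits))
        return 0;
    i = bits / 8;
    if (i < 4)
        addb[i++] &= (unsigned char)~((1u << (8 - bits % 8)) - 1);
    while (i < 4)
        addb[i++] = 0;
    return 1;
}

int main(void)
{
    int b, ok = naive_bits("-200", &b);
    printf("naive: accepted=%d bits=%d; strict: accepted=%d\n", ok, b, strict_bits("-200", &b));
    return 0;
}
```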