[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] kgb-bot can be crashed by some network traffic
From:       Pierre Schweitzer <pierre () reactos ! org>
Date:       2015-01-28 20:05:36
Message-ID: 54C94110.2010609 () reactos ! org
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

This bug report is pretty unclear. What is the exact request sent to
allow such a crash? Does it bypass the password security?
Furthermore, due to its design, kgb-bot isn't supposed to be wide
open, but only restricted to kgb-client to send their commit messages.

Anyone with more information?

With my best regards,

On 28/01/2015 06:37, Kurt Seifried wrote:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776424
> 
> Source: kgb-bot Version: 1.33-2 Severity: important Tags: security
> 
> 2015.01.19 18:08:39: Listening on http://0.0.0.0:9999?session=KGB 
> 2015.01.19 18:08:43: Connected to freenode (holmes.freenode.net) 
> 2015.01.19 18:08:43: Joining #commits... 2015.01.19 18:08:43:
> Connected to oftc (graviton.oftc.net) 2015.01.19 18:08:43: Joining
> #ikiwiki #vcs-home #git-annex... Did not get DONE/CLOSE event for
> Wheel ID 73 from IP 222.186.34.155 at 
> /usr/share/perl5/POE/Component/Server/SimpleHTTP.pm line 221. I had
> a problem posting to event Got_Request of session SOAPServer for 
> DIR handler '.*'. As reported by Kernel: 'No such file or
> directory', perhaps the session name is spelled incorrectly for
> this handler? at /usr/share/perl5/POE/Session.pm line 483.
> 
> This has happened to me twice now, and it takes the bot down.
> 
> not sure how exploitable this is though.
> 


- -- 
Pierre Schweitzer <pierre at reactos.org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUyUEPAAoJEHVFVWw9WFsLP9MQALDNRlflvCrXFcBImcvoQMzf
rCxy0thnXAecRC4nDOvuT6e0t/kGAJR/0kPciCooPuneOiEBF7JYZkev5lZW1Ynh
RQVRIpAC4DeDjrs0tdGvs52wvJvoFp+IOZ0bf6OBUjGP65/K9CXva0l3UYRhr4lR
ayCCjVMu+iMDyJKwibH2zuP11u8TBpMgh1u5d+4PSPwjpB5sM3RrDNNKlaSnnfTM
/d9JNIqz5UH2Vh3AEfOhhai1/bXUD5z2p5/8lEgTnpKeKq79qSqWG8mVnMraErL5
IpD96aPWpM+p6drpVhRua5CL97EHx7azY5tfyHYQKNW/9uToYDSaFV2zcFdIQQaX
H/f8g+e/bSQtfR0zzr21xXIlozmffSYrADnUsR1G/O8vfRQv0dWupnb4FYNaOoII
9KvJRAo2bcY1ipk6vNDjxF1tH0lbWSrIfOwSfFxOfP3VaBoc64coF5ywiIpb8uEw
MaLyYAgJXv9PKxW57yuceEEDDD4GLjxeQw8k3WXJtL0860WcXleCXet60TRrIsy5
tJP8/CIkkqdeznbn+xUQaNUeuMuUxnIJdHcM4YPrTnro8IRm8HcHxkV/urDFsxo7
tLqa32ND6A3dpBmsaCh6007WcZKnG4Prw601zzG9R/1w3H13hTSfOk0m6N3sTkmo
2uAjP5sMf1RcED8WsyJx
=TNwF
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]