ports/117746: CVE-2007-5226 dircproxy segfault on blank /me

Michael Moll kvedulv at kvedulv.de
Thu Nov 1 16:40:01 UTC 2007


>Number:         117746
>Category:       ports
>Synopsis:       CVE-2007-5226 dircproxy segfault on blank /me
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 01 16:40:00 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Michael Moll
>Release:        6.2-RELEASE
>Organization:
The kvedulv.de internet-project
>Environment:
FreeBSD darkthrone.kvedulv.de 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Tue Jan 23 20:18:03 CET 2007     mmoll at darkthrone.kvedulv.de:/usr/obj/usr/src/sys/DARKTHRONE  sparc64
>Description:
I use dircproxy 1.20-beta2. When it receives a blank "/me" it crashes, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5226
https://bugzilla.redhat.com/show_bug.cgi?id=319301
http://dircproxy.securiweb.net/ticket/89
>How-To-Repeat:
Send a blank "/me" to a channel and watch the EOFs of people with unpatched clients
>Fix:
I attached the fix for 1.2.0 taken from Red Hat's Bugzilla.
A fix for 1.0.5 is available here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=nmu.patch;att=1;bug=445883

Patch attached with submission follows:

--- src/irc_server.c.orig	2006-10-07 23:07:08.000000000 +0200
+++ src/irc_server.c	2007-11-01 17:22:13.000000000 +0100
@@ -1155,7 +1155,7 @@
       
         if (!strcmp(cmsg.cmd, "ACTION")) {
           irclog_log(p, IRC_LOG_ACTION, logdest, msg.src.orig,
-                     "%s", cmsg.paramstarts[0]);
+          "%s", (cmsg.paramstarts != NULL) ? cmsg.paramstarts[0]: "none");
 
         } else if (!strcmp(cmsg.cmd, "DCC")
                    && p->conn_class->dcc_proxy_incoming) {
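Review bot: the guard added on the `+` line tests `cmsg.paramstarts != NULL`, i.e. the parameter-pointer array itself, not whether a first parameter was actually parsed; unless the parser guarantees that `paramstarts` is NULL exactly when the CTCP carried no text, `cmsg.paramstarts[0]` can still be read for a zero-parameter ACTION, so a check on the parsed parameter count (or additionally on `cmsg.paramstarts[0] != NULL`) would close the blank /me case more reliably. Two style points on the same line: the continuation no longer aligns under the opening parenthesis as the `-` line did, and `cmsg.paramstarts[0]: "none"` lacks the space before `:` used elsewhere; `cmsg.paramstarts[0] : "none"` on a line aligned with the `"%s"` argument would match the surrounding code. Also worth confirming that logging the literal word "none" is the intended record for an empty action, since an empty string would log the action as blank instead of as the text "none".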


>Release-Note:
>Audit-Trail:
>Unformatted:
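To make the failure mode in the description and the shape of the attached fix concrete, here is an added, self-contained example (not dircproxy's own code; the `ctcp_msg` struct, `ctcp_parse` and the two `action_text_*` helpers are constructed stand-ins for the message structure and the `irclog_log` call site): it parses a CTCP ACTION frame, shows that a blank /me yields zero parameters and a NULL `paramstarts[0]`, and contrasts the unchecked read with a count-guarded one.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the parsed CTCP message dircproxy logs from
 * (the real struct differs): the command word plus parameter start pointers. */
struct ctcp_msg {
    char cmd[16];            /* e.g. "ACTION" */
    char *paramstarts[4];    /* paramstarts[0] = text after the command, or NULL */
    int numparams;           /* 0 for a blank /me */
};

static char g_buf[512];      /* backing storage for the parsed copy */
static struct ctcp_msg g_msg;

/* Parse a CTCP frame such as "\001ACTION waves\001" into g_msg.
 * Returns 0 on success, -1 if the frame is not \001-delimited or is too long. */
static int ctcp_parse(const char *frame) {
    size_t len = strlen(frame);
    if (len < 2 || frame[0] != '\001' || frame[len - 1] != '\001' || len - 2 >= sizeof g_buf)
        return -1;
    memcpy(g_buf, frame + 1, len - 2);
    g_buf[len - 2] = '\0';
    memset(&g_msg, 0, sizeof g_msg);
    char *p = g_buf;
    size_t n = strcspn(p, " ");
    if (n == 0 || n >= sizeof g_msg.cmd) return -1;
    memcpy(g_msg.cmd, p, n);
    g_msg.cmd[n] = '\0';
    p += n;
    while (*p == ' ') p++;       /* "ACTION \001" and "ACTION\001" both end here */
    if (*p == '\0') return 0;    /* blank /me: numparams 0, paramstarts[0] NULL */
    g_msg.paramstarts[0] = p;    /* trailing text is treated as one parameter */
    g_msg.numparams = 1;
    return 0;
}

/* Unpatched shape of the logging call: reads paramstarts[0] unconditionally.
 * The NULL returned for a blank /me is what the "%s" in the log call then dereferences. */
static const char *action_text_unpatched(const char *frame) {
    if (ctcp_parse(frame) != 0) return NULL;
    return g_msg.paramstarts[0];
}

/* Hardened shape: check the parameter count before indexing, and fall back
 * to the same "none" placeholder the attached patch uses. */
static const char *action_text_patched(const char *frame) {
    if (ctcp_parse(frame) != 0) return NULL;
    return (g_msg.numparams > 0 && g_msg.paramstarts[0] != NULL) ? g_msg.paramstarts[0] : "none";
}
```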


