Security fix for CVE-2009-4016, "IRCD-hybrid 'LINKS' Command

Integer Underflow Vulnerability. tested and ok ajacoutot@
2010-02-01 09:23:33 +00:00 · 2010-02-01 09:23:33 +00:00 · 546caf8233
commit 546caf8233
parent f9c42b713d
5 changed files with 136 additions and 2 deletions
--- a/net/ircd-hybrid/Makefile
+++ b/net/ircd-hybrid/Makefile
@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.8 2010/01/26 13:02:06 landry Exp $
+# $OpenBSD: Makefile,v 1.9 2010/02/01 09:23:33 jasper Exp $

 SHARED_ONLY =	Yes
 COMMENT =	Internet Relay Chat server

 DISTNAME =	ircd-hybrid-7.2.3
-PKGNAME =	${DISTNAME}p6
+PKGNAME =	${DISTNAME}p7
 CATEGORIES =	net

 HOMEPAGE =	http://ircd-hybrid.com/
--- a/net/ircd-hybrid/patches/patch-contrib_spy_links_notice_c
+++ b/net/ircd-hybrid/patches/patch-contrib_spy_links_notice_c
@ -0,0 +1,22 @@
+$OpenBSD: patch-contrib_spy_links_notice_c,v 1.1 2010/02/01 09:23:33 jasper Exp $
+
+Security fix for CVE-2009-4016, "IRCD-hybrid 'LINKS' Command
+Integer Underflow Vulnerability.
+Patch from upstream svn, revision 1044.
+
+--- contrib/spy_links_notice.c.orig	Mon Feb  1 09:17:39 2010
+++ contrib/spy_links_notice.c	Mon Feb  1 09:18:16 2010
+@@ -61,10 +61,9 @@ show_links(va_list args)
+ 
+   if (IsClient(source_p))
+     sendto_realops_flags(UMODE_SPY, L_ALL,
+-                         "LINKS '%s' requested by %s (%s@%s) [%s]",
+-                         parv[1] ? parv[1] : "", source_p->name,
+-			 source_p->username, source_p->host,
+-			 source_p->servptr->name);
+                         "links requested by %s (%s@%s) [%s]",
+                         source_p->name, source_p->username,
+			 source_p->host, source_p->servptr->name);
+ 
+   return pass_callback(prev_hook, source_p, parc, parv);
+ }
--- a/net/ircd-hybrid/patches/patch-include_irc_string_h
+++ b/net/ircd-hybrid/patches/patch-include_irc_string_h
@ -0,0 +1,21 @@
+$OpenBSD: patch-include_irc_string_h,v 1.1 2010/02/01 09:23:33 jasper Exp $
+
+Security fix for CVE-2009-4016, "IRCD-hybrid 'LINKS' Command
+Integer Underflow Vulnerability.
+Patch from upstream svn, revision 1044.
+
+--- include/irc_string.h.orig	Mon Feb  1 09:18:40 2010
+++ include/irc_string.h	Mon Feb  1 09:18:55 2010
+@@ -99,12 +99,6 @@ extern char *basename(char *);
+ #endif
+ 
+ /*
+- * clean_string - cleanup control and high ascii characters
+- * -Dianora
+- */
+-extern char *clean_string(char *, const unsigned char *, size_t);
+-
+-/*
+  * strip_tabs - convert tabs to spaces
+  * - jdc
+  */
--- a/net/ircd-hybrid/patches/patch-modules_m_links_c
+++ b/net/ircd-hybrid/patches/patch-modules_m_links_c
@ -0,0 +1,36 @@
+$OpenBSD: patch-modules_m_links_c,v 1.1 2010/02/01 09:23:33 jasper Exp $
+
+Security fix for CVE-2009-4016, "IRCD-hybrid 'LINKS' Command
+Integer Underflow Vulnerability.
+Patch from upstream svn, revision 1044.
+
+--- modules/m_links.c.orig	Mon Feb  1 09:19:14 2010
+++ modules/m_links.c	Mon Feb  1 09:20:09 2010
+@@ -83,15 +83,11 @@ do_links(struct Client *source_p, int parc, char **par
+ {
+   if (IsOper(source_p) || !ConfigServerHide.flatten_links)
+   {
+-    char *mask = (parc > 2 ? parv[2] : parv[1]);
+    const char *mask = (parc > 2 ? parv[2] : parv[1]);
+     const char *me_name, *nick, *p;
+     struct Client *target_p;
+-    char clean_mask[2 * HOSTLEN + 4];
+     dlink_node *ptr;
+ 
+-    if (!EmptyString(mask))    /* only necessary if there is a mask */
+-      mask = collapse(clean_string(clean_mask, (const unsigned char*) mask, 2 * HOSTLEN));
+-
+     me_name = ID_or_name(&me, source_p->from);
+     nick = ID_or_name(source_p, source_p->from);
+ 
+@@ -162,8 +158,8 @@ m_links(struct Client *client_p, struct Client *source
+                me.name, source_p->name);
+     return;
+   }
+-  else
+-    last_used = CurrentTime;
+
+  last_used = CurrentTime;
+ 
+   if (!ConfigServerHide.flatten_links)
+   {
--- a/net/ircd-hybrid/patches/patch-src_irc_string_c
+++ b/net/ircd-hybrid/patches/patch-src_irc_string_c
@ -0,0 +1,55 @@
+$OpenBSD: patch-src_irc_string_c,v 1.1 2010/02/01 09:23:33 jasper Exp $
+
+Security fix for CVE-2009-4016, "IRCD-hybrid 'LINKS' Command
+Integer Underflow Vulnerability.
+Patch from upstream svn, revision 1044.
+
+--- src/irc_string.c.orig	Mon Feb  1 09:20:21 2010
+++ src/irc_string.c	Mon Feb  1 09:20:39 2010
+@@ -70,46 +70,6 @@ myctime(time_t value)
+ }
+ 
+ /*
+- * clean_string - clean up a string possibly containing garbage
+- *
+- * *sigh* Before the kiddies find this new and exciting way of 
+- * annoying opers, lets clean up what is sent to local opers
+- * -Dianora
+- */
+-char *
+-clean_string(char* dest, const unsigned char* src, size_t len)
+-{
+-  char* d    = dest; 
+-  assert(0 != dest);
+-  assert(0 != src);
+-
+-  if(dest == NULL || src == NULL)
+-    return NULL;
+-    
+-  len -= 3;  /* allow for worst case, '^A\0' */
+-
+-  while (*src && (len > 0))
+-  {
+-    if (*src & 0x80)             /* if high bit is set */
+-    {
+-      *d++ = '.';
+-      --len;
+-    }
+-    else if (!IsPrint(*src))       /* if NOT printable */
+-    {
+-      *d++ = '^';
+-      --len;
+-      *d++ = 0x40 + *src;   /* turn it into a printable */
+-    }
+-    else
+-      *d++ = *src;
+-    ++src, --len;
+-  }
+-  *d = '\0';
+-  return dest;
+-}
+-
+-/*
+  * strip_tabs(dst, src, length)
+  *
+  *   Copies src to dst, while converting all \t (tabs) into spaces.