Security fix (until maintainer commits proper update):
A buffer overflow vulnerability exists in ircd that allows a remote attacker to crash the ircd server, thus causing a denial of service condition.
This commit is contained in:
parent
f60aece3cd
commit
cda0e2df62
@ -1,13 +1,13 @@
|
|||||||
# $OpenBSD: Makefile,v 1.23 2003/05/12 18:02:44 sturm Exp $
|
# $OpenBSD: Makefile,v 1.24 2003/11/11 15:17:34 margarida Exp $
|
||||||
# $FreeBSD: Makefile,v 1.19 1998/12/09 20:15:29 billf Exp $
|
# $FreeBSD: Makefile,v 1.19 1998/12/09 20:15:29 billf Exp $
|
||||||
|
|
||||||
COMMENT= "internet relay chat (irc) server"
|
COMMENT= "internet relay chat (irc) server"
|
||||||
|
|
||||||
DISTNAME= irc2.10.3p1
|
DISTNAME= irc2.10.3p1
|
||||||
PKGNAME= irc-2.10.3p1
|
PKGNAME= irc-2.10.3p1p1
|
||||||
CATEGORIES= net
|
CATEGORIES= net
|
||||||
|
|
||||||
MASTER_SITES= ftp://ftp.irc.org/irc/server/ \
|
MASTER_SITES= ftp://ftp.irc.org/irc/server/Old/ \
|
||||||
ftp://ftp.ntua.gr/pub/net/irc/server/
|
ftp://ftp.ntua.gr/pub/net/irc/server/
|
||||||
EXTRACT_SUFX= .tgz
|
EXTRACT_SUFX= .tgz
|
||||||
|
|
||||||
|
53
net/irc/patches/patch-ircd_channel_c
Normal file
53
net/irc/patches/patch-ircd_channel_c
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
$OpenBSD: patch-ircd_channel_c,v 1.1 2003/11/11 15:17:34 margarida Exp $
|
||||||
|
--- ircd/channel.c.orig 2000-06-06 23:34:27.000000000 +0100
|
||||||
|
+++ ircd/channel.c 2003-11-09 00:03:46.000000000 +0000
|
||||||
|
@@ -1966,7 +1966,7 @@ char *parv[];
|
||||||
|
Reg Link *lp;
|
||||||
|
Reg aChannel *chptr;
|
||||||
|
Reg char *name, *key = NULL;
|
||||||
|
- int i, flags = 0;
|
||||||
|
+ int i, tmplen, flags = 0;
|
||||||
|
char *p = NULL, *p2 = NULL, *s, chop[5];
|
||||||
|
|
||||||
|
if (parc < 2 || *parv[1] == '\0')
|
||||||
|
@@ -2115,10 +2115,20 @@ char *parv[];
|
||||||
|
parv[0]), name);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
+ tmplen = strlen(name);
|
||||||
|
+ if (i + tmplen + 2 /* comma and \0 */
|
||||||
|
+ >= sizeof(jbuf) )
|
||||||
|
+ {
|
||||||
|
+
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ }
|
||||||
|
if (*jbuf)
|
||||||
|
- (void)strcat(jbuf, ",");
|
||||||
|
- (void)strncat(jbuf, name, sizeof(jbuf) - i - 1);
|
||||||
|
- i += strlen(name)+1;
|
||||||
|
+ {
|
||||||
|
+ jbuf[i++] = ',';
|
||||||
|
+ }
|
||||||
|
+ (void)strcpy(jbuf + i, name);
|
||||||
|
+ i += tmplen;
|
||||||
|
}
|
||||||
|
|
||||||
|
p = NULL;
|
||||||
|
@@ -2270,6 +2280,16 @@ char *parv[];
|
||||||
|
parv[0], name, chop);
|
||||||
|
else if (*chptr->chname != '&')
|
||||||
|
{
|
||||||
|
+ /* ":" (1) "nick" (NICKLEN) " JOIN :" (7), comma (1)
|
||||||
|
+ ** possible chop (4), ending \r\n\0 (3) = 16
|
||||||
|
+ ** must fit in the cbuf as well! --B. */
|
||||||
|
+ if (strlen(cbuf) + strlen(name) + NICKLEN + 16
|
||||||
|
+ >= sizeof(cbuf))
|
||||||
|
+ {
|
||||||
|
+ sendto_serv_butone(cptr, ":%s JOIN :%s",
|
||||||
|
+ parv[0], cbuf);
|
||||||
|
+ cbuf[0] = '\0';
|
||||||
|
+ }
|
||||||
|
if (*cbuf)
|
||||||
|
strcat(cbuf, ",");
|
||||||
|
strcat(cbuf, name);
|
Loading…
Reference in New Issue
Block a user