Bug#836706: certificate spoofing via crafted SASL messages

2016-09-06 Thread Guillaume Delacour

Please see attached the debdiff.
Also, please note that I can't upload myself to security-master as I'm
not a DD nor DM.

On 06/09/2016 at 00:02, Guillaume Delacour wrote:
> 
> 
> On 05/09/2016 at 22:41, James Lu wrote:
>> Hi,
> 
> Hi,
> 
>>
>> Just to narrow things down a bit, the relevant fix for InspIRCd 2.0 is
>> this commit
>> https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a
> 
> Yes, I've talked to upstream a few hours ago to include this particular
> fix to 2.0.17; upload of 2.0.23 will follow to unstable.
> 
>>
>> Best,
>> James
>>
> 

-- 
Guillaume Delacour


diff -Nru inspircd-2.0.17/debian/changelog inspircd-2.0.17/debian/changelog
--- inspircd-2.0.17/debian/changelog2016-03-22 19:31:22.0 +0100
+++ inspircd-2.0.17/debian/changelog2016-09-06 21:29:13.0 +0200
@@ -1,3 +1,10 @@
+inspircd (2.0.17-1+deb8u2) jessie-security; urgency=high
+
+  * m_sasl: don't allow AUTHENTICATE with mechanisms with a space
+(CVE-2016-7142)
+
+ -- Guillaume Delacour   Tue, 06 Sep 2016 01:58:19 +0200
+
 inspircd (2.0.17-1+deb8u1) jessie-security; urgency=high
 
   * Non-maintainer upload by the Wheezy LTS Team. 
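
Review bot: the new 2.0.17-1+deb8u2 entry does not reference the Debian bug this upload addresses; consider appending "(Closes: #836706)" to the item so the changelog links the fix to the report. The item text also mentions only mechanisms containing a space, while the shipped patch additionally rejects a first parameter starting with ':' and sets allow_empty_last_param to false; a short mention would make the changelog match the change.
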
diff -Nru inspircd-2.0.17/debian/patches/CVE-2016-7142.patch 
inspircd-2.0.17/debian/patches/CVE-2016-7142.patch
--- inspircd-2.0.17/debian/patches/CVE-2016-7142.patch  1970-01-01 
01:00:00.0 +0100
+++ inspircd-2.0.17/debian/patches/CVE-2016-7142.patch  2016-09-06 
21:29:13.0 +0200
@@ -0,0 +1,31 @@
+From 74fafb7f11b06747f69f182ad5e3769b665eea7a Mon Sep 17 00:00:00 2001
+From: Adam 
+Date: Fri, 2 Sep 2016 22:57:03 -0400
+Subject: [PATCH] m_sasl: don't allow AUTHENTICATE with mechanisms with a space
+
+---
+ src/modules/m_sasl.cpp | 4 
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp
+index 9cb5592..16a1535 100644
+--- a/src/modules/m_sasl.cpp
 b/src/modules/m_sasl.cpp
+@@ -189,6 +189,7 @@ class CommandAuthenticate : public Command
+   : Command(Creator, "AUTHENTICATE", 1), authExt(ext), cap(Cap)
+   {
+   works_before_reg = true;
++  allow_empty_last_param = false;
+   }
+ 
+   CmdResult Handle (const std::vector& parameters, User 
*user)
+@@ -199,6 +200,9 @@ class CommandAuthenticate : public Command
+   if (!cap.ext.get(user))
+   return CMD_FAILURE;
+ 
++  if (parameters[0].find(' ') != std::string::npos || 
parameters[0][0] == ':')
++  return CMD_FAILURE;
++
+   SaslAuthenticator *sasl = authExt.get(user);
+   if (!sasl)
+   authExt.set(user, new SaslAuthenticator(user, 
parameters[0]));
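
Review bot: in the second m_sasl.cpp hunk, the guard `parameters[0][0] == ':'` reads the first character without an explicit emptiness check and appears to rely on `allow_empty_last_param = false` from the constructor hunk (together with the minimum of 1 parameter) to keep parameters[0] non-empty. A one-line comment tying the two additions together, or an explicit `parameters[0].empty()` test in the same condition, would keep the check robust if the constructor setting is changed later. The guard also has no comment saying why a space or a leading ':' is rejected, and the patch header carries only the upstream From/Date/Subject; adding Origin and Bug-Debian fields would record where the fix comes from.
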
diff -Nru inspircd-2.0.17/debian/patches/series 
inspircd-2.0.17/debian/patches/series
--- inspircd-2.0.17/debian/patches/series   2016-03-22 19:29:23.0 
+0100
+++ inspircd-2.0.17/debian/patches/series   2016-09-06 22:55:05.0 
+0200
@@ -2,3 +2,4 @@
 01_dpkg-buildflags_support.diff
 03_gnutls_crypt_api_instead_gcrypt.diff
 CVE-2015-8702.patch
+CVE-2016-7142.patch




Bug#836706: certificate spoofing via crafted SASL messages

2016-09-05 Thread Guillaume Delacour


On 05/09/2016 at 22:41, James Lu wrote:
> Hi,

Hi,

> 
> Just to narrow things down a bit, the relevant fix for InspIRCd 2.0 is
> this commit
> https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a

Yes, I've talked to upstream a few hours ago to include this particular
fix to 2.0.17; upload of 2.0.23 will follow to unstable.

> 
> Best,
> James
> 

-- 
Guillaume Delacour





Bug#836706: certificate spoofing via crafted SASL messages

2016-09-05 Thread James Lu
Hi,

Just to narrow things down a bit, the relevant fix for InspIRCd 2.0 is
this commit
https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a

Best,
James





Bug#836706: certificate spoofing via crafted SASL messages

2016-09-04 Thread Antoine Beaupré
Source: inspircd
Version: 2.0.5-1+deb7u2
Severity: critical
Tags: security

inspircd published 2.0.23 that fixes an issue with SASL
authentication. The details are here:

http://www.inspircd.org/2016/09/03/v2023-released.html

All versions are affected.

Upstream hasn't requested a CVE yet. I will contact oss-security to
make sure that happens.

It seems to also affect Charybdis, which fixed the issue in the
upcoming 3.5.3 release:

https://github.com/charybdis-ircd/charybdis/commit/818a3fda944b26d4814132cee14cfda4ea4aa824

I will take care of the 3.5.3 upload or backporting those patches to
3.5.2 and 3.4 (if relevant) as soon as I can.

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (1, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)