1
0
mirror of https://github.com/weechat/weechat.git synced 2026-07-08 10:43:13 +02:00

irc: replace chars "\01" by spaces in CTCP replies (closes #1819)

This prevents any attack due to an external security issue in the Linux
netfilter implementation (nf_conntrack_irc).

See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2663
This commit is contained in:
Sébastien Helleu
2022-09-10 13:42:35 +02:00
parent 5070a6330c
commit 9cb68b13a9
2 changed files with 69 additions and 47 deletions
+1
View File
@@ -40,6 +40,7 @@ Bug fixes::
* irc: fix extract of isupport value when it is last in list and without value (issue #1807)
* irc: fix target buffer of generic errors when they contain a target nick (issue #1814)
* irc: fix display of message 350 (whois, gateway) (issue #1815)
* irc: replace chars "\01" by spaces in CTCP replies (issue #1819)
* guile: fix function hdata_get_string
* javascript: fix return of long value in functions infolist_time, hdata_long and hdata_time
* php: fix function hdata_compare
+68 -47
View File
@@ -270,15 +270,32 @@ irc_ctcp_reply_to_nick (struct t_irc_server *server,
{
struct t_hashtable *hashtable;
int number;
char hash_key[32];
char hash_key[32], *str_args_color, *dup_ctcp, *dup_args;
const char *str_args;
char *str_args_color, *ctcp_upper;
ctcp_upper = strdup (ctcp);
if (!ctcp_upper)
return;
dup_ctcp = NULL;
dup_args = NULL;
hashtable = NULL;
weechat_string_toupper (ctcp_upper);
/*
* replace any "\01" by a space to prevent any firewall attack via
* nf_conntrack_irc (CVE-2022-2663)
*/
dup_ctcp = weechat_string_replace (ctcp, "\01", " ");
if (!dup_ctcp)
goto end;
weechat_string_toupper (dup_ctcp);
if (arguments)
{
/*
* replace any "\01" by a space to prevent any firewall attack via
* nf_conntrack_irc (CVE-2022-2663)
*/
dup_args = weechat_string_replace (arguments, "\01", " ");
if (!dup_args)
goto end;
}
hashtable = irc_server_sendf (
server,
@@ -286,53 +303,57 @@ irc_ctcp_reply_to_nick (struct t_irc_server *server,
NULL,
"NOTICE %s :\01%s%s%s\01",
nick,
ctcp_upper,
(arguments) ? " " : "",
(arguments) ? arguments : "");
dup_ctcp,
(dup_args) ? " " : "",
(dup_args) ? dup_args : "");
if (!hashtable)
goto end;
if (hashtable)
if (weechat_config_boolean (irc_config_look_display_ctcp_reply))
{
if (weechat_config_boolean (irc_config_look_display_ctcp_reply))
number = 1;
while (1)
{
number = 1;
while (1)
{
snprintf (hash_key, sizeof (hash_key), "args%d", number);
str_args = weechat_hashtable_get (hashtable, hash_key);
if (!str_args)
break;
str_args_color = irc_color_decode (str_args, 1);
if (!str_args_color)
break;
weechat_printf_date_tags (
irc_msgbuffer_get_target_buffer (
server, nick, NULL, "ctcp",
(channel) ? channel->buffer : NULL),
0,
irc_protocol_tags (
command,
tags,
"irc_ctcp,irc_ctcp_reply,self_msg,notify_none,"
"no_highlight",
NULL, NULL),
_("%sCTCP reply to %s%s%s: %s%s%s%s%s"),
weechat_prefix ("network"),
irc_nick_color_for_msg (server, 0, NULL, nick),
nick,
IRC_COLOR_RESET,
IRC_COLOR_CHAT_CHANNEL,
ctcp_upper,
(str_args_color[0]) ? IRC_COLOR_RESET : "",
(str_args_color[0]) ? " " : "",
str_args_color);
free (str_args_color);
number++;
}
snprintf (hash_key, sizeof (hash_key), "args%d", number);
str_args = weechat_hashtable_get (hashtable, hash_key);
if (!str_args)
break;
str_args_color = irc_color_decode (str_args, 1);
if (!str_args_color)
break;
weechat_printf_date_tags (
irc_msgbuffer_get_target_buffer (
server, nick, NULL, "ctcp",
(channel) ? channel->buffer : NULL),
0,
irc_protocol_tags (
command,
tags,
"irc_ctcp,irc_ctcp_reply,self_msg,notify_none,"
"no_highlight",
NULL, NULL),
_("%sCTCP reply to %s%s%s: %s%s%s%s%s"),
weechat_prefix ("network"),
irc_nick_color_for_msg (server, 0, NULL, nick),
nick,
IRC_COLOR_RESET,
IRC_COLOR_CHAT_CHANNEL,
dup_ctcp,
(str_args_color[0]) ? IRC_COLOR_RESET : "",
(str_args_color[0]) ? " " : "",
str_args_color);
free (str_args_color);
number++;
}
weechat_hashtable_free (hashtable);
}
free (ctcp_upper);
end:
if (dup_ctcp)
free (dup_ctcp);
if (dup_args)
free (dup_args);
if (hashtable)
weechat_hashtable_free (hashtable);
}
/*