Bug 142185 - net-irc/inspircd: InspIRCd 1.0.5 denial of service, InspIRCd 1.0.6 release
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.inspircd.org
Whiteboard: [noglsa]
Reported: 2006-07-30 07:40 UTC by Craig Edwards
Modified: 2006-08-09 11:50 UTC
Description Craig Edwards 2006-07-30 07:40:08 UTC
The version of InspIRCd currently in portage ~x86 and ~amd64 (as of Sun 30th July 2006) has a vulnerability whereby if the m_timedbans.so module is loaded, a remote user can cause the IRC server to consume large amounts of CPU time by exploiting a flaw in this module.

To resolve this issue, users should unload m_timedbans.so or upgrade. The purpose of this bug report is twofold: firstly to inform the Gentoo developers of this vulnerability, and secondly to inform the developers of a new version available which fixes this problem, available at:

http://prdownloads.sourceforge.net/inspircd/InspIRCd-1.0.6.tar.bz2?download


Thanks for your time.
Comment 1 William Pitcock 2006-07-30 07:57:34 UTC
As proxy-maintainer of the package, I see no problem with bumping the version.

1.0.6 runs fine with my test config, anyhow.
Comment 2 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2006-07-30 10:08:38 UTC
Bumped in CVS. Please CC me the next time.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-07-30 10:20:45 UTC
(In reply to comment #2)
> Bumped in CVS. Please CC me the next time.

Err, 

1/ It's security's job to CC maintainers
2/ You are not mentioned anywhere in metadata.xml, hard to CC then...
3/ Also, it's security's job to resolve security bugs, AFAIK.

@Craig: Please, don't security-restrict bugs assigned to bug wranglers, they go to nowhere land if you do it. Leave those checkboxes alone. Thanks.
Comment 4 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2006-07-30 10:43:58 UTC
(In reply to comment #3)
> 2/ You are not mentioned anywhere in metadata.xml, hard to CC then...

<description>Indirectly maintaining through hansmi@gentoo.org</description>

I would say that's mentioned enough.

> 3/ Also, it's security's job to resolve security bugs, AFAIK.

Okay, I didn't notice it was assigned to security, because I was pointed to this bug by William Pitcock on IRC.

Craig is the upstream dev of inspircd, and I'm in contact with both him and William. Just as an info.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-08-09 11:50:42 UTC
Thanks, closing without GLSA since this was never stable.