SECURITY ADVISORY ================== A serious Denial-of-Service issue has been discovered in UnrealIRCd. ==[ AFFECTED VERSIONS ]== Affected: - Unreal3.2: beta18, beta19, RC-1, RC-2, 3.2, 3.2.1, 3.2.2 Unaffected: - versions older than beta18 (OLD, UNSUPPORTED) - 3.1* (VERY OLD, UNSUPPORTED) - If you have NO servers and NO services linked and you are using a vulnerable version then this problem does not occur (this is however an uncommon configuration) Fixed in/by: - Hot-patched 3.2* servers (see FIX) - The newly released 3.2.2b (for fresh installs) - CVS from January 15 03:00 GMT and later ==[ PROBLEM ]== There's a severe crashbug present in UnrealIRCd that can quite easily be triggered by users. No code execution or anything like that is possible (it's a NULL pointer dereference), but it does cause a crash, which is of course serious enough. Server admins should apply the fix (which does not require a server restart) as soon as possible before an exploit will become widespread (within 24h is recommended). During the time of writing (Jan15 19:00 GMT) there are no signs of "bad users" causing crashes, but we expect that this will happen after public announcement of this bug. ==[ WORKAROUND ]== There's no safe workaround, but see next for an easy fix. ==[ FIX ]== Thanks to modulized commands we have created a "hot patch" utility that will fix the issue WITHOUT requiring a server restart, all you will have to do is install it and rehash. This patch can be used on Unreal3.2-RC2, 3.2, 3.2.1 and 3.2.2. Older version (eg: beta's) are not supported, in that case we suggest you to upgrade to 3.2 (and apply this patch) or 3.2.2b. *NIX: Download and run the hotpatch utility, available URLs: http://www.vulnscan.org/tmp/unrealpatch322 http://www.unrealircd.com/unrealpatch322 http://unreal.atlanti-ka.org/unrealpatch322 EXAMPLE: cd ~/Unreal3.2 && wget http://www.unrealircd.com/unrealpatch322 && \ chmod +x unrealpatch322 && ./unrealpatch322 (or 'fetch' instead of 'wget', or any other download utility) Alternatively if that did not work, try this .tar.gz: http://www.vulnscan.org/tmp/qpatch.tar.gz OR http://www.unrealircd.com/qpatch.tar.gz OR http://unreal.atlanti-ka.org/qpatch.tar.gz Extract it, cd to the directory and run ./doinstall Windows: Download and run the win32 hotpatch utility, available URLs: http://www.vulnscan.org/tmp/322_hotpatch.exe http://unreal.atlanti-ka.org/322_hotpatch.exe http://unrealircd.funny-chat.net/322_hotpatch.exe (this hotpatch is for 3.2.2 only, if using an older version then upgrade to 3.2.2 first). Additionally, we have replaced the 3.2.2 downloads on our site with "3.2.2b" which is 3.2.2 + this patch (useful in case the hot patch utility did somehow not work, or for any new installs): See http://www.unrealircd.com/?page=downloads This issue has also been fixed in CVS, both in 'stable' and 'unreal3_2_2fixes' since January 15 2005 03:00 GMT. MD5 checksums: 2157afe65f97358645aac0b3f957bd57 unrealpatch322 8b842d83d037eca9cedcf49a6306b129 qpatch.tar.gz d6a90889ce937d77e6e63787d7b31b51 Unreal3.2.2b.tar.gz 90ec48229484b16b94381471c39c07aa Unreal3.2.2b.exe de445797833c281f87cdec193f098b0a Unreal3.2.2b-SSL.exe SHA1 checksums: 31790d50dfa207a223c76f6c1119a8d48294c796 unrealpatch322 20879d90e328671f1853e78d6e4a6fb2557bf686 qpatch.tar.gz c3f8258202c32ca09085975b6a042e6296c2d4b7 Unreal3.2.2b-SSL.exe 55019a076def37509fdb7e5382a62662f18dda30 Unreal3.2.2b.exe 749dfb38f514d1341b6ad8199ce0176f7709faf1 Unreal3.2.2b.tar.gz ==[ TIMELINE ]== Times are GMT+1 13-01-2005 Bug reported, traced and *NIX hotpatch ready 14-01-2005 Bug fixed in CVS, Win hotpatch ready, private announcement to some networks 15-01-2005 CERT-IRC announcement 15-01-2005 Downloads replaced, public announcement ==[ SOURCE ]== A copy (and any updates) of this advisory is posted on: http://www.unrealircd.com/unreal3_2_2b_advisory.txt
net-irc please bump to 3.2.2b or apply patch.
net-irc/unrealircd-3.2.2b in CVS and stable on x86.
Thanks lisa and sven. This one is ready for GLSA. As this is DoS only I tend to vote for no GLSA but I'm not sure how wide spread the usage of this package is.
According to gentoo-stats.org it's installed on 6 of 1040 systems. But that are mostly desktop/private-lan machines. On servers the count might be higher. But I guess IRC networks don't use our package but compile their own version. I say no GLSA.
I vote no GLSA
Thx everyone for the swift resolution. Closing this without GLSA.