
Bug 142185

Summary: net-irc/inspircd: InspIRCd 1.0.5 denial of service, InspIRCd 1.0.6 release
Product: Gentoo Security
Reporter: Craig Edwards <brain>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: brain, hansmi, nenolod
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.inspircd.org
Whiteboard: [noglsa]
Package list:
Runtime testing required: ---

Description Craig Edwards 2006-07-30 07:40:08 UTC
The version of InspIRCd currently in portage ~x86 and ~amd64 (as of Sun 30th July 2006) has a vulnerability whereby if the m_timedbans.so module is loaded, a remote user can cause the irc server to consume large amounts of CPU time by exploiting a flaw in this module.

To resolve this issue, users should unload m_timedbans.so or upgrade. The purpose of this bug report is twofold, firstly to inform the gentoo developers of this vulnerability, and secondly to inform the developers of a new version available which fixes this problem, available at:

http://prdownloads.sourceforge.net/inspircd/InspIRCd-1.0.6.tar.bz2?download

Thanks for your time.
Comment 1 William Pitcock 2006-07-30 07:57:34 UTC
As proxy-maintainer of the package, I see no problem with bumping the version.

1.0.6 runs fine with my test config, anyhow.
Comment 2 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2006-07-30 10:08:38 UTC
Bumped in CVS. Please CC me the next time.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-07-30 10:20:45 UTC
(In reply to comment #2)
> Bumped in CVS. Please CC me the next time.

Err,

1/ It's security's job to CC maintainers
2/ You are not mentioned anywhere in metadata.xml, hard to CC then...
3/ Also, it's security's job to resolve security bugs, AFAIK.

@Craig: Please, don't security-restrict bugs assigned to bug wranglers, they go to nowhere land if you do it. Leave those checkboxes alone. Thanks.
Comment 4 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2006-07-30 10:43:58 UTC
(In reply to comment #3)
> 2/ You are not mentioned anywhere in metadata.xml, hard to CC then...

<description>Indirectly maintaining through hansmi@gentoo.org</description>

I would say that's mentioned enough.

> 3/ Also, it's security's job to resolve security bugs, AFAIK.

Okay, I didn't notice it was assigned to security, because I was pointed to this bug by William Pitcock on IRC.

Craig is the upstream dev of inspircd, and I'm in contact with both him and William. Just as an FYI.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-08-09 11:50:42 UTC
Thanks, closing without GLSA since this was never stable.