Bug 199897 (CVE-2007-6122)

Summary: net-irc/ircservices < 5.0.63 default_encrypt Remote DoS (CVE-2007-6122)
Product: Gentoo Security
Reporter: Lars Hartmann <lars>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: net-irc
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/27761/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Lars Hartmann 2007-11-21 14:22:08 UTC
A vulnerability has been reported in IRC Services, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to the improper handling of overly long passwords within the "default_encrypt()" function in encrypt.c and can be exploited to crash an affected server.

The vulnerability is reported in versions prior to 5.0.63 and 5.1.9.

Solution:
Update to version 5.0.63 or 5.1.9.
http://www.ircservices.za.net/download.html

Provided and/or discovered by:
The vendor credits loverboy.

Reproducible: Always
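
An added illustration of the bug class described above (not code from IRC Services or from this report): a pass-through password routine that rejects input that does not fit its fixed-size field instead of copying it. `store_password`, `try_length` and `PASSMAX` are hypothetical names, and the 32-byte field size is an assumption.

```c
#include <stddef.h>
#include <string.h>

#define PASSMAX 32   /* assumed size of the stored-password field */

/* Hypothetical pass-through "encrypt" step: copies the plaintext into a
 * fixed-size field. Returns 0 on success, -1 if the arguments are
 * invalid or the password (plus its NUL) does not fit in destsize. */
int store_password(const char *src, char *dest, size_t destsize)
{
    const char *nul;

    if (src == NULL || dest == NULL || destsize == 0)
        return -1;

    /* Bounded scan: look for the terminator within destsize bytes only,
     * so an oversized input is never measured or copied in full. */
    nul = memchr(src, '\0', destsize);
    if (nul == NULL) {
        dest[0] = '\0';          /* leave the field in a defined state */
        return -1;               /* reject; do not truncate silently */
    }
    memcpy(dest, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Constructed input: a password of n 'A' characters (n < 256). */
int try_length(size_t n)
{
    char input[256];
    char field[PASSMAX];

    if (n >= sizeof input)
        return -1;
    memset(input, 'A', n);
    input[n] = '\0';
    return store_password(input, field, sizeof field);
}
```

The caller is expected to treat -1 as a failed password change and report it to the user, so an oversized password becomes an error reply rather than a crash.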
Comment 1 Lars Hartmann 2007-11-26 21:41:31 UTC
maintainers - please advise
Comment 2 Dawid Węgliński (RETIRED) gentoo-dev 2007-11-27 15:43:54 UTC
*** Bug 200467 has been marked as a duplicate of this bug. ***
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-28 02:08:01 UTC
Missed that one.
Comment 4 Dawid Węgliński (RETIRED) gentoo-dev 2007-11-29 20:06:23 UTC
OK, bumped to 5.0.63 till I have some more time to bump to 5.1.9.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-11-29 21:22:19 UTC
Arches, please test and mark stable net-irc/ircservices-5.0.63.
Target keywords : "ppc x86"
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2007-11-30 13:03:34 UTC
x86 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-30 22:45:38 UTC
ppc stable
Comment 8 Lars Hartmann 2007-12-01 13:50:11 UTC
this bug is ready for glsa decision
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-12-02 12:42:41 UTC
Voting YES.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-10 21:48:29 UTC
yes too, request filed.
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-13 22:08:44 UTC
GLSA 200712-12
Comment 12 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:50:56 UTC
Does not affect current (2008.0) release. Removing release.