There is a buffer overflow in ngircd, src/ngircd/lists.c; in Lists_MakeMask(). It is caused by an integer underflow in line 317: 317 strlcpy( TheMask, Pattern, sizeof( TheMask ) - strlen( at ) - 4 ); strlen( at ) - 4 can be larger than sizeof( TheMask ). Reproducible: Always Steps to Reproduce: 1. netcat / telnet to a ngirc daemon. 2. type USER a b c d NICK b JOIN \#b MODE \#b +b aaaa....aa@aaaa...aaa Actual Results: Daemon segfaults. Expected Results: Truncate the string. Fixed in ngircd 0.8.2. http://arthur.ath.cx/pipermail/ngircd-ml/2005-January/000228.html
Many thanks for letting us know so fast, Florian. net-irc team please bump to newest package.
net-irc/ngircd-0.8.2 in CVS and stable on x86.
GLSA drafted. Florian: couldn't that vulnerability also be used to execute arbitrary code ?
I was only able to crash the server, but this is most likely because of my clumsy efforts. Given that the input comes from the client (and is under very few restrictions) someone more skilled might be able to exploit this.
GLSA 200501-40
