Bug#: 79705
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Florian Westphal <westphal@foo.fh-furtwangen.de>
Description:   Opened: 2005-01-27 05:32 0000
There is a buffer overflow in ngircd, src/ngircd/lists.c; in Lists_MakeMask().
It is caused by an integer underflow in line 317:

317  strlcpy( TheMask, Pattern, sizeof( TheMask ) - strlen( at ) - 4 );

strlen( at ) - 4 can be larger than sizeof( TheMask ).


Reproducible: Always
Steps to Reproduce:
1. netcat / telnet to an ngircd daemon.
2. type
USER a b c d
NICK b
JOIN #b
MODE #b +b aaaa....aa@aaaa...aaa
Actual Results:  
Daemon segfaults.

Expected Results:  
Truncate the string.

Fixed in ngircd 0.8.2.
http://arthur.ath.cx/pipermail/ngircd-ml/2005-January/000228.html
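
The size_t wrap-around behind the crash, as an added example that is not ngircd's code and not the 0.8.2 fix: MASK_LEN, the helper names and the assumption that the affected path assembles a `nick!*@host` mask from a `nick@host` ban pattern are all constructed for this demo. The first two functions reproduce the bound computed by the quoted line; the third shows the check a hardened version needs before subtracting.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical mask buffer size for this demo; the real MASK_LEN lives in
 * ngircd's lists.c and is not quoted on this page. */
#define MASK_LEN 64

/* Size argument exactly as the vulnerable line computes it.  `at` is the host
 * part after the '@'.  Everything is size_t, so once strlen(at) + 4 exceeds
 * mask_size the subtraction wraps around to a huge value instead of going
 * negative, and strlcpy is handed a bound far larger than the buffer. */
size_t vulnerable_copy_size(size_t mask_size, const char *at)
{
    return mask_size - strlen(at) - 4;
}

/* 1 if the wrapped bound would let strlcpy run past the buffer. */
int bound_exceeds_buffer(size_t mask_size, const char *at)
{
    return vulnerable_copy_size(mask_size, at) > mask_size;
}

/* Hardened reconstruction (this file's own code, not ngircd's 0.8.2 fix):
 * assemble "nick!*@host" from a "nick@host" pattern, reserving room for
 * "!*@", the host and the NUL before deciding how much nick fits, and let
 * snprintf truncate whatever is left over.  Returns the length written, or
 * 0 when the pattern has no '@' (a case the demo does not model). */
size_t safe_make_mask(char *mask, size_t mask_size, const char *pattern)
{
    const char *at = strchr(pattern, '@');
    size_t nick_len, host_len, reserved, nick_room;

    if (mask_size == 0)
        return 0;
    if (at == NULL) {
        mask[0] = '\0';
        return 0;
    }
    nick_len = (size_t)(at - pattern);
    host_len = strlen(at + 1);
    reserved = host_len + 4;               /* "!*@" + terminating NUL */
    /* Compare before subtracting: this is the test the vulnerable line lacks. */
    nick_room = reserved < mask_size ? mask_size - reserved : 0;
    if (nick_len > nick_room)
        nick_len = nick_room;

    snprintf(mask, mask_size, "%.*s!*@%s", (int)nick_len, pattern, at + 1);
    return strlen(mask);
}

int main(void)
{
    /* Constructed inputs: a normal host and a host longer than the buffer,
     * like the "aaaa...aaa" ban mask in the reproduction steps. */
    char long_host[MASK_LEN + 8];
    char mask[MASK_LEN];

    memset(long_host, 'a', sizeof(long_host) - 1);
    long_host[sizeof(long_host) - 1] = '\0';

    printf("short host bound: %zu (exceeds buffer: %d)\n",
           vulnerable_copy_size(MASK_LEN, "example.org"),
           bound_exceeds_buffer(MASK_LEN, "example.org"));
    printf("long host bound:  %zu (exceeds buffer: %d)\n",
           vulnerable_copy_size(MASK_LEN, long_host),
           bound_exceeds_buffer(MASK_LEN, long_host));

    safe_make_mask(mask, sizeof(mask), "alice@example.org");
    printf("safe mask: %s\n", mask);
    return 0;
}
```

The demo only computes the bound; it never performs the over-long copy, so it runs cleanly without a sanitizer. The practical rule it illustrates is that any `sizeof(buf) - n` handed to strlcpy/strlcat needs `n < sizeof(buf)` established first, since unsigned arithmetic cannot signal the shortfall. Truncating, as the hardened form does, is the behaviour the report lists under Expected Results.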

------- Comment #1 From Thierry Carrez (RETIRED) 2005-01-27 05:45:02 0000 -------
Many thanks for letting us know so fast, Florian.
net-irc team please bump to newest package.

------- Comment #2 From Sven Wegener 2005-01-27 07:23:12 0000 -------
net-irc/ngircd-0.8.2 in CVS and stable on x86.

------- Comment #3 From Thierry Carrez (RETIRED) 2005-01-27 08:07:46 0000 -------
GLSA drafted.
Florian: couldn't that vulnerability also be used to execute arbitrary code?

------- Comment #4 From Florian Westphal 2005-01-27 09:16:32 0000 -------
I was only able to crash the server, but this is most likely because of my
clumsy efforts. Given that the input comes from the client (and is under very
few restrictions) someone more skilled might be able to exploit this.

------- Comment #5 From Thierry Carrez (RETIRED) 2005-01-28 14:09:09 0000 -------
GLSA 200501-40
