Bug 728422 (CVE-2020-14148) - net-irc/ngircd: use-after-free vulnerability in server-to-server protocol (CVE-2020-14148)
Summary: net-irc/ngircd: use-after-free vulnerability in server-to-server protocol (CV...
Status: RESOLVED INVALID
Alias: CVE-2020-14148
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: C3 [upstream cve]
Reported: 2020-06-15 20:42 UTC by John Helmert III
Modified: 2023-01-03 18:51 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-15 20:42:51 UTC
From $URL:

The Server-Server protocol implementation in ngIRCd before 26~rc2 allows an out-of-bounds access, as demonstrated by the IRC_NJOIN() function.

Maintainer, please bump.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-17 00:15:20 UTC
Bleh. Upstream's view is understandable. We cannot do much for now.

From upstream (https://github.com/ngircd/ngircd/pull/276#issuecomment-636494495):
"For ngIRCd 26 … nothing, I guess: as this seems to only affect the server-server protocol (which is „trusted by design“, we don’t have to handle invalid input here, this is bad practice, but as already pointed out, „by design“ – so removing this bug from the milestone)."
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 17:48:14 UTC
Upstream doesn't think this is a real security bug, and I too am skeptical that a malicious server in the network is a real security issue since other servers in the network are implicitly trusted. Upstream also doesn't think there's a proper way to fix this, so there's really not much we can do here. I'm going to close this as invalid for now and reopen if there's ever any movement upstream.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-03 18:51:09 UTC
Upstream has officially WONTFIX'd.