Bug 832272 - <net-irc/unrealircd-{5.2.4, 6.0.2}: denial of service
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 833578
Blocks:
Reported: 2022-01-29 06:35 UTC by Sam James
Modified: 2022-02-20 05:57 UTC
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-29 06:35:37 UTC
See https://forums.unrealircd.org/viewtopic.php?t=9168:

"""
UnrealIRCd 5 and UnrealIRCd 6 can be crashed by a regular user when a certain command is sent. This results in all users being disconnected from the server. There is no other risk than crashing (no buffer overflow or anything, no risk of remote code execution).

If you have any deny dcc { } blocks in the config file or spamfilters on the 'd' (dcc) target then the server can be crashed. This is true for many servers as there is a deny dcc { } block in the example configuration file (example.conf).

All U5 and U6 versions before January 28, 2022 are affected, so:

    UnrealIRCd 5.0.0 - 5.2.3
    UnrealIRCd 6.0.0 - 6.0.2-rc1

We recommend admins to apply the hot-patch (see next) ASAP which will fix the issue with zero downtime.
"""
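An exposure check built from the two conditions in the advisory quoted above (an affected version, plus a `deny dcc { }` block or a spamfilter with the dcc target). This is an added example, not code from the bug report, Gentoo, or UnrealIRCd; the function names and the sample config are constructed, and treating any pre-release of a fixed version number as affected is an assumption.

```python
import re

# Fixed releases per the bug title; the advisory lists 5.0.0 - 5.2.3 and
# 6.0.0 - 6.0.2-rc1 as affected.
FIXED = {5: (5, 2, 4), 6: (6, 0, 2)}
# Quoted strings and the comment styles used in unrealircd.conf.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# Constructed sample config (not from the page): one disabled rule, one live one.
SAMPLE = '''/* deny dcc { filename "*.scr"; reason "off"; }; */
spamfilter { match-type simple; match "x"; target { private; dcc; };
             action block; reason "example"; };'''

def version_affected(version):
    """True for versions in the advisory's affected ranges, e.g. '6.0.2-rc1'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(-\S+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = tuple(int(g) for g in m.group(1, 2, 3))
    fixed = FIXED.get(nums[0])
    if fixed is None:
        return False  # the advisory covers only UnrealIRCd 5 and 6
    # Assumption: any pre-release of a fixed number (such as -rc1) predates the fix.
    return nums < fixed or (nums == fixed and m.group(4) is not None)

def _block_body(text, start):
    """Return the text between the '{' at index start and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    return text[start + 1:]  # unterminated block: scan to end of file

def dcc_triggers(conf):
    """List the config conditions the advisory names as making the crash reachable."""
    # Drop comments and blank out strings so quoted or commented text cannot match.
    text = _TOKEN.sub(lambda m: '""' if m.group()[0] == '"' else " ", conf)
    found = []
    if re.search(r"\bdeny\s+dcc\s*\{", text):
        found.append("deny dcc block")
    for m in re.finditer(r"\bspamfilter\s*\{", text):
        body = _block_body(text, m.end() - 1)
        if re.search(r"\btarget\s*(?:\{[^}]*\bdcc\b|dcc\b)", body):
            found.append("spamfilter with dcc target")
            break
    return found

if __name__ == "__main__":
    print(version_affected("6.0.2-rc1"), dcc_triggers(SAMPLE))
```

Spamfilters added at runtime rather than in the config file are not visible to this scan, so an empty result is not proof that a server on an affected version is safe.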
Comment 1 Larry the Git Cow gentoo-dev 2022-01-29 07:02:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7a608d77cd26f4bee0362c7af21df67c4fe3a88

commit c7a608d77cd26f4bee0362c7af21df67c4fe3a88
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-29 07:02:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-29 07:02:46 +0000

    net-irc/unrealircd: add 5.2.4, 6.0.2
    
    Bug: https://bugs.gentoo.org/832272
    Signed-off-by: Sam James <sam@gentoo.org>

 net-irc/unrealircd/Manifest                  |   2 +
 net-irc/unrealircd/files/unrealircd.tmpfiles |   2 +
 net-irc/unrealircd/unrealircd-5.2.4.ebuild   | 175 +++++++++++++++++++++++++
 net-irc/unrealircd/unrealircd-6.0.2.ebuild   | 184 +++++++++++++++++++++++++++
 4 files changed, 363 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-19 15:04:59 UTC
Please cleanup
Comment 3 Larry the Git Cow gentoo-dev 2022-02-20 05:51:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b3d06105f95dd42164f722ef64907af8fdc2d34

commit 7b3d06105f95dd42164f722ef64907af8fdc2d34
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-20 05:45:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-20 05:45:55 +0000

    net-irc/unrealircd: drop 5.2.2
    
    Bug: https://bugs.gentoo.org/832272
    Signed-off-by: Sam James <sam@gentoo.org>

 net-irc/unrealircd/Manifest                |   1 -
 net-irc/unrealircd/unrealircd-5.2.2.ebuild | 177 -----------------------------
 2 files changed, 178 deletions(-)