Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 307437 (CVE-2009-4652)

Summary: <net-irc/ngircd-17.1 linked server MOTD DoS (CVE-2009-4652)
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: net-irc
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://ngircd.barton.de/doc/NEWS
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-02 09:29:12 UTC 
CVE-2009-4652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4652):
  The (1) Conn_GetCipherInfo and (2) Conn_UsesSSL functions in
  src/ngircd/conn.c in ngIRCd 13 and 14, when SSL/TLS support is
  present and standalone mode is disabled, allow remote attackers to
  cause a denial of service (application crash) by sending the MOTD
  command from another server in the same IRC network, possibly related
  to an array index error.
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 10:31:12 UTC 
ngircd has a stable (and likely vulnerable) version on x86 and ppc. Maintainers, are we ok to stabilize an unaffected version? Also, we should remove the vulnerable versions from the tree.

Note: 0.12.1 -> 13 is just a versioning scheme change. I think the 0.x versions are also vulnerable.
Comment 2 Agostino Sarubbo gentoo-dev 2011-09-10 17:24:43 UTC 
@net-irc

ping
Comment 3 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2011-09-10 22:55:11 UTC 
(In reply to comment #1)
> ngircd has a stable (and likely vulnerable) version on x86 and ppc.
> Maintainers, are we ok to stabilize an unaffected version?

Please feel free to stabilize ngircd-17.1.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-09-10 23:42:32 UTC 
(In reply to comment #3)
> 
> Please feel free to stabilize ngircd-17.1.

Great, thanks (and thanks, Agostino).

Arches, please test and mark stable:
=net-irc/ngircd-17.1
Target keywords : "ppc x86"
Comment 5 Jeff (JD) Horelick (RETIRED) gentoo-dev 2011-09-11 00:35:16 UTC 
Archtested on x86: Everything fine
Comment 6 Thomas Kahle (RETIRED) gentoo-dev 2011-09-12 18:19:38 UTC 
x86 stable. Thanks JD.
Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-22 11:30:32 UTC 
ppc keywords dropped
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-09-22 14:17:05 UTC 
Thanks, folks. GLSA Vote: yes.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-08 22:33:17 UTC 
GLSA vote: NO.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:38:13 UTC 
Vote: NO. Closing noglsa.
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-06 14:18:58 UTC 
Actually closing.