Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 492526 (CVE-2013-6413)

Summary: <net-irc/unrealircd-3.2.10.2 : Two Denial of Service Vulnerabilities (CVE-2013-{6413,7384})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: binki, jdhore, net-irc
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/55839/
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-11-25 19:46:30 UTC 
From ${URL} :

Description

Two vulnerabilities have been reported in UnrealIRCd, which can be exploited by malicious people to 
cause a DoS (Denial of Service).

1) An unspecified NULL pointer dereference error can be exploited to cause a crash.

2) An unspecified use-after-free error can be exploited to cause a crash.

The vulnerabilities are reported in versions 3.2.10 and 3.2.10.1.


Solution:
Update to version 3.2.10.2.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://forums.unrealircd.com/viewtopic.php?f=2&t=8221


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2013-12-03 05:42:21 UTC 
I’ve bumped to unrealircd-3.2.10.2, though I left older versions in. What next? ;-)
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2013-12-03 06:41:58 UTC 
Thank you Nathan,

Arches, please test and mark stable:

=net-irc/unrealircd-3.2.10.2

Target Keywords : "amd64 ppc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2013-12-06 20:40:10 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-12-06 20:42:11 UTC 
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-12-07 19:11:37 UTC 
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2013-12-09 04:39:19 UTC 
I’ve dropped =unrealircd-3.2.10.1 which has the security flaw.
Comment 7 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-09 04:41:44 UTC 
Thank you. GLSA vote: no.
Comment 8 Sergey Popov (RETIRED) gentoo-dev 2013-12-09 07:22:47 UTC 
GLSA vote: no

Closing noglsa
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-06-08 00:45:26 UTC 
CVE-2013-7384 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7384):
  UnrealIRCd 3.2.10 before 3.2.10.2 allows remote attackers to cause a denial
  of service (NULL pointer dereference and crash) via unspecified vectors,
  related to SSL.  NOTE: this issue was SPLIT from CVE-2013-6413 per ADT2 due
  to different vulnerability types.

CVE-2013-6413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6413):
  Use-after-free vulnerability in UnrealIRCd 3.2.10 before 3.2.10.2 allows
  remote attackers to cause a denial of service (crash) via unspecified
  vectors.  NOTE: this identifier was SPLIT per ADT2 due to different
  vulnerability types. CVE-2013-7384 was assigned for the NULL pointer
  dereference.