Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 593290 (CVE-2016-7142)

Summary: <net-irc/inspircd-2.0.23: certificate spoofing through crafted SASL message
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: slawomir.nizio
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2016/09/05/8
Whiteboard: B3 [noglsa/cve]
Package list:
=net-irc/inspircd-2.0.23
Runtime testing required: ---
Attachments:
Description Flags
inspircd 2.0.23 none

Description Agostino Sarubbo gentoo-dev 2016-09-09 13:36:59 UTC
From ${URL} :

>> This vulnerability allows any attacker to spoof certificate
>> fingerprints via crafted SASL messages to the IRCd. This allows any
>> user to login as any other user that they know the certificate
>> fingerprint of, and that user has services configured to accept SASL
>> EXTERNAL login requests for.

>> https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-11-18 17:54:06 UTC
@ maintainer(s): v2.0.23 which contains the fix is available since 2016-09-03.
Comment 2 A. Wilcox (awilfox) 2017-02-19 20:03:35 UTC
Created attachment 464364 [details, diff]
inspircd 2.0.23

Bugzie appears to have eaten the emails about this.  I never saw this in "bugs assigned to me", because of course, it's assigned to a security@ alias instead of a person that can fix it.

Attached is a bump, fully tested (build, run, and client connect) on x86_64 and PPC64.
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-02-21 19:18:28 UTC
PR: https://github.com/gentoo/gentoo/pull/4035
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-02-25 23:57:43 UTC
Now in repository. Let's wait until 2017-02-27 before we start stabilization.
Comment 5 Agostino Sarubbo gentoo-dev 2017-03-03 09:02:53 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-03-04 13:46:47 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2017-03-07 21:30:17 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No