Summary: | net-irc/ngircd: use-after-free vulnerability in server-to-server protocol (CVE-2020-14148) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | ||
Severity: | minor | CC: | sam |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://nvd.nist.gov/vuln/detail/CVE-2020-14148 | ||
Whiteboard: | C3 [upstream cve] | ||
Package list: | Runtime testing required: | --- |
Description
John Helmert III
2020-06-15 20:42:51 UTC
Bleh. Upstream's view is understandable. We cannot do much for now. From upstream (https://github.com/ngircd/ngircd/pull/276#issuecomment-636494495): "For ngIRCd 26 … nothing, I guess: as this seems to only affect the server-server protocol (which is „trusted by design“, we don’t have to handle invalid input here, this is bad practice, but as already pointed out, „by design“ – so removing this bug from the milestone)." Upstream doesn't think this is a real security bug, and I too am skeptical that a malicious esrver in the network is a real security issue since other servers in the network are implicitly trusted. Upstream also doesn't think there's a proper way to fix this, so there's really not much we can do here. I'm going to close this as invalid for now and reopen if there's ever any movement upstream. Upstream has officially WONTFIX'd. |