
Bug 79705

Summary: net-irc/ngircd: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Florian Westphal <westphal>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: net-irc, ruth
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://arthur.ath.cx/pipermail/ngircd-ml/2005-January/000228.html
Whiteboard: B1 [glsa] koon
Package list:
Runtime testing required: ---

Description Florian Westphal 2005-01-27 05:32:57 UTC
There is a buffer overflow in ngircd, src/ngircd/lists.c; in Lists_MakeMask().
It is caused by an integer underflow in line 317:

317  strlcpy( TheMask, Pattern, sizeof( TheMask ) - strlen( at ) - 4 );

strlen( at ) - 4 can be larger than sizeof( TheMask ).


Reproducible: Always
Steps to Reproduce:
1. netcat / telnet to a ngirc daemon.
2. type
USER a b c d
NICK b
JOIN #b
MODE #b +b aaaa....aa@aaaa...aaa
Actual Results:  
Daemon segfaults.

Expected Results:  
Truncate the string.

Fixed in ngircd 0.8.2.
http://arthur.ath.cx/pipermail/ngircd-ml/2005-January/000228.html
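
The size arithmetic described in the report, as an added example that is not part of the original bug report and is not ngircd's code: it evaluates the quoted `sizeof - strlen - 4` expression without copying anything, then shows a checked form that truncates or refuses instead of wrapping. `MASK_SIZE`, the function names and the sample inputs are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define MASK_SIZE 64 /* assumed buffer size for this example, not ngircd's value */

/* Size argument as written in the report, evaluated without copying.
 * size_t is unsigned, so a too-long `at` wraps the result to a huge value. */
static size_t unchecked_limit(size_t buf_size, const char *at)
{
    return buf_size - strlen(at) - 4;
}

/* Checked form: 0 and *limit set when the reserve fits, -1 otherwise. */
static int checked_limit(size_t buf_size, const char *at, size_t *limit)
{
    size_t at_len = strlen(at);
    if (buf_size < 4 || at_len > buf_size - 4)
        return -1;
    *limit = buf_size - at_len - 4;
    return 0;
}

/* Truncating copy that refuses a wrapped limit; returns bytes stored in dst
 * (excluding the NUL), or -1 with dst emptied when nothing can be reserved. */
static int copy_reserving(char *dst, size_t dst_size, const char *src, const char *at)
{
    size_t limit;
    if (dst_size == 0) return -1;
    dst[0] = '\0';
    if (checked_limit(dst_size, at, &limit) != 0 || limit == 0)
        return -1;
    snprintf(dst, limit, "%s", src); /* writes at most limit - 1 chars plus NUL */
    return (int)strlen(dst);
}

int main(void)
{
    char mask[MASK_SIZE], host[2 * MASK_SIZE];
    memset(host, 'a', sizeof(host) - 1); /* constructed over-long input */
    host[sizeof(host) - 1] = '\0';
    printf("unchecked limit: %zu (buffer is %d bytes)\n",
           unchecked_limit(sizeof(mask), host), MASK_SIZE);
    printf("checked copy, long host: %d\n", copy_reserving(mask, sizeof(mask), "nick", host));
    printf("checked copy, short host: %d -> \"%s\"\n",
           copy_reserving(mask, sizeof(mask), "nick", "example.org"), mask);
    return 0;
}
```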
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 05:45:02 UTC
Many thanks for letting us know so fast, Florian.
net-irc team please bump to newest package.
Comment 2 Sven Wegener gentoo-dev 2005-01-27 07:23:12 UTC
net-irc/ngircd-0.8.2 in CVS and stable on x86.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 08:07:46 UTC
GLSA drafted.
Florian: couldn't that vulnerability also be used to execute arbitrary code?
Comment 4 Florian Westphal 2005-01-27 09:16:32 UTC
I was only able to crash the server, but this is most likely because of my clumsy efforts. Given that the input comes from the client (and is under very few restrictions) someone more skilled might be able to exploit this.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-01-28 14:09:09 UTC
GLSA 200501-40