
Bug 832272

Summary: <net-irc/unrealircd-{5.2.4, 6.0.2}: denial of service
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: minor
CC: kensington, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 833578    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-29 06:35:37 UTC
See https://forums.unrealircd.org/viewtopic.php?t=9168:

"""
UnrealIRCd 5 and UnrealIRCd 6 can be crashed by a regular user when a certain command is sent. This results in all users being disconnected from the server. There is no other risk than crashing (no buffer overflow or anything, no risk of remote code execution).

If you have any deny dcc { } blocks in the config file or spamfilters on the 'd' (dcc) target then the server can be crashed. This is true for many servers as there is a deny dcc { } block in the example configuration file (example.conf).

All U5 and U6 versions before January 28, 2022 are affected, so:

    UnrealIRCd 5.0.0 - 5.2.3
    UnrealIRCd 6.0.0 - 6.0.2-rc1

We recommend admins to apply the hot-patch (see next) ASAP which will fix the issue with zero downtime.
"""
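
A triage check for the two conditions the quoted advisory names (an affected version, plus a `deny dcc { }` block or a spamfilter with the dcc target), added here as an example and not code from Gentoo or UnrealIRCd. The function names, the sample config and the assumption that pre-release suffixes look like `-rc1` are illustrative.

```python
import re

# First fixed releases implied by the advisory's ranges (5.0.0 - 5.2.3, 6.0.0 - 6.0.2-rc1).
FIXED = {5: (5, 2, 4), 6: (6, 0, 2)}

def version_affected(version):
    """True if an UnrealIRCd version string falls in the advisory's ranges."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(-\w+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums, pre = tuple(map(int, m.group(1, 2, 3))), m.group(4) is not None
    fixed = FIXED.get(nums[0])
    # A pre-release of the fixed version (6.0.2-rc1) still predates the fix.
    return fixed is not None and (nums < fixed or (nums == fixed and pre))

def _strip(conf):
    """Blank string literals and comments so their contents cannot match."""
    pat = r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    return re.sub(pat, lambda m: '""' if m[0][0] == '"' else " ", conf, flags=re.S)

def _blocks(text, header):
    """Yield the brace-balanced body of each block introduced by `header`."""
    for m in re.finditer(header + r"\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def config_exposed(conf):
    """List which of the advisory's two config conditions are present."""
    text, reasons = _strip(conf), []
    if next(_blocks(text, r"\bdeny\s+dcc"), None) is not None:
        reasons.append("deny dcc block")
    for body in _blocks(text, r"\bspamfilter"):
        target = re.search(r"\btarget\s*(\{[^}]*\}|[^;{]*;)", body)
        if target and re.search(r"\bdcc\b", target.group(1)):
            reasons.append("spamfilter with dcc target")
            break
    return reasons

# Constructed sample config (not taken from example.conf).
SAMPLE = '''
deny dcc { filename "*.exe"; reason "Executable content"; soft yes; }
spamfilter { match-type simple; match "http://spam.example/*";
             target { private; dcc; } action block; reason "dcc spam"; }
'''
if __name__ == "__main__":
    print(version_affected("5.2.3"), config_exposed(SAMPLE))
```

The check reads only the config text it is given; spamfilters added at runtime with /SPAMFILTER are not in that file and are not seen by it.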
Comment 1 Larry the Git Cow gentoo-dev 2022-01-29 07:02:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7a608d77cd26f4bee0362c7af21df67c4fe3a88

commit c7a608d77cd26f4bee0362c7af21df67c4fe3a88
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-29 07:02:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-29 07:02:46 +0000

    net-irc/unrealircd: add 5.2.4, 6.0.2
    
    Bug: https://bugs.gentoo.org/832272
    Signed-off-by: Sam James <sam@gentoo.org>

 net-irc/unrealircd/Manifest                  |   2 +
 net-irc/unrealircd/files/unrealircd.tmpfiles |   2 +
 net-irc/unrealircd/unrealircd-5.2.4.ebuild   | 175 +++++++++++++++++++++++++
 net-irc/unrealircd/unrealircd-6.0.2.ebuild   | 184 +++++++++++++++++++++++++++
 4 files changed, 363 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-19 15:04:59 UTC
Please cleanup
Comment 3 Larry the Git Cow gentoo-dev 2022-02-20 05:51:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b3d06105f95dd42164f722ef64907af8fdc2d34

commit 7b3d06105f95dd42164f722ef64907af8fdc2d34
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-20 05:45:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-20 05:45:55 +0000

    net-irc/unrealircd: drop 5.2.2
    
    Bug: https://bugs.gentoo.org/832272
    Signed-off-by: Sam James <sam@gentoo.org>

 net-irc/unrealircd/Manifest                |   1 -
 net-irc/unrealircd/unrealircd-5.2.2.ebuild | 177 -----------------------------
 2 files changed, 178 deletions(-)