
Bug 94794

Summary: net-im/silc-server: 1.0 version bump + stability patch
Product: Gentoo Security
Reporter: Frank Benkstein <benkstein>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: swegener
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
a3925dd7f53f2665de9c4919c35b89c613dfc1f9 silc-server-1.0-r1.ebuild.tar.bz2 none

Description Frank Benkstein 2005-06-02 00:38:41 UTC
Hi,

silc-server 1.0 is out. The banlist handling in this version and all versions
below is broken. Because of this it is possible to crash (segfault) the server by
creating special banlist entries. Attached ebuild contains a patch (thanks to
Sven Klemm) that fixes the crash. Overall banlist handling is still broken,
e.g. it is possible to create unremovable entries by having them contain regexp
special characters (),[],+ etc.

Best regards
Frank Benkstein.

Note: This bug does not seem to affect *BSD due to some differences in the libc.
Comment 1 Frank Benkstein 2005-06-02 00:41:00 UTC
Created attachment 60446 [details]
a3925dd7f53f2665de9c4919c35b89c613dfc1f9  silc-server-1.0-r1.ebuild.tar.bz2
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-06-02 01:30:05 UTC
Cc-ing swegener (last bumper) for input.

Frank: is this vulnerability public ?
If yes, can we un-restrict this bug ?
If no, is there a planned release ? when should we patch it (once the patch is
out, the issue is kinda public) ?

Note: this is a ~only package so no GLSA will be generated.
Comment 3 Frank Benkstein 2005-06-02 05:12:55 UTC
> Frank: is this vulnerability public ?

AFAIK no. We (the CCC Dresden) run our own little SILCnet (3 Servers, 1 Router)
and discovered this bug when playing around a little.

> If yes, can we un-restrict this bug ?

Your choice. I just thought: better this way than the other way round. At least
one server in the official SILCnet seems affected, too.

> If no, is there a planned release ? when should we patch it (once the patch is
> out, the issue is kinda public) ?

I'm no SILC dev and did not even contact the SILC devs about this. One of our
members just made a patch and I applied it noticing that it seems to fix the
crashing.

I don't feel competent enough to report it to the SILC folks because I don't
fully understand how/why this bug occurs. If you don't want to report this
upstream I can ask the original author (Sven Klemm) to do it, if he hasn't done
this yet.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-02 05:57:06 UTC
I'll handle upstream warning.
Thx for reporting this, we'll keep it restricted until upstream is ready.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 06:25:03 UTC
No answer from security@silcnet.org. I'll keep this restricted for a few more
days and then we'll open the bug.

swegener: what's your position on this ? Patch ?
Comment 6 Sven Wegener gentoo-dev 2005-06-08 06:32:55 UTC
Yeah, I would go ahead and patch it. The patch is simple and does "The Right
Thing" (tm)
Comment 7 Frank Benkstein 2005-06-08 13:16:15 UTC
Hi,

it seems that there was a little communication problem. When I filed the bug the
issue was already known to the silc devs, sorry. Regardless, the patch is valid
and fixes the issue. I think you are safe to unrestrict this bug.

https://lists.silcnet.org/pipermail/silc-devel/2005-May/thread.html#1657

Best regards
Frank Benkstein.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 13:26:55 UTC
Public now. Sven: you can go ahead and patch.
Comment 9 Sven Wegener gentoo-dev 2005-06-08 14:17:42 UTC
In CVS.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-06-09 09:37:59 UTC
Thanks Sven. Package all ~, no glsa.