Bug 204834 - net-irc/ngircd < 0.10.4 IRC PART Remote DoS (CVE-2008-0285)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://ngircd.barton.de/index.html.en
Whiteboard: B3 [glsa]
Reported: 2008-01-07 22:39 UTC by Marek Czernohous
Modified: 2008-01-27 16:48 UTC
Description Marek Czernohous 2008-01-07 22:39:04 UTC
"ngIRCd-versions previous to 0.10.4 comprise an error which can be used (also by remote) to crash the daemon. All installations should be updated to version 0.10.4 or subsequent versions."
Comment 1 Raúl Porcel (RETIRED) gentoo-dev 2008-01-08 16:53:39 UTC
0.10.4 in CVS
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-01-08 23:36:41 UTC
Arches, please test and mark stable net-irc/ngircd-0.10.4.
Target keywords : "ppc x86"

amd64, want this stable too? Been there for some time.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-01-08 23:44:42 UTC
From ChangeLog:

ngIRCd 0.10.4 (2008-01-07)
  - SECURITY: IRC_PART could reference invalid memory, causing
    ngircd to crash [from HEAD].
Comment 4 Markus Meier gentoo-dev 2008-01-09 14:35:13 UTC
x86 stable
Comment 5 Peter Weller (RETIRED) gentoo-dev 2008-01-11 17:57:09 UTC
We'll mark it stable after it's been a month or so. Currently no real reason to mark it stable. @armin76, would you be so kind as to stab me when in a month so that I can mark it stable? :)
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-01-11 19:42:51 UTC
ppc stable
Comment 7 Dawid Węgliński (RETIRED) gentoo-dev 2008-01-12 07:11:25 UTC
(In reply to comment #5)
> @armin76, would you be so kind as to stab me when in a month so
> that I can mark it stable? :)
> 
He's always kind enough to stab you ;) *hides*
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 15:20:19 UTC
GLSA vote. YES for me.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-15 20:42:49 UTC
YES from me as well.
Comment 10 Marek Czernohous 2008-01-15 21:08:27 UTC
Mh, the next major-release is published, but I don't want to file a zero-day-bump-request :-)

http://ngircd.barton.de/index.html.en

Changelog

ngIRCd 0.11.0 (2008-01-15)

  ngIRCd 0.11.0-pre2 (2008-01-07)
  - SECURITY: IRC_PART could reference invalid memory, causing
    ngircd to crash [from HEAD].
  
  ngIRCd 0.11.0-pre1 (2008-01-02)
  - Use dotted-decimal IP address if hostname is >= 64.
  - Add support for /STAT u (server uptime) command.
  - New [Server] configuration Option "Bind" allows to specify
    the source ip adress to use when connecting to remote server.
  - New configuration option "MaxNickLength" to specify the allowed maximum
    length of user nick names. Note: must be unique in an IRC network!
  - Enhanced the IRC+ protocol to support an enhanced "server handshake" and
    enable server to recognice numeric 005 (ISUPPORT) and 376 (ENDOFMOTD).
    See doc/Protocol.txt for details.
  - Re-added doc/SSL.txt to distribution -- got lost somewhere!?
  - Fixes the wrong logging output when nested servers are introduced
    to the network as well as the wrong output of the LINKS command.
  - Update Mac OS X Xcode project file for Xcode 3.
  - Adjust test suite to be usable on HP/UX 11.11 :-)
  - Fix code to compile using K&R C compiler and ansi2kr again.
  - New config option NoDNS: Disables DNS lookups when clients connect.
  - Fixed propagation of channel mode 'P' on server links.
  - Numeric 317: implemented "signon time" (displayed in WHOIS result).
  - Fixed code that prevented GCC 2.95 to compile ngIRCd.
  - Adjust path names in manual pages according to "./configure" settings.
  - Added new server configuration option "Passive" for "Server" blocks to
    disable automatic outgoing connections (similar to -p option to ngircd,
    but only for the specified server). (Tassilo Schweyer)
  - Don't connect to a server if a connection to another server within the
    same group is already in progress.
  - Added support for the WALLOPS command. Usage is restricted to IRC
    operators.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 21:34:32 UTC
(In reply to comment #10)
> Mh, the next major-release is published, but I don't want to file a
> zero-day-bump-request :-)

That is definitely stuff for a new bug, but give maintainers some days please.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 22:54:39 UTC
CVE-2008-0285 was assigned.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-01-27 16:48:16 UTC
GLSA 200801-13, all done.