Bug 260806 - <net-irc/unrealircd-3.2.8.1: DoS (CVE-2009-4893)
Summary: <net-irc/unrealircd-3.2.8.1: DoS (CVE-2009-4893)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: http://www.unrealircd.com/txt/unreals...
Whiteboard: C3 [glsa]
Keywords:
: CVE-2009-4893
Depends on:
Blocks:
 
Reported: 2009-03-02 00:02 UTC by Lars Wendler (Polynomial-C) (RETIRED)
Modified: 2010-06-26 11:34 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
unrealircd-3.2.8.1.ebuild (unrealircd-3.2.8.1.ebuild,5.34 KB, text/plain)
2009-04-15 10:48 UTC, Steffen 'j0inty' Stollfuß
unrealircd-system-tre.patch (unrealircd-system-tre.patch,2.21 KB, patch)
2009-04-15 10:49 UTC, Steffen 'j0inty' Stollfuß
unrealircd-system-cares.patch (unrealircd-system-cares.patch,4.74 KB, patch)
2009-04-15 10:49 UTC, Steffen 'j0inty' Stollfuß
unrealircd-3.2.8.1.ebuild (unrealircd-3.2.8.1.ebuild,5.39 KB, text/plain)
2009-04-15 10:58 UTC, Steffen 'j0inty' Stollfuß
hopefully improved unrealircd-3.2.8.1.ebuild (unrealircd-3.2.8.1.ebuild,4.60 KB, text/plain)
2009-04-15 23:09 UTC, Nathan Phillip Brink (binki) (RETIRED)
suggested metadata.xml describing new useflags (metadata.xml,831 bytes, text/plain)
2009-04-17 01:58 UTC, Nathan Phillip Brink (binki) (RETIRED)
unrealircd-3.2.8.1.ebuild.patch (unrealircd-3.2.8.1.ebuild.patch,770 bytes, patch)
2009-04-17 17:28 UTC, Steffen 'j0inty' Stollfuß
updated unrealircd-3.2.8.1.ebuild (unrealircd-3.2.8.1.ebuild,4.59 KB, text/plain)
2009-04-17 17:52 UTC, Nathan Phillip Brink (binki) (RETIRED)
unrealircd.rc-correct-pidfile-handling.patch (unrealircd.rc-correct-pidfile-handling.patch,2.43 KB, patch)
2009-11-20 21:38 UTC, Steffen 'j0inty' Stollfuß

Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-03-02 00:02:54 UTC
See URL for a detailed ChangeLog.

Reproducible: Always

Steps to Reproduce:
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-03-02 00:03:24 UTC
Reassigning to net-irc herd.
Comment 2 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2009-03-03 04:16:57 UTC
Notable improvement is upgrading of the packaged c-ares. Even though it's still bad that it compiles c-ares in, it isn't the c-ares-1.4.* addressed in bug 254966 and bug 251464.
So I think this bug deserves security-prompted promotion.
Comment 3 Michael Palimaka (kensington) gentoo-dev 2009-04-14 18:31:58 UTC
Please note that the latest version is now 3.2.8.1 due to a security issue.
Comment 4 Steffen 'j0inty' Stollfuß 2009-04-15 10:48:29 UTC
Created attachment 188420 [details]
unrealircd-3.2.8.1.ebuild

- added both patches that link the binary against the tre and c-ares system library
- added more use flags that are available through ./configure
  # topicisnuhost    Display nick!user@host as the topic setter
  # shunnotices      Notify a user when he/she is no longer shunned
  # no-operoverride  Disable OperOverride
  # disableusermod   Disable /set* and /chg*
  # operoverride-verify  Require opers to invite themselves to +s/+p channels
  # nospoof        Enable spoofing protection
- planned the "static" use flag
- minor updates of function usage in the ebuild (e.g.: use_enable, use_with)
- cleanup RDEPEND and DEPEND variables
- mark as unstable on all platforms
Comment 5 Steffen 'j0inty' Stollfuß 2009-04-15 10:49:27 UTC
Created attachment 188422 [details, diff]
unrealircd-system-tre.patch
Comment 6 Steffen 'j0inty' Stollfuß 2009-04-15 10:49:51 UTC
Created attachment 188424 [details, diff]
unrealircd-system-cares.patch
Comment 7 Steffen 'j0inty' Stollfuß 2009-04-15 10:58:45 UTC
Created attachment 188426 [details]
unrealircd-3.2.8.1.ebuild

Sry. Forgot to save the file in the editor before uploading it here. So some minor changes were missing (e.g.: mark unstable on all platforms)
Comment 8 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2009-04-15 13:51:36 UTC
(In reply to comment #3)
> Please note that the latest version is now 3.2.8.1 due to a security issue.
 
Please also note that all versions of UnrealIRCD from ``3.2beta11'' through 3.2.8 are affected. This includes net-irc/unrealircd-3.2.7 in Portage now. When the server runs with the allow::options::noident flag, anyone with an overlong username can SEGFAULT the IRCD by having an overlong IRC username. See http://forums.unrealircd.com/viewtopic.php?t=6204 for the UnrealIRCD project's security announcement.

I think this is a compelling reason to bump unrealircd and ``punt'' the old versions.
Comment 9 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2009-04-15 23:09:30 UTC
Created attachment 188507 [details]
hopefully improved unrealircd-3.2.8.1.ebuild

(In reply to comment #7)
> Created an attachment (id=188426) [edit]
> unrealircd-3.2.8.1.ebuild
> 
> Sry. Forgot to save the file in the editor before uploading it here. So some
> minor changes were missing (e.g.: mark unstable on all platforms)
> 

When the user builds without USE="curl", --disable-curl is passed to ./configure. UnrealIRCD's buildscripts can't handle that:
``./configure: line 12962: no/bin/curl-config: No such file or directory
./configure: line 12963: no/bin/curl-config: No such file or directory''
This problem affects almost every configurable part of UnrealIRCD. For all other features where there is an --enable-feature, passing configure --disable-feature acts the same as passing --disable-feature. My ebuild doesn't use --disable-* (reverting back to the style of unrealircd-3.2.7). It also fixes some of the other problems I think exist.

sed was removed from RDEPEND because it's not a runtime dependency -- it should only be in DEPEND.

UnrealIRCD runs fine for me with >=net-dns/c-ares-1.5.3. I don't think there are changes in c-ares's API that would require stabilizing c-ares-1.6.0 just for unrealircd. See http://cool.haxx.se/cvs.cgi/curl/ares/RELEASE-NOTES?rev=1.24&only_with_tag=cares-1_6_0&content-type=text/vnd.viewcvs-markup

I upgraded the ebuild to EAPI="2" so that it can depend on useflag for "net-misc/curl[ares,-ipv6]". However, I'm not sure if curl needs the ares useflag set for unrealircd to run - it seems to compile fine on my machine though I don't use the remote includes feature. I also set some defaults in IUSE to match the defaults of UnrealIRCD's ./Config script.
Comment 10 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2009-04-16 02:20:51 UTC
(In reply to comment #9)
> Created an attachment (id=188507) [edit]

I'm sorry for the mistakes in my previous comment.
> When the user builds without USE="curl", --disable-curl is passed to
I should have said ``with USE="-curl"''

> ./configure. UnrealIRCD's buildscripts can't handle that:
> ``./configure: line 12962: no/bin/curl-config: No such file or directory
> ./configure: line 12963: no/bin/curl-config: No such file or directory''
> This problem affects almost every configurable part of UnrealIRCD. For all
> other features where there is an --enable-feature, passing configure
> --disable-feature acts the same as passing --disable-feature. My ebuild doesn't
I should have said ``--disable-feature acts the same as passing --enable-feature''. Thus, the ebuild should only pass --enable-feature and never --disable-feature
> use --disable-* (reverting back to the style of unrealircd-3.2.7). It also
> fixes some of the other problems I think exist.
> 
> sed was removed from RDEPEND because it's not a runtime dependency -- it should
> only be in DEPEND.
> 
> I upgraded the ebuild to EAPI="2" so that it can depend on useflag for
> "net-misc/curl[ares,-ipv6]". However, I'm not sure if curl needs the ares
> useflag set for unrealircd to run - it seems to compile fine on my machine
> though I don't use the remote includes feature. I also set some defaults in
> IUSE to match the defaults of UnrealIRCD's ./Config script.
> 
I am running an unrealircd linked to a libcurl that doesn't have ares support (AFAIK), so I think the RDEPEND="net-misc/curl[ares,-ipv6]" could just be DEPEND="net-misc/curl"
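
The configure behaviour described in comments 9 and 10, modelled as an added example (not part of the original thread and not UnrealIRCd's actual configure code): autoconf runs an option's handler for `--disable-X` as well as `--enable-X`, so a handler that never checks the value turns the feature on either way, and one that treats the value as a path ends up with `no/bin/curl-config`. All function names are hypothetical; the `nospoof` and `curl` option names are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added illustration; all function names here are hypothetical.

# Autoconf treats --enable-X, --enable-X=V and --disable-X alike as "option
# given"; only the value handed to the handler (enableval) differs.
parse_opt() {   # parse_opt FEATURE OPTION -> prints enableval, 1 if no match
    case $2 in
        "--enable-$1")    echo yes ;;
        "--enable-$1="*)  echo "${2#*=}" ;;
        "--disable-$1")   echo no ;;
        *) return 1 ;;
    esac
}

# Buggy handler: acts as soon as the option is given, never reads enableval.
buggy_feature() {
    if parse_opt "$1" "$2" >/dev/null; then echo enabled; else echo disabled; fi
}

# Corrected handler: an enableval of "no" means the feature stays off.
fixed_feature() {
    val=$(parse_opt "$1" "$2") || { echo disabled; return 0; }
    if [ "$val" = no ]; then echo disabled; else echo enabled; fi
}

# Buggy path-valued handler: uses enableval as an install prefix unchecked.
buggy_curl_config() {
    val=$(parse_opt "$1" "$2") || return 0
    echo "$val/bin/curl-config"
}

# Ebuild-side workaround from the thread: emit --enable-X when the USE flag
# is on and nothing at all when it is off (never --disable-X).
enable_only() {   # enable_only on|off FEATURE
    if [ "$1" = on ]; then echo "--enable-$2"; fi
}

# Constructed sample invocations.
for opt in --enable-nospoof --disable-nospoof; do
    echo "$opt: buggy=$(buggy_feature nospoof "$opt") fixed=$(fixed_feature nospoof "$opt")"
done
echo "--disable-curl resolves to: $(buggy_curl_config curl --disable-curl)"
```
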
Comment 11 Vadim A. Misbakh-Soloviov (mva) gentoo-dev 2009-04-16 19:30:35 UTC
please, add RESTRICT="mirror" in ebuild.
Comment 12 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2009-04-17 01:49:48 UTC
(In reply to comment #11)
> please, add RESTRICT="mirror" in ebuild.
Why is this needed?
Comment 13 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2009-04-17 01:58:44 UTC
Created attachment 188632 [details]
suggested metadata.xml describing new useflags
Comment 14 Steffen 'j0inty' Stollfuß 2009-04-17 17:28:14 UTC
Created attachment 188703 [details, diff]
unrealircd-3.2.8.1.ebuild.patch

Hi,

this is a patch for attachment http://bugs.gentoo.org/attachment.cgi?id=188507.

This is the unrealircd-3.2.8.1.ebuild file from Nathan Brink. The patch fixes the configure arguments for the two use flags.
Comment 15 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2009-04-17 17:52:14 UTC
Created attachment 188705 [details]
updated unrealircd-3.2.8.1.ebuild

Thanks for pointing out my incorrect --enable- flags, j0inty.
This applies j0inty's patch and also removes the dependence on libcurl's cares useflag, as adding cares to libcurl doesn't change curl's API.
Comment 16 Tomáš Chvátal (RETIRED) gentoo-dev 2009-11-14 01:36:15 UTC
3.2.8.1 with required QA touches added to main tree. Removed the old affected version.

Security, please proceed.

As a side note, this is a pure QA non-maintainer commit, since we try to lower QA breakages in the main tree.

Cheers
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2009-11-14 10:11:16 UTC
Thanks everyone for your work.

Arches, please test and mark stable:
=net-irc/unrealircd-3.2.8.1
Target keywords : "ppc sparc x86"

Please proceed quickly, the old ebuild with stable keywords has accidentally been removed.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2009-11-16 14:41:43 UTC
  16 Nov 2009; Robert Buchholz <rbu@gentoo.org> +unrealircd-3.2.7-r2.ebuild:
  Re-add old stable until the new one is stable
Comment 19 Steffen 'j0inty' Stollfuß 2009-11-16 19:57:42 UTC
Hi,

We have been using unrealircd-3.2.8.1 for months now, without any problems yet.
We had it installed on several x86 and x86-64 machines here for our irc network with ssl and zip support for the server communication and ssl client support.

If you need more information about the system configuration, let me know.

regards
j0inty
Comment 20 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-18 18:21:01 UTC
x86 stable
Comment 21 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-18 18:34:27 UTC
I should add: Thanks Steffen for the feedback.
Comment 22 Steffen 'j0inty' Stollfuß 2009-11-20 21:38:31 UTC
Created attachment 210745 [details, diff]
unrealircd.rc-correct-pidfile-handling.patch

Hi,

In the past I noticed that the init script doesn't work very well and every time you try to restart the daemon you have to stop, zap and start it. So today I modified the old initscript to work with the pidfile, set by the installation process through the ebuild, and to handle the start/stop/reload and restart processes correctly.

Please check the patch for errors or QA missings and add the new init.d script to the tree.

regards
j0inty
Comment 23 nixnut (RETIRED) gentoo-dev 2009-11-21 19:34:21 UTC
ppc stable
Comment 24 Raúl Porcel (RETIRED) gentoo-dev 2009-12-09 18:54:04 UTC
sparc stable
Comment 25 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-14 17:11:06 UTC
GLSA together with bug 323965.

CVE is requested on oss-sec. GLSA will be sent w/o reference and updated later due to the severity of the #323965 issue.
Comment 26 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-14 17:11:59 UTC
(In reply to comment #25)
> GLSA together with bug 323965.

Correction: bug 323691
Comment 27 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-14 19:22:05 UTC
GLSA 201006-21
Comment 28 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-26 11:34:39 UTC
*** Bug 325547 has been marked as a duplicate of this bug. ***