Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 449544 - <net-irc/charybdis-3.4.2: remote crash flaw (CVE-2012-6084)
Summary: <net-irc/charybdis-3.4.2: remote crash flaw (CVE-2012-6084)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-01 08:14 UTC by Agostino Sarubbo
Modified: 2014-05-18 17:49 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-01-01 08:14:15 UTC
From $URL :

Hi All,

Saw this report about Charybdis and ircd-ratbox remote crash flaw at:

http://rabbit.dereferenced.org/~nenolod/ASA-2012-12-31.txt
http://tech.slashdot.org/story/12/12/31/2241229/efnet-paralyzed-by-vulnerability

Researcher advisory suggests both the products are affected.

Sadly i could not get the contact details of either of the products
to copy on this email.

Should we be assigning CVEs to these issues?
Comment 1 Jeff (JD) Horelick (RETIRED) gentoo-dev 2013-01-01 22:54:04 UTC
A CVE has been filed: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6084

This issue also effects =net-irc/shadowircd-6.3.2.1 , a fixed shadowircd is in the tree (6.3.3)
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-01-03 11:42:14 UTC
CVE-2012-6084 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6084):
  modules/m_capab.c in (1) ircd-ratbox before 3.0.8 and (2) Charybdis before
  3.4.2 does not properly support capability negotiation during server
  handshakes, which allows remote attackers to cause a denial of service (NULL
  pointer dereference and daemon crash) via a malformed request.
Comment 3 Jeff (JD) Horelick (RETIRED) gentoo-dev 2013-01-03 15:38:44 UTC
Arches can go ahead and stabilise charybdis-3.4.2 ...I was going to file a STABLEREQ for 3.4.1 soon anyway.
Comment 4 Agostino Sarubbo gentoo-dev 2013-01-03 19:58:58 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-01-03 19:59:19 UTC
x86 stable
Comment 6 Sean Amoss gentoo-dev Security 2013-01-03 20:34:47 UTC
GLSA vote: yes. 

I also vote that we combine this in the same GLSA as ShadowIRCd.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2013-01-03 22:20:07 UTC
GLSA Vote: yes, and agreed. Added to request for 449790.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-05-18 17:49:13 UTC
This issue was resolved and addressed in
 GLSA 201405-21 at http://security.gentoo.org/glsa/glsa-201405-21.xml
by GLSA coordinator Sean Amoss (ackle).