Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 562896 (CVE-2015-5290) - net-irc/charybdis: memory leak (CVE-2015-5290)
Summary: net-irc/charybdis: memory leak (CVE-2015-5290)
Status: RESOLVED FIXED
Alias: CVE-2015-5290
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Deadline: 2017-07-05
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-12 08:12 UTC by Agostino Sarubbo
Modified: 2017-08-06 17:31 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
quickly thrown together. src_prepare sed pieces removed. So double check conf file setup. (charybdis-3.5.2.ebuild,2.02 KB, text/plain)
2016-07-05 10:16 UTC, Aaron Bauman (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-10-12 08:12:17 UTC
From ${URL} :

Elemental-IRCd Security Release: 2015-10-07
===========================================

CVE-2015-5290

Elemental-IRCd reference code: e50b0d59-f3c5-4472-a3cd-e2e07731417c

Permanent link: http://elemental-ircd.com/security/e50b0d59-f3c5-4472-a3cd-e2e07731417c

Distribution of this document is unlimited and encouraged as long as it
remains unchanged.

## Summary

Elemental-IRCd is an Internet Relay Chat (IRC / RFC 1459) daemon intended
for stable, secure deployments for both private and public-facing users. It
provides quick messaging across servers, even when deployed on a global
scale. One of the recent goals of the project has been to limit memory
leaks and test functionality to ensure quality for all users.

While looking for resource leaks and other things to test inside
Elemental-IRCd git master, we stumbled on an unfortunate programming error
in how the MONITOR command was handled that can lead to a system
out-of-memory event if an attacker hammers at the MONITOR command over and
over.

## Affected Daemons

In our testing, the following IRC daemons were affected:

ircd-ratbox 3.0.8, SVN trunk and older
charybdis 3.5-dev and older
ircd-seven 1.1.3 and older
Elemental-IRCd 6.6.2 and older
Other derivatives of these daemons will be affected as well unless for some
reason they came across and fixed that issue before this release.

## Vulnerability Information

Public release date: 2015-10-07
CVE: CVE-2015-5290
CVSS v3:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:W/RC:C/CR:H/IR:L/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MC:L/MI:N/MA:H
CVSS score: 8.8 / 8.6 / 9.5
Attack complexity: Trivial (less than 30 lines of code)

## Notes

If applying these patches is somehow impossible, the attack can be
completely mitigated by unloading the m_monitor.so module using the
following command provided you have permission to load and unload modules:

    /MODUNLOAD m_monitor.so

The required privilege to do this is defined as the admin flag inside the
flags section of the relevant operator{} block in the configuration
(OLD:O:Line).

This patch can be applied at runtime and will automatically garbage-collect
any memory that has been leaked in the past.

A full set of technical details will be released as soon as it is confirmed
that major IRC networks affected by this have been patched.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-02-26 13:12:02 UTC
3.5.0 is available upstream:

https://github.com/charybdis-ircd/charybdis/releases

Additionally, a patch is available for 3.4.2:

http://elemental-ircd.com/security/e50b0d59-f3c5-4472-a3cd-e2e07731417c/
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-07-05 09:54:56 UTC
ping for ebuild.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-05 10:16:11 UTC
Created attachment 439776 [details]
quickly thrown together.  src_prepare sed pieces removed.  So double check conf file setup.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-11-28 08:10:43 UTC
no rdeps.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-06-05 16:20:25 UTC
# Michał Górny <mgorny@gentoo.org> (05 Jun 2017)
# (on behalf of Treecleaner project)
# Unmaintained in Gentoo. Security vulnerability.
# Removal in 30 days. Bug #562896.
net-irc/charybdis
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-07-05 10:50:03 UTC
commit b6e6234008767ec82ed0fb1642b3f933d94e5f8f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Wed Jul 5 12:32:14 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Wed Jul 5 12:35:23 2017

    net-irc/charybdis: Remove last-rited pkg, #562896
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-08-03 16:56:27 UTC
Nothing more for us to do here, unCC-ing to avoid cluttering search results.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2017-08-06 17:31:20 UTC
GLSA Vote: No