Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 79705 - net-irc/ngircd: Multiple vulnerabilities
Summary: net-irc/ngircd: Multiple vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa] koon
Depends on:
Reported: 2005-01-27 05:32 UTC by Florian Westphal
Modified: 2005-01-28 14:09 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Florian Westphal 2005-01-27 05:32:57 UTC
There is a buffer overflow in ngircd, src/ngircd/lists.c; in Lists_MakeMask().
It is caused by an integer underflow in line 317:

317  strlcpy( TheMask, Pattern, sizeof( TheMask ) - strlen( at ) - 4 );

strlen( at ) - 4 can be larger than sizeof( TheMask ).

Reproducible: Always
Steps to Reproduce:
1. netcat / telnet to a ngirc daemon.
2. type
USER a b c d
JOIN \#b
MODE \#b +b
Actual Results:  
Daemon segfaults.

Expected Results:  
Truncate the string.

Fixed in ngircd 0.8.2.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 05:45:02 UTC
Many thanks for letting us know so fast, Florian.
net-irc team please bump to newest package.
Comment 2 Sven Wegener gentoo-dev 2005-01-27 07:23:12 UTC
net-irc/ngircd-0.8.2 in CVS and stable on x86.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 08:07:46 UTC
GLSA drafted.
Florian: couldn't that vulnerability also be used to execute arbitrary code ?
Comment 4 Florian Westphal 2005-01-27 09:16:32 UTC
I was only able to crash the server, but this is most likely because of my clumsy efforts. Given that the input comes from the client (and is under very few restrictions) someone more skilled might be able to exploit this.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-01-28 14:09:09 UTC
GLSA 200501-40