Bug 215704 (CVE-2008-1925) - net-irc/inspircd <1.1.19 namesx and uhnames DoS (CVE-2008-1925)
Summary: net-irc/inspircd <1.1.19 namesx and uhnames DoS (CVE-2008-1925)
Status: RESOLVED FIXED
Alias: CVE-2008-1925
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.inspircd.org/forum/showthr...
Whiteboard: B3 [glsa]
Keywords:
Depends on: 218880
Blocks:
Reported: 2008-04-01 14:00 UTC by Robert Buchholz (RETIRED)
Modified: 2008-05-23 14:03 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
1.1.18 ebuild by satmd (inspircd-1.1.18.ebuild,3.31 KB, text/plain)
2008-04-01 18:51 UTC, Craig Edwards
updated on 2008-04-15 (inspircd-1.1.18.ebuild,3.32 KB, text/plain)
2008-04-15 14:06 UTC, satmd

Description Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 14:00:42 UTC
Upstream site:
This is a HIGHLY RECOMMENDED release. You SHOULD upgrade to it ASAP as it contains security fixes.
...
If you use a version prior to 1.1.18 and you do NOT use m_namesx, you should update to 1.1.18 on the fly, then load m_namesx to avoid using code vulnerable to a crash.

If you use either uhnames or namesx, you should reload both of those modules after upgrading.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 14:04:56 UTC
I wrote an email to Craig Edwards to see whether he has a new proxy maintainer or no interest anymore.
Comment 2 Craig Edwards 2008-04-01 18:19:53 UTC
I don't know who to ask about proxy maintaining of this - to be honest, maintaining packages is not my area of expertise.

I can get a 1.1.18 ebuild done for this and will submit it as a patch to this bug for whoever has access to apply.
Comment 3 Craig Edwards 2008-04-01 18:51:28 UTC
Created attachment 147990
1.1.18 ebuild by satmd

should work fine for 1.1.18 release, fixes crashbug in NAMES when certain configurations are enabled.
Comment 4 Craig Edwards 2008-04-06 23:04:48 UTC
anything happening with this?
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-04-07 00:36:14 UTC
Sorry Craig, the fact that this does not have a dedicated maintainer is keeping things at a slow pace. I'll look into committing this tomorrow, hopefully.
Comment 6 Craig Edwards 2008-04-07 21:10:18 UTC
Thanks Robert :-)
Much appreciated
Comment 7 satmd 2008-04-15 14:05:51 UTC
The ebuilds are from my local repo at http://lain.at/dev/portage_overlay/net-irc/inspircd/ - where I have submitted an updated ebuild just yesterday (adding ldap to IUSE). 
Comment 8 satmd 2008-04-15 14:06:35 UTC
Created attachment 149809
updated on 2008-04-15
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 18:51:35 UTC
I'll be bumping this to 1.1.19 after discussion in bug 218880 is done.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 19:06:11 UTC
1.1.19 is in the tree. Craig, satmd, it would be great if I could get some feedback from you guys whether the ebuild is working ok. Then I'll add arches for a fast stabling.
Comment 11 Craig Edwards 2008-04-23 20:49:42 UTC
works fine for me :-)
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 21:04:17 UTC
Craig, thanks for testing.

Arches, please test and mark stable:
=net-irc/inspircd-1.1.19
Target keywords : "ppc release x86"
Comment 13 Markus Meier gentoo-dev 2008-04-26 11:06:25 UTC
  26 Apr 2008; Markus Meier <maekke@gentoo.org> inspircd-1.1.19.ebuild:
  fix cp for openssl in src_unpack, fix ipv6 detection, x86 stable (security
  bug #215704)
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-28 17:45:44 UTC
ppc stable
Comment 15 Peter Volkov (RETIRED) gentoo-dev 2008-04-29 05:41:10 UTC
Fixed in release snapshot.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-06 14:20:31 UTC
time for GLSA vote here. DoS on an IRC server... *sigh*. I vote yes.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-05-06 14:50:40 UTC
YES, filed.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-05-09 14:34:11 UTC
GLSA 200805-08