Bug 307437 (CVE-2009-4652) - <net-irc/ngircd-17.1 linked server MOTD DoS (CVE-2009-4652)
Summary: <net-irc/ngircd-17.1 linked server MOTD DoS (CVE-2009-4652)
Status: RESOLVED FIXED
Alias: CVE-2009-4652
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://ngircd.barton.de/doc/NEWS
Whiteboard: B3 [noglsa]
Reported: 2010-03-02 09:29 UTC by Alex Legler (RETIRED)
Modified: 2013-10-06 14:18 UTC
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-02 09:29:12 UTC
CVE-2009-4652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4652):
  The (1) Conn_GetCipherInfo and (2) Conn_UsesSSL functions in
  src/ngircd/conn.c in ngIRCd 13 and 14, when SSL/TLS support is
  present and standalone mode is disabled, allow remote attackers to
  cause a denial of service (application crash) by sending the MOTD
  command from another server in the same IRC network, possibly related
  to an array index error.
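The bug class the NVD text describes, as an added example that is not ngIRCd's own code: a hypothetical, simplified connection table in which a client introduced by a linked server carries the sentinel index NONE, and the SSL lookups reject that sentinel before indexing the array. The names (conn_uses_ssl, conn_get_cipher_info, motd_connection_line, my_connections) and the shape of the guard are assumptions modelled on the description, not the upstream patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified model, not ngIRCd's source. A client introduced by
 * a linked server has no local connection, so its connection index is the
 * sentinel NONE (-1); using that sentinel as an array index reads outside
 * the table, which is the array index error the CVE text describes. */
#define NONE (-1)
#define MAX_CONNECTIONS 8

typedef int CONN_ID;

struct connection {
    bool in_use;
    bool uses_ssl;
    const char *cipher;   /* e.g. "AES256-SHA" when uses_ssl is set */
};

static struct connection my_connections[MAX_CONNECTIONS];

/* Hardened lookup: reject NONE and out-of-range indices before touching the
 * array. A remote client never has a local TLS link, so false is correct. */
bool conn_uses_ssl(CONN_ID idx)
{
    if (idx < 0 || idx >= MAX_CONNECTIONS)
        return false;
    return my_connections[idx].in_use && my_connections[idx].uses_ssl;
}

/* Cipher name of a local TLS connection, or NULL when there is none. */
const char *conn_get_cipher_info(CONN_ID idx)
{
    return conn_uses_ssl(idx) ? my_connections[idx].cipher : NULL;
}

/* MOTD handler: builds the "you are connected ..." line for the requester.
 * conn is NONE when the MOTD command arrived from another server. */
int motd_connection_line(CONN_ID conn, char *buf, size_t len)
{
    const char *cipher = conn_get_cipher_info(conn);
    if (cipher)
        return snprintf(buf, len, "You are connected using TLS (%s)", cipher);
    return snprintf(buf, len, "You are connected in plain text");
}
```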
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 10:31:12 UTC
ngircd has a stable (and likely vulnerable) version on x86 and ppc. Maintainers, are we ok to stabilize an unaffected version? Also, we should remove the vulnerable versions from the tree.

Note: 0.12.1 -> 13 is just a versioning scheme change. I think the 0.x versions are also vulnerable.
Comment 2 Agostino Sarubbo gentoo-dev 2011-09-10 17:24:43 UTC
@net-irc

ping
Comment 3 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2011-09-10 22:55:11 UTC
(In reply to comment #1)
> ngircd has a stable (and likely vulnerable) version on x86 and ppc.
> Maintainers, are we ok to stabilize an unaffected version?

Please feel free to stabilize ngircd-17.1.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-09-10 23:42:32 UTC
(In reply to comment #3)
> 
> Please feel free to stabilize ngircd-17.1.

Great, thanks (and thanks, Agostino).

Arches, please test and mark stable:
=net-irc/ngircd-17.1
Target keywords : "ppc x86"
Comment 5 Jeff (JD) Horelick (RETIRED) gentoo-dev 2011-09-11 00:35:16 UTC
Archtested on x86: Everything fine
Comment 6 Thomas Kahle (RETIRED) gentoo-dev 2011-09-12 18:19:38 UTC
x86 stable. Thanks JD.
Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-22 11:30:32 UTC
ppc keywords dropped
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-09-22 14:17:05 UTC
Thanks, folks. GLSA Vote: yes.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-08 22:33:17 UTC
GLSA vote: NO.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:38:13 UTC
Vote: NO. Closing noglsa.
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-06 14:18:58 UTC
Actually closing.