From ${URL} :

Description
Two vulnerabilities have been reported in ngIRCd, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerabilities are caused due to the "Conn_StartLogin()" and "cb_Read_Resolver_Result()" functions (ngircd/conn.c) not properly checking the return value of the "Handle_Write()" function and can be exploited to cause crashes.

Successful exploitation of the vulnerabilities requires "NoticeAuth" configuration to be enabled (disabled by default).

The vulnerabilities are reported in versions prior to 20.3.

Solution:
Update to version 20.3.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://arthur.barton.de/pipermail/ngircd-ml/2013-August/000645.html

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Maintainer timeout.

Arches, please test and stabilize:
=net-irc/ngircd-20.3
Target arch: x86
CVE-2013-5580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5580): The (1) Conn_StartLogin and (2) cb_Read_Resolver_Result functions in conn.c in ngIRCd 18 through 20.2, when the configuration option NoticeAuth is enabled, do not properly handle the return code for the Handle_Write function, which allows remote attackers to cause a denial of service (assertion failure and server crash) via unspecified vectors, related to a "notice auth" message not being sent to a new client.
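The unchecked-return pattern described in the advisory and the CVE text above, as an added C illustration that is not ngIRCd's code and not part of the original thread. The names `struct conn`, `handle_write`, `start_login_unchecked` and `start_login_checked` are hypothetical stand-ins, and the socket invariant is an assumption about how such an assertion is typically written.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified, hypothetical model of the bug class; not ngIRCd source code. */
#define NO_SOCK (-1)
enum login_result { LOGIN_OK, LOGIN_STOPPED, LOGIN_USED_CLOSED_CONN };
struct conn { int sock; bool peer_gone; bool notice_auth; };

/* Constructed sample connection (socket number 7 is arbitrary). */
static struct conn make_conn(bool peer_gone, bool notice_auth)
{
    struct conn c = { 7, peer_gone, notice_auth };
    return c;
}

/* Stand-in write routine: closes the connection on failure, returns false. */
static bool handle_write(struct conn *c)
{
    if (c->peer_gone) {
        c->sock = NO_SOCK;
        return false;
    }
    return true;
}

/* Unchecked: result dropped, login continues on a closed connection. A server
 * asserting c->sock > NO_SOCK later would abort; the model reports it instead. */
static enum login_result start_login_unchecked(struct conn *c)
{
    if (c->notice_auth)
        (void)handle_write(c);
    return c->sock > NO_SOCK ? LOGIN_OK : LOGIN_USED_CLOSED_CONN;
}

/* Checked: stop when the write fails, so the invariant holds afterwards. */
static enum login_result start_login_checked(struct conn *c)
{
    if (c->notice_auth && !handle_write(c))
        return LOGIN_STOPPED;
    assert(c->sock > NO_SOCK);
    return LOGIN_OK;
}

int main(void)
{
    struct conn a = make_conn(true, true), b = make_conn(true, true);
    printf("unchecked=%d checked=%d\n", start_login_unchecked(&a), start_login_checked(&b));
    return 0;
}
```

With the notice option off in this model, the write is never attempted during login, which matches the advisory's statement that the issue requires "NoticeAuth" to be enabled.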
x86 stable
GLSA vote: no.
GLSA vote: no, closing noglsa.