Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 593290 (CVE-2016-7142) - <net-irc/inspircd-2.0.23: certificate spoofing through crafted SASL message
Summary: <net-irc/inspircd-2.0.23: certificate spoofing through crafted SASL message
Status: RESOLVED FIXED
Alias: CVE-2016-7142
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa/cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-09 13:36 UTC by Agostino Sarubbo
Modified: 2017-03-07 21:30 UTC (History)
1 user (show)

See Also:
Package list:
=net-irc/inspircd-2.0.23
Runtime testing required: ---
stable-bot: sanity-check+


Attachments
inspircd 2.0.23 (0001-net-irc-inspircd-2.0.23-Version-bump-593290.patch,15.98 KB, patch)
2017-02-19 20:03 UTC, A. Wilcox (awilfox)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-09-09 13:36:59 UTC
From ${URL} :

>> This vulnerability allows any attacker to spoof certificate
>> fingerprints via crafted SASL messages to the IRCd. This allows any
>> user to login as any other user that they know the certificate
>> fingerprint of, and that user has services configured to accept SASL
>> EXTERNAL login requests for.

>> https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-11-18 17:54:06 UTC
@ maintainer(s): v2.0.23 which contains the fix is available since 2016-09-03.
Comment 2 A. Wilcox (awilfox) 2017-02-19 20:03:35 UTC
Created attachment 464364 [details, diff]
inspircd 2.0.23

Bugzie appears to have eaten the emails about this.  I never saw this in "bugs assigned to me", because of course, it's assigned to a security@ alias instead of a person that can fix it.

Attached is a bump, fully tested (build, run, and client connect) on x86_64 and PPC64.
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-02-21 19:18:28 UTC
PR: https://github.com/gentoo/gentoo/pull/4035
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-02-25 23:57:43 UTC
Now in repository. Let's wait until 2017-02-27 before we start stabilization.
Comment 5 Agostino Sarubbo gentoo-dev 2017-03-03 09:02:53 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-03-04 13:46:47 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2017-03-07 21:30:17 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No