Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 593292 (CVE-2016-7143) - net-irc/charybdis: certificate spoofing through crafted SASL message
Summary: net-irc/charybdis: certificate spoofing through crafted SASL message
Status: RESOLVED FIXED
Alias: CVE-2016-7143
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Deadline: 2017-07-05
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [ebuild cve]
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2016-09-09 13:44 UTC by Agostino Sarubbo
Modified: 2018-02-23 16:19 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-09-09 13:44:10 UTC
From ${URL} :

>> This vulnerability allows any attacker to spoof certificate
>> fingerprints via crafted SASL messages to the IRCd. This allows any
>> user to login as any other user that they know the certificate
>> fingerprint of, and that user has services configured to accept SASL
>> EXTERNAL login requests for.
>> This bug appears more widespread than just InspIRCd, and seems to
>> affect most or all other implementations of SASL EXTERNAL, including
>> Charybdis and UnrealIRCd.
> It seems to also affect Charybdis, which fixed the issue in the
> upcoming 3.5.3 release:
>
> https://github.com/charybdis-ircd/charybdis/commit/818a3fda944b26d4814132cee14cfda4ea4aa824



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 18:02:58 UTC
v3.5.3 is the first released version containing the fix.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-06-05 16:20:23 UTC
# Michał Górny <mgorny@gentoo.org> (05 Jun 2017)
# (on behalf of Treecleaner project)
# Unmaintained in Gentoo. Security vulnerability.
# Removal in 30 days. Bug #562896.
net-irc/charybdis
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-07-05 10:50:01 UTC
commit b6e6234008767ec82ed0fb1642b3f933d94e5f8f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Wed Jul 5 12:32:14 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Wed Jul 5 12:35:23 2017

    net-irc/charybdis: Remove last-rited pkg, #562896
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-23 16:19:18 UTC
All done: Package was removed, repository is clean. No need for a removal GLSA.