Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 593292 (CVE-2016-7143) - net-irc/charybdis: certificate spoofing through crafted SASL message
Summary: net-irc/charybdis: certificate spoofing through crafted SASL message
Alias: CVE-2016-7143
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Deadline: 2017-07-05
Assignee: Gentoo Security
Whiteboard: B3 [ebuild cve]
Keywords: PMASKED
Depends on:
Reported: 2016-09-09 13:44 UTC by Agostino Sarubbo
Modified: 2018-02-23 16:19 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-09-09 13:44:10 UTC
From ${URL} :

>> This vulnerability allows any attacker to spoof certificate
>> fingerprints via crafted SASL messages to the IRCd. This allows any
>> user to login as any other user that they know the certificate
>> fingerprint of, and that user has services configured to accept SASL
>> EXTERNAL login requests for.
>> This bug appears more widespread than just InspIRCd, and seems to
>> affect most or all other implementations of SASL EXTERNAL, including
>> Charybdis and UnrealIRCd.
> It seems to also affect Charybdis, which fixed the issue in the
> upcoming 3.5.3 release:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 18:02:58 UTC
v3.5.3 is the first released version containing the fix.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-06-05 16:20:23 UTC
# Michał Górny <> (05 Jun 2017)
# (on behalf of Treecleaner project)
# Unmaintained in Gentoo. Security vulnerability.
# Removal in 30 days. Bug #562896.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-07-05 10:50:01 UTC
commit b6e6234008767ec82ed0fb1642b3f933d94e5f8f
Author:     Michał Górny <>
AuthorDate: Wed Jul 5 12:32:14 2017
Commit:     Michał Górny <>
CommitDate: Wed Jul 5 12:35:23 2017

    net-irc/charybdis: Remove last-rited pkg, #562896
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-23 16:19:18 UTC
All done: Package was removed, repository is clean. No need for a removal GLSA.