- ngIRCd GIT Updates - lists.barton.de

Federico G. Schwindt : Cosmetic changes to METADATA
by alex＠arthur.barton.de 25 Aug '13

25 Aug '13

Module: ngircd.git Branch: master Commit: 086cf3a2723e2dcc8e1acf49d166e254fe22e7cf URL: http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git&a=commit;h=086cf3a2… Author: Federico G. Schwindt <fgsch(a)lodoss.net> Date: Sun Aug 25 05:26:08 2013 +0100 Cosmetic changes to METADATA Update certfp and sort entries. --- doc/Protocol.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/Protocol.txt b/doc/Protocol.txt index ae290dd..6b3cfbc 100644 --- a/doc/Protocol.txt +++ b/doc/Protocol.txt @@ -225,11 +225,11 @@ new server link", <serverflag> "M"), even if it doesn't support the given The following <key> names are defined: - "accountname": the account name of a client (can't be empty) - - "host": the hostname of a client (can't be empty) + - "certfp": the certificate fingerprint of a client (can't be empty) - "cloakhost": the cloaked hostname of a client + - "host": the hostname of a client (can't be empty) - "info": info text ("real name") of a client - "user": the user name of a client (can't be empty) - - "certfp": the cert fingerprint of a client III. Numerics used by IRC+ Protocol

1 0

Federico G. Schwindt : Fix spelling
by alex＠arthur.barton.de 25 Aug '13

25 Aug '13

Module: ngircd.git Branch: master Commit: a9ffbdea3f3e245326eaa4242f97803b6edad522 URL: http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git&a=commit;h=a9ffbdea… Author: Federico G. Schwindt <fgsch(a)lodoss.net> Date: Thu Aug 22 10:58:36 2013 +0100 Fix spelling --- src/ngircd/irc-metadata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ngircd/irc-metadata.c b/src/ngircd/irc-metadata.c index 14ffe35..9a1398a 100644 --- a/src/ngircd/irc-metadata.c +++ b/src/ngircd/irc-metadata.c @@ -69,7 +69,7 @@ IRC_METADATA(CLIENT *Client, REQUEST *Req) Client_ID(prefix), Client_ID(target), Req->argv[1], Req->argv[2]); - /* Mark client: it has receiveda a METADATA command */ + /* Mark client: it has received a METADATA command */ if (!Client_HasFlag(target, 'M')) { snprintf(new_flags, sizeof new_flags, "%sM", Client_Flags(target));

1 0

Alexander Barton : ngIRCd Release 20.3
by alex＠arthur.barton.de 23 Aug '13

23 Aug '13

Module: ngircd.git Branch: master Commit: 6dc5471a758b75e58f3855f086f1e5ba1676d931 URL: http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git&a=commit;h=6dc5471a… Author: Alexander Barton <alex(a)barton.de> Date: Fri Aug 23 21:54:40 2013 +0200 ngIRCd Release 20.3 (cherry picked from commit bb6e2779636aa6d74bbff474880829f0183a3c94) Conflicts: ChangeLog NEWS --- ChangeLog | 7 +++++++ NEWS | 8 ++++++++ contrib/Debian/changelog | 6 ++++++ contrib/ngircd.spec | 2 +- 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 9fe53c7..1186276 100644 --- a/ChangeLog +++ b/ChangeLog @@ -102,6 +102,13 @@ ngIRCd 21 and then is used to output individual help texts to specific topics. Please see the file ./doc/Commands.txt for details. +ngIRCd 20.3 (2013-08-23) + + - Security: Fix a denial of service bug (server crash) which could happen + when the configuration option "NoticeAuth" is enabled (which is NOT the + default) and ngIRCd failed to send the "notice auth" messages to new + clients connecting to the server (CVE-2013-5580). + ngIRCd 20.2 (2013-02-15) - Security: Fix a denial of service bug in the function handling KICK diff --git a/NEWS b/NEWS index 0b86a43..a8dc433 100644 --- a/NEWS +++ b/NEWS @@ -65,6 +65,14 @@ ngIRCd 21 and then is used to output individual help texts to specific topics. Please see the file ./doc/Commands.txt for details. +ngIRCd 20.3 (2013-08-23) + + - This release is a bugfix release only, without new features. + - Security: Fix a denial of service bug (server crash) which could happen + when the configuration option "NoticeAuth" is enabled (which is NOT the + default) and ngIRCd failed to send the "notice auth" messages to new + clients connecting to the server (CVE-2013-5580). + ngIRCd 20.2 (2013-02-15) - This release is a bugfix release only, without new features. diff --git a/contrib/Debian/changelog b/contrib/Debian/changelog index 2e39af0..396d1d0 100644 --- a/contrib/Debian/changelog +++ b/contrib/Debian/changelog @@ -1,3 +1,9 @@ +ngircd (20.3-0ab1) unstable; urgency=high + + * New "upstream" release, fixing a security related bug: ngIRCd 20.3. + + -- Alexander Barton <alex(a)barton.de> Fri, 23 Aug 2013 21:53:21 +0200 + ngircd (20.2-0ab1) unstable; urgency=high * New "upstream" release, fixing a security related bug: ngIRCd 20.2. diff --git a/contrib/ngircd.spec b/contrib/ngircd.spec index e2448a4..0469313 100644 --- a/contrib/ngircd.spec +++ b/contrib/ngircd.spec @@ -1,5 +1,5 @@ %define name ngircd -%define version 20.2 +%define version 20.3 %define release 1 %define prefix %{_prefix}

1 0

Tag rel-20.3: Alexander Barton : ngIRCd Release 20.3
by alex＠arthur.barton.de 23 Aug '13

23 Aug '13

Module: ngircd.git Branch: refs/tags/rel-20.3 Tag: 9105b221b164dfff7557eb98253a017418ef8e7e URL: http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git&a=tag;h=9105b221b16… Tagger: Alexander Barton <alex(a)barton.de> Date: Fri Aug 23 21:54:59 2013 +0200 ngIRCd Release 20.3

1 0

Alexander Barton : Correctly handle return code of Handle_Write()
by alex＠arthur.barton.de 23 Aug '13

23 Aug '13

Module: ngircd.git Branch: branch-20.x Commit: d24df64397015732bc6cc1c36a4710fc4db271f1 URL: http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git&a=commit;h=d24df643… Author: Alexander Barton <alex(a)barton.de> Date: Wed Aug 21 01:28:49 2013 +0200 Correctly handle return code of Handle_Write() There have been code paths that ignored the return code of Handle_Write() when sending "notice auth" messages to new clients connecting to the server. But because Handle_Write() would have closed the client connection again if an error occurred, this would have resulted in new errors and assert()'s later on that could have crashed the server (denial of service). Only setups having the configuration option "NoticeAuth" enabled are affected, which is not the default. CVE-2013-5580. (cherry picked from commit 309122017ebc6fff039a7cab1b82f632853d82d5) --- src/ngircd/conn.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/ngircd/conn.c b/src/ngircd/conn.c index 80b085a..e3921f9 100644 --- a/src/ngircd/conn.c +++ b/src/ngircd/conn.c @@ -1547,7 +1547,11 @@ Conn_StartLogin(CONN_ID Idx) #endif (void)Conn_WriteStr(Idx, "NOTICE AUTH :*** Looking up your hostname"); - (void)Handle_Write(Idx); + /* Send buffered data to the client, but break on errors + * because Handle_Write() would have closed the connection + * again in this case! */ + if (!Handle_Write(Idx)) + return; } Resolve_Addr(&My_Connections[Idx].proc_stat, &My_Connections[Idx].addr, @@ -2339,8 +2343,13 @@ cb_Read_Resolver_Result( int r_fd, UNUSED short events ) } #endif - if (Conf_NoticeAuth) - (void)Handle_Write(i); + if (Conf_NoticeAuth) { + /* Send buffered data to the client, but break on + * errors because Handle_Write() would have closed + * the connection again in this case! */ + if (!Handle_Write(i)) + return; + } Class_HandleServerBans(c); }

1 0

Alexander Barton : ngIRCd Release 20.3
by alex＠arthur.barton.de 23 Aug '13

23 Aug '13

Module: ngircd.git Branch: branch-20.x Commit: bb6e2779636aa6d74bbff474880829f0183a3c94 URL: http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git&a=commit;h=bb6e2779… Author: Alexander Barton <alex(a)barton.de> Date: Fri Aug 23 21:54:40 2013 +0200 ngIRCd Release 20.3 --- ChangeLog | 10 +++++++++- NEWS | 11 ++++++++++- contrib/Debian/changelog | 6 ++++++ contrib/ngircd.spec | 2 +- 4 files changed, 26 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 08d337f..5920316 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,10 +9,18 @@ -- ChangeLog -- +ngIRCd 20.3 (2013-08-23) + + - Security: Fix a denial of service bug (server crash) which could happen + when the configuration option "NoticeAuth" is enabled (which is NOT the + default) and ngIRCd failed to send the "notice auth" messages to new + clients connecting to the server (CVE-2013-5580). + ngIRCd 20.2 (2013-02-15) - Security: Fix a denial of service bug in the function handling KICK - commands that could be used by arbitrary users to to crash the daemon. + commands that could be used by arbitrary users to to crash the daemon + (CVE-2013-1747). - WHO command: Use the currently "displayed hostname" (which can be cloaked!) for hostname matching, not the real one. In other words: don't display all the cloaked users on a specific real hostname! diff --git a/NEWS b/NEWS index 38f6029..d092510 100644 --- a/NEWS +++ b/NEWS @@ -9,11 +9,20 @@ -- NEWS -- +ngIRCd 20.3 (2013-08-23) + + - This release is a bugfix release only, without new features. + - Security: Fix a denial of service bug (server crash) which could happen + when the configuration option "NoticeAuth" is enabled (which is NOT the + default) and ngIRCd failed to send the "notice auth" messages to new + clients connecting to the server (CVE-2013-5580). + ngIRCd 20.2 (2013-02-15) - This release is a bugfix release only, without new features. - Security: Fix a denial of service bug in the function handling KICK - commands that could be used by arbitrary users to to crash the daemon. + commands that could be used by arbitrary users to to crash the daemon + (CVE-2013-1747). ngIRCd 20.1 (2013-01-02) diff --git a/contrib/Debian/changelog b/contrib/Debian/changelog index 2e39af0..396d1d0 100644 --- a/contrib/Debian/changelog +++ b/contrib/Debian/changelog @@ -1,3 +1,9 @@ +ngircd (20.3-0ab1) unstable; urgency=high + + * New "upstream" release, fixing a security related bug: ngIRCd 20.3. + + -- Alexander Barton <alex(a)barton.de> Fri, 23 Aug 2013 21:53:21 +0200 + ngircd (20.2-0ab1) unstable; urgency=high * New "upstream" release, fixing a security related bug: ngIRCd 20.2. diff --git a/contrib/ngircd.spec b/contrib/ngircd.spec index e2448a4..0469313 100644 --- a/contrib/ngircd.spec +++ b/contrib/ngircd.spec @@ -1,5 +1,5 @@ %define name ngircd -%define version 20.2 +%define version 20.3 %define release 1 %define prefix %{_prefix}

1 0

Alexander Barton : Correctly handle return code of Handle_Write()
by alex＠arthur.barton.de 23 Aug '13

23 Aug '13

Module: ngircd.git Branch: master Commit: 309122017ebc6fff039a7cab1b82f632853d82d5 URL: http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git&a=commit;h=30912201… Author: Alexander Barton <alex(a)barton.de> Date: Wed Aug 21 01:28:49 2013 +0200 Correctly handle return code of Handle_Write() There have been code paths that ignored the return code of Handle_Write() when sending "notice auth" messages to new clients connecting to the server. But because Handle_Write() would have closed the client connection again if an error occurred, this would have resulted in new errors and assert()'s later on that could have crashed the server (denial of service). Only setups having the configuration option "NoticeAuth" enabled are affected, which is not the default. CVE-2013-5580. --- src/ngircd/conn.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/ngircd/conn.c b/src/ngircd/conn.c index 30dfd09..8d72c1c 100644 --- a/src/ngircd/conn.c +++ b/src/ngircd/conn.c @@ -1668,7 +1668,11 @@ Conn_StartLogin(CONN_ID Idx) #endif (void)Conn_WriteStr(Idx, "NOTICE AUTH :*** Looking up your hostname"); - (void)Handle_Write(Idx); + /* Send buffered data to the client, but break on errors + * because Handle_Write() would have closed the connection + * again in this case! */ + if (!Handle_Write(Idx)) + return; } Resolve_Addr(&My_Connections[Idx].proc_stat, &My_Connections[Idx].addr, @@ -2458,8 +2462,13 @@ cb_Read_Resolver_Result( int r_fd, UNUSED short events ) } #endif - if (Conf_NoticeAuth) - (void)Handle_Write(i); + if (Conf_NoticeAuth) { + /* Send buffered data to the client, but break on + * errors because Handle_Write() would have closed + * the connection again in this case! */ + if (!Handle_Write(i)) + return; + } Class_HandleServerBans(c); }

1 0

Alexander Barton : Enhance log messages on "recursive" connection errors
by alex＠arthur.barton.de 21 Aug '13

21 Aug '13

Module: ngircd.git Branch: master Commit: 8f530eb3154c7d62201c28a53fac5594a956b447 URL: http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git&a=commit;h=8f530eb3… Author: Alexander Barton <alex(a)barton.de> Date: Wed Aug 21 01:15:19 2013 +0200 Enhance log messages on "recursive" connection errors --- src/ngircd/conn.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/ngircd/conn.c b/src/ngircd/conn.c index 53497e3..30dfd09 100644 --- a/src/ngircd/conn.c +++ b/src/ngircd/conn.c @@ -1181,8 +1181,8 @@ Conn_Close( CONN_ID Idx, const char *LogMsg, const char *FwdMsg, bool InformClie /* Is this link already shutting down? */ if( Conn_OPTION_ISSET( &My_Connections[Idx], CONN_ISCLOSING )) { /* Conn_Close() has been called recursively for this link; - * probabe reason: Handle_Write() failed -- see below. */ - LogDebug("Recursive request to close connection: %d", Idx ); + * probable reason: Handle_Write() failed -- see below. */ + LogDebug("Recursive request to close connection %d!", Idx ); return; } @@ -1450,8 +1450,13 @@ Handle_Write( CONN_ID Idx ) if (errno == EAGAIN || errno == EINTR) return true; - Log(LOG_ERR, "Write error on connection %d (socket %d): %s!", - Idx, My_Connections[Idx].sock, strerror(errno)); + if (!Conn_OPTION_ISSET(&My_Connections[Idx], CONN_ISCLOSING)) + Log(LOG_ERR, + "Write error on connection %d (socket %d): %s!", + Idx, My_Connections[Idx].sock, strerror(errno)); + else + LogDebug("Recursive write error on connection %d (socket %d): %s!", + Idx, My_Connections[Idx].sock, strerror(errno)); Conn_Close(Idx, "Write error", NULL, false); return false; } @@ -2459,7 +2464,8 @@ cb_Read_Resolver_Result( int r_fd, UNUSED short events ) Class_HandleServerBans(c); } #ifdef DEBUG - else Log( LOG_DEBUG, "Resolver: discarding result for already registered connection %d.", i ); + else + LogDebug("Resolver: discarding result for already registered connection %d.", i); #endif } /* cb_Read_Resolver_Result */

1 0

Alexander Barton : Add some assert() calls to ng_ipaddr library
by alex＠arthur.barton.de 21 Aug '13

21 Aug '13

Module: ngircd.git Branch: master Commit: d56341c77b19b3e1d4cf13c2f95ec1612e8d52c9 URL: http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git&a=commit;h=d56341c7… Author: Alexander Barton <alex(a)barton.de> Date: Wed Aug 21 00:22:55 2013 +0200 Add some assert() calls to ng_ipaddr library --- src/ipaddr/ng_ipaddr.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/ipaddr/ng_ipaddr.h b/src/ipaddr/ng_ipaddr.h index 1f209ef..8f73760 100644 --- a/src/ipaddr/ng_ipaddr.h +++ b/src/ipaddr/ng_ipaddr.h @@ -47,6 +47,7 @@ typedef struct NG_IP_ADDR_DONTUSE ng_ipaddr_t; static inline int ng_ipaddr_af(const ng_ipaddr_t *a) { + assert(a != NULL); #ifdef WANT_IPV6 return a->sa.sa_family; #else @@ -59,6 +60,7 @@ ng_ipaddr_af(const ng_ipaddr_t *a) static inline socklen_t ng_ipaddr_salen(const ng_ipaddr_t *a) { + assert(a != NULL); #ifdef WANT_IPV6 assert(a->sa.sa_family == AF_INET || a->sa.sa_family == AF_INET6); if (a->sa.sa_family == AF_INET6) @@ -75,11 +77,14 @@ ng_ipaddr_getport(const ng_ipaddr_t *a) #ifdef WANT_IPV6 int af = a->sa.sa_family; + assert(a != NULL); assert(af == AF_INET || af == AF_INET6); if (af == AF_INET6) return ntohs(a->sin6.sin6_port); #endif /* WANT_IPV6 */ + + assert(a != NULL); assert(a->sin4.sin_family == AF_INET); return ntohs(a->sin4.sin_port); } @@ -109,12 +114,15 @@ GLOBAL bool ng_ipaddr_tostr_r PARAMS((const ng_ipaddr_t *addr, char *dest)); static inline const char* ng_ipaddr_tostr(const ng_ipaddr_t *addr) { + assert(addr != NULL); return inet_ntoa(addr->sin4.sin_addr); } static inline bool ng_ipaddr_tostr_r(const ng_ipaddr_t *addr, char *d) { + assert(addr != NULL); + assert(d != NULL); strlcpy(d, inet_ntoa(addr->sin4.sin_addr), NG_INET_ADDRSTRLEN); return true; }

1 0

Alexander Barton : Update ChangeLog file
by alex＠arthur.barton.de 20 Aug '13

20 Aug '13

Module: ngircd.git Branch: master Commit: 212d99146d4a3681976450b5ff0dfa57e1d2e44f URL: http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git&a=commit;h=212d9914… Author: Alexander Barton <alex(a)barton.de> Date: Tue Aug 20 13:08:43 2013 +0200 Update ChangeLog file --- ChangeLog | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index af4bc08..9fe53c7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,9 @@ ngIRCd 21 + - Enforce "penalty times" on error conditions more consistently and in + more places. Now most error codes sent back from the IRC server to the + client should result in a 2 second "penalty". - Implement a new configuration option "AllowedChannelTypes" that lists all allowed channel types (channel prefixes) for newly created channels on the local server. By default, all supported channel types are allowed. @@ -85,8 +88,8 @@ ngIRCd 21 of an IRC service id displayed in the output. - Exit message: use singular & plural :-) - autogen.sh: Check for autoconf/automake wrapper scripts - - Add missing punctuation marks in log messages and adjust some - severity levels. + - Add missing punctuation marks in log messages, adjust some severity + levels, and make SSL-related messages more readable. - AUTHORS file: Update list of contributors. - Update systemd(8) example configuration files in ./contrib/ directory: the "ngircd.service" file now uses the "forking" service type which

1 0