ngIRCd Users Januar 2005

ngircd@lists.barton.de

4 Teilnehmer
8 Diskussionen

ngIRCd 0.8.2
by Alexander Barton 03 Feb '05

03 Feb '05

Hi All! ngIRCd 0.8.2, the "hey there are contributors" release has just hit the ground :-) Many thanks go to Florian Westphal for his work! Everybody running an older version of ngIRCd should upgrade to this version because some remotely exploitable security related bugs (that could cause the daemon to crash) have been fixed! Note: if you are using the CVS HEAD branch then you should run an CVS update and use the current code base. Changes since version 0.8.1 are: - Added doc/SSL.txt to distribution. - Fixed a buffer overflow that could cause the daemon to crash. Bug found by Florian Westphal, <westphal(a)foo.fh-furtwangen.de>. - Fixed a possible buffer underrun when reading the MOTD file. Thanks to Florian Westphal, <westphal(a)foo.fh-furtwangen.de>. - Fixed detection of IRC lines which are too long to send. Detected by Florian Westphal, <westphal(a)foo.fh-furtwangen.de>. - Fixed return values of our own implementation of strlcpy(). The code has been taken from rsync and they fixed it, but we didn't until today :-/ It has only been used when the system didn't implement strlcpy by itself, not on "modern" systems. Florian Westphal, <westphal(a)foo.fh-furtwangen.de>. You can download ngIRCd 0.8.2 (~271 KB) from: - <http://download.berlios.de/ngircd/ngircd-0.8.2.tar.gz> - <ftp://ftp.berlios.de/pub/ngircd/ngircd-0.8.2.tar.gz> - <ftp://Arthur.Ath.CX/pub/Users/alex/ngircd/ngircd-0.8.2.tar.gz> And the patch from 0.8.1 to 0.8.2 (~3 KB) as well as GnuPG signatures can be found here: - <ftp://ftp.berlios.de/pub/ngircd/> - <ftp://Arthur.Ath.CX/pub/Users/alex/ngircd/> This release has been tagged as "rel-0-8-2" in the CVS. Regards Alex -- Alexander Barton, Freiburg, Germany http://www.barton.de/, alex(a)barton.de

2 7

Fwd: [ GLSA 200501-40 ] ngIRCd: Buffer overflow
by Alexander Barton 29 Jan '05

29 Jan '05

For your information. But now the bug is published, so all servers should really be updated as fast as possible. Regards Alex > Von: Thierry Carrez <koon(a)gentoo.org> > Datum: 28. Januar 2005 23:07:30 Uhr MEZ > An: gentoo-announce(a)lists.gentoo.org > Cc: bugtraq(a)securityfocus.com, full-disclosure(a)lists.netsys.com, > security-alerts(a)linuxsecurity.com > Betreff: [ GLSA 200501-40 ] ngIRCd: Buffer overflow > User-Agent: Mozilla Thunderbird 1.0 (X11/20041208) > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > Gentoo Linux Security Advisory GLSA 200501-40 > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > http://security.gentoo.org/ > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > Severity: High > Title: ngIRCd: Buffer overflow > Date: January 28, 2005 > Bugs: #79705 > ID: 200501-40 > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > Synopsis > ======== > > ngIRCd is vulnerable to a buffer overflow that can be used to crash the > daemon and possibly execute arbitrary code. > > Background > ========== > > ngIRCd is a free open source daemon for Internet Relay Chat (IRC). > > Affected packages > ================= > > ------------------------------------------------------------------- > Package / Vulnerable / Unaffected > ------------------------------------------------------------------- > 1 net-irc/ngircd < 0.8.2 >= 0.8.2 > > Description > =========== > > Florian Westphal discovered a buffer overflow caused by an integer > underflow in the Lists_MakeMask() function of lists.c. > > Impact > ====== > > A remote attacker can exploit this buffer overflow to crash the ngIRCd > daemon and possibly execute arbitrary code with the rights of the > ngIRCd daemon process. > > Workaround > ========== > > There is no known workaround at this time. > > Resolution > ========== > > All ngIRCd users should upgrade to the latest version: > > # emerge --sync > # emerge --ask --oneshot --verbose ">=net-irc/ngIRCd-0.8.2" > > References > ========== > > [ 1 ] ngIRCd Release Annoucement > > http://arthur.ath.cx/pipermail/ngircd-ml/2005-January/000228.html > > Availability > ============ > > This GLSA and any updates to it are available for viewing at > the Gentoo Security Website: > > http://security.gentoo.org/glsa/glsa-200501-40.xml > > Concerns? > ========= > > Security is a primary focus of Gentoo Linux and ensuring the > confidentiality and security of our users machines is of utmost > importance to us. Any security concerns should be addressed to > security(a)gentoo.org or alternatively, you may file a bug at > http://bugs.gentoo.org. > > License > ======= > > Copyright 2005 Gentoo Foundation, Inc; referenced text > belongs to its owner(s). > > The contents of this document are licensed under the > Creative Commons - Attribution / Share Alike license. > > http://creativecommons.org/licenses/by-sa/2.0 -- Alexander Barton, Freiburg, Germany http://www.barton.de/, alex(a)barton.de

1 0

Custom Features?
by Josh Coombs 22 Jan '05

22 Jan '05

Got a couple oddball feature requests I'd like to bounce off you... 1 - External Auth Mechanism Currently, ngircd supports a single global server password option. I'd like to be able to do specific user/pass pairs on connect. Either setting them up in the conf, an external flat file, or the option to call an external script, pass it the user/pass pair, and allow the connect if it returns without error (allowing radius/ldap/etc based auth without having to support it directly in ngricd) would be slick. 2 - Toggle to restrict use of /nick and channel creation to those with +o. By itself this doesn't do much, but in combination with the above, this allows much more control of the ircd's use, making it appropriate to use in an internal LAN/buisiness environment. One last question, have the services provisions been fleshed out enough to warrant trying third party service apps, or are they still too rough? Joshua Coombs

2 2

[Patch] +s (secret) channel mode
by Florian Westphal 22 Jan '05

22 Jan '05

Hi, this simple patch adds support for secret '+s' channels to ngircd. A "secret" channel does not show up in /LIST output (unless user is on that channel) Florian

2 1

strlcpy() is broken
by Florian Westphal 18 Jan '05

18 Jan '05

Hi, the strlcpy() included with ngircd is broken. It will always return values smaller than the specified buffer length. This is very bad because you can no longer tell if truncation occured by looking at the return value (hence, the truncation checks in ngircd won't work if the included strlcpy is used). Trivial patch is attached. Florian

2 1

[Patch] Write Daemon Pid to file
by Florian Westphal 17 Jan '05

17 Jan '05

Attached is a small patch to NGIRCd CVS that writes the daemons pid to a file (Default: /var/run/ngircd/ngircd.pid). The pidfile can be changed via the -P <pidfile> or --pidfile <pidfile> options. The getpid.sh script included with ngircd does not work on FreeBSD 5.3-Stable (ps needs -ax switches). Also, the sample configuration file says 'one port, separated with ";"' ( the given example uses the correct "," seperator). Thanks, Florian

2 5

Problem connecting ngircd to irc-2.10.3p5 due to passwd length limits
by Florian Westphal 17 Jan '05

17 Jan '05

Hello, I am currently configuring a connection between ngircd 0.8.1 and a machine running irc 2.10.3p5. This failed at first because ngircd restricts passwords to 8 characters in length. I took a quick glance at RFC 1459, but i couldnt find any specification of a maximum password length, so I bumped CLIENT_PASS_LEN to 17 in src/ngircd/defines.h . Is there a particular reason why it is restricted to 8? (Or why it was chosen in the first place?) Thanks, Florian

2 3

Memleak in New_Connection()
by Florian Westphal 17 Jan '05

17 Jan '05

Hi, there seems to be a memory leak in New_Connection() (src/ngircd/conn.c), line 1044: 1018 ptr = (POINTER *)realloc( My_Connections, sizeof( CONNECTION ) * new_size ); 1019 if( ! ptr ) 1020 { 1021 /* realloc() ist fehlgeschlagen. Nun malloc() probieren: */ 1022 ptr = (POINTER *)malloc( sizeof( CONNECTION ) * new_size ); 1023 if( ! ptr ) 1024 { 1025 /* Offenbar steht kein weiterer Sepeicher zur Verfuegung :-( */ 1026 Log( LOG_EMERG, "Can't allocate memory! [New_Connection]" ); 1027 Simple_Message( new_sock, "ERROR: Internal error" ); 1028 close( new_sock ); 1029 return; 1030 } 1031 1032 /* Struktur umkopieren ... */ 1033 memcpy( ptr, My_Connections, sizeof( CONNECTION ) * Pool_Size ); [..] Debug ommitted... 1038 } 1043 /* Adjust pointer to new block */ 1044 My_Connections = (CONNECTION *)ptr; "My_Connections" gets overwritten, without calling free(). For the sake of simplicity I'd rather remove the malloc() call altogether. The attached patch does just that. Florian

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

ngIRCd Users Januar 2005