Hello ngIRCd'ers!
Sebastian Köhler discovered a severe bug in ngIRCd 20 and 20.1 which can be exploited by arbitrary users to crash the daemon and to lead to denial of service. So here is the next "bug fix only" release for the ngIRCd 20 series: release 20.2.
Please note that all releases before 20 are NOT affected by the bug mentioned above. But in the end, all installations should upgrade, ngIRCd 20.2 is the most complete release we have so far, and there should be no reasons to stay with old versions -- besides distributions not having newer releases ...
Besides the fix for the DoS mentioned above, ngIRCd 20.2 contains other fixes. The complete ChangeLog lists the following changes:
• Security: Fix a denial of service bug in the function handling KICK commands that could be used by arbitrary users to crash the daemon.
• WHO command: Use the currently "displayed hostname" (which can be cloaked!) for hostname matching, not the real one. In other words: don't display all the cloaked users on a specific real hostname!
• configure: The header file "netinet/in_systm.h" already is optional in ngIRCd, so don't require it in the configure script. Now ngIRCd can be built on Minix 3 again :-)
• Return better "Connection not registered as server link" errors: Now ngIRCd returns a more specific error message for numeric ERR_NOTREGISTERED(451) when a regular user tries to use a command that isn't allowed for users but for servers.
• Don't report ERR_NEEDMOREPARAMS(461) when a MODE command with more modes than nicknames is handled, as well as for channel limit and key changes without specifying the limit or key parameters. This is how a lot (all?) other IRC servers behave, including ircd2.11, InspIRCd, and ircd-seven. And because of clients (tested with Textual and mIRC) sending bogus MODE commands like "MODE -ooo nick", end-users got the expected result as well as correct but misleading error messages ...
• Correctly detect when SSL subsystem must be initialized and take outgoing connections (server links!) into account, too.
• autogen.sh: Enforce serial test harness on GNU automake >=1.13. The new parallel test harness which is enabled by default starting with automake 1.13 isn't compatible with our test suite. And don't use "egrep -o", instead use "sed", because it isn't portable and not available on OpenBSD, for example.
More information can be found on the homepage http://ngircd.barton.de/ and its mirror http://ngircd.berlios.de/.
The primary download locations are:
• ftp://ftp.berlios.de/pub/ngircd/
• http://ngircd.barton.de/pub/ngircd/
Regards Alex
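To illustrate the WHO change from the ChangeLog above, here is an added example (not ngIRCd code) that matches a WHO mask against the real hostname, as older releases did, and against the displayed hostname, as 20.2 does. The client list is constructed, and IRC's case-insensitive mask matching is simplified to plain fnmatch().

```c
#include <fnmatch.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One connected client. The displayed host is what other users see and
 * may be a cloak that hides the real host. All values are constructed. */
typedef struct {
    const char *nick;
    const char *real_host;
    const char *displayed_host;
} client_t;

static const client_t clients[] = {
    {"alice", "host1.example.net", "host1.example.net"},
    {"bob",   "host1.example.net", "cloaked.users.invalid"}, /* cloaked */
    {"carol", "host2.example.net", "host2.example.net"},
};
#define NUM_CLIENTS (sizeof clients / sizeof clients[0])

/* Does this client match a WHO <mask>? fnmatch() handles the '*' and '?'
 * wildcards; the case-insensitivity of real IRC masks is ignored here. */
static bool who_matches(const client_t *c, const char *mask, bool use_displayed)
{
    const char *host = use_displayed ? c->displayed_host : c->real_host;
    return fnmatch(mask, host, 0) == 0;
}

/* Fill 'out' with the nicks WHO <mask> would report and return the count.
 * use_displayed=false is the leaky pre-20.2 behaviour, true the fixed one. */
size_t who_query(const char *mask, bool use_displayed,
                 const char **out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < NUM_CLIENTS && n < max_out; i++)
        if (who_matches(&clients[i], mask, use_displayed))
            out[n++] = clients[i].nick;
    return n;
}

int main(void)
{
    const char *nicks[NUM_CLIENTS];
    size_t n = who_query("host1.example.net", false, nicks, NUM_CLIENTS);
    printf("real host matching:      %zu client(s)\n", n); /* 2: leaks bob */
    n = who_query("host1.example.net", true, nicks, NUM_CLIENTS);
    printf("displayed host matching: %zu client(s)\n", n); /* 1: alice only */
    return 0;
}
```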
On Fri, Feb 15, 2013 at 01:23:10PM +0100, Alexander Barton wrote:
> Sebastian Köhler discovered a severe bug in ngIRCd 20 and 20.1 which can be exploited by arbitrary users to crash the daemon and to lead to denial of service. So here is the next "bug fix only" release for the ngIRCd 20 series: release 20.2.
For your information: this bug is now identified by CVE-2013-1747.
Regards Alex
Alexander Barton wrote...
> release 20.2.
The Debian package failed to build on hurd-i386, see https://buildd.debian.org/status/fetch.php?pkg=ngircd&arch=hurd-i386&...
(...)
stressing server with 5 clients (be patient!):
checking stress script ... ok.
started client 1/5.
started client 2/5.
started client 3/5.
started client 4/5.
started client 5/5.
waiting for clients to complete: ... ok.
PASS: stress-server.sh
stopping server 1 ... ok.
PASS: stop-server1
make[4]: *** [check-TESTS] Error 1
make[3]: *** [check-am] Error 2
make[2]: *** [check-recursive] Error 1
make[1]: *** [check-recursive] Error 1
dh_auto_test: make -j1 check returned exit code 2
make: *** [build-arch] Error 29
dpkg-buildpackage: error: debian/rules build-arch gave error exit status 2
===========================================
2 of 16 tests failed
Please report to ngircd-ml@ngircd.barton.de
===========================================
(...)
while 20.1 did fine: https://buildd.debian.org/status/fetch.php?pkg=ngircd&arch=hurd-i386&...
(...)
stressing server with 5 clients (be patient!):
checking stress script ... ok.
started client 1/5.
started client 2/5.
started client 3/5.
started client 4/5.
started client 5/5.
waiting for clients to complete: ... ok.
PASS: stress-server.sh
stopping server 1 ... ok.
PASS: stop-server1
===================
All 16 tests passed
===================
(...)
Now I'm inclined to blame that change:
• autogen.sh: Enforce serial test harness on GNU automake >=1.13. The new parallel test harness which is enabled by default starting with automake 1.13 isn't compatible with our test suite. And don't use "egrep -o", instead use "sed", because it isn't portable and not available on OpenBSD, for example.
But I'm not at all sure about it (and my hurd-i386 KVM guest fails to boot). Any suggestion about that before I start to dig further?
Christoph