Bug 11082

Summary: ngircd - denial of service within the NoticeAuth option (CVE-2013-5580)
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: luigiwalser, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/565571/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok
Source RPM: ngircd CVE:
Status comment:

Description Oden Eriksson 2013-08-26 12:29:21 CEST 
ngIRCd 20.3 (2013-08-23)

  - This release is a bugfix release only, without new features.
  - Security: Fix a denial of service bug (server crash) which could happen
    when the configuration option "NoticeAuth" is enabled (which is NOT the
    default) and ngIRCd failed to send the "notice auth" messages to new
    clients connecting to the server (CVE-2013-5580).


Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-08-26 12:30:26 CEST 
ngircd-20.3-1.mga3 and ngircd-20.3-1.mga4 has been submitted where this is fixed.
Comment 2 Oden Eriksson 2013-08-26 14:10:20 CEST 
https://bugzilla.redhat.com/show_bug.cgi?id=1000690
Comment 4 David Walser 2013-08-26 14:19:21 CEST 
Assigning to QA.

Advisory:
========================

Updated ngircd package fixes security vulnerability:

Denial of service bug (server crash) in ngIRCd before 20.3 which could happen
when the configuration option "NoticeAuth" is enabled (which is NOT the
default) and ngIRCd failed to send the "notice auth" messages to new clients
connecting to the server (CVE-2013-5580).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5580
http://arthur.barton.de/pipermail/ngircd-ml/2013-August/000645.html
http://ngircd.barton.de/news.php.en
========================

Updated packages in core/updates_testing:
========================
ngircd-20.3-1.mga3

from ngircd-20.3-1.mga3.src.rpm

CC: (none) => luigiwalser
Assignee: bugsquad => qa-bugs

Comment 5 claire robinson 2013-08-27 16:59:36 CEST 
Testing complete mga3 64

After doing some basic config in /etc/ngircd.conf including setting PAM = no,
connected to localhost with an irc client and joined a channel. 

With PAM = yes which appears to be the default if it is commented out then it fails to connect. Starting with 'ngircd -n' shows pam authentication failure when trying to connect.

Whiteboard: (none) => has_procedure mga3-64-ok

Comment 6 claire robinson 2013-08-27 17:16:58 CEST 
Testing complete mga3 32

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Comment 7 claire robinson 2013-08-27 17:21:11 CEST 
Validating. Advisory from comment 4 uploaded.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2013-08-30 19:34:14 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0265.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2013-09-04 02:40:15 CEST

URL: (none) => http://lwn.net/Vulnerabilities/565571/

Comment 9 Oden Eriksson 2013-10-02 08:13:16 CEST 
For reference. I got a mail with this today, but still (2013-10-02) flagged as RESERVED at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5580

======================================================
Name: CVE-2013-5580
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5580
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130823
Category: 
Reference: MLIST:[ngircd-ml] 20130823 ngIRCd 20.3
Reference: URL:http://arthur.barton.de/pipermail/ngircd-ml/2013-August/000645.html
Reference: CONFIRM:http://arthur.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git;a=commit;h=309122017ebc6fff039a7cab1b82f632853d82d5
Reference: CONFIRM:http://freecode.com/projects/ngircd/releases/357245
Reference: FEDORA:FEDORA-2013-15278
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2013-September/115077.html
Reference: FEDORA:FEDORA-2013-15290
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2013-September/115047.html
Reference: OSVDB:96590
Reference: URL:http://osvdb.org/96590
Reference: SECUNIA:54567
Reference: URL:http://secunia.com/advisories/54567

The (1) Conn_StartLogin and (2) cb_Read_Resolver_Result functions in
conn.c in ngIRCd 18 through 20.2, when the configuration option
NoticeAuth is enabled, does not properly handle the return code for
the Handle_Write function, which allows remote attackers to cause a
denial of service (assertion failure and server crash) via unspecified
vectors, related to a "notice auth" message not being sent to a new
client.