Bug 24304

Summary: ngircd 25 fixes use-after-free security issue
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: All Packagers <pkg-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: guillomovitch, marja11, nicolas.salguero, oe
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: ngircd-24-2.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 25

Description David Walser 2019-02-03 00:19:17 CET
ngIRCd 25 has been released on January 23:
https://github.com/ngircd/ngircd/blob/master/ChangeLog

The RC1 (August 11) fixed a use-after-free issue.

Mageia 6 is probably also affected.

David Walser 2019-02-03 00:19:23 CET

Whiteboard: (none) => MGA6TOO

David Walser 2019-02-03 02:49:04 CET

Status comment: (none) => Fixed upstream in 25

Comment 1 Marja Van Waes 2019-02-03 08:46:16 CET
Assigning to all packagers collectively, since the registered maintainer for this package seems unavailable.

Also CC'ing the maintainer and a committer.

Assignee: bugsquad => pkg-bugs
CC: (none) => guillomovitch, marja11, oe

Comment 2 Nicolas Salguero 2019-02-20 10:35:29 CET
Hi,

For Cauldron, ngircd-25-1.mga7 is building.

For Mageia 6 (ngIRCd version 23), I did not find in the code the issue fixed by https://github.com/ngircd/ngircd/commit/798de94d6556bdf2c6019f368ad7441fe6e2d1be.
The only line containing "Client_Destroy" seems good in the context:
"""
	/* Kill the client NOW:
	 *  - Close the local connection (if there is one),
	 *  - Destroy the CLIENT structure for remote clients.
	 * Note: Conn_Close() removes the CLIENT structure as well. */
	conn = Client_Conn(c);
	if(conn > NONE)
		Conn_Close(conn, NULL, Reason, true);
	else
		Client_Destroy(c, NULL, Reason, false);

"""

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 3 David Walser 2019-02-20 15:03:03 CET
Ok, thanks David!

Whiteboard: MGA6TOO => (none)
Resolution: (none) => FIXED
Status: NEW => RESOLVED