Bug 11082 - ngircd - denial of service within the NoticeAuth option (CVE-2013-5580)
: ngircd - denial of service within the NoticeAuth option (CVE-2013-5580)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/565571/
: has_procedure mga3-64-ok mga3-32-ok
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-08-26 12:29 CEST by Oden Eriksson
Modified: 2013-10-02 08:13 CEST (History)
3 users (show)

See Also:
Source RPM: ngircd
CVE:
Status comment:


Attachments

Description Oden Eriksson 2013-08-26 12:29:21 CEST
ngIRCd 20.3 (2013-08-23)

  - This release is a bugfix release only, without new features.
  - Security: Fix a denial of service bug (server crash) which could happen
    when the configuration option "NoticeAuth" is enabled (which is NOT the
    default) and ngIRCd failed to send the "notice auth" messages to new
    clients connecting to the server (CVE-2013-5580).


Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-08-26 12:30:26 CEST
ngircd-20.3-1.mga3 and ngircd-20.3-1.mga4 has been submitted where this is fixed.
Comment 2 Oden Eriksson 2013-08-26 14:10:20 CEST
https://bugzilla.redhat.com/show_bug.cgi?id=1000690
Comment 4 David Walser 2013-08-26 14:19:21 CEST
Assigning to QA.

Advisory:
========================

Updated ngircd package fixes security vulnerability:

Denial of service bug (server crash) in ngIRCd before 20.3 which could happen
when the configuration option "NoticeAuth" is enabled (which is NOT the
default) and ngIRCd failed to send the "notice auth" messages to new clients
connecting to the server (CVE-2013-5580).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5580
http://arthur.barton.de/pipermail/ngircd-ml/2013-August/000645.html
http://ngircd.barton.de/news.php.en
========================

Updated packages in core/updates_testing:
========================
ngircd-20.3-1.mga3

from ngircd-20.3-1.mga3.src.rpm
Comment 5 claire robinson 2013-08-27 16:59:36 CEST
Testing complete mga3 64

After doing some basic config in /etc/ngircd.conf including setting PAM = no,
connected to localhost with an irc client and joined a channel. 

With PAM = yes which appears to be the default if it is commented out then it fails to connect. Starting with 'ngircd -n' shows pam authentication failure when trying to connect.
Comment 6 claire robinson 2013-08-27 17:16:58 CEST
Testing complete mga3 32
Comment 7 claire robinson 2013-08-27 17:21:11 CEST
Validating. Advisory from comment 4 uploaded.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Comment 8 Thomas Backlund 2013-08-30 19:34:14 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0265.html
Comment 9 Oden Eriksson 2013-10-02 08:13:16 CEST
For reference. I got a mail with this today, but still (2013-10-02) flagged as RESERVED at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5580

======================================================
Name: CVE-2013-5580
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5580
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130823
Category: 
Reference: MLIST:[ngircd-ml] 20130823 ngIRCd 20.3
Reference: URL:http://arthur.barton.de/pipermail/ngircd-ml/2013-August/000645.html
Reference: CONFIRM:http://arthur.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git;a=commit;h=309122017ebc6fff039a7cab1b82f632853d82d5
Reference: CONFIRM:http://freecode.com/projects/ngircd/releases/357245
Reference: FEDORA:FEDORA-2013-15278
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2013-September/115077.html
Reference: FEDORA:FEDORA-2013-15290
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2013-September/115047.html
Reference: OSVDB:96590
Reference: URL:http://osvdb.org/96590
Reference: SECUNIA:54567
Reference: URL:http://secunia.com/advisories/54567

The (1) Conn_StartLogin and (2) cb_Read_Resolver_Result functions in
conn.c in ngIRCd 18 through 20.2, when the configuration option
NoticeAuth is enabled, does not properly handle the return code for
the Handle_Write function, which allows remote attackers to cause a
denial of service (assertion failure and server crash) via unspecified
vectors, related to a "notice auth" message not being sent to a new
client.

Note You need to log in before you can comment on or make changes to this bug.