Bug 11082 - ngircd - denial of service within the NoticeAuth option (CVE-2013-5580)
Summary: ngircd - denial of service within the NoticeAuth option (CVE-2013-5580)
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/565571/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok
Keywords: validated_update
Depends on:
Reported: 2013-08-26 12:29 CEST by Oden Eriksson
Modified: 2013-10-02 08:13 CEST

See Also:
Source RPM: ngircd
Status comment:


Description Oden Eriksson 2013-08-26 12:29:21 CEST
ngIRCd 20.3 (2013-08-23)

  - This release is a bugfix release only, without new features.
  - Security: Fix a denial of service bug (server crash) which could happen
    when the configuration option "NoticeAuth" is enabled (which is NOT the
    default) and ngIRCd failed to send the "notice auth" messages to new
    clients connecting to the server (CVE-2013-5580).


Steps to Reproduce:
Comment 1 Oden Eriksson 2013-08-26 12:30:26 CEST
ngircd-20.3-1.mga3 and ngircd-20.3-1.mga4 have been submitted where this is fixed.
Comment 2 Oden Eriksson 2013-08-26 14:10:20 CEST
Comment 4 David Walser 2013-08-26 14:19:21 CEST
Assigning to QA.


Updated ngircd package fixes security vulnerability:

Denial of service bug (server crash) in ngIRCd before 20.3 which could happen
when the configuration option "NoticeAuth" is enabled (which is NOT the
default) and ngIRCd failed to send the "notice auth" messages to new clients
connecting to the server (CVE-2013-5580).


Updated packages in core/updates_testing:

from ngircd-20.3-1.mga3.src.rpm

CC: (none) => luigiwalser
Assignee: bugsquad => qa-bugs

Comment 5 claire robinson 2013-08-27 16:59:36 CEST
Testing complete mga3 64

After doing some basic config in /etc/ngircd.conf including setting PAM = no,
connected to localhost with an irc client and joined a channel. 

With PAM = yes, which appears to be the default if it is commented out, it fails to connect. Starting with 'ngircd -n' shows a PAM authentication failure when trying to connect.

Whiteboard: (none) => has_procedure mga3-64-ok

Comment 6 claire robinson 2013-08-27 17:16:58 CEST
Testing complete mga3 32

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Comment 7 claire robinson 2013-08-27 17:21:11 CEST
Validating. Advisory from comment 4 uploaded.

Could sysadmin please push from 3 core/updates_testing to updates


Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2013-08-30 19:34:14 CEST
Update pushed:

CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2013-09-04 02:40:15 CEST

URL: (none) => http://lwn.net/Vulnerabilities/565571/

Comment 9 Oden Eriksson 2013-10-02 08:13:16 CEST
For reference. I got a mail with this today, but still (2013-10-02) flagged as RESERVED at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5580

Name: CVE-2013-5580
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5580
Assigned: 20130823
Reference: MLIST:[ngircd-ml] 20130823 ngIRCd 20.3
Reference: URL:http://arthur.barton.de/pipermail/ngircd-ml/2013-August/000645.html
Reference: CONFIRM:http://arthur.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git;a=commit;h=309122017ebc6fff039a7cab1b82f632853d82d5
Reference: CONFIRM:http://freecode.com/projects/ngircd/releases/357245
Reference: FEDORA:FEDORA-2013-15278
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2013-September/115077.html
Reference: FEDORA:FEDORA-2013-15290
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2013-September/115047.html
Reference: OSVDB:96590
Reference: URL:http://osvdb.org/96590
Reference: SECUNIA:54567
Reference: URL:http://secunia.com/advisories/54567

The (1) Conn_StartLogin and (2) cb_Read_Resolver_Result functions in
conn.c in ngIRCd 18 through 20.2, when the configuration option
NoticeAuth is enabled, does not properly handle the return code for
the Handle_Write function, which allows remote attackers to cause a
denial of service (assertion failure and server crash) via unspecified
vectors, related to a "notice auth" message not being sent to a new
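
Added example, not part of the original bug report and not ngIRCd or Mageia code: a host check for the two conditions named in the advisory and the CVE text above (ngIRCd 18 through 20.2, NoticeAuth enabled). The accepted boolean spellings, the decision to ignore which section the key sits in, and the sample configs are assumptions made for this example.

```python
import re

FIRST_AFFECTED = (18,)   # CVE text on this page: "ngIRCd 18 through 20.2"
FIRST_FIXED = (20, 3)    # advisory on this page: fixed in 20.3

def parse_version(text):
    """Extract a dotted version from '20.2' or 'ngircd-20.3-1.mga3'."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group().split("."))

def is_true(value):
    """Assumption: 'yes', 'true' or a non-zero integer enables an option."""
    v = value.strip().lower()
    return v in ("yes", "true") or (v.lstrip("-").isdigit() and int(v) != 0)

def notice_auth_enabled(conf_text):
    """Return True if the last active NoticeAuth line enables the option.

    Commented-out lines (';' or '#') are ignored, so a config that never
    sets the key yields False, matching "NOT the default" in the advisory.
    The section the key sits in is not checked (simplification).
    """
    enabled = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "noticeauth":
            enabled = is_true(value)
    return enabled

def exposed(version_text, conf_text):
    """True when both conditions of CVE-2013-5580 hold for this host."""
    v = parse_version(version_text)
    return FIRST_AFFECTED <= v < FIRST_FIXED and notice_auth_enabled(conf_text)

# Constructed sample configs, not taken from any real server.
SAMPLE_ON = "[Global]\nName = irc.example.net\n[Options]\nPAM = no\nNoticeAuth = yes\n"
SAMPLE_OFF = "[Global]\nName = irc.example.net\n[Options]\nPAM = no\n;NoticeAuth = yes\n"

if __name__ == "__main__":
    for ver in ("20.2", "ngircd-20.3-1.mga3"):
        for name, conf in (("on", SAMPLE_ON), ("off", SAMPLE_OFF)):
            print(ver, "NoticeAuth", name, "exposed:", exposed(ver, conf))
```

On a real host, pass the installed package version and the contents of /etc/ngircd.conf in place of the samples.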
