Debian has issued an advisory on February 7: http://www.debian.org/security/2013/dsa-2618 Patched package uploaded for Mageia 2 and Cauldron. Side note: not sure I really believe the name of the person that reported it. Advisory: ======================== Updated ircd-hybrid packages fix security vulnerability: Bob Nomnomnom reported a Denial of Service vulnerability in IRCD-Hybrid, an Internet Relay Chat server. A remote attacker may use an error in the masks validation and crash the server (CVE-2013-0238). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0238 http://www.debian.org/security/2013/dsa-2618 ======================== Updated packages in core/updates_testing: ======================== ircd-hybrid-7.2.3-10.1.mga2 ircd-hybrid-devel-7.2.3-10.1.mga2 from ircd-hybrid-7.2.3-10.1.mga2.src.rpm
No PoC's that I can find
Testing existing version, there is a problem starting the service. tail /var/log/syslog ircd-hybrid[10865]: Starting IRCd Server:ircd: version hybrid-7.2.3 ircd-hybrid[10865]: ircd: pid 10895 ircd-hybrid[10865]: ircd: running in background mode from /usr ircd-hybrid[10865]: [ OK ] systemd[1]: PID file /var/run/ircd-hybrid/ircd-hybrid.pid not readable (yet?) after start. systemd[1]: Unit ircd-hybrid.service entered failed state. It leaves the lock file in place but doesn't create the pid file systemd is looking for. # ll /var/lock/subsys/ircd-hybrid -rw-r--r-- 1 root root 0 Feb 12 15:09 /var/lock/subsys/ircd-hybrid # ll /var/run/ircd-hybrid/ircd-hybrid.pid ls: cannot access /var/run/ircd-hybrid/ircd-hybrid.pid: No such file or directory Listen is set to port=6667; # netstat -ant | grep 666 # ps aux | grep irc Both show nothing relevant, so it is not starting.
CC: (none) => mageia
The updated package is the same.
Hmm, I thought I fixed the pid file issue a long time ago... (I use this package myself). /me wonders if he needs to slap himself for not fixing it properly upstream :s
Shall we form an orderly queue? ;)
Hmm, can't find any modifications to the package installed here and it works fine for me on mga2. Can you double check that the folder /var/run/ircd-hybrid exists? As this is mga2 this should be a regular filesystem and thus not need any tmpfiles - it's just part of the package.
Some random output on my machine: [colin@summit ~]$ ll /var/run/ircd-hybrid total 4 -rw------- 1 ircd-hybrid ircd-hybrid 5 Dec 17 10:13 ircd-hybrid.pid [colin@summit ~]$ ll -d /var/run/ircd-hybrid drwxr-xr-x 2 ircd-hybrid ircd-hybrid 4096 Dec 17 10:13 /var/run/ircd-hybrid/ [colin@summit ~]$ rpm -q ircd-hybrid ircd-hybrid-7.2.3-10.mga2 [colin@summit ~]$ rpm -ql ircd-hybrid| grep var/run /var/run/ircd-hybrid [colin@summit ~]$ rpm -V ircd-hybrid [colin@summit ~]$
It does exist, yes. I'll try on another machine but I'm fairly sure this is the first time I've installed this package. # ll -d /var/run/ircd-hybrid/ drwxr-xr-x 2 ircd-hybrid ircd-hybrid 4096 Feb 8 18:02 /var/run/ircd-hybrid//
When starting it, can you try with "systemctl --no-block start ircd-hybrid.service" then very soon after try "systemctl status ircd-hybrid.service" I'd expect to see the daemon started and working, but only later being killed by systemd because it's not written it's pid file. When it's in this starting state, check the Status output and double check if any kind of pid file is written (either where it should be written or something similar).
# systemctl --no-block start ircd-hybrid.service # systemctl status ircd-hybrid.service ircd-hybrid.service - LSB: Internet Relay Chat Server Loaded: loaded (/etc/rc.d/init.d/ircd-hybrid) Active: failed (Result: resources) since Tue, 12 Feb 2013 16:19:21 +0000; 10s ago Process: 14402 ExecStart=/etc/rc.d/init.d/ircd-hybrid start (code=exited, status=0/SUCCESS) CGroup: name=systemd:/system/ircd-hybrid.service
the same commands on a fresh computer allow it to start colin
in fact on a computer i installed i586 a week or two ago which hasn't been used much for testing it does start ok anyway
Trying this one again mga2 64 # service ircd-hybrid stop Stopping ircd-hybrid (via systemctl): [ OK ] # systemctl stop ircd-hybrid.service # service ircd-hybrid stop Stopping ircd-hybrid (via systemctl): [ OK ] # service ircd-hybrid stop Stopping ircd-hybrid (via systemctl): [ OK ] # ll /var/run/ircd-hybrid/ total 0 # ll /var/lock/subsys/ircd-hybrid -rw-r--r-- 1 root root 0 Feb 12 15:09 /var/lock/subsys/ircd-hybrid # rm -f /var/lock/subsys/ircd-hybrid # ll /var/lock/subsys/ircd-hybrid ls: cannot access /var/lock/subsys/ircd-hybrid: No such file or directory # ps aux | grep hybrid root 15007 0.0 0.0 9680 880 pts/2 S+ 16:30 0:00 grep --color hybrid # systemctl --no-block start ircd-hybrid.service # systemctl status ircd-hybrid.service ircd-hybrid.service - LSB: Internet Relay Chat Server Loaded: loaded (/etc/rc.d/init.d/ircd-hybrid) Active: failed (Result: resources) since Tue, 12 Feb 2013 16:31:52 +0000; 7s ago Process: 15083 ExecStart=/etc/rc.d/init.d/ircd-hybrid start (code=exited, status=0/SUCCESS) CGroup: name=systemd:/system/ircd-hybrid.service ircd-hybrid[15083]: Starting IRCd Server:ircd: version hybrid-7.2.3 ircd-hybrid[15083]: ircd: pid 15112 ircd-hybrid[15083]: ircd: running in background mode from /usr ircd-hybrid[15083]: [ OK ] # ps aux | grep hybrid root 15173 0.0 0.0 9680 880 pts/2 S+ 16:33 0:00 grep --color hybrid
The failure of "Result: resources" is the interesting bit. Smells like something else is up with that machine to cause the failure. Can you turn systemd into debug mode (either via rebooting and appending systemd.log_level=debug or by doing a kill to PID 1 with an appropriate signal (I forget which but it's in the man page). Then after trying to start the unit, there should be some info about why it failed due to "resources" in the "journalctl -f" output (assuming you have it running in another shell). Of course if you've not rebooted it in a while, then perhaps just try that? Also what kernel is this? Is it the regular desktop one? Might be some missing module somewhere that is needed (tho' rather unlikely) if it's not the desktop one.
I'll try the reboot bit in the morning colin if that's ok. # uname -r 3.4.24-desktop-3.mga2
Testing complete mga2 32 Installed and started the service then connected to localhost with an irc client. [18:56] [Info] Looking for server localhost (port 6667)... [18:56] [Info] Server found, connecting... [18:56] [Info] Connected; logging in... [18:56] [Notice] -some-a.server- *** Looking up your hostname... [18:56] [Notice] -some-a.server- *** Checking Ident [18:56] [Notice] -some-a.server- *** No Ident response [18:56] [Notice] -some-a.server- *** Found your hostname [18:56] [Welcome] Welcome to the ExampleNet Internet Relay Chat Network clairer [18:56] [Welcome] Your host is some-a.server[0.0.0.0/6667], running version hybrid-7.2.3 [18:56] [Welcome] This server was created Apr 29 2012 at 15:25:52 [18:56] [Welcome] Server some-a.server (Version hybrid-7.2.3), User modes: CDGabcdfgiklnorsuwxyz, Channel modes: biklmnopstveI ...etc
Whiteboard: (none) => has_procedure mga2-32-ok
Created attachment 3514 [details] systemd.log_level=debug After clearing /etc/ircd-hybrid, the lock file and /var/run/ircd-hybrid, attaching journalctl -fa. It spans from just after mgaapplet ran and found some updates to where i did systemctl start ircd-hybrid.service so I'm not certain where one ends and the other begins. I think most of it belongs with mgaaplet. Could the Resources reason be to do with the lock file which is left behind when it fails to start? # ll /var/lock/subsys/ircd-hybrid -rw-r--r-- 1 root root 0 Feb 13 08:44 /var/lock/subsys/ircd-hybrid # ps aux | grep hybrid Shows nothing. # systemctl status ircd-hybrid.service ircd-hybrid.service - LSB: Internet Relay Chat Server Loaded: loaded (/etc/rc.d/init.d/ircd-hybrid) Active: failed (Result: resources) since Wed, 13 Feb 2013 08:59:38 +0000; 34s ago Process: 19756 ExecStart=/etc/rc.d/init.d/ircd-hybrid start (code=exited, status=0/SUCCESS) CGroup: name=systemd:/system/ircd-hybrid.service Feb 13 08:59:38 mega ircd-hybrid[19756]: Starting IRCd Server:ircd: version hybrid-7.2.3 Feb 13 08:59:38 mega ircd-hybrid[19756]: ircd: pid 19785 Feb 13 08:59:38 mega ircd-hybrid[19756]: ircd: running in background mode from /usr Feb 13 08:59:38 mega ircd-hybrid[19756]: [ OK ]
Also, could /usr be the issue ircd-hybrid[19756]: ircd: running in background mode from /usr # grep ircd-hybrid /etc/passwd ircd-hybrid:x:458:458:system user for ircd-hybrid:/var/lib/ircd-hybrid:/bin/false
It should have nothing to do with /usr (and it's really just confusing that it prints that in it's log if you ask me - I guess it's probably the developers wanting to make sure their local install test version in /usr/local is definitely the one they are running). The interesting bits from the log are: Feb 13 08:44:59 mega systemd[1]: Received SIGCHLD from PID 8656 (ircd-hybrid). Feb 13 08:44:59 mega systemd[1]: Got SIGCHLD for process 8656 (ircd-hybrid) Feb 13 08:44:59 mega systemd[1]: Child 8656 died (code=exited, status=0/SUCCESS) Feb 13 08:44:59 mega systemd[1]: Child 8656 belongs to ircd-hybrid.service Feb 13 08:44:59 mega systemd[1]: ircd-hybrid.service: control process exited, code=exited status=0 Feb 13 08:44:59 mega systemd[1]: ircd-hybrid.service got final SIGCHLD for state start Feb 13 08:44:59 mega systemd[1]: PID file /var/run/ircd-hybrid/ircd-hybrid.pid not readable (yet?) after start. Feb 13 08:44:59 mega systemd[1]: Setting watch for ircd-hybrid.service's PID file /var/run/ircd-hybrid/ircd-hybrid.pid Feb 13 08:44:59 mega systemd[1]: Stopping watch for ircd-hybrid.service's PID file /var/run/ircd-hybrid/ircd-hybrid.pid Feb 13 08:44:59 mega systemd[1]: ircd-hybrid.service changed start -> failed Feb 13 08:44:59 mega systemd[1]: Job ircd-hybrid.service/start finished, result=failed Feb 13 08:44:59 mega systemd[1]: Unit ircd-hybrid.service entered failed state. Feb 13 08:44:59 mega systemd[1]: Got SIGCHLD for process 8685 (ircd-hybrid) Feb 13 08:44:59 mega systemd[1]: Child 8685 died (code=exited, status=1/FAILURE) Feb 13 08:44:59 mega systemd[1]: Received SIGCHLD from PID 8685 (n/a). Here we see the watch for the pid file starting and stopping almost immediately and then an immediate failed state. This to me suggests that something, somewhere, is eating up all the inotify watches and systemd is starved and cannot watch for the pid file and thus bails and the failure code is "resources". I'll see if I can dig up more info. I'll also test here on x86_64
Scratch my above analysis. I think I know the problem as I also see it as having failed with "resource". In my case however ircd-hybrid is still running. Actually I think this is due to how ircd delegates to it's own user for starting. i.e. the process actually escapes the cgroup and instead has a user session started (thus getting it's own cgroup). Thus systemd sees the process disappear and fails with "resources" (slightly confusing yes). So I can confirm it's working fine for me on x86_64, (with pid and process) but it's certainly sub-optimal as systemd things it's failed! I strongly suspect that this would also be the case on i586. Can you confirm? $ ps ax -O cgroup| grep ircd 6860 name=systemd:/user/ircd-hybrid/c70041 S ? 00:00:00 /usr/sbin/ircd-hybrid Here the cgroup is shown as "systemd:/user/ircd-hybrid/..." which is not a service cgroup, but a user one. This shows that the way the ircd sysvinit script drops user privs is not ideal. Regardless, I doubt very much this is any different to the ircd shipped with mga2 so I would personally suggest we should validate this update. I will ensure the startup system is rewritten for cauldron/mga3 to avoid this confusing behaviour. I suspect the reason for yours exiting to be some kind of configuration error that just causes it to die without writing much to it's log. Perhaps try su'ing to the ircd-hybrid user (you'll have to pass -s) and running the daemon manually to see if you can work out why it exits for your own piece of mind (and mine!) that my explanation is correct!
# su -s /bin/bash ircd-hybrid [ircd-hybrid@mega ~]$ ircd-hybrid -foreground -configfile /etc/ircd-hybrid/ircd.conf ircd: version hybrid-7.2.3 ircd: pid 25019 ircd: running in foreground mode from /usr --(end of buffer or a NUL) --accepting rule at line 77 ("# Hybrid 7 minimal example configuration file") --(end of buffer or a NUL) --accepting rule at line 74 (" #") --accepting rule at line 77 ("#") --(end of buffer or a NUL) --accepting rule at line 74 (" # $Id: simple.conf 33 2005-10-02 20:50:00Z knight $") --accepting rule at line 77 ("# $Id: simple.conf 33 2005-10-02 20:50:00Z knight $") --(end of buffer or a NUL) ..etc --accepting rule at line 77 ("#};") --(end of buffer or a NUL) --accepting rule at line 74 (" ") --(end of buffer or a NUL) --EOF (start condition 0) $ ps aux | grep hybrid root 23700 0.0 0.0 60032 1852 pts/1 S 11:45 0:00 su -s /bin/bash ircd-hybrid 458 25525 0.0 0.0 9680 876 pts/1 S+ 11:57 0:00 grep hybrid I changed the log level to debug in ircd.conf and tried it again but it doesn't show any extra details. It does show this though.. [2013/2/13 12.01] "/etc/ircd-hybrid/ircd.conf", line 149: syntax error: fname_userlog="/var/log/ircd-hybrid/user.log"; [2013/2/13 12.01] binding listener socket [0::/6667]:Address already in use [2013/2/13 12.01] Unable to read configuration file '/etc/ircd-hybrid/kline.conf': No such file or directory [2013/2/13 12.01] Unable to read configuration file '/etc/ircd-hybrid/rkline.conf': No such file or directory [2013/2/13 12.01] Unable to read configuration file '/etc/ircd-hybrid/dline.conf': No such file or directory [2013/2/13 12.01] Unable to read configuration file '/etc/ircd-hybrid/xline.conf': No such file or directory [2013/2/13 12.01] Unable to read configuration file '/etc/ircd-hybrid/rxline.conf': No such file or directory [2013/2/13 12.01] Unable to read configuration file '/etc/ircd-hybrid/nresv.conf': No such file or directory [2013/2/13 12.01] Unable to read configuration file '/etc/ircd-hybrid/cresv.conf': No such file or directory [2013/2/13 12.01] Could not load core modules. Terminating! # netstat -ant | grep 666 Shows nothing though. i586 worked without any modification. The only mention of kline in ircd.conf is the permission in the operator stanza, with unkline. If this were a config problem you'd think it would affect i586 and x86_64 equally.
On i586 # service ircd-hybrid start Starting ircd-hybrid (via systemctl): [ OK ] # ps ax -O cgroup | grep ircd 6818 name=systemd:/user/ircd-hybrid/c1 S ? 00:00:00 /usr/sbin/ircd-hybrid
x86_64 only shows lirc and itself as the service doesn't start.
I reckon it's something to do with IPv6. Perhaps it bails because it cannot bind on the IPv6 address. Already in use could mean that it's somehow conflicting with itself when binding like this. I'm not an IPv6 expert yet, but I did read this yesterday: They share address space; IPv4 is blended into IPv6 at ::ffff:0000:0000/96, and so something listening on [::] also listens on 0.0.0.0 by default. So perhaps this error: [2013/2/13 12.01] binding listener socket [0::/6667]:Address already in use Is somehow because it's conflicting with itself? I'm really not sure, but considering you cannot get the original working there and I have been running it happily for some time, I can only presume it's some kind of setup error on that machine in some capacity. That said, I'm still running on the older (original) kernel for now, so I'll see when I get around to rebooting and installing the 3.4 kernel). Either way, you may want to consider my successful tests sufficient for validation here while you narrow down exactly what's wrong?
I'll create a new bug for it colin, sure. Given it is failing completely on an updated machine I'd rather somebody else checks x86_64 too, if it's ok. I literally only installed and tried to start it on both machines, one starts and I can connect to it but the other doesn't. It could be some obscure network issue so if it works for somebody else x86_64 I'm happy to validate it.
I couldn't get it to start on x86_64 either. From LXTerminal: [root@localhost carolyn]# service ircd-hybrid start Starting ircd-hybrid (via systemctl): Job failed. See system journal and 'systemctl status' for details. [FAILED] [root@localhost carolyn]# systemctl status ircd-hybrid.service ircd-hybrid.service - LSB: Internet Relay Chat Server Loaded: loaded (/etc/rc.d/init.d/ircd-hybrid) Active: failed (Result: resources) since Wed, 13 Feb 2013 16:21:41 +0000; 8min ago Process: 3090 ExecStart=/etc/rc.d/init.d/ircd-hybrid start (code=exited, status=0/SUCCESS) CGroup: name=systemd:/system/ircd-hybrid.service and from /var/log/syslog: Feb 13 16:21:41 localhost systemd[1]: PID file /var/run/ircd-hybrid/ircd-hybrid.pid not readable (yet?) after start. Feb 13 16:21:41 localhost systemd[1]: Unit ircd-hybrid.service entered failed state. Feb 13 16:26:31 localhost sensord: Chip: acpitz-virtual-0 Feb 13 16:26:31 localhost sensord: Adapter: Virtual device Feb 13 16:26:31 localhost sensord: temp1: 39.0 C Feb 13 16:26:31 localhost sensord: Chip: coretemp-isa-0000 Feb 13 16:26:31 localhost sensord: Adapter: ISA adapter Feb 13 16:26:31 localhost sensord: Physical id 0: 39.0 C Feb 13 16:26:31 localhost sensord: Core 0: 39.0 C Feb 13 16:26:31 localhost sensord: Core 1: 39.0 C Feb 13 16:28:38 localhost pcscd[3356]: 00000000 utils.c:53:GetDaemonPid() Can't open /var/run/pcscd.pid: No such file or directory Carolyn
CC: (none) => isolde
Colin this does seem to be x86_64 rather than just my x86_64, but it isn't a regression with this update. Do you want to look into it now or shall we create a new bug?
I've reproduced it here... I also remember the problem (so my bad for not fixing it sooner!) A quick strace showed that it's looking in /usr/lib/ircd-hybrid/modules for loadable modules. chdir("/usr/lib/ircd-hybrid/modules") = -1 ENOENT (No such file or directory) I guess I just chucked in a symlink in my office machine and forgot about it :s [colin@summit ~]$ ls /usr/lib/ircd-hybrid -l lrwxrwxrwx 1 root root 20 Sep 7 2011 /usr/lib/ircd-hybrid -> ../lib64/ircd-hybrid/ I'll push a proper fix shortly.
OK, I've fixed things up I think. Tested the fixes on cauldron and the mga2 stuff should be much the same (I've specifically tweaked the bits I know are different). Fixes applied: * Module+Messages path under x86_64 is fixed. * Added systemd unit to prevent the startup failure report (even if it runs OK) under systemd. All seems fine here, but I will test on both my 64 bit machines when done. Thanks for being patient and sorry for not fixing the issue I found waaay back when - it was a busy time and I pretty much instantly forgot about it. ircd-hybrid-7.2.3-10.2.mga2 on it's way to a mirror near you soon.
FWIW, tested on two x86_64 machines and both seem fine (with my hacky symlink removed!), but I'll let claire do the official confirmation. Note that when you update an existing machine on i586, if ircd-hybrid process is running, you'll have to kill it manually as systemd has "lost" the process due to it escaping it's cgroup. This isn't something we can easily work around without horrible hacks so I figure it's an edge case. Could be worth documenting in the advisory tho'. "Please note that due to the previously suboptimal nature of the sysvinit script, systemd systems would not correctly detect the daemon process as running and thus could stop the service. As a result, you may have to manually kill the process and start the service after upgrading (i.e. killall ircd-hybrid; systemctl start ircd-hybrid.service)"
"thus could stop the service" shouldn't that be: "thus could fail to stop the service" ?
Oops, yeah I missed out "not": "and thus could NOT stop the service"... Feel free to reword it as you see fit tho' :)
Advisory: ======================== Updated ircd-hybrid packages fix security vulnerability: Bob Nomnomnom reported a Denial of Service vulnerability in IRCD-Hybrid, an Internet Relay Chat server. A remote attacker may use an error in the masks validation and crash the server (CVE-2013-0238). Please note that due to the previously suboptimal nature of the sysvinit script, systemd systems would not correctly detect the daemon process as running and thus could not stop the service. As a result, you may have to manually kill the process and start the service after upgrading (i.e. killall ircd-hybrid; systemctl start ircd-hybrid.service). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0238 http://www.debian.org/security/2013/dsa-2618 ======================== Updated packages in core/updates_testing: ======================== ircd-hybrid-7.2.3-10.2.mga2 ircd-hybrid-devel-7.2.3-10.2.mga2 from ircd-hybrid-7.2.3-10.2.mga2.src.rpm
Thanks Colin. Confirmed it starts now with systemctl, the service command now fails with 'env: /etc/init.d/ircd-hybrid: Permission denied'. Other services usually say 'via systemctl'. eg: # service httpd restart Restarting httpd (via systemctl): [ OK ] This is a slight regression as the init script is no longer executable -rw-r--r-- 1 root root 1614 Feb 13 21:13 ircd-hybrid Is this intended Colin? Confirmed that when started with 'systemctl start ircd-hybrid.service' I can then connect to the server.
(In reply to comment #34) > -rw-r--r-- 1 root root 1614 Feb 13 21:13 ircd-hybrid Sigh. No, not intended.... fixing.
OK, should be fixed in the next build... I missed the defattr() stuff in the spec (it's quite a messy spec IMO)
Could you also please check for any unintentional files which might have crept into /var/lib/ircd-hybrid/ Seemed to be a number of hidden files which had no place there. Sorry :\
No, sorry, ignore that one. That's my eyes playing tricks on me.
Retested mga2 32 & 64 Validating, thanks Colin. Advisory: ======================== Updated ircd-hybrid packages fix security vulnerability: Bob Nomnomnom reported a Denial of Service vulnerability in IRCD-Hybrid, an Internet Relay Chat server. A remote attacker may use an error in the masks validation and crash the server (CVE-2013-0238). Please note that due to the previously suboptimal nature of the sysvinit script, systemd systems would not correctly detect the daemon process as running and thus could not stop the service. As a result, you may have to manually kill the process and start the service after upgrading (i.e. killall ircd-hybrid; systemctl start ircd-hybrid.service). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0238 http://www.debian.org/security/2013/dsa-2618 ======================== Could sysadmin please push ircd-hybrid-7.2.3-10.3.mga2.src.rpm from core/updates_testing to core/updates Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok mga2-64-ok
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0055
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED