Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201006-21 ] UnrealIRCd: Multiple vulnerabilities
Date: Mon, 14 Jun 2010 20:15:39
Message-Id: 20100614212025.03685209@mail.a3li.li
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201006-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: UnrealIRCd: Multiple vulnerabilities
      Date: June 14, 2010
      Bugs: #260806, #323691
        ID: 201006-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in UnrealIRCd might allow remote attackers to
compromise the "unrealircd" account, or cause a Denial of Service.

Background
==========

UnrealIRCd is an Internet Relay Chat (IRC) daemon.

Affected packages
=================

     -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
     -------------------------------------------------------------------
  1  net-irc/unrealircd     < 3.2.8.1-r1                  >= 3.2.8.1-r1

Description
===========

Multiple vulnerabilities have been reported in UnrealIRCd:

* The vendor reported a buffer overflow in the user authorization
  code.

* The vendor reported that the distributed source code of UnrealIRCd
  was compromised and altered to include a system() call that could be
  called with arbitrary user input.

Impact
======

A remote attacker could exploit these vulnerabilities to cause the
execution of arbitrary commands with the privileges of the user running
UnrealIRCd, or a Denial of Service condition. NOTE: By default
UnrealIRCd on Gentoo is run with the privileges of the "unrealircd"
user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All UnrealIRCd users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-irc/unrealircd-3.2.8.1-r1"
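
The check below is an added example, not part of the Gentoo advisory: it lists installed net-irc/unrealircd versions that fall below the fixed 3.2.8.1-r1 by scanning a Portage package database tree. It assumes plain dotted versions with an optional -rN revision; the function names are hypothetical, chosen for this example.

```shell
#!/bin/sh
# Added example: flag net-irc/unrealircd versions below the fixed 3.2.8.1-r1.
# Assumption: versions are dotted integers with an optional -rN revision
# (no _alpha/_p suffixes, no leading zeros); function names are hypothetical.
FIXED="3.2.8.1-r1"

# cmp_ver A B: print -1, 0 or 1 as A is lower than, equal to or higher than B.
cmp_ver() {
    a_num=${1%-r[0-9]*}; b_num=${2%-r[0-9]*}
    a_rev=0; b_rev=0
    if [ "$a_num" != "$1" ]; then a_rev=${1##*-r}; fi
    if [ "$b_num" != "$2" ]; then b_rev=${2##*-r}; fi
    while [ -n "$a_num" ] || [ -n "$b_num" ]; do
        # A version that runs out of components first is the lower one.
        if [ -z "$a_num" ]; then echo -1; return 0; fi
        if [ -z "$b_num" ]; then echo 1; return 0; fi
        a_head=${a_num%%.*}; b_head=${b_num%%.*}
        if [ "$a_head" -lt "$b_head" ]; then echo -1; return 0; fi
        if [ "$a_head" -gt "$b_head" ]; then echo 1; return 0; fi
        case $a_num in *.*) a_num=${a_num#*.} ;; *) a_num= ;; esac
        case $b_num in *.*) b_num=${b_num#*.} ;; *) b_num= ;; esac
    done
    # Same upstream version: the Gentoo revision decides (no -rN means r0).
    if [ "$a_rev" -lt "$b_rev" ]; then echo -1; return 0; fi
    if [ "$a_rev" -gt "$b_rev" ]; then echo 1; return 0; fi
    echo 0
}

# is_vulnerable VERSION: exit status 0 when VERSION is below the fix.
is_vulnerable() {
    [ "$(cmp_ver "$1" "$FIXED")" = "-1" ]
}

# scan_vdb ROOT: print each vulnerable version installed under a VDB tree.
scan_vdb() {
    for d in "$1"/net-irc/unrealircd-[0-9]*; do
        [ -d "$d" ] || continue
        v=${d##*/unrealircd-}
        if is_vulnerable "$v"; then echo "$v"; fi
    done
}

# Default to the live Portage package database when no path is given.
scan_vdb "${1:-/var/db/pkg}"
```

Empty output means no vulnerable version is recorded as installed under the scanned tree.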

References
==========

  [ 1 ] UnrealIRCd Security Advisory 20090413
        http://www.unrealircd.com/txt/unrealsecadvisory.20090413.txt
  [ 2 ] UnrealIRCd Security Advisory 20100612
        http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
