Report forwarded to debian-bugs-dist@lists.debian.org, Mario Iseli <mario@debian.org>: Bug#451875; Package ngircd.
(full text, mbox, link).
Acknowledgement sent to Christoph Biedl <debian.packages.hhqj@manchmal.in-ulm.de>:
New Bug report received and forwarded. Copy sent to Mario Iseli <mario@debian.org>.
(full text, mbox, link).
Package: ngircd
Version: 0.10.0-2
Severity: important
Tags: security
Hi,
according to the ngircd homepage there's an issue in ngircd before
0.10.3:
| ngIRCd-versions previous to 0.10.3 comprise an error which can be used
| (also by remote) to crash the daemon. All installations should be
| updated to version 0.10.3 or subsequent versions.
Can you please check whether the etch version of ngircd is affected
(I'd be really surprised if not) and prepare an according update? The
diff between 0.10.2 and 0.10.3 is quite short and seems to apply.
Christoph
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23.8
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Versions of packages ngircd depends on:
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libssp0 4.1.1-21 GCC stack smashing protection libr
ngircd recommends no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Iseli <mario@debian.org>: Bug#451875; Package ngircd.
(full text, mbox, link).
Acknowledgement sent to Christoph Biedl <debian.packages.hhqj@manchmal.in-ulm.de>:
Extra info received and forwarded to list. Copy sent to Mario Iseli <mario@debian.org>.
(full text, mbox, link).
tags patch
quit
Christoph Biedl wrote...
(...)
I did some tests:
> Can you please check whether the etch version of ngircd is affected
> (I'd be really surprised if not)
It is.
> The
> diff between 0.10.2 and 0.10.3 is quite short and seems to apply.
See the patch attached for a fix. Works for me.
Christoph
Tags added: patch
Request was from Christoph Biedl <debian.packages.hhqj@manchmal.in-ulm.de>
to control@bugs.debian.org.
(Tue, 20 Nov 2007 09:39:01 GMT) (full text, mbox, link).
Tags added:
Request was from Christoph Biedl <debian.packages.hhqj@manchmal.in-ulm.de>
to control@bugs.debian.org.
(Wed, 21 Nov 2007 09:42:03 GMT) (full text, mbox, link).
Changed Bug title to `CVE-2007-6034, CVE-2007-6062: Remote vulnerability in ngircd before 0.10.3' from `Remote vulnerability in ngircd before 0.10.3'.
Request was from Christoph Biedl <debian.packages.hhqj@manchmal.in-ulm.de>
to control@bugs.debian.org.
(Wed, 21 Nov 2007 10:03:02 GMT) (full text, mbox, link).
Reply sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Christoph Biedl <debian.packages.hhqj@manchmal.in-ulm.de>:
Bug acknowledged by developer.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Iseli <mario@debian.org>: Bug#451875; Package ngircd.
(full text, mbox, link).
Acknowledgement sent to Christoph Biedl <debian.packages.hhqj@manchmal.in-ulm.de>:
Extra info received and forwarded to list. Copy sent to Mario Iseli <mario@debian.org>.
(full text, mbox, link).
reopen 451875
quit
Steffen Joeris wrote:
> Patch is included in current sid version, thus closing this bug.
Read the bug report from the very beginning. The problem is the stable
release of ngircd. Thus reopening.
Not amused.
Bug reopened, originator not changed.
Request was from Christoph Biedl <debian.packages.hhqj@manchmal.in-ulm.de>
to control@bugs.debian.org.
(Sat, 05 Jan 2008 13:03:08 GMT) (full text, mbox, link).
Bug marked as fixed in version 0.10.3-1.
Request was from Steffen Joeris <steffen.joeris@skolelinux.de>
to control@bugs.debian.org.
(Sat, 05 Jan 2008 13:09:14 GMT) (full text, mbox, link).
Reply sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Christoph Biedl <debian.packages.hhqj@manchmal.in-ulm.de>:
Bug acknowledged by developer.
(full text, mbox, link).
fixed 451875 0.10.3-1
thanks
On Sat, 5 Jan 2008 01:54:41 pm Christoph Biedl wrote:
> reopen 451875
> quit
The stable security team is aware of that issue, as it is in the security
tracker[0].
By the way, this is marked as a minor issue and there won't be a DSA just for
this issue. It can maybe be fixed with a stable upload in a point release,
which needs to be checked with the release team.
I've marked the bug as fixed with the version specified in the security
tracker and the BTS knows about versioning, so there is no point in having an
open bug for stable.
> Steffen Joeris wrote:
> > Patch is included in current sid version, thus closing this bug.
>
> Read the bug report from the very beginning. The problem is the stable
> release of ngircd. Thus reopening.
>
> Not amused.
Not amused either.
Cheers
Steffen
[0]: http://security-tracker.debian.net/tracker/
Subject: Bug#451875: fixed in ngircd 0.10.0-2etch1
Date: Thu, 17 Jan 2008 19:52:13 +0000
Source: ngircd
Source-Version: 0.10.0-2etch1
We believe that the bug you reported is fixed in the latest version of
ngircd, which is due to be installed in the Debian FTP archive:
ngircd_0.10.0-2etch1.diff.gz
to pool/main/n/ngircd/ngircd_0.10.0-2etch1.diff.gz
ngircd_0.10.0-2etch1.dsc
to pool/main/n/ngircd/ngircd_0.10.0-2etch1.dsc
ngircd_0.10.0-2etch1_ia64.deb
to pool/main/n/ngircd/ngircd_0.10.0-2etch1_ia64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 451875@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Barth <aba@not.so.argh.org> (supplier of updated ngircd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 5 Jan 2008 13:18:38 +0000
Source: ngircd
Binary: ngircd
Architecture: source ia64
Version: 0.10.0-2etch1
Distribution: stable
Urgency: medium
Maintainer: Mario Iseli <admin@marioiseli.com>
Changed-By: Andreas Barth <aba@not.so.argh.org>
Description:
ngircd - Next generation IRC Server
Closes: 451875
Changes:
ngircd (0.10.0-2etch1) stable; urgency=medium
.
* Security upload fixing CVE-2007-6062: Remote vulnerability in
ngircd before 0.10.3. Closes: #451875
* Thanks to Sebastian Vesper for finding the issue.
* Thanks to Christoph Biedl for noticing, the patch and reminding.
Files:
5facd147f7f2066620f1525fd468c1e8 594 net optional ngircd_0.10.0-2etch1.dsc
ddbf7cb848354b62d46df5f633b39f17 9043 net optional ngircd_0.10.0-2etch1.diff.gz
80cab697d97ac450a5b7192bb4afa43a 113692 net optional ngircd_0.10.0-2etch1_ia64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFHf4kQmdOZoew2oYURAlNdAJ47cxio0pWV8/nKtDB6vcTlj3b1kgCfYBos
RPj3emXBCBzcuFhc4LT7hWg=
=jfJy
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 15 Feb 2008 07:31:58 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.