UnrealIRCd updates their IRCd to 3.2.8.1
The UnrealIRCd project has published a bugfix release for version 3.2.8; the current release is now 3.2.8.1.
The fix became necessary after a crash was found in the option allow::options::noident.
In a short interview, developer nate explains how the crash is triggered and how to avoid it:
There was an issue in allow::options::noident, where, if it was enabled in an allow block, a user could potentially crash a server due to a buffer overflow. As far as we’ve been able to see, there’s no risk of remote code execution as much as it just causing a segfault. The main ways of resolving it are updating to 3.2.8.1 or simply making sure no allow blocks specifically have noident (which most by default won’t thankfully).
It is vulnerable in past versions before 3.2.8 as well.
Asked how far back exactly, nate says the exploit exists “at least back towards 3.2.3 (before that we wouldn’t support anyways due to exploits way back then)”.
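For servers that cannot be upgraded right away, the check nate describes (no allow block with noident) can be run over the configuration file. The script below is an added example, not code from the UnrealIRCd project or from this post; the function names and the sample configuration are constructed, and it assumes the 3.2 syntax in which options is a block nested inside allow.

```python
import re

# Constructed sample in UnrealIRCd 3.2 configuration syntax (not from the post).
SAMPLE_CONF = """\
allow {
    ip *@*;
    hostname *@*;
    class clients;
};
/* noident; inside a comment must not be reported */
allow {
    ip *@192.0.2.*;
    hostname *@*.example.net;
    class clients;
    options {
        useip;
        noident;  # the option named in the advisory
    };
};
"""

def strip_comments(text):
    """Blank out comments and quoted strings, keeping newlines for line numbers."""
    pattern = r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    return re.sub(pattern, lambda m: re.sub(r"[^\n]", " ", m.group(0)),
                  text, flags=re.S)

def find_noident_allow_blocks(text):
    """Return [(allow_line, noident_line)] for each allow::options::noident."""
    clean = strip_comments(text)
    stack, stmt, hits = [], [], []  # open blocks, words of current statement
    for m in re.finditer(r"[{};]|[^\s{};]+", clean):
        tok, line = m.group(0), clean.count("\n", 0, m.start()) + 1
        if tok == "{":
            # A block is named by the first word of the statement that opens it.
            stack.append(stmt[0] if stmt else ("", line))
            stmt = []
        elif tok in ("}", ";"):
            if tok == "}" and stack:
                stack.pop()
            stmt = []
        else:
            stmt.append((tok, line))
            if stmt == [("noident", line)] and [n for n, _ in stack] == ["allow", "options"]:
                hits.append((stack[0][1], line))
    return hits

if __name__ == "__main__":
    print(find_noident_allow_blocks(SAMPLE_CONF))
```

The script does not follow include directives, so each included file has to be checked separately.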
Thanks for the tip goes to Reed Loden and to nate for taking the time to answer my questions!