oss-sec mailing list archives

Re: CVE request: UnrealIRCd 3.2.8.1 source code contained a backdoor allowing for remote command execution


From: Josh Bressers <bressers () redhat com>
Date: Mon, 14 Jun 2010 15:44:49 -0400 (EDT)

Steve,

Can you give this one a 2009 ID?

Thanks.

-- 
    JB


----- "Alex Legler" <a3li () gentoo org> wrote:

On Sat, 12 Jun 2010 19:10:48 +0200, Alex Legler <a3li () gentoo org> wrote:

[blah]

While we're at it...

http://www.unrealircd.com/txt/unrealsecadvisory.20090413.txt

"A buffer in the code which handles user authorization is copied
without sufficient length checks, causing a buffer overflow.
This bug happens BEFORE the user is online. In other words: even if you
have a password protected server, or only allow certain ip/hosts in,
and you use allow::options::noident, then this bug can still be
triggered."

The issue affects versions <3.2.8.1

I think this issue doesn't have a CVE yet either. (CVE-2009-*)

Thanks,
Alex

-- 
Alex Legler | Gentoo Security / Ruby
a3li () gentoo org | a3li () jabber ccc de

