UnrealIRCd: Multiple vulnerabilities
1. Gentoo Linux Security Advisory
Version Information
| Advisory Reference | GLSA 201006-21 / unrealircd |
| Release Date | June 14, 2010 |
| Latest Revision | June 14, 2010: 02 |
| Impact | high |
| Exploitable | remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| net-irc/unrealircd | < 3.2.8.1-r1 | >= 3.2.8.1-r1 | All supported architectures |
Related bugreports:
#260806, #323691
Synopsis
Multiple vulnerabilities in UnrealIRCd might allow remote attackers to
compromise the "unrealircd" account, or cause a Denial of Service.
2. Impact Information
Background
UnrealIRCd is an Internet Relay Chat (IRC) daemon.
Description
Multiple vulnerabilities have been reported in UnrealIRCd:
- The vendor reported a buffer overflow in the user authorization
code (CVE-2009-4893).
- The vendor reported that the distributed source code of UnrealIRCd
was compromised and altered to include a system() call that could be
called with arbitrary user input (CVE-2010-2075).
Impact
A remote attacker could exploit these vulnerabilities to cause the
execution of arbitrary commands with the privileges of the user running
UnrealIRCd, or a Denial of Service condition. NOTE: By default
UnrealIRCd on Gentoo is run with the privileges of the "unrealircd"
user.
3. Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All UnrealIRCd users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-irc/unrealircd-3.2.8.1-r1"
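To find which hosts still need the upgrade above, the affected range from this advisory (< 3.2.8.1-r1) can be checked against a version inventory. The following is an added example, not part of the advisory or of Gentoo's tooling; the host names and inventory are constructed, and the parser assumes dotted numeric versions with an optional -rN revision, reporting anything else (such as _rc suffixes) for manual review rather than reproducing Portage's full comparison rules.

```python
import re

# First fixed version, from the advisory's "Unaffected versions" column.
FIRST_FIXED = "3.2.8.1-r1"

# Assumption: only dotted numeric versions with an optional -rN revision.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version):
    """Return ((3, 2, 8, 1), 1) for '3.2.8.1-r1'; a missing -rN counts as r0."""
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, int(match.group(2) or 0)


def is_vulnerable(installed, first_fixed=FIRST_FIXED):
    """True when installed < first_fixed, compared numerically, not as text."""
    return parse_version(installed) < parse_version(first_fixed)


def audit(inventory):
    """Split hosts into (vulnerable, needs_manual_review), both sorted."""
    vulnerable, review = [], []
    for host, version in inventory.items():
        try:
            if is_vulnerable(version):
                vulnerable.append(host)
        except ValueError:
            review.append(host)
    return sorted(vulnerable), sorted(review)


# Constructed inventory (hypothetical hosts and versions, not from the advisory).
SAMPLE_INVENTORY = {
    "irc-a": "3.2.8.1",      # no ebuild revision, so below the fixed -r1
    "irc-b": "3.2.8.1-r1",   # first fixed revision
    "irc-c": "3.2.7-r2",     # older release
    "irc-d": "3.2.10",       # newer release; a text comparison would flag it
    "irc-e": "3.2.9_rc1",    # suffix outside this parser's scope
}

if __name__ == "__main__":
    flagged, review = audit(SAMPLE_INVENTORY)
    print("vulnerable:", flagged)
    print("manual review:", review)
```
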