Bug 2048669

Summary: unrealircd: Denial of service when a certain command is sent
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: redhat-bugzilla
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2022-01-31 18:01:40 UTC
Bug Depends On: 2048670, 2048671

Description Pedro Sampaio 2022-01-31 17:12:25 UTC
UnrealIRCd 5 and UnrealIRCd 6 can be crashed by a regular user when a certain command is sent. This results in all users being disconnected from the server. There is no other risk than crashing (no buffer overflow or anything, no risk of remote code execution).

If you have any deny dcc { } blocks in the config file or spamfilters on the 'd' (dcc) target then the server can be crashed. This is true for many servers as there is a deny dcc { } block in the example configuration file (example.conf).

All U5 and U6 versions before January 28, 2022 are affected, so:

    UnrealIRCd 5.0.0 - 5.2.3
    UnrealIRCd 6.0.0 - 6.0.2-rc1

We recommend that admins apply the hot-patch (see next) ASAP, which will fix the issue with zero downtime.

References:

https://forums.unrealircd.org/viewtopic.php?t=9168

Comment 1 Pedro Sampaio 2022-01-31 17:12:47 UTC
Created unrealircd tracking bugs for this issue:

Affects: epel-all [bug 2048671]
Affects: fedora-all [bug 2048670]

Comment 2 Product Security DevOps Team 2022-01-31 18:01:39 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.