Bug 905652 (CVE-2013-0238) - CVE-2013-0238 ircd-hybrid: DoS due to not validating input when parsing masks
Summary: CVE-2013-0238 ircd-hybrid: DoS due to not validating input when parsing masks
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-0238
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 905653
Blocks:
Reported: 2013-01-29 21:15 UTC by Vincent Danen
Modified: 2019-09-29 12:59 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-02 23:47:57 UTC
Embargoed:



Description Vincent Danen 2013-01-29 21:15:31 UTC
It was reported [1] that ircd-hybrid suffers from a denial of service condition due to improper validation of input when parsing masks.  Because try_parse_v4_netmask() (in src/hostmask.c) uses strtoul to parse masks, and does not properly validate input, it can segfault on certain input.  This could allow a remote attacker to crash the ircd server.

This has been fixed upstream in version 8.0.6 [2].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699267
[2] http://svn.ircd-hybrid.org:8000/viewcvs.cgi/ircd-hybrid/trunk/src/hostmask.c?r1=1786&r2=1785&pathrev=1786
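
Added example, not part of the bug report and not ircd-hybrid's code: the checks a strtoul()-based parser needs before the number after the '/' in an IPv4 mask is used, shown next to an unchecked conversion. All function names are hypothetical and the inputs are constructed; the actual upstream change is the revision linked as [2].

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked form: whatever strtoul() yields is trusted. strtoul() accepts a
 * leading '-' and negates in unsigned arithmetic, so "-1" gives ULONG_MAX. */
unsigned long unchecked_prefix_len(const char *s)
{
    return strtoul(s, NULL, 10);
}

/* Hypothetical hardened helper: parse the text after '/' in an IPv4 mask.
 * Returns 0..32 on success, -1 if the input is rejected. */
int parse_v4_prefix_len(const char *s)
{
    char *end;
    unsigned long v;

    /* Require a leading digit: rejects "", whitespace, '+' and '-'. */
    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')  /* overflow or trailing junk */
        return -1;
    if (v > 32)                           /* range check before narrowing */
        return -1;
    return (int)v;
}

/* Network mask for a validated length. bits == 0 is special-cased because
 * shifting a 32-bit value by 32 is undefined behaviour in C. */
uint32_t v4_netmask(int bits)
{
    return bits == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - bits));
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "24", "0", "32", "33", "-1", "", "24x", " 8" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %d (unchecked: %lu)\n", samples[i],
               parse_v4_prefix_len(samples[i]), unchecked_prefix_len(samples[i]));
    return 0;
}
```

Callers must test for the -1 return before passing the result to v4_netmask() or using it as a shift count or index.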

Comment 1 Vincent Danen 2013-01-29 21:16:19 UTC
Created ircd-hybrid tracking bugs for this issue

Affects: epel-all [bug 905653]

Comment 3 Vincent Danen 2018-02-02 23:47:57 UTC
According to http://dl.fedoraproject.org/pub/epel/6/SRPMS/Packages/i/ this package is not shipped in EPEL6.  Given it was filed against EPEL5 at that time, closing this.

