Bug 905652 (CVE-2013-0238) - CVE-2013-0238 ircd-hybrid: DoS due to not validating input when parsing masks
Summary: CVE-2013-0238 ircd-hybrid: DoS due to not validating input when parsing masks
Alias: CVE-2013-0238
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 905653
TreeView+ depends on / blocked
Reported: 2013-01-29 21:15 UTC by Vincent Danen
Modified: 2019-09-29 12:59 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2018-02-02 23:47:57 UTC

Attachments (Terms of Use)

Description Vincent Danen 2013-01-29 21:15:31 UTC
It was reported [1] that ircd-hybrid suffers from a denial of service condition due to improper validation of input when parsing masks.  Because try_parse_v4_netmask() (in src/hostmask.c) uses strtoul to parse masks, and does not properly validate input, it can segfault on certain input.  This could allow a remote attacker to crash the ircd server.

This has been fixed upstream in version 8.0.6 [2].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699267
[2] http://svn.ircd-hybrid.org:8000/viewcvs.cgi/ircd-hybrid/trunk/src/hostmask.c?r1=1786&r2=1785&pathrev=1786

Comment 1 Vincent Danen 2013-01-29 21:16:19 UTC
Created ircd-hybrid tracking bugs for this issue

Affects: epel-all [bug 905653]

Comment 3 Vincent Danen 2018-02-02 23:47:57 UTC
According to http://dl.fedoraproject.org/pub/epel/6/SRPMS/Packages/i/ this package is not shipped in EPEL6.  Given it was filed against EPEL5 at that time, closing this.

Note You need to log in before you can comment on or make changes to this bug.