Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 14 Jun 2010 19:10:14 +0200
From: Alex Legler <a3li@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: UnrealIRCd 3.2.8.1 source code
 contained a backdoor allowing for remote command execution

On Sat, 12 Jun 2010 19:10:48 +0200, Alex Legler <a3li@...too.org> wrote:

> [blah]

While we're at it...

http://www.unrealircd.com/txt/unrealsecadvisory.20090413.txt

"A buffer in the code which handles user authorization is copied without
sufficient length checks, causing a buffer overflow.
This bug happens BEFORE the user is online. In other words: even if you
have a password protected server, or only allow certain ip/hosts in,
and you use allow::options::noident, then this bug can still be
triggered."

The issue affects versions <3.2.8.1

I think this issue doesn't have a CVE yet either. (CVE-2009-*)

Thanks,
Alex

-- 
Alex Legler | Gentoo Security / Ruby
a3li@...too.org | a3li@...ber.ccc.de

Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.