ngIRCd Release 20.3

There have been code paths that ignored the return code of Handle_Write()
when sending "notice auth" messages to new clients connecting to the
server. But because Handle_Write() would have closed the client connection
again if an error occurred, this would have resulted in new errors and
assert()'s later on that could have crashed the server (denial of service).

Only setups having the configuration option "NoticeAuth" enabled are
affected, which is not the default.

CVE-2013-5580.

(cherry picked from commit 309122017e)

ChangeLog

@@ -9,10 +9,18 @@
                                -- ChangeLog --
 
 
+ngIRCd 20.3 (2013-08-23)
+
+  - Security: Fix a denial of service bug (server crash) which could happen
+    when the configuration option "NoticeAuth" is enabled (which is NOT the
+    default) and ngIRCd failed to send the "notice auth" messages to new
+    clients connecting to the server (CVE-2013-5580).
+
 ngIRCd 20.2 (2013-02-15)
 
   - Security: Fix a denial of service bug in the function handling KICK
-    commands that could be used by arbitrary users to to crash the daemon.
+    commands that could be used by arbitrary users to to crash the daemon
+    (CVE-2013-1747).
   - WHO command: Use the currently "displayed hostname" (which can be cloaked!)
     for hostname matching, not the real one. In other words: don't display all
     the cloaked users on a specific real hostname!

NEWS

@@ -9,11 +9,20 @@
                                   -- NEWS --
 
 
+ngIRCd 20.3 (2013-08-23)
+
+  - This release is a bugfix release only, without new features.
+  - Security: Fix a denial of service bug (server crash) which could happen
+    when the configuration option "NoticeAuth" is enabled (which is NOT the
+    default) and ngIRCd failed to send the "notice auth" messages to new
+    clients connecting to the server (CVE-2013-5580).
+
 ngIRCd 20.2 (2013-02-15)
 
   - This release is a bugfix release only, without new features.
   - Security: Fix a denial of service bug in the function handling KICK
-    commands that could be used by arbitrary users to to crash the daemon.
+    commands that could be used by arbitrary users to to crash the daemon
+    (CVE-2013-1747).
 
 ngIRCd 20.1 (2013-01-02)
 

contrib/Debian/changelog

@@ -1,3 +1,9 @@
+ngircd (20.3-0ab1) unstable; urgency=high
+
+  * New "upstream" release, fixing a security related bug: ngIRCd 20.3.
+
+ -- Alexander Barton <alex@barton.de>  Fri, 23 Aug 2013 21:53:21 +0200
+
 ngircd (20.2-0ab1) unstable; urgency=high
 
   * New "upstream" release, fixing a security related bug: ngIRCd 20.2.

contrib/ngircd.spec

@@ -1,5 +1,5 @@
 %define name    ngircd
-%define version 20.2
+%define version 20.3
 %define release 1
 %define prefix  %{_prefix}
 

src/ngircd/conn.c

@@ -1547,7 +1547,11 @@ Conn_StartLogin(CONN_ID Idx)
 #endif
 			(void)Conn_WriteStr(Idx,
 				"NOTICE AUTH :*** Looking up your hostname");
-		(void)Handle_Write(Idx);
+		/* Send buffered data to the client, but break on errors
+		 * because Handle_Write() would have closed the connection
+		 * again in this case! */
+		if (!Handle_Write(Idx))
+			return;
 	}
 
 	Resolve_Addr(&My_Connections[Idx].proc_stat, &My_Connections[Idx].addr,
@@ -2339,8 +2343,13 @@ cb_Read_Resolver_Result( int r_fd, UNUSED short events )
 		}
 #endif
 
-		if (Conf_NoticeAuth)
-			(void)Handle_Write(i);
+		if (Conf_NoticeAuth) {
+			/* Send buffered data to the client, but break on
+			 * errors because Handle_Write() would have closed
+			 * the connection again in this case! */
+			if (!Handle_Write(i))
+				return;
+		}
 
 		Class_HandleServerBans(c);
 	}