Security fix (until maintainer commits proper update):

A buffer overflow vulnerability exists in ircd that allows a remote attacker to crash the ircd server, thus causing a denial of service condition.
2003-11-11 15:17:34 +00:00 · 2003-11-11 15:17:34 +00:00 · cda0e2df62
commit cda0e2df62
parent f60aece3cd
2 changed files with 56 additions and 3 deletions
--- a/net/irc/Makefile
+++ b/net/irc/Makefile
@ -1,13 +1,13 @@
-# $OpenBSD: Makefile,v 1.23 2003/05/12 18:02:44 sturm Exp $
+# $OpenBSD: Makefile,v 1.24 2003/11/11 15:17:34 margarida Exp $
 # $FreeBSD: Makefile,v 1.19 1998/12/09 20:15:29 billf Exp $

 COMMENT=	"internet relay chat (irc) server"

 DISTNAME=       irc2.10.3p1
-PKGNAME=        irc-2.10.3p1
+PKGNAME=        irc-2.10.3p1p1
 CATEGORIES=	net

-MASTER_SITES=   ftp://ftp.irc.org/irc/server/ \
+MASTER_SITES=   ftp://ftp.irc.org/irc/server/Old/ \
                ftp://ftp.ntua.gr/pub/net/irc/server/
 EXTRACT_SUFX=	.tgz

--- a/net/irc/patches/patch-ircd_channel_c
+++ b/net/irc/patches/patch-ircd_channel_c
@ -0,0 +1,53 @@
+$OpenBSD: patch-ircd_channel_c,v 1.1 2003/11/11 15:17:34 margarida Exp $
+--- ircd/channel.c.orig	2000-06-06 23:34:27.000000000 +0100
+++ ircd/channel.c	2003-11-09 00:03:46.000000000 +0000
+@@ -1966,7 +1966,7 @@ char	*parv[];
+ 	Reg	Link	*lp;
+ 	Reg	aChannel *chptr;
+ 	Reg	char	*name, *key = NULL;
+-	int	i, flags = 0;
+	int	i, tmplen, flags = 0;
+ 	char	*p = NULL, *p2 = NULL, *s, chop[5];
+ 
+ 	if (parc < 2 || *parv[1] == '\0')
+@@ -2115,10 +2115,20 @@ char	*parv[];
+ 					   parv[0]), name);
+ 			continue;
+ 		    }
+		tmplen = strlen(name);
+		if (i + tmplen + 2 /* comma and \0 */
+			>= sizeof(jbuf) )
+		{
+
+			break;
+
+		}
+ 		if (*jbuf)
+-			(void)strcat(jbuf, ",");
+-		(void)strncat(jbuf, name, sizeof(jbuf) - i - 1);
+-		i += strlen(name)+1;
+		{
+			jbuf[i++] = ',';
+		}
+		(void)strcpy(jbuf + i, name);
+		i += tmplen;
+ 	    }
+ 
+ 	p = NULL;
+@@ -2270,6 +2280,16 @@ char	*parv[];
+ 					   parv[0], name, chop);
+ 		else if (*chptr->chname != '&')
+ 		    {
+			/* ":" (1) "nick" (NICKLEN) " JOIN :" (7), comma (1)
+			** possible chop (4), ending \r\n\0 (3) = 16
+			** must fit in the cbuf as well! --B. */
+			if (strlen(cbuf) + strlen(name) + NICKLEN + 16
+				 >= sizeof(cbuf))
+			{
+				sendto_serv_butone(cptr, ":%s JOIN :%s",
+					parv[0], cbuf);
+				cbuf[0] = '\0';
+			}
+ 			if (*cbuf)
+ 				strcat(cbuf, ",");
+ 			strcat(cbuf, name);