we became aware of a crash issue in UnrealIRCd that can be triggered by users.
This time however, we are trying a new approach by offering a "hot patch" that will fix your ircd without requiring a restart, so the process shouldn't be too painful. It won't be possible for all future security issues, but it works great for this one :).
In any case, we apologise for any inconvenience this will cause.
SECURITY ADVISORY
=================
A serious Denial-of-Service issue has been discovered in UnrealIRCd.
==[ AFFECTED VERSIONS ]==
Affected:
- Unreal3.2: beta18, beta19, RC-1, RC-2, 3.2, 3.2.1, 3.2.2
Unaffected:
- versions older than beta18 (OLD, UNSUPPORTED)
- 3.1* (VERY OLD, UNSUPPORTED)
- If you have NO servers and NO services linked and you
are using a vulnerable version then this problem does
not occur (this is however an uncommon configuration)
Fixed in/by:
- Hot-patched 3.2* servers (see FIX)
- The newly released 3.2.2b (for fresh installs)
- CVS from January 15 03:00 GMT and later
==[ PROBLEM ]==
There's a severe crash bug present in UnrealIRCd that can quite
easily be triggered by users. No code execution or anything
like that is possible (it's a NULL pointer dereference),
but it does cause a crash, which is of course serious enough.
Server admins should apply the fix (which does not require a
server restart) as soon as possible, before an exploit becomes
widespread (within 24h is recommended).
At the time of writing (Jan 15 19:00 GMT) there are no signs
of "bad users" causing crashes, but we expect that this will
happen after public announcement of this bug.
==[ WORKAROUND ]==
There's no safe workaround, but see next for an easy fix.
==[ FIX ]==
Thanks to modularized commands we have created a "hot patch" utility
that will fix the issue WITHOUT requiring a server restart; all
you will have to do is install it and rehash.
This patch can be used on Unreal3.2-RC2, 3.2, 3.2.1 and 3.2.2.
Older versions (e.g. betas) are not supported; in that case we
suggest you upgrade to 3.2 (and apply this patch) or to 3.2.2b.
*NIX:
Download and run the hotpatch utility, available URLs:
http://www.vulnscan.org/tmp/unrealpatch322
http://www.unrealircd.com/unrealpatch322
http://unreal.atlanti-ka.org/unrealpatch322
EXAMPLE:
cd ~/Unreal3.2 && wget http://www.unrealircd.com/unrealpatch322 && \
chmod +x unrealpatch322 && ./unrealpatch322
(or 'fetch' instead of 'wget', or any other download utility)
Alternatively if that did not work, try this .tar.gz:
http://www.vulnscan.org/tmp/qpatch.tar.gz OR
http://www.unrealircd.com/qpatch.tar.gz OR
http://unreal.atlanti-ka.org/qpatch.tar.gz
Extract it, cd to the directory and run ./doinstall
Windows:
Download and run the win32 hotpatch utility, available URLs:
http://www.vulnscan.org/tmp/322_hotpatch.exe
http://unreal.atlanti-ka.org/322_hotpatch.exe
http://unrealircd.funny-chat.net/322_hotpatch.exe
(this hotpatch is for 3.2.2 only, if using an older version then
upgrade to 3.2.2 first).
Additionally, we have replaced the 3.2.2 downloads on our site with
"3.2.2b" which is 3.2.2 + this patch (useful in case the hot patch
utility did somehow not work, or for any new installs):
See http://www.unrealircd.com/?page=downloads
This issue has also been fixed in CVS, both in 'stable' and
'unreal3_2_2fixes' since January 15 2005 03:00 GMT.
MD5 checksums:
2157afe65f97358645aac0b3f957bd57 unrealpatch322
8b842d83d037eca9cedcf49a6306b129 qpatch.tar.gz
d6a90889ce937d77e6e63787d7b31b51 Unreal3.2.2b.tar.gz
90ec48229484b16b94381471c39c07aa Unreal3.2.2b.exe
de445797833c281f87cdec193f098b0a Unreal3.2.2b-SSL.exe
SHA1 checksums:
31790d50dfa207a223c76f6c1119a8d48294c796 unrealpatch322
20879d90e328671f1853e78d6e4a6fb2557bf686 qpatch.tar.gz
c3f8258202c32ca09085975b6a042e6296c2d4b7 Unreal3.2.2b-SSL.exe
55019a076def37509fdb7e5382a62662f18dda30 Unreal3.2.2b.exe
749dfb38f514d1341b6ad8199ce0176f7709faf1 Unreal3.2.2b.tar.gz
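The *NIX hotpatch procedure above runs a freshly downloaded binary straight away; the script below, an added example that is not part of the advisory or the UnrealIRCd project, adds the step a cautious admin would want: compare the download's SHA-1 against the value published in the checksum list before executing it. It assumes the advisory's download path (~/Unreal3.2, wget) and that sha1sum, shasum or openssl is available on the host.

```shell
#!/bin/sh
# Added example: fetch the *NIX hotpatch and run it only if its SHA-1
# matches the value the advisory publishes for unrealpatch322.
set -eu

# SHA-1 of unrealpatch322, copied from the advisory's checksum list.
EXPECTED_SHA1="31790d50dfa207a223c76f6c1119a8d48294c796"

# Print the SHA-1 hex digest of a file with whichever tool the host has.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha1 "$1" | sed 's/^.*= //'
    fi
}

# Exit status 0 if the file's SHA-1 equals the expected digest, 1 otherwise.
verify_sha1() {
    actual=$(sha1_of "$1")
    [ "$actual" = "$2" ]
}

# Download, verify, then patch (the utility itself tells you to rehash).
# Nothing runs until this function is called explicitly.
install_hotpatch() {
    cd ~/Unreal3.2
    wget http://www.unrealircd.com/unrealpatch322   # or 'fetch', as the advisory notes
    if ! verify_sha1 unrealpatch322 "$EXPECTED_SHA1"; then
        echo "unrealpatch322: SHA-1 mismatch, refusing to run it" >&2
        rm -f unrealpatch322
        return 1
    fi
    chmod +x unrealpatch322 && ./unrealpatch322
}
```

Source the file and call install_hotpatch; a mismatch deletes the download and leaves the server untouched, so a truncated or tampered file is never executed.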
==[ TIMELINE ]==
Times are GMT+1
13-01-2005 Bug reported, traced and *NIX hotpatch ready
14-01-2005 Bug fixed in CVS, Win hotpatch ready, private announcement to some networks
15-01-2005 CERT-IRC announcement
15-01-2005 Downloads replaced, public announcement
==[ SOURCE ]==
A copy (and any updates) of this advisory is posted on:
http://www.unrealircd.com/unreal3_2_2b_advisory.txt