Important: fix for crash issue in UnrealIRCd 5 and UnrealIRCd 6

Syzop
UnrealIRCd head coder

Post by Syzop »

UnrealIRCd 5 and UnrealIRCd 6 can be crashed by a regular user when a certain command is sent. This results in all users being disconnected from the server. There is no other risk than crashing (no buffer overflow or anything, no risk of remote code execution).

If you have any deny dcc { } blocks in the config file or spamfilters on the 'd' (dcc) target then the server can be crashed. This is true for many servers as there is a deny dcc { } block in the example configuration file (example.conf).

All U5 and U6 versions before January 28, 2022 are affected, so:
  • UnrealIRCd 5.0.0 - 5.2.3
  • UnrealIRCd 6.0.0 - 6.0.2-rc1

We recommend that admins apply the hot-patch (see next) ASAP, which will fix the issue with zero downtime.

Apply hot-patch; no restart needed

*NIX users can fix this issue without needing to restart their IRC server. Windows users will have to upgrade (see next section).

Go to your UnrealIRCd installation directory and then run:

```
./unrealircd hot-patch dcc_crash
```

This should end with the message "Done! All should be good now.". It is a good idea to double-check on IRC that your server is fixed, see the end of this news article.

The command from above is the recommended method. If instead you prefer to fiddle with patch files and know how to apply these, then they can be fetched; we have 4 variants: 6.0.x / 5.2.x / 5.0.5-5.0.9 / 5.0.0-5.0.4. Another alternative is to upgrade to 6.0.2 or 5.2.4 (see next).

Alternative: Upgrading

You can also choose to upgrade your entire UnrealIRCd. For example, because you want the latest UnrealIRCd 6 features, or because you are on Windows and cannot apply the hot-patch. For this we have released two new UnrealIRCd versions:
  • UnrealIRCd 5.2.4: compared to previous release the only thing extra is the patch for the crash and a version bump
  • UnrealIRCd 6.0.2: compared to previous release it contains lots of enhancements, fixes and of course also the patch for the crash and version bump

*NIX users typically upgrade to this version by running:

```
./unrealircd upgrade
```

You can also manually download and install UnrealIRCd from www.unrealircd.org.

Verifying the server is now OK / Checking vulnerable / not vulnerable

As an IRCOp you can check on IRC whether the hot-patch has been applied successfully, or if you have upgraded OK, or if the server is still crashable (still has the bug). This is a good idea to check.

Run the command /MODULE -all and then search for the line about the message module (about 20 lines before the end of the output). There is a difference in the message module version number that can be seen (if you are IRCOp):
  • Vulnerable versions (both UnrealIRCd 5 and UnrealIRCd 6) look like: *** message 5.0 - private message and notice - by UnrealIRCd Team
  • Fixed version UnrealIRCd 5 looks like: *** message 5.2.4 - private message and notice - by UnrealIRCd Team
  • Fixed version UnrealIRCd 6 looks like: *** message 6.0.2 - private message and notice - by UnrealIRCd Team
  • If you don't see a version number then you are not an IRC Operator. You need to OPER up to see version numbers of modules.

You can also check remote servers by running /MODULE -all name.of.server.net
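
The version check described in this post, as an added example that is not part of the original post or of UnrealIRCd itself: a small classifier for saved /MODULE -all output from several servers. The function names, the sample captures and the layout of the line a non-oper sees are assumptions; the version strings are the ones listed above.

```python
import re

# Version strings of the "message" module, exactly as listed in the post.
VULNERABLE = {"5.0"}
FIXED = {"5.2.4", "6.0.2"}

# The version field is optional: non-opers see no version numbers.
# Assumption: without a version the rest of the line keeps the same layout.
MODULE_LINE = re.compile(
    r"\*\*\* message(?: (?P<ver>\d+(?:\.\d+)*\S*))? - private message and notice"
)


def classify(output):
    """Classify saved /MODULE -all output from one server."""
    for line in output.splitlines():
        m = MODULE_LINE.search(line)
        if m is None:
            continue
        ver = m.group("ver")
        if ver is None:
            return "not-oper"          # OPER up and run the command again
        if ver in VULNERABLE:
            return "vulnerable"
        if ver in FIXED:
            return "fixed"
        return "unknown-version"       # not covered by the post; check by hand
    return "not-found"                 # message module line missing from capture


def audit(captures):
    """Map each server name to its classification."""
    return {server: classify(text) for server, text in captures.items()}


# Constructed sample captures (hypothetical server names, filler line invented).
SAMPLES = {
    "hub.example.net": "[12:00] *** filler_module 1.0 - constructed line - by Nobody\n"
                       "[12:00] *** message 5.0 - private message and notice - by UnrealIRCd Team\n",
    "leaf1.example.net": "*** message 5.2.4 - private message and notice - by UnrealIRCd Team\n",
    "leaf2.example.net": "*** message 6.0.2 - private message and notice - by UnrealIRCd Team\n",
    "leaf3.example.net": "*** message - private message and notice - by UnrealIRCd Team\n",
}

if __name__ == "__main__":
    for server, status in audit(SAMPLES).items():
        print(f"{server}: {status}")
```

Any version string other than the three named in the post is reported as unknown-version rather than guessed at.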

Re: Important: fix for crash issue in UnrealIRCd 5 and UnrealIRCd 6

Post by Syzop »

The patch script works well for 6.0.x and 5.2.x users.
During the first hour there were problems for users running 5.0.x. These have now been resolved.
If you have not run the script yet for 5.0.x you can run "./unrealircd hot-patch dcc_crash" now just fine and you don't have to read below.

For those who were running 5.0.x and tried to patch the first hour and who got a HUNK failed error, here is how to recover:

First go to your SOURCE unrealircd directory:

```
# Obviously change the path to your source directory
cd /home/ircd/unrealircd-5.0.x
mv src/modules/message.c.orig src/modules/message.c
mv src/modules/dccdeny.c.orig src/modules/dccdeny.c
```

After this, go to your INSTALLATION unrealircd directory and re-run the hot-patch script as usual:

```
cd /home/ircd/unrealircd
./unrealircd hot-patch dcc_crash
```

Again, this is only for users on 5.0.x who tried to upgrade the first hour and got into trouble. Not for any other users!