[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <YFpulxkoFSCwxeto@zen.localdomain>
Date: Tue, 23 Mar 2021 23:41:27 +0100
From: ortmann@...teo.de
To: oss-security@...ts.openwall.com
Subject: Remote DoS Vulnerability in bitchx, ircii < 20210314 and scrollz
Hi,
i discovered a remote DoS vulnerability (crash) that effects bitchx, ircii and
scrollz.
Its unknown if this could also be used for arbitrary code execution.
Affected Versions:
This bug is very old and affects any version, except
ircii-20210314, which got a fix.
CVE Name:
none yet
Problem Description:
ircii has a bug in parsing CTCP UTC messages. bitchx and scrollz are forks of
ircii and inherited that feature and bug.
Impact:
A malicious irc user could nuke any other irc user that uses bitchx, ircii or
scrollz out of irc (crash their irc client) by connecting to the same irc
network and sending a malicious CTCP UTC message.
Solution:
For ircii: Update to ircii-20210314
For bitchx and scrollz: none yet
History:
20210302 Vulnerability and PoC reported to:
bitchx - security@...chx.org
ircii - mrg@...rna.com.au
scrollz - flier@...ollz.info
20210314 ircii released a fixed version
light and love,
Michael Ortmann
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
