Bug 76297

Summary: Update port: irc/unreal (Security Fix)
Product: Ports & Packages
Reporter: Gerrit Beine <tux>
Component: Individual Port(s)
Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description Gerrit Beine 2005-01-15 22:10:19 UTC
Please use this instead of
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/76274

Update to version 3.2.2, including Security Fix:

SECURITY ADVISORY
==================

A serious Denial-of-Service issue has been discovered in UnrealIRCd.

==[ AFFECTED VERSIONS ]==
Affected:
- Unreal3.2: beta18, beta19, RC-1, RC-2, 3.2, 3.2.1, 3.2.2

Unaffected:
- versions older than beta18 (OLD, UNSUPPORTED)
- 3.1* (VERY OLD, UNSUPPORTED)
- If you have NO servers and NO services linked and you
  are using a vulnerable version then this problem does
  not occur (this is however an uncommon configuration)

Fixed in/by:
- Hot-patched 3.2* servers (see FIX)
- The newly released 3.2.2b (for fresh installs)
- CVS from January 15 03:00 GMT and later

==[ PROBLEM ]==
There's a severe crashbug present in UnrealIRCd that can quite
easily be triggered by users. No code execution or anything
like that is possible (it's a NULL pointer dereference),
but it does cause a crash, which is of course serious enough.

Server admins should apply the fix (which does not require a
server restart) as soon as possible before an exploit will
become widespread (within 24h is recommended).

During the time of writing (Jan15 19:00 GMT) there are no signs
of "bad users" causing crashes, but we expect that this will
happen after public announcement of this bug.

==[ WORKAROUND ]==
There's no safe workaround, but see next for an easy fix.

==[ FIX ]==
Thanks to modulized commands we have created a "hot patch" utility
that will fix the issue WITHOUT requiring a server restart, all
you will have to do is install it and rehash.
This patch can be used on Unreal3.2-RC2, 3.2, 3.2.1 and 3.2.2.
Older versions (e.g. betas) are not supported; in that case we
suggest you upgrade to 3.2 (and apply this patch) or 3.2.2b.

Comment 1 twiddler 2005-01-17 13:14:26 UTC
Trying this, it appears that the list of master sites has changed, and 
3.2.2 has been withdrawn from the mirrors to be replaced with 3.2.2b.

Here's an updated version of the patch that uses 3.2.2b, and 
changes the list of download sites to match the project's 
download page (<http://www.unrealircd.com/?page=downloads>).  It 
also omits files/patch-m_kick.c, as this patch appears to 
have been included in 3.2.2b.

cheers
-- Scott

----------------

diff -Nur unreal.orig/Makefile unreal.updated/Makefile
--- unreal.orig/Makefile	Wed Jul 21 20:01:55 2004
+++ unreal.updated/Makefile	Mon Jan 17 04:57:41 2005
@@ -1,34 +1,39 @@
 # Ports collection makefile for:	Unreal-IRCd
 # Date created:				15 April 2004
 # Whom:					Gerrit Beine (<tux@pinguru.net>)
-# ToDo:	Make the configuration more flexible using -DOPTION for the
-#	configuration values, especially support for IPv6.
 #
 # $FreeBSD: ports/irc/unreal/Makefile,v 1.3 2004/07/22 02:01:55 ijliao Exp $
 #
 
 PORTNAME=	Unreal
-PORTVERSION=	3.2.1
+PORTVERSION=	3.2.2b
 CATEGORIES=	irc
-MASTER_SITES=	http://mirror.nimsay-networks.com/unrealircd/ \
-		http://unrealircd.za.net/ \
-		ftp://unrealircd.za.net/pub/UnrealIRCd/
+MASTER_SITES=	http://unreal.atlanti-ka.org/ \
+		http://unreal.stfu-n00b.net/ \
+		http://unrealircd.funny-chat.net/ \
+		http://unrealircd.fyrebird.net/ \
+		http://unrealircd.chaosteam.hu/ \
+		http://64.84.10.70/download/ \
+		http://www.gower.net/unrealircd/ \
+		http://www.ilmarinen.us/unreal/ \
+		http://unrealircd.alert-net.com/ \
+		http://www1.dnwt.net/unreal/ \
+#		http://www.tiefighter.org/~unreal/downloads/ \  # file missing
+#		http://mirror.nimsay-networks.com/unrealircd/ \ # file missing
+#		http://unrealircd.za.net/ \                     # file missing
+#		ftp://unrealircd.za.net/pub/UnrealIRCd/ \    # connect refused
+
 DISTNAME=	${PORTNAME}${PORTVERSION}
 DISTFILES=	${DISTNAME}${EXTRACT_SUFX}
 
 MAINTAINER=	tux@pinguru.net
 COMMENT=	Unreal - the next generation ircd
 
-SQLMOD=		Unreal/SQLMod.tar.gz
-
 WRKSRC=		${WRKDIR}/${PORTNAME}3.2
 
 HAS_CONFIGURE=	yes
 
-CONFIGURE_ARGS=	--enable-nospoof \
-		--enable-hub \
-		--enable-ziplinks \
-		--with-listen=5 \
+CONFIGURE_ARGS=	--with-listen=5 \
 		--with-dpath=${PREFIX}/Unreal \
 		--with-spath=${PREFIX}/Unreal/ircd \
 		--with-nick-history=2000 \
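Review bot: In the new MASTER_SITES list the last live entry, `http://www1.dnwt.net/unreal/ \`, ends in a continuation backslash and is followed only by commented-out mirrors that themselves carry a `\` and a trailing `# file missing` remark, so where the assignment ends depends on how make handles a comment inside a continued line. End the list at the last working mirror without a backslash and move the dead mirrors into an ordinary comment block outside the assignment. Separately, `http://64.84.10.70/download/` is a bare IP address, which is hard to audit later; use the mirror's hostname if it has one.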
@@ -38,15 +43,28 @@
 		--with-fd-setsize=1024 \
 		--enable-dynamic-linking
 
+OPTIONS=	HUB "Configure as a hub (otherwise configure as a leaf)" on \
+		NOSPOOF "Enable anti-spoof protection" off \
+		ZIPLINKS "Enable ziplinks support" off \
+		SSL "Support SSL connecions" off \
+		IPV6 "Enable ipv6 support" off \
+		PREFIXAQ "Enable prefixes for chanadmin and chanowner" off
+#		REMOTE "Enable remote includes" off \ this does not work at the moment
+
+SQLMOD=		Unreal/SQLMod.tar.gz
+
 .include <bsd.port.pre.mk>
 
-.if exists(${DISTDIR}/${SQLMOD})
-USE_MYSQL=	yes
-WITH_SQLMOD=	yes
-MAKE_ARGS=	all custommodule MODULEFILE=m_sqlmod
-PLIST_FILES+=	Unreal/modules/m_sqlmod.so Unreal/m_sqlmod.conf \
-		Unreal/doc/Changes.sqlmod Unreal/doc/README.sqlmod \
-		Unreal/doc/LICENSE.sqlmod
+.if defined(WITH_HUB)
+CONFIGURE_ARGS+=	--enable-hub
+.endif
+
+.if defined(WITH_NOSPOOF)
+CONFIGURE_ARGS+=	--enable-nospoof
+.endif
+
+.if defined(WITH_ZIPLINKS)
+CONFIGURE_ARGS+=	--enable-ziplinks
 .endif
 
 .if defined(WITH_IPV6)
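Review bot: NOSPOOF and ZIPLINKS are declared `off` in the new OPTIONS block, while the old Makefile passed `--enable-nospoof` and `--enable-ziplinks` unconditionally, so a default build of this security update silently loses the anti-spoof protection it had before. Either default both to `on` to preserve the existing behaviour or state the change in the commit message. Also, "connecions" in the SSL description should be "connections", and the commented-out REMOTE line would be clearer as a separate comment than as a trailing fragment of the OPTIONS list.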
@@ -58,6 +76,24 @@
 USE_OPENSSL=	yes
 .endif
 
+.if defined(WITH_REMOTE)
+LIB_DEPENDS+=	curl.3:${PORTSDIR}/ftp/curl
+CONFIGURE_ARGS+=	--enable-libcurl=/usr/local
+.endif
+
+.if defined(WITH_PREFIXAQ)
+CONFIGURE_ARGS+=	--enable-prefixaq
+.endif
+
+.if exists(${DISTDIR}/${SQLMOD})
+USE_MYSQL=	yes
+WITH_SQLMOD=	yes
+MAKE_ARGS=	all custommodule MODULEFILE=m_sqlmod
+PLIST_FILES+=	Unreal/modules/m_sqlmod.so Unreal/m_sqlmod.conf \
+		Unreal/doc/Changes.sqlmod Unreal/doc/README.sqlmod \
+		Unreal/doc/LICENSE.sqlmod
+.endif
+
 post-extract:
 .if defined(WITH_SQLMOD)
 	@${TAR} xfz ${DISTDIR}/${SQLMOD} -C ${WRKSRC}
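Review bot: The `WITH_REMOTE` block hardcodes `--enable-libcurl=/usr/local`; use `${LOCALBASE}` so the port still finds curl when packages live under a different prefix. The block is also live even though the REMOTE option is commented out of OPTIONS as not working, so `make -DWITH_REMOTE` still reaches it; guard it or drop it until the option works.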
@@ -69,6 +105,9 @@
 .if defined(WITH_SQLMOD)
 	@${PATCH} -d ${WRKSRC} < ${WRKSRC}/SQLMod/patch
 .endif
+
+pre-configure:
+	@${ECHO} ${CONFIGURE_ARGS}
 
 post-install:
 .if defined(WITH_SQLMOD)
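Review bot: The added `pre-configure` target only echoes `${CONFIGURE_ARGS}` and looks like leftover debugging output. Remove it before commit, or, if the summary is wanted, print it through `${ECHO_MSG}` with a short label so it reads as a deliberate message.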
diff -Nur unreal.orig/distinfo unreal.updated/distinfo
--- unreal.orig/distinfo	Wed Jul 21 20:01:55 2004
+++ unreal.updated/distinfo	Sun Jan 16 20:00:42 2005
@@ -1,2 +1,2 @@
-MD5 (Unreal3.2.1.tar.gz) = ebe56fd42fc229681f527932eaa173cc
-SIZE (Unreal3.2.1.tar.gz) = 1614434
+MD5 (Unreal3.2.2b.tar.gz) = d6a90889ce937d77e6e63787d7b31b51
+SIZE (Unreal3.2.2b.tar.gz) = 1708120
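Review bot: distinfo carries only an MD5 and a SIZE for Unreal3.2.2b.tar.gz, and every entry in the updated MASTER_SITES is plain `http://`, so this one MD5 is the only integrity check on the tarball. Confirm the value against the checksum published with the upstream release rather than against a single mirror download, and add a SHA256 line if the ports framework in use accepts one.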
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2005-01-19 10:51:32 UTC
State Changed
From-To: open->closed

Committed, thanks!