Your message dated Thu, 5 Jul 2012 14:48:17 +0100
with message-id 
<capq4b8n1g-zbhtk1gmgvv3gvjxpiowpwkpunxczdbqn+s7q...@mail.gmail.com>
and subject line Closing orphan/obsolete bugs (rageircd)
has caused the Debian Bug report #343543,
regarding rageircd: user authentication can be bypassed by not providing a password
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
343543: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343543
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rageircd
Version: 2.0.1-4
Severity: grave
Tags: patch, security

If rageircd is configured to require a password to connect to the
server, it will still allow users to connect if they don't provide a
password at all and only bounce them if they provide an incorrect one.
I've attached the patch I'm using which fixes it for me.

-- 
James

--- rageircd-2.0.1.orig/src/s_conf2.c
+++ rageircd-2.0.1/src/s_conf2.c
@@ -1825,8 +1825,8 @@
        if ((allow->class->clients + 1) > allow->class->max_clients) {
                return CLIENTAUTH_CLASSFULL;
        }
-       if ((allow->auth != NULL) && !BadPtr(cptr->localClient->passwd)) {
-               if (!check_auth(allow->auth, cptr->localClient->passwd)) {
+       if ((allow->auth != NULL)) {
+               if (BadPtr(cptr->localClient->passwd) || 
!check_auth(allow->auth, cptr->localClient->passwd)) {
                        return CLIENTAUTH_INVALIDPW;
                }
                memset(cptr->localClient->passwd, '\0', PASSWDLEN + 1);
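
Review bot: the early `return CLIENTAUTH_INVALIDPW;` in the inner `if` sits before the `memset`, so a supplied-but-wrong password stays in `cptr->localClient->passwd` on the rejection path; consider clearing the buffer before returning when `BadPtr` is false. The ordering `BadPtr(...) || !check_auth(...)` is right, since the short-circuit keeps `check_auth` and the later `memset` from ever seeing a missing password. The outer `if ((allow->auth != NULL))` carries a leftover pair of parentheses from the old two-clause condition, and a one-line comment stating that a missing password must be rejected whenever `allow->auth` is set would help keep this check from being loosened again.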


--- End Message ---
--- Begin Message ---
Hello,

Thanks for your interest in Debian, and sorry that the bugs were not
attended to in due time.

rageircd was removed from Debian unstable long ago [1] (5+ years), from
experimental recently [2], and has been dead upstream since 2005 [3].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=395345
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679261
[3] http://sourceforge.net/projects/rageircd/files/

The bugs are now orphaned (no maintainer assigned), so they are not
going to be noticed by anybody and dealt with.  I am thus closing them
now.

Regards.


--- End Message ---
