KSirc: Denial of Service vulnerability — GLSA 200701-26

KSirc is vulnerable to a Denial of Service attack.

Affected Packages

kde-base/ksirc on all architectures
Affected versions < 3.5.5-r1
Unaffected versions >= 3.5.5-r1

Background

KSirc is the default KDE IRC client.

Description

KSirc fails to check the size of an incoming PRIVMSG string sent from an IRC server during the connection process.

Impact

A malicious IRC server could send a long PRIVMSG string to the KSirc client causing an assertion failure and the dereferencing of a null pointer, resulting in a crash.

Workaround

There is no known workaround at this time.

Resolution

All KSirc users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=kde-base/ksirc-3.5.5-r1"

References

Release Date
January 29, 2007

Latest Revision
January 30, 2007: 01

Severity
normal

Exploitable
remote

Bugzilla entries