[BUG SUB] silc-server 1.0.2 denial of service vulnerability - silc-server
Frank Benkstein
frank at benkstein.net
Tue Mar 6 12:52:51 CET 2007
Software: silc-server
Version: 1.0.2
Operating System: Linux
Installation: source
Severity: critical
Description:
The current version of silc-server makes it possible
to crash a network's SILC router (or standalone server) when a new channel is created. All it takes
is to specify an invalid hmac algorithm name and no cipher algorithm name.
This results in a null pointer dereference in 'SILC_SERVER_CMD_FUNC(join)' at
line 2444 in apps/silcd/command.c.
How to repeat:
/connect yourserver
/join nonexistent -hmac nonexistent
Remote Environment:
unspecified
Fix:
I posted a fix to the Gentoo Bug tracker:
http://bugs.gentoo.org/attachment.cgi?id=112279&action=view
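The pattern behind this class of crash, as an added illustration (not silcd's code and not the patch linked above): a JOIN handler resolves the requested cipher and hmac names against tables of supported algorithms, a missing name falls back to a default, and an unknown name makes the lookup return NULL. If the handler uses the lookup result before checking it, a request with no cipher name and a bogus hmac name dereferences NULL, which is what the report describes. The table contents, default names, the `struct channel` layout and the two `join_channel*` functions are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical algorithm tables for illustration; not silcd's real lists. */
static const char *const known_ciphers[] = { "aes-256-cbc", "aes-128-cbc", "twofish-256-cbc", NULL };
static const char *const known_hmacs[]   = { "hmac-sha1-96", "hmac-md5-96", "hmac-sha256-96", NULL };

#define DEFAULT_CIPHER "aes-256-cbc"   /* assumed defaults, not silcd's */
#define DEFAULT_HMAC   "hmac-sha1-96"

enum join_status { JOIN_OK = 0, JOIN_ERR_UNKNOWN_CIPHER = 1, JOIN_ERR_UNKNOWN_HMAC = 2 };

struct channel {
    const char *cipher;   /* canonical name taken from the table */
    const char *hmac;
};

/* Returns the table's canonical string for name, or NULL if name is not supported. */
static const char *lookup_alg(const char *const *table, const char *name)
{
    for (; *table != NULL; table++)
        if (strcmp(*table, name) == 0)
            return *table;
    return NULL;
}

/* Vulnerable pattern: the lookup results are used without a NULL check.
 * With cipher_name == NULL the default is taken, but hmac_name == "nonexistent"
 * makes lookup_alg() return NULL and strlen(NULL) dereferences it. Do not call
 * this with an unknown algorithm name; it is here to show the bug shape. */
size_t join_channel_unchecked(const char *cipher_name, const char *hmac_name, struct channel *ch)
{
    ch->cipher = cipher_name ? lookup_alg(known_ciphers, cipher_name) : DEFAULT_CIPHER;
    ch->hmac   = hmac_name   ? lookup_alg(known_hmacs, hmac_name)     : DEFAULT_HMAC;
    return strlen(ch->cipher) + strlen(ch->hmac);   /* crashes when either is NULL */
}

/* Hardened: validate both names and reject the request before anything
 * touches the lookup results or the channel structure. */
enum join_status join_channel(const char *cipher_name, const char *hmac_name, struct channel *ch)
{
    const char *cipher = cipher_name ? lookup_alg(known_ciphers, cipher_name) : DEFAULT_CIPHER;
    const char *hmac   = hmac_name   ? lookup_alg(known_hmacs, hmac_name)     : DEFAULT_HMAC;

    if (cipher == NULL)
        return JOIN_ERR_UNKNOWN_CIPHER;
    if (hmac == NULL)
        return JOIN_ERR_UNKNOWN_HMAC;

    ch->cipher = cipher;
    ch->hmac = hmac;
    return JOIN_OK;
}

int main(void)
{
    struct channel ch;

    /* Server-side equivalent of the client's "/join nonexistent -hmac nonexistent":
     * no -cipher given, unknown -hmac given. The checked handler reports an error
     * instead of dereferencing NULL. */
    enum join_status st = join_channel(NULL, "nonexistent", &ch);
    printf("no cipher, unknown hmac -> status %d (expected %d)\n", st, JOIN_ERR_UNKNOWN_HMAC);

    st = join_channel(NULL, NULL, &ch);
    printf("defaults -> status %d cipher=%s hmac=%s\n", st, ch.cipher, ch.hmac);
    return 0;
}
```

The check belongs where the names are resolved, not later at use sites: every code path that takes a default for one algorithm and a client-supplied name for the other has to treat the NULL from a failed lookup as a protocol error to send back to the client, never as a value to store in the channel.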