CVE-2009-4016

Name	CVE-2009-4016
Description	Integer underflow in the clean_string function in irc_string.c in (1) IRCD-hybrid 7.2.2 and 7.2.3, (2) ircd-ratbox before 2.2.9, and (3) oftc-hybrid before 1.6.8, when flatten_links is disabled, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a LINKS command.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References	DSA-1980-1
NVD severity	medium (attack range: remote)
Debian Bugs	567191, 567192, 567193

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ircd-hybrid (PTS)	jessie	1:8.2.0+dfsg.1-2+deb8u1	fixed
	stretch	1:8.2.21+dfsg.1-1	fixed
	buster, sid	1:8.2.24+dfsg.1-1	fixed
ircd-ratbox (PTS)	jessie	3.0.8.dfsg-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
ircd-hybrid	source	(unstable)	1:7.2.2.dfsg.2-6.1	medium		567192
ircd-hybrid	source	etch	1:7.2.2.dfsg.2-3+etch1	medium	DSA-1980-1
ircd-hybrid	source	lenny	1:7.2.2.dfsg.2-4+lenny1	medium	DSA-1980-1
ircd-ratbox	source	(unstable)	3.0.6.dfsg-1	medium		567191
ircd-ratbox	source	lenny	2.2.8.dfsg-2+lenny1	medium	DSA-1980-1
oftc-hybrid	source	(unstable)	1.6.3.dfsg-1.1	medium		567193