CVE-2009-4016

Name	CVE-2009-4016
Description	Integer underflow in the clean_string function in irc_string.c in (1) IRCD-hybrid 7.2.2 and 7.2.3, (2) ircd-ratbox before 2.2.9, and (3) oftc-hybrid before 1.6.8, when flatten_links is disabled, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a LINKS command.
Source	CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References	DSA-1980-1
NVD severity	medium (attack range: remote)
Debian Bugs	567191, 567192, 567193
Debian/oldstable	not vulnerable.
Debian/stable	not vulnerable.
Debian/testing	not vulnerable.
Debian/unstable	not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ircd-hybrid (PTS)	squeeze (security), squeeze	1:7.2.2.dfsg.2-6.2+squeeze1	fixed
	wheezy	1:7.2.2.dfsg.2-10	fixed
	jessie, sid	1:8.2.0+dfsg.1-2	fixed
ircd-ratbox (PTS)	squeeze (security), squeeze	3.0.6.dfsg-2+squeeze1	fixed
	wheezy	3.0.7.dfsg-3	fixed
	jessie, sid	3.0.8.dfsg-3	fixed

The information above is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
ircd-hybrid	source	(unstable)	1:7.2.2.dfsg.2-6.1	medium		567192
ircd-hybrid	source	etch	1:7.2.2.dfsg.2-3+etch1	medium	DSA-1980-1
ircd-hybrid	source	lenny	1:7.2.2.dfsg.2-4+lenny1	medium	DSA-1980-1
ircd-ratbox	source	(unstable)	3.0.6.dfsg-1	medium		567191
ircd-ratbox	source	lenny	2.2.8.dfsg-2+lenny1	medium	DSA-1980-1
oftc-hybrid	source	(unstable)	1.6.3.dfsg-1.1	medium		567193