Request CVE for LinuxNode - DoS vulnerability

["Iain R. Learmonth" <irl () fsfe org>]

Hi,

I'm a member of the Debian Hamradio Maintainer's team and a
denial-of-service bug has been reported on our package ax25-node. (Debian
bug: https://bugs.debian.org/777013) I would like to request a CVE for this
vulnerability.

The software in this package is identified as LinuxNode in the README
contained in the source package. The author is identified as Tomi Manninen
OH2BNS, <tomi.manninen () hut fi> although attempts have been made to contact
the author and have been unsuccessful, as mentioned in the Debian bug
report.

https://sources.debian.net/src/node/0.3.2-7.4/README/

From the bug report:

"The SIGQUIT routine fails to close the app leaving the IP sockets open and
in some cases DDOS the remote site if a user "ctrl-]+q" out of a telnet
session.  Also the app fails to close and more can be spawned by a crafty
malicious user thus bringing the system to a point of no memory available."

Brian N1URO on the bug report maintains a replacement node package and I am
confident that his report is accurate. He found this vulnerability in 2005,
but due to an unresponsive upstream this got lost. This is the first request
for a CVE for this vulnerability.

This appears to be an issue affecting multiple versions, although I can only
say that it is present in 0.3.2.

I am happy to provide more information if needed and I can be contacted at:

  irl () fsfe org

Thanks,
Iain.

-- 
e: irl () fsfe org            w: iain.learmonth.me
x: irl () jabber fsfe org     t: EPVPN 2105
c: 2M0STB                  g: IO87we
p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49

Attachment: _bin
Description: