Subject: pkg/6374: Our sirc IRC client includes a script to launch a DOS attack. This is _not_ proper.
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jwise@unicast.com>
List: netbsd-bugs
Date: 10/29/1998 15:02:19
>Number: 6374
>Category: pkg
>Synopsis: Our sirc IRC client includes a script to launch a DOS attack. This is _not_ proper.
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: gnats-admin (GNATS administrator)
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Thu Oct 29 12:20:00 1998
>Last-Modified:
>Originator: Jim Wise
>Organization:
Jim Wise
jwise@unicast.com
>Release: pkgsrc downloaded 1998-10-29
>Environment:
System: NetBSD nevrast.unicast.com 1.3.2 NetBSD 1.3.2 (NEVRAST) #1: Fri Jul 10 09:43:10 PDT 1998 jwise@nevrast.unicast.com:/usr/src/sys/arch/i386/compile/NEVRAST i386
>Description:
I do not use IRC, and wouldn't have noticed this except that I blew out my distfiles
and did a re- `make fetch'. To my surprise, and consternation, I noticed that our
sirc package downloads an add-on by the name of `winnuke.pl', which turns out to be
exactly what it sounds like -- a script-kiddy DoS attacker.
Am I actually to understand that we are distributing DoS software in NetBSD's package
system? Not software like sniffit which might be misused, but actual DoS software?
Sorry if I sound annoyed, but this is kind of big...
>How-To-Repeat:
cd /usr/pkgsrc ; make sync ; cd ../../distfiles/sirc ; more winnuke.pl
>Fix:
Remove the `winnuke.pl' script from pkgsrc/net/sirc/Makefile, and the
`lib/sirc/scripts/winnuke.pl' line from pkgsrc/net/sirc/pkg/PLIST. Please...
>Audit-Trail:
>Unformatted: