ngircd: Server-Server protocol implementation leads to out-of-bounds access (CVE-2020-14148)

The Server-Server protocol implementation in ngIRCd before 26~rc2 allows an out-of-bounds access, as demonstrated by the IRC_NJOIN() function.

References:

• https://nvd.nist.gov/vuln/detail/CVE-2020-14148
• https://security-tracker.debian.org/tracker/CVE-2020-14148

Patch:

https://github.com/ngircd/ngircd/commit/02cf31c0e267a4c9a7656d43ad3ad4eeb37fc9c5

Affected branches:

• master
• 3.12-stable
• 3.11-stable
• 3.10-stable
• 3.9-stable