Patch by Eggheads team: mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19
and earlier allows remote attackers to cause a denial of service (crash) via a crafted
PRIVMSG that causes an empty string to trigger a negative string length copy. NOTE: this
issue exists because of an incorrect fix for CVE-2007-2807.
Further information:
- https://bugzilla.redhat.com/show_bug.cgi?id=502650
- http://secunia.com/advisories/35104
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1789
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2807
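--- eggdrop1.6.19/doc/UPDATES1.6 2008-04-19 06:23:06.000000000 +0200
+++ eggdrop1.6.19/doc/UPDATES1.6.ctcpfix 2009-05-15 04:27:58.000000000 +0200
@@ -10,6 +10,11 @@
 
 ftp://ftp.eggheads.org/pub/eggdrop/UPDATES/
 
+ 1.6.19+ctcpfix (14 May 2009):
+ - Fixed another bug in the CTCP parsing code introduced by the servmsg.c
+ buffer overflow patch in 1.6.19.
+ * Patch by: thommey
+
 
 1.6.19 (18 April 2008):
 - Update the recommended TCL version to 8.5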
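--- eggdrop1.6.19/src/mod/server.mod/servmsg.c 2008-02-16 22:41:10.000000000 +0100
+++ eggdrop1.6.19/src/mod/server.mod/servmsg.c.ctcpfix 2009-05-15 04:27:58.000000000 +0200
@@ -488,9 +488,9 @@
 *p = 0;
 strncpyz(ctcpbuf, p1, sizeof(ctcpbuf));
 ctcp = ctcpbuf;
- /* copy the part after the second : in front of it after
- * the first :, this is temporary copied to ctcpbuf */
- strncpy(p1 - 1, p + 1, strlen(ctcpbuf) - 1);
+
+ /* remove the ctcp in msg */
+ memmove(p1 - 1, p + 1, strlen(p + 1) + 1);
 
 if (!ignoring)
 detect_flood(nick, uhost, from,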
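--- eggdrop1.6.19/src/patch.h 2008-04-19 06:21:20.000000000 +0200
+++ eggdrop1.6.19/src/patch.h.ctcpfix 2009-05-15 04:27:58.000000000 +0200
@@ -36,7 +36,7 @@
 *
 *
 */
-/* PATCH GOES HERE */
+patch("ctcpfix");
 /*
 *
 *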