Patch by Eggheads team: mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19

and earlier allows remote attackers to cause a denial of service (crash) via a crafted

PRIVMSG that causes an empty string to trigger a negative string length copy. NOTE: this

issue exists because of an incorrect fix for CVE-2007-2807.

Further information:

 - https://bugzilla.redhat.com/show_bug.cgi?id=502650

 - http://secunia.com/advisories/35104

 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1789

 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2807

--- eggdrop1.6.19/doc/UPDATES1.6			2008-04-19 06:23:06.000000000 +0200

+++ eggdrop1.6.19/doc/UPDATES1.6.ctcpfix		2009-05-15 04:27:58.000000000 +0200

@@ -10,6 +10,11 @@

     ftp://ftp.eggheads.org/pub/eggdrop/UPDATES/

+  1.6.19+ctcpfix (14 May 2009):

+    - Fixed another bug in the CTCP parsing code introduced by the servmsg.c

+      buffer overflow patch in 1.6.19.

+    * Patch by: thommey

+

   1.6.19 (18 April 2008):

     - Update the recommended TCL version to 8.5

--- eggdrop1.6.19/src/mod/server.mod/servmsg.c		2008-02-16 22:41:10.000000000 +0100

+++ eggdrop1.6.19/src/mod/server.mod/servmsg.c.ctcpfix	2009-05-15 04:27:58.000000000 +0200

@@ -488,9 +488,9 @@

       *p = 0;

       strncpyz(ctcpbuf, p1, sizeof(ctcpbuf));

       ctcp = ctcpbuf;

-      /* copy the part after the second : in front of it after

-       * the first :, this is temporary copied to ctcpbuf */

-      strncpy(p1 - 1, p + 1, strlen(ctcpbuf) - 1);

+

+      /* remove the ctcp in msg */

+      memmove(p1 - 1, p + 1, strlen(p + 1) + 1);

       if (!ignoring)

         detect_flood(nick, uhost, from,

--- eggdrop1.6.19/src/patch.h				2008-04-19 06:21:20.000000000 +0200

+++ eggdrop1.6.19/src/patch.h.ctcpfix			2009-05-15 04:27:58.000000000 +0200

@@ -36,7 +36,7 @@

  *

  *

  */

-/* PATCH GOES HERE */

+patch("ctcpfix");

 /*

  *

  *