Patch by Eggheads team: mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19
and earlier allows remote attackers to cause a denial of service (crash) via a crafted
PRIVMSG that causes an empty string to trigger a negative string length copy. NOTE: this
issue exists because of an incorrect fix for CVE-2007-2807.
Further information:
- https://bugzilla.redhat.com/show_bug.cgi?id=502650
- http://secunia.com/advisories/35104
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1789
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2807
--- eggdrop1.6.19/doc/UPDATES1.6 2008-04-19 06:23:06.000000000 +0200
+++ eggdrop1.6.19/doc/UPDATES1.6.ctcpfix 2009-05-15 04:27:58.000000000 +0200
@@ -10,6 +10,11 @@
ftp://ftp.eggheads.org/pub/eggdrop/UPDATES/
+ 1.6.19+ctcpfix (14 May 2009):
+ - Fixed another bug in the CTCP parsing code introduced by the servmsg.c
+ buffer overflow patch in 1.6.19.
+ * Patch by: thommey
+
1.6.19 (18 April 2008):
- Update the recommended TCL version to 8.5
--- eggdrop1.6.19/src/mod/server.mod/servmsg.c 2008-02-16 22:41:10.000000000 +0100
+++ eggdrop1.6.19/src/mod/server.mod/servmsg.c.ctcpfix 2009-05-15 04:27:58.000000000 +0200
@@ -488,9 +488,9 @@
*p = 0;
strncpyz(ctcpbuf, p1, sizeof(ctcpbuf));
ctcp = ctcpbuf;
- /* copy the part after the second : in front of it after
- * the first :, this is temporary copied to ctcpbuf */
- strncpy(p1 - 1, p + 1, strlen(ctcpbuf) - 1);
+
+ /* remove the ctcp in msg */
+ memmove(p1 - 1, p + 1, strlen(p + 1) + 1);
if (!ignoring)
detect_flood(nick, uhost, from,
--- eggdrop1.6.19/src/patch.h 2008-04-19 06:21:20.000000000 +0200
+++ eggdrop1.6.19/src/patch.h.ctcpfix 2009-05-15 04:27:58.000000000 +0200
@@ -36,7 +36,7 @@
*
*
*/
-/* PATCH GOES HERE */
+patch("ctcpfix");
/*
*
*