Bug#427157: CVE-2007-2807: stack-based buffer overflow

[Nico Golde]

Hi,
I intend to upload an NMU to fix this problem, attached is a 
patch which should fix CVE-2007-2807.

The patch is also archived on:
http://people.debian.org/~nion/nmu-diff/eggdrop-1.6.18-1_1.6.18-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

diff -Nurad eggdrop-1.6.18-1/eggdrop-1.6.18/debian/changelog eggdrop-1.6.18-1.1/eggdrop-1.6.18/debian/changelog
--- eggdrop-1.6.18-1/eggdrop-1.6.18/debian/changelog	2007-08-12 17:04:15.000000000 +0200
+++ eggdrop-1.6.18-1.1/eggdrop-1.6.18/debian/changelog	2007-08-12 16:59:49.000000000 +0200
@@ -1,3 +1,10 @@
+eggdrop (1.6.18-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by secure testing team.
+  * Fix for CVE-2007-2807 (01_CVE-2007-2807_srvmsg.patch) (Closes: #427157).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Sun, 12 Aug 2007 16:42:31 +0200
+
 eggdrop (1.6.18-1) unstable; urgency=low
 
   * New upstream release (Closes: #369678).
diff -Nurad eggdrop-1.6.18-1/eggdrop-1.6.18/debian/patches/01_CVE-2007-2807_servmsg.patch eggdrop-1.6.18-1.1/eggdrop-1.6.18/debian/patches/01_CVE-2007-2807_servmsg.patch
--- eggdrop-1.6.18-1/eggdrop-1.6.18/debian/patches/01_CVE-2007-2807_servmsg.patch	1970-01-01 01:00:00.000000000 +0100
+++ eggdrop-1.6.18-1.1/eggdrop-1.6.18/debian/patches/01_CVE-2007-2807_servmsg.patch	2007-08-12 16:42:17.000000000 +0200
@@ -0,0 +1,37 @@
+diff -Nurad src~/mod/server.mod/servmsg.c src/mod/server.mod/servmsg.c
+--- src~/mod/server.mod/servmsg.c	2007-08-12 16:39:34.000000000 +0200
++++ src/mod/server.mod/servmsg.c	2007-08-12 16:39:52.000000000 +0200
+@@ -461,7 +461,8 @@
+   to = newsplit(&msg);
+   fixcolon(msg);
+   /* Only check if flood-ctcp is active */
+-  strcpy(uhost, from);
++  strncpy(uhost, from, sizeof(buf));
++  buf[sizeof(buf) - 1] = '\0';
+   nick = splitnick(&uhost);
+   if (flud_ctcp_thr && detect_avalanche(msg)) {
+     if (!ignoring) {
+@@ -471,7 +472,7 @@
+         p++;
+       else
+         p = uhost;
+-      simple_sprintf(ctcpbuf, "[EMAIL PROTECTED]", p);
++      snprintf(ctcpbuf, sizeof(ctcpbuf), "[EMAIL PROTECTED]", p);
+       addignore(ctcpbuf, botnetnick, "ctcp avalanche",
+                 now + (60 * ignore_time));
+     }
+@@ -486,8 +487,12 @@
+       p++;
+     if (*p == 1) {
+       *p = 0;
+-      ctcp = strcpy(ctcpbuf, p1);
+-      strcpy(p1 - 1, p + 1);
++      ctcp = strncpy(ctcpbuf, p1, sizeof(ctcpbuf));
++      ctcpbuf[sizeof(ctcpbuf) - 1] = '\0';
++      /* copy the part after the second : in front of it after
++       * the first :, this is temporary copied to ctcpbuf */
++      strncpy(p1 - 1, p + 1, strlen(ctcpbuf) - 1);
++
+       if (!ignoring)
+         detect_flood(nick, uhost, from,
+                      strncmp(ctcp, "ACTION ", 7) ? FLOOD_CTCP : FLOOD_PRIVMSG);

pgpw4iyXf51sD.pgp
Description: PGP signature