Your message dated Sat, 04 Jul 2009 13:54:32 +0000
with message-id <e1mn5hi-0002oq...@ries.debian.org>
and subject line Bug#528778: fixed in eggdrop 1.6.18-1etch2
has caused the Debian Bug report #528778,
regarding eggdrop: incomplete patch for CVE-2007-2807
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
528778: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528778
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: eggdrop
Severity: grave
Tags: security
Justification: user security hole

Hi,
turns out my patch has a bug in it which opens this up for a
buffer overflow again in case strlen(ctcpbuf) returns 0:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/68341


Too bad no one noticed that before.
I am going to upload a 0-day NMU now to fix this.

debdiff available on:
http://people.debian.org/~nion/nmu-diff/eggdrop-1.6.19-1.1_1.6.19-1.2.patch

(includes the wrong bug number to close as I tried to reopen it first but it
failed because it was already archived).

Cheers
Nico

--- End Message ---
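The failure mode Nico describes, a patch that indexes a buffer by `strlen(buf) - 1` and so writes out of bounds when `strlen()` returns 0, as an added example in C. This is not eggdrop's code and does not reproduce the actual servmsg.c defect (which the report does not show); the CTCP message layout, the `CTCP_BUF_SIZE` constant and the function names `extract_ctcp` and `chop_last` are assumptions for illustration. It shows the bounded copy with the empty-payload and overlong-payload cases handled, and the guarded form of the "chop the last byte" idiom.

```c
#include <stdio.h>
#include <string.h>

/* Constructed target size for the bounded copy; not eggdrop's real buffer
 * size (assumption for illustration). */
#define CTCP_BUF_SIZE 64

/* Copy the CTCP payload enclosed by \001 delimiters in `msg` into `out`
 * (`outsz` bytes). Returns the payload length, or -1 if there is no complete
 * \001...\001 block. An empty payload ("\001\001") returns 0 and leaves
 * out[0] == '\0'; nothing here indexes out[len - 1] unless len > 0. */
int extract_ctcp(const char *msg, char *out, size_t outsz)
{
    const char *start, *end;
    size_t len;

    if (msg == NULL || out == NULL || outsz == 0)
        return -1;
    start = strchr(msg, '\001');
    if (start == NULL)
        return -1;                 /* not a CTCP message */
    start++;                       /* first byte after the opening \001 */
    end = strchr(start, '\001');
    if (end == NULL)
        return -1;                 /* unterminated block: reject rather than guess */
    len = (size_t)(end - start);
    if (len >= outsz)
        len = outsz - 1;           /* truncate, keeping room for the NUL */
    memcpy(out, start, len);       /* memcpy with len == 0 is well defined */
    out[len] = '\0';
    return (int)len;
}

/* Drop the last byte of `buf` (for instance a trailing delimiter). The naive
 * form `buf[strlen(buf) - 1] = '\0'` is the pattern the report warns about:
 * when strlen() returns 0 the size_t subtraction wraps and the store lands
 * outside the buffer. Returns 1 if a byte was removed, 0 if `buf` was empty. */
int chop_last(char *buf)
{
    size_t len = strlen(buf);
    if (len == 0)
        return 0;                  /* empty: never touch buf[-1] */
    buf[len - 1] = '\0';
    return 1;
}

int main(void)
{
    char out[CTCP_BUF_SIZE];
    char big[160];
    char tail[] = "VERSION\001";
    char empty[1] = "";
    int n;

    /* Constructed sample lines, not captured IRC traffic. */
    n = extract_ctcp(":nick!u@h PRIVMSG bot :\001VERSION\001", out, sizeof out);
    printf("normal: len=%d payload=\"%s\"\n", n, out);

    n = extract_ctcp(":nick!u@h PRIVMSG bot :\001\001", out, sizeof out);
    printf("empty:  len=%d payload=\"%s\"\n", n, out);

    /* Overlong payload: 150 'A's must be truncated to CTCP_BUF_SIZE - 1. */
    memset(big, 'A', sizeof big);
    big[0] = '\001';
    big[151] = '\001';
    big[152] = '\0';
    n = extract_ctcp(big, out, sizeof out);
    printf("long:   len=%d strlen=%zu\n", n, strlen(out));

    printf("chop on \"VERSION\\001\": %d -> \"%s\"\n", chop_last(tail), tail);
    printf("chop on \"\": %d\n", chop_last(empty));
    return 0;
}
```

The point of `chop_last` is that a length check before the subtraction is the whole fix: once `len` is known to be non-zero, `len - 1` is a valid index, and the empty case is reported to the caller instead of silently corrupting memory.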
--- Begin Message ---
Source: eggdrop
Source-Version: 1.6.18-1etch2

We believe that the bug you reported is fixed in the latest version of
eggdrop, which is due to be installed in the Debian FTP archive:

eggdrop-data_1.6.18-1etch2_all.deb
  to pool/main/e/eggdrop/eggdrop-data_1.6.18-1etch2_all.deb
eggdrop_1.6.18-1etch2.diff.gz
  to pool/main/e/eggdrop/eggdrop_1.6.18-1etch2.diff.gz
eggdrop_1.6.18-1etch2.dsc
  to pool/main/e/eggdrop/eggdrop_1.6.18-1etch2.dsc
eggdrop_1.6.18-1etch2_i386.deb
  to pool/main/e/eggdrop/eggdrop_1.6.18-1etch2_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <s...@debian.org> (supplier of updated eggdrop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 22 Jun 2009 12:53:51 +0200
Source: eggdrop
Binary: eggdrop-data eggdrop
Architecture: source i386 all
Version: 1.6.18-1etch2
Distribution: oldstable-security
Urgency: high
Maintainer: Guilherme de S. Pastore <gpast...@debian.org>
Changed-By: Sebastien Delafond <s...@debian.org>
Description: 
 eggdrop    - Advanced IRC Robot
 eggdrop-data - Architecture independent files for eggdrop
Closes: 528778
Changes: 
 eggdrop (1.6.18-1etch2) oldstable-security; urgency=high
 .
   * Security: Fix buffer overflow in case strlen(ctcpbuf) returns zero
     (Closes: #528778).
     Fixes: CVE-2009-1789
 .
   * Security: actually apply patch from 1.6.18-1etch1, that somehow got
     messed up and was never applied to mod/server.mod/servrmsg.c.
     Fixes: CVE-2007-2807
Files: 
 594b4749b9ec89f7d369643895710ad8 650 net extra eggdrop_1.6.18-1etch2.dsc
 1a18e0a558c7de704c220e6ed0f14bff 8016 net extra eggdrop_1.6.18-1etch2.diff.gz
 5f8afe289ebefcc7921fc1a9189c7efd 413124 net extra eggdrop-data_1.6.18-1etch2_all.deb
 945bb805188e10c0ce96e0b5d2295deb 475340 net extra eggdrop_1.6.18-1etch2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAko/aTwACgkQiZgNKcDdyD+VDQCfXb8AyKNp25xSUrrOA309Q8Cs
XZAAnjfklqbOMMnWIp1aSqKDoOGgcqF5
=Sr2l
-----END PGP SIGNATURE-----

--- End Message ---