Bugzilla Bug 179354

Bow Sineath has reported a vulnerability in Eggdrop, which can be exploited by
malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the server module
(/mod/server.mod/servrmsg.c) when processing private messages sent by an IRC
server. This can be exploited to cause a stack-based buffer overflow via e.g. a
specially crafted private message sent to the bot as a server reply.

Successful exploitation may allow execution of arbitrary code but requires that
the bot connects to a malicious IRC server.

The vulnerability is reported in version 1.6.18. Other versions may also be
affected.

Solution:
Do not connect to untrusted IRC servers.

Reproducible: Always

lets wait for upstream to provide a fix

upstream takes too long. a simple strncpy should fix this?

Created an attachment (id=125783) [details]
Fix strcpy to strncpy to avoid buffer overflow

(From update of attachment 125783 [details])
><HTML><HEAD/><BODY><PRE>--- servmsg.c	2006-03-28 04:35:51.000000000 +0200
>+++ servmsg.c.new	2007-07-23 22:30:57.000000000 +0200
>@@ -461,7 +461,7 @@ static int gotmsg(char *from, char *msg)
>   to = newsplit(&amp;msg);
>   fixcolon(msg);
>   /* Only check if flood-ctcp is active */
>-  strcpy(uhost, from);
>+  strncpy(uhost, from, UHOSTLEN);
>+  uhost[UHOSTLEN-1] = '\0';
>   nick = splitnick(&amp;uhost);
>   if (flud_ctcp_thr &amp;&amp; detect_avalanche(msg)) {
>     if (!ignoring) {
></PRE></BODY></HTML>

Given the "complexity" of the bug, I think we can just patch it without waiting
upstream. pulling herd for advise.

Created an attachment (id=126537) [details]
Fix strcpy #2

Corrected the patch instead of the html crap above :)
net-irc, any news here?

eggdrop-1.6.18-r2 updated (give it an hour or so to hit the mirrors) with 
pretty much this same patch. If you USE=vanilla then the ebuild will skip 
the security patch all together.

Hi arches, please test and mark stable net-irc/eggdrop-1.6.18-r2.

target keywords are: "alpha amd64 ia64 mips ppc sparc x86"

amd64 stable

Note to arches. This is pretty much the exact same eggdrop that was -r1. While 
proper testing is desired (ie put a bot on IRC) it's probably not required 
assuming the previous keyword was already stable. If 'from' is longer than
'dest'
unexpected results may happen. Unexpected may or may not be better then the
segv 
that probably would of happened otherwise. So on that note it's probably 
good to maybe setup a fake server which might actually attempt to trigger 
this and point all the arch teams at it. (jeeves is an egg)

sparc stable.

alpha/ia64/x86 stable

ppc stable, ready for glsa

mips stable.

GLSA 200709-07

thanks everyone

actually we've got a problem.
my fix was incomplete, thanks to Nico Golde from Debian for pointing that out.
here's his patch: http://nion.modprobe.de/01_CVE-2007-2807_servmsg.patch
checking mandriva to see if they got the same fix.

mandriva used his patch too, so we should do the same. if someone can please
fix this.

eggdrop-1.6.18-r3 is in the tree now as ~alpha ~amd64 ~ia64 ~mips ~ppc ~sparc
~x86

(In reply to comment #18)
> eggdrop-1.6.18-r3 is in the tree now as ~alpha ~amd64 ~ia64 ~mips ~ppc ~sparc
> ~x86
> 

Thanks. Arches, please test and mark stable.

x86 stable

amd64 stable

alpha/ia64 stable

ppc stable

I know the sparc team is currently having some manpower issues, but please
stabilize eggdrop so we can close this one for good. thanks.

sparc stable

Ready to go

GLSA-200709-07 was already published actually :p
mips, don't forget to mark stable so you can benefit from it.

(In reply to comment #26)
> GLSA-200709-07 was already published actually :p

Doesn't this require an errata GLSA with the new unaffected version number?

We need an errata on this one.

mips stable.

any news here?

A Happy New Year... and could someone perhaps clarify the situation here
please?

Since the xml GLSA was already updated, this just needs an ERRATA email be
sent.
I hope we'll do it this week.

errata sent, finally closing and sorry for the long delay :-/