Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 270221 (CVE-2009-1789)

Summary: net-irc/eggdrop Fix for CVE-2007-2807 incomplete, remote DoS (CVE-2009-1789)
Product: Gentoo Security Reporter: Thomas Sader <thommey>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: craig, net-irc
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 222483    
Bug Blocks:    

Description Thomas Sader 2009-05-17 17:21:04 UTC
The patch applied to the gentoo eggdrop package in 1.6.18-r3 (only) by Nico Golde fixing bug 179354 called "80_all_CVE-2007-2807_servmsg.patch" in the patchset archive introduces a new vulnerability which exposes every eggdrop connected to an irc server (which is the main purpose of eggdrop) to be remotely crashable (by someone being on the same irc network).
(I'm not sure about the severity.. it makes the eggdrop packages unusable)

Reproducible: Always

Steps to Reproduce:
Send an empty CTCP via IRC to the eggdrop bot, for example:

PRIVMSG eggdrop :\1\1
Actual Results:  
It segfaults and crashes

Expected Results:  
No reaction

Comment 1 Alex Miller 2009-05-17 23:31:08 UTC
A new release of eggdrop was made because of this bug:

patch to fix ctcp issue is also given at
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-05-29 22:53:53 UTC
*** Bug 271804 has been marked as a duplicate of this bug. ***
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-02 19:36:42 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 ia64 ppc sparc x86"
Comment 4 Markus Meier gentoo-dev 2009-08-03 20:10:34 UTC
amd64/x86 stable
Comment 5 nixnut (RETIRED) gentoo-dev 2009-08-09 11:35:39 UTC
ppc stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2009-08-09 16:46:06 UTC
alpha/ia64/sparc stable
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-19 10:57:54 UTC
GLSA voting: NO
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 21:59:06 UTC
NO, too. Closing.