Bug 179354 (CVE-2007-2807) - net-irc/eggdrop < 1.6.18-r3 Server Module Private Message Processing Buffer Overflow (CVE-2007-2807)
Status: RESOLVED FIXED
Alias: CVE-2007-2807
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/25276/
Whiteboard: B1 [glsa errata]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-05-21 20:08 UTC by Lars Hartmann
Modified: 2008-01-08 22:33 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Fix strcpy to strncpy to avoid buffer overflow (eggdrop.patch, 410 bytes, patch)
2007-07-23 20:31 UTC, Pierre-Yves Rofes (RETIRED)
Fix strcpy #2 (eggdrop-strcpy-fix.patch, 439 bytes, patch)
2007-07-31 20:51 UTC, Pierre-Yves Rofes (RETIRED)

Description Lars Hartmann 2007-05-21 20:08:49 UTC
Bow Sineath has reported a vulnerability in Eggdrop, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the server module (/mod/server.mod/servrmsg.c) when processing private messages sent by an IRC server. This can be exploited to cause a stack-based buffer overflow via e.g. a specially crafted private message sent to the bot as a server reply.

Successful exploitation may allow execution of arbitrary code but requires that the bot connects to a malicious IRC server.

The vulnerability is reported in version 1.6.18. Other versions may also be affected.

Solution:
Do not connect to untrusted IRC servers.

Reproducible: Always
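Added example, not eggdrop's code and not part of this bug report: it models the bounded copy that the patch later in this thread applies to `uhost` (strncpy bounded by UHOSTLEN plus an explicit terminator) next to a stricter variant that rejects an over-long prefix instead of truncating it, and shows why the terminator line is needed. The UHOSTLEN value, the two sample prefixes and every function name are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for eggdrop's uhost[UHOSTLEN] buffer in gotmsg();
 * kept small on purpose, this is not eggdrop's real UHOSTLEN value. */
#define UHOSTLEN 32

enum copy_result { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_REJECTED = 2 };

/* Constructed sample prefixes: one that fits, one longer than the buffer. */
static const char SHORT_PREFIX[] = "nick!user@example.net";
static const char LONG_PREFIX[] = "nick!user@" "aaaaaaaaaa" "aaaaaaaaaa"
                                  "aaaaaaaaaa" "aaaaaaaaaa";

/* Why the patch's explicit terminator matters: strncpy alone leaves no NUL
 * anywhere in the buffer when the source is at least UHOSTLEN bytes long. */
int strncpy_alone_terminates(const char *from) {
    char buf[UHOSTLEN];
    strncpy(buf, from, UHOSTLEN);
    return memchr(buf, '\0', UHOSTLEN) != NULL;
}

/* Bounded copy in the shape of the patch: strncpy plus an explicit terminator.
 * The overflow is gone, but over-long input is silently cut to UHOSTLEN-1. */
enum copy_result copy_uhost_truncating(char *uhost, const char *from) {
    strncpy(uhost, from, UHOSTLEN);
    uhost[UHOSTLEN - 1] = '\0';
    return strlen(from) >= UHOSTLEN ? COPY_TRUNCATED : COPY_OK;
}

/* Stricter alternative: refuse an over-long prefix rather than truncate it,
 * so a later nick/host split never operates on a mangled value. */
enum copy_result copy_uhost_strict(char *uhost, const char *from) {
    size_t n = strlen(from);
    if (n >= UHOSTLEN) { uhost[0] = '\0'; return COPY_REJECTED; }
    memcpy(uhost, from, n + 1);
    return COPY_OK;
}

/* Helpers that return plain values so the behaviour can be checked. */
int truncating_copy_strlen(const char *from) {
    char uhost[UHOSTLEN];
    copy_uhost_truncating(uhost, from);
    return (int)strlen(uhost);
}
int strict_copy_result(const char *from) {
    char uhost[UHOSTLEN];
    return (int)copy_uhost_strict(uhost, from);
}

int main(void) {
    printf("strncpy alone terminates long input: %d\n", strncpy_alone_terminates(LONG_PREFIX));
    printf("truncating copy keeps %d bytes; strict copy result %d\n",
           truncating_copy_strlen(LONG_PREFIX), strict_copy_result(LONG_PREFIX));
    return 0;
}
```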
Comment 1 Lars Hartmann 2007-05-21 20:10:07 UTC
Let's wait for upstream to provide a fix.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2007-07-13 16:17:54 UTC
Upstream takes too long. A simple strncpy should fix this?
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-23 20:31:34 UTC
Created attachment 125783 [details, diff]
Fix strcpy to strncpy to avoid buffer overflow
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-23 20:34:36 UTC
Comment on attachment 125783 [details, diff]
Fix strcpy to strncpy to avoid buffer overflow

><HTML><HEAD/><BODY><PRE>--- servmsg.c	2006-03-28 04:35:51.000000000 +0200
>+++ servmsg.c.new	2007-07-23 22:30:57.000000000 +0200
>@@ -461,7 +461,7 @@ static int gotmsg(char *from, char *msg)
>   to = newsplit(&amp;msg);
>   fixcolon(msg);
>   /* Only check if flood-ctcp is active */
>-  strcpy(uhost, from);
>+  strncpy(uhost, from, UHOSTLEN);
>+  uhost[UHOSTLEN-1] = '\0';
>   nick = splitnick(&amp;uhost);
>   if (flud_ctcp_thr &amp;&amp; detect_avalanche(msg)) {
>     if (!ignoring) {
></PRE></BODY></HTML>
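Review bot: the attachment will not apply as posted: it is wrapped in HTML (`<HTML><HEAD/><BODY><PRE>` ... `</PRE></BODY></HTML>`) and the `&` characters are entity-encoded (`to = newsplit(&amp;msg);`), so it needs to be resubmitted as plain text. On the fix itself, `strncpy(uhost, from, UHOSTLEN);` followed by `uhost[UHOSTLEN-1] = '\0';` does stop the overflow at this copy, but it silently truncates any `from` of UHOSTLEN or more bytes before `splitnick(&uhost)` runs, so the nick and host derived from a truncated prefix need not match the actual sender; rejecting or logging an over-length prefix would be safer than truncating it. This hunk also covers only one copy site: other unbounded copies of server-supplied strings in gotmsg() and the rest of the file should be checked for the same defect before the patch is considered complete.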
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-23 20:37:36 UTC
Given the "complexity" of the bug, I think we can just patch it without waiting for upstream. Pulling in the herd for advice.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-31 20:51:37 UTC
Created attachment 126537 [details, diff]
Fix strcpy #2

Corrected the patch instead of the html crap above :)
net-irc, any news here?
Comment 7 solar (RETIRED) gentoo-dev 2007-07-31 21:59:31 UTC
eggdrop-1.6.18-r2 updated (give it an hour or so to hit the mirrors) with
pretty much this same patch. If you USE=vanilla then the ebuild will skip
the security patch altogether.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-31 22:18:40 UTC
Hi arches, please test and mark stable net-irc/eggdrop-1.6.18-r2.

target keywords are: "alpha amd64 ia64 mips ppc sparc x86"
Comment 9 Christoph Mende (RETIRED) gentoo-dev 2007-08-01 00:10:36 UTC
amd64 stable
Comment 10 solar (RETIRED) gentoo-dev 2007-08-01 05:23:08 UTC
Note to arches. This is pretty much the exact same eggdrop that was -r1. While
proper testing is desired (i.e. put a bot on IRC) it's probably not required
assuming the previous keyword was already stable. If 'from' is longer than 'dest'
unexpected results may happen. Unexpected may or may not be better than the segv
that probably would have happened otherwise. So on that note it's probably
good to maybe set up a fake server which might actually attempt to trigger
this and point all the arch teams at it. (jeeves is an egg)
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2007-08-01 13:18:49 UTC
sparc stable.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2007-08-01 13:23:47 UTC
alpha/ia64/x86 stable
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-01 19:28:36 UTC
ppc stable, ready for glsa
Comment 14 Joshua Kinard gentoo-dev 2007-08-06 03:01:45 UTC
mips stable.
Comment 15 Matthias Geerdsen (RETIRED) gentoo-dev 2007-09-15 15:39:40 UTC
GLSA 200709-07

thanks everyone
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-15 16:33:26 UTC
actually we've got a problem.
my fix was incomplete, thanks to Nico Golde from Debian for pointing that out.
here's his patch: http://nion.modprobe.de/01_CVE-2007-2807_servmsg.patch
checking mandriva to see if they got the same fix.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-15 16:47:57 UTC
mandriva used his patch too, so we should do the same. if someone can please fix this.
Comment 18 solar (RETIRED) gentoo-dev 2007-09-15 19:21:32 UTC
eggdrop-1.6.18-r3 is in the tree now as ~alpha ~amd64 ~ia64 ~mips ~ppc ~sparc ~x86
Comment 19 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-15 20:07:05 UTC
(In reply to comment #18)
> eggdrop-1.6.18-r3 is in the tree now as ~alpha ~amd64 ~ia64 ~mips ~ppc ~sparc
> ~x86
> 

Thanks. Arches, please test and mark stable.
Comment 20 Markus Meier gentoo-dev 2007-09-16 10:03:11 UTC
x86 stable
Comment 21 Christoph Mende (RETIRED) gentoo-dev 2007-09-16 16:50:57 UTC
amd64 stable
Comment 22 Raúl Porcel (RETIRED) gentoo-dev 2007-09-17 10:15:16 UTC
alpha/ia64 stable
Comment 23 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-17 17:19:26 UTC
ppc stable
Comment 24 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-22 18:28:21 UTC
I know the sparc team is currently having some manpower issues, but please stabilize eggdrop so we can close this one for good. thanks.
Comment 25 Raúl Porcel (RETIRED) gentoo-dev 2007-09-25 16:22:09 UTC
sparc stable

Ready to go
Comment 26 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-25 23:08:58 UTC
GLSA-200709-07 was already published actually :p
mips, don't forget to mark stable so you can benefit from it.
Comment 27 Robert Buchholz (RETIRED) gentoo-dev 2007-09-26 06:03:11 UTC
(In reply to comment #26)
> GLSA-200709-07 was already published actually :p

Doesn't this require an errata GLSA with the new unaffected version number?
Comment 28 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-26 15:53:01 UTC
We need an errata on this one.
Comment 29 Joshua Kinard gentoo-dev 2007-09-28 02:37:37 UTC
mips stable.
Comment 30 Lars Hartmann 2007-12-02 17:07:47 UTC
any news here?
Comment 31 Jakub Moc (RETIRED) gentoo-dev 2008-01-05 23:55:31 UTC
A Happy New Year... and could someone perhaps clarify the situation here please?
Comment 32 Robert Buchholz (RETIRED) gentoo-dev 2008-01-06 00:08:06 UTC
Since the XML GLSA was already updated, this just needs an ERRATA email to be sent.
I hope we'll do it this week.
Comment 33 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-08 22:33:58 UTC
errata sent, finally closing and sorry for the long delay :-/