The patch applied to the gentoo eggdrop package in 1.6.18-r3 (only) by Nico Golde fixing bug 179354 called "80_all_CVE-2007-2807_servmsg.patch" in the patchset archive introduces a new vulnerability which exposes every eggdrop connected to an irc server (which is the main purpose of eggdrop) to be remotely crashable (by someone being on the same irc network). (I'm not sure about the severity.. it makes the eggdrop packages unusable) Reproducible: Always Steps to Reproduce: Send an empty CTCP via IRC to the eggdrop bot, for example: PRIVMSG eggdrop :\1\1 Actual Results: It segfaults and crashes Expected Results: No reaction References: http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0129.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528778
A new release of eggdrop was made because of this bug: http://www.eggheads.org/news/2009/05/14/35 patch to fix ctcp issue is also given at ftp://ftp.eggheads.org/pub/eggdrop/patches/official/1.6/eggdrop1.6.19+ctcpfix.patch.gz
*** Bug 271804 has been marked as a duplicate of this bug. ***
Arches, please test and mark stable: =net-irc/eggdrop-1.6.19 Target keywords : "alpha amd64 ia64 ppc sparc x86"
amd64/x86 stable
ppc stable
alpha/ia64/sparc stable
GLSA voting: NO
NO, too. Closing.