eggdrop/windrop remote crash vulnerability

Bug #377054 reported by Savvas Radevic
Affects              Status        Importance  Assigned to  Milestone
eggdrop (Debian)     Fix Released  Unknown
eggdrop (Ubuntu)     Fix Released  Low         Unassigned
  Dapper             Invalid       Undecided   Unassigned
  Hardy              Fix Released  Low         Unassigned
  Intrepid           Fix Released  Low         Unassigned
  Jaunty             Fix Released  Low         Unassigned
  Karmic             Fix Released  Low         Unassigned

Bug Description

Binary package hint: eggdrop

Incomplete patch from bug #180974

Affected software
-----------------

eggdrop (1.6.19 only, not 1.6.19+ctcpfix)
windrop (1.6.19 only, not 1.6.19+ctcpfix)
all eggdrop/windrop versions and packages which apply Nico Golde's
patch for CVE-2007-2807/SA25276. See: [1]

http://seclists.org/fulldisclosure/2009/May/0128.html
http://www.irc-junkie.org/2009-05-15/vulnerability-in-eggdrop-windrop-1619/

Debian has already issued the new patch:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528778

[1] http://bugzilla.eggheads.org/show_bug.cgi?id=462
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=427157
    http://www.securityfocus.com/bid/24070
    http://secunia.com/advisories/25276
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2807

Revision history for this message
Savvas Radevic (medigeek) wrote :

The new release is announced here: http://www.eggheads.org/news/2009/05/14/35

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community supported. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures.

visibility: private → public
Changed in eggdrop (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Revision history for this message
Savvas Radevic (medigeek) wrote : Re: [Bug 377054] Re: eggdrop/windrop remote crash vulnerability

I can try, but I'm not at home unfortunately, perhaps tomorrow - if
anyone wants to do this, be my guest! :)

Changed in eggdrop (Debian):
status: Unknown → Fix Released
Changed in eggdrop (Ubuntu):
status: Confirmed → In Progress
Revision history for this message
Savvas Radevic (medigeek) wrote :

I hope these are ok. :)

I can't test them at the moment (maybe in about 4 days when I go back home).
The packages build fine:
https://launchpad.net/~medigeek/+archive/experimental/+sourcepub/631791/+listing-archive-extra
https://launchpad.net/~medigeek/+archive/experimental/+sourcepub/631790/+listing-archive-extra
(Note: in the patch I used -security, in the PPA I uploaded without it)

Changed in eggdrop (Ubuntu):
status: In Progress → Confirmed
Revision history for this message
Kees Cook (kees) wrote :

Does not seem to affect Dapper.

Changed in eggdrop (Ubuntu):
status: Confirmed → In Progress
Changed in eggdrop (Ubuntu Jaunty):
importance: Undecided → Low
status: New → In Progress
Changed in eggdrop (Ubuntu Dapper):
status: New → Invalid
Changed in eggdrop (Ubuntu Intrepid):
importance: Undecided → Low
status: New → In Progress
Changed in eggdrop (Ubuntu Hardy):
importance: Undecided → Low
status: New → In Progress
Revision history for this message
Kees Cook (kees) wrote :

Hi! Thanks very much for the debdiffs. There are a few suggestions I'd like to make:
 - the versioning is almost perfect, but needs to be higher than the existing versions. Instead of 1.6.19-1.1ubuntu0.9.04.1, you'd want 1.6.19-1.1ubuntu1.9.04.1 since 1.6.19-1.1ubuntu1 is already in the archive and higher than 1.6.19-1.1ubuntu0.9.04.1. The distro-numbering is right on, though. :)
 - we tend to prefer that patches carry Description, Ubuntu, Upstream, and sometimes Patch tags, as detailed here: https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines

I'm updating the packaging and patches and will upload this shortly. Thanks again!
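To check the ordering rule Kees describes, here is an added C re-implementation of the version comparison that dpkg --compare-versions performs. It is not dpkg's or eggdrop's own code; deb_version_cmp, split_version and the other names are hypothetical, and the version strings fed to it are the ones from this bug. It confirms that 1.6.19-1.1ubuntu0.9.04.1 sorts below 1.6.19-1.1ubuntu1 while 1.6.19-1.1ubuntu1.9.04.1 sorts above it.

```c
/* Added illustration, not dpkg's or eggdrop's code: a re-implementation of
 * the Debian version ordering used by dpkg --compare-versions, to check the
 * ordering claims made in the comment above. Function names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Weight of a character inside a non-digit run: '~' sorts before anything,
 * including end of string; letters sort before other characters. */
static int order(int c)
{
    if (isdigit(c)) return 0;
    if (isalpha(c)) return c;
    if (c == '~') return -1;
    if (c) return c + 256;
    return 0;                           /* end of string */
}

/* Compares one fragment (upstream version or revision): alternating
 * non-digit runs compared by order(), numeric runs compared as numbers. */
static int verrevcmp(const char *a, const char *b)
{
    while (*a || *b) {
        int first_diff = 0;
        while ((*a && !isdigit((unsigned char)*a)) ||
               (*b && !isdigit((unsigned char)*b))) {
            int ac = order((unsigned char)*a), bc = order((unsigned char)*b);
            if (ac != bc) return ac - bc;
            a++; b++;
        }
        while (*a == '0') a++;
        while (*b == '0') b++;
        while (isdigit((unsigned char)*a) && isdigit((unsigned char)*b)) {
            if (!first_diff) first_diff = *a - *b;
            a++; b++;
        }
        if (isdigit((unsigned char)*a)) return 1;
        if (isdigit((unsigned char)*b)) return -1;
        if (first_diff) return first_diff;
    }
    return 0;
}

/* Splits "[epoch:]upstream[-revision]". A missing epoch is 0 and a missing
 * revision compares equal to "0". */
static void split_version(const char *v, long *epoch,
                          char *up, size_t uplen, char *rev, size_t revlen)
{
    const char *colon = strchr(v, ':');
    const char *hyphen;
    size_t n;

    *epoch = colon ? strtol(v, NULL, 10) : 0;
    if (colon) v = colon + 1;
    hyphen = strrchr(v, '-');
    n = hyphen ? (size_t)(hyphen - v) : strlen(v);
    if (n >= uplen) n = uplen - 1;
    memcpy(up, v, n);
    up[n] = '\0';
    snprintf(rev, revlen, "%s", hyphen ? hyphen + 1 : "");
}

/* Returns <0, 0 or >0 as strcmp does: epoch first, then upstream version,
 * then Debian revision. */
int deb_version_cmp(const char *va, const char *vb)
{
    long ea, eb;
    char ua[256], ra[256], ub[256], rb[256];
    int rc;

    split_version(va, &ea, ua, sizeof ua, ra, sizeof ra);
    split_version(vb, &eb, ub, sizeof ub, rb, sizeof rb);
    if (ea != eb) return ea > eb ? 1 : -1;
    rc = verrevcmp(ua, ub);
    return rc ? rc : verrevcmp(ra, rb);
}

int main(void)
{
    /* The pair from the comment above: a security update must sort above
     * the version already in the archive, otherwise apt will not install it. */
    printf("1.6.19-1.1ubuntu0.9.04.1 vs 1.6.19-1.1ubuntu1: %d\n",
           deb_version_cmp("1.6.19-1.1ubuntu0.9.04.1", "1.6.19-1.1ubuntu1"));
    printf("1.6.19-1.1ubuntu1.9.04.1 vs 1.6.19-1.1ubuntu1: %d\n",
           deb_version_cmp("1.6.19-1.1ubuntu1.9.04.1", "1.6.19-1.1ubuntu1"));
    return 0;
}
```

The first comparison is negative and the second positive, which is exactly why the ubuntu0 numbering would have been rejected by apt as a downgrade. The same routine shows that 1.6.19-1.1ubuntu1.8.10.1 (Intrepid) sorts below 1.6.19-1.1ubuntu1.9.04.1 (Jaunty), so release upgrades still move forward.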

Revision history for this message
Savvas Radevic (medigeek) wrote :

You believe it affects Hardy, 1.6.18?
By the way, about Karmic, I have opened a request for merge: bug #377247
Should I close it?

Revision history for this message
Kees Cook (kees) wrote :

Yes, hardy's changelog appears to have the same partial patch mentioned, so I assume it is vulnerable as well. I've just uploaded the merge for Karmic, so I've closed the other bug too.

Changed in eggdrop (Ubuntu Karmic):
status: In Progress → Fix Released
Changed in eggdrop (Ubuntu Jaunty):
status: In Progress → Fix Committed
Changed in eggdrop (Ubuntu Intrepid):
status: In Progress → Fix Committed
Changed in eggdrop (Ubuntu Hardy):
status: In Progress → Confirmed
Revision history for this message
Savvas Radevic (medigeek) wrote :

> - the versioning is almost perfect, but needs to be higher than the existing versions. Instead of 1.6.19-1.1ubuntu0.9.04.1, you'd want 1.6.19-1.1ubuntu1.9.04.1 since 1.6.19-1.1ubuntu1 is already in the archive and higher than 1.6.19-1.1ubuntu0.9.04.1. The distro-numbering is right on, though. :)

I knew I forgot something heh :P
Thanks for the tagging tip, I didn't know that and, of course, thanks
for taking care of it!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eggdrop - 1.6.19-1.1ubuntu1.8.10.1

---------------
eggdrop (1.6.19-1.1ubuntu1.8.10.1) intrepid-security; urgency=low

  * SECURITY UPDATE: Incomplete patch for CVE-2007-2807, buffer can still
    overflow in case of strlen(ctcpbuf) returning zero (LP: #377054)
    - debian/patches/02_incompCVE-2007-2807.patch: Use memmove instead of
      strncpy to avoid buffer overflow. Patch from Debian.
    - CVE-2007-2807

 -- Savvas Radevic <email address hidden> Fri, 15 May 2009 20:58:58 +0100

Changed in eggdrop (Ubuntu Intrepid):
status: Fix Committed → Fix Released
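The overflow named in this changelog (and repeated in the Jaunty and Hardy entries below) comes down to deriving a copy length from strlen() of the extracted CTCP text, which is zero for an empty CTCP and wraps when 1 is subtracted from it. The following C program is an added illustration of that pattern and of a memmove-based replacement of the kind the changelog describes; it is not eggdrop's source. The function names (buggy_copy_len, strip_ctcp_fixed, demo_case), the 512-byte buffer and the sample messages are assumptions constructed for the example; only the 0x01 CTCP delimiter is taken from the protocol.

```c
/* Added illustration, not eggdrop's code: the copy-length bug described in
 * the changelog above (strlen(ctcpbuf) returning 0) and a memmove-based
 * extraction of the kind the fix describes, run on constructed IRC
 * messages. Function and variable names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTCP_MARK '\001'      /* CTCP payloads are delimited by 0x01 bytes */
#define CTCPBUF_LEN 512       /* assumed buffer size for the example */

/* The length an incomplete fix hands to strncpy when it derives the copy
 * size from the extracted CTCP text: strlen() is size_t, so for an empty
 * payload ("\001\001") 0 - 1 wraps to SIZE_MAX and the copy runs off the
 * end of the buffer. This is the remote-crash case. */
size_t buggy_copy_len(const char *ctcpbuf)
{
    return strlen(ctcpbuf) - 1;   /* unsigned underflow when strlen == 0 */
}

/* Copies the first \001...\001 span of msg into ctcpbuf (bounded) and
 * closes the gap in msg with memmove. The move length comes from the tail
 * that remains after the CTCP, never from ctcpbuf, and the +1 carries the
 * NUL terminator, so an empty payload is handled safely.
 * Returns 1 if a complete CTCP was found and removed, 0 otherwise. */
int strip_ctcp_fixed(char *msg, char *ctcpbuf, size_t ctcpbuf_len)
{
    char *p1, *p;
    size_t ctcp_len, tail_len;

    ctcpbuf[0] = '\0';
    p1 = strchr(msg, CTCP_MARK);
    if (!p1)
        return 0;
    p1++;                                 /* first byte of the payload */
    p = strchr(p1, CTCP_MARK);
    if (!p)
        return 0;                         /* unterminated: leave msg intact */

    ctcp_len = (size_t)(p - p1);
    if (ctcp_len >= ctcpbuf_len)
        ctcp_len = ctcpbuf_len - 1;       /* truncate rather than overflow */
    memcpy(ctcpbuf, p1, ctcp_len);
    ctcpbuf[ctcp_len] = '\0';

    /* Source and destination overlap inside msg: memmove is defined for
     * that, strncpy/strcpy are not. */
    tail_len = strlen(p + 1);
    memmove(p1 - 1, p + 1, tail_len + 1);
    return 1;
}

/* Runs strip_ctcp_fixed on a copy of input and checks the extracted CTCP
 * and the remaining message against expected values. Returns 1 on match. */
int demo_case(const char *input, const char *want_ctcp, const char *want_msg)
{
    char msg[CTCPBUF_LEN], ctcpbuf[CTCPBUF_LEN];

    snprintf(msg, sizeof msg, "%s", input);
    strip_ctcp_fixed(msg, ctcpbuf, sizeof ctcpbuf);
    return strcmp(ctcpbuf, want_ctcp) == 0 && strcmp(msg, want_msg) == 0;
}

int main(void)
{
    /* Constructed sample messages, including the empty-CTCP crash case. */
    printf("empty CTCP copy length under the buggy scheme: %zu\n",
           buggy_copy_len(""));
    printf("VERSION case ok: %d\n",
           demo_case("hi \001VERSION\001 there", "VERSION", "hi  there"));
    printf("empty CTCP ok:   %d\n", demo_case("\001\001", "", ""));
    printf("unterminated ok: %d\n",
           demo_case("\001VERSION", "", "\001VERSION"));
    return 0;
}
```

buggy_copy_len is kept as a pure calculation rather than wired into a copy, so the program can show the wrapped length without actually corrupting memory; the fixed routine never consults ctcpbuf for a length, which is the property that removes the crash.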
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eggdrop - 1.6.19-1.1ubuntu1.9.04.1

---------------
eggdrop (1.6.19-1.1ubuntu1.9.04.1) jaunty-security; urgency=low

  * SECURITY UPDATE: Incomplete patch for CVE-2007-2807, buffer can still
    overflow in case of strlen(ctcpbuf) returning zero (LP: #377054)
    - debian/patches/02_incompCVE-2007-2807.patch: Use memmove instead of
      strncpy to avoid buffer overflow. Patch from Debian.
    - CVE-2007-2807

 -- Savvas Radevic <email address hidden> Fri, 15 May 2009 20:58:58 +0100

Changed in eggdrop (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Revision history for this message
Brian Thomason (brian-thomason) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

ACK, though it took me a minute to figure out that the patch removed 01_CVE-2007-2807_servmsg.patch to replace it with CVE-2007-2807.patch. Brian, in the future please either update the existing patch or give instructions in the bug that '-E' should be used when applying the debdiff. These changes should also be mentioned in the changelog -- ie, that you removed one patch file and are using another or that you updated an existing patch. Also, please be clear on the origin of the patch -- I see that it came from Debian Etch, but the changelog does not mention that and the patch itself does not follow DEP-3 (which is preferred).

Changed in eggdrop (Ubuntu Hardy):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eggdrop - 1.6.18-1.1ubuntu1.1

---------------
eggdrop (1.6.18-1.1ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: Fix buffer overflows (LP: #377054)
  - debian/patches/CVE-2007-2807.patch: Former patch was not fully applied.
    This patch now fully applies the previous fix for a stack based
    buffer-overflow and also fixes a potential buffer-overflow in case
    strlen(ctcpbuf) returns 0.
  - CVE-2007-2807
  - CVE-2009-1789
 -- Brian Thomason <email address hidden> Wed, 30 Jun 2010 14:29:24 -0400

Changed in eggdrop (Ubuntu Hardy):
status: Fix Committed → Fix Released