Nico Golde
2009-May-15 12:18 UTC
[Secure-testing-team] Bug#528778: eggdrop: incomplete patch for CVE-2007-2807
Package: eggdrop
Severity: grave
Tags: security
Justification: user security hole

Hi,
turns out my patch has a bug in it which opens this up for a buffer overflow again in case strlen(ctcpbuf) returns 0:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/68341

Too bad no one noticed that before.
I am going to upload a 0-day NMU now to fix this.

debdiff available on:
http://people.debian.org/~nion/nmu-diff/eggdrop-1.6.19-1.1_1.6.19-1.2.patch

(includes the wrong bug number to close as I tried to reopen it first but it failed because it was already archived).

Cheers
Nico
Nico Golde
2009-May-15 18:52 UTC
[Secure-testing-team] Bug#528778: eggdrop: incomplete patch for CVE-2007-2807
Hi,
* Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-05-15 19:45]:
> On Fri, 15 May 2009 14:18:26 +0200, Nico Golde wrote:
[...]
> > turns out my patch has a bug in it which opens this up for a
> > buffer overflow again in case strlen(ctcpbuf) returns 0:
> > http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/68341
> >
> > Too bad no one noticed that before.
> > I am going to upload a 0-day NMU now to fix this.
> >
> > debdiff available on:
> > http://people.debian.org/~nion/nmu-diff/eggdrop-1.6.19-1.1_1.6.19-1.2.patch
> >
> > (includes the wrong bug number to close as I tried to reopen it first but it failed because it was already archived).
>
> does this mean that DSA-1448 needs to be reissued?

Yes

> and is that in the works?

No

> should the etch fixed version get removed from the DSA
> list to reindicate that etch is vulnerable?

No, there will be a -2 DSA if any that reflects the previous fix being incomplete.

Cheers
Nico

P.S. this belongs on the testing-security team mailing list and not to the BTS.

--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.