- new, based on http://nion.modprobe.de/01_CVE-2007-2807_servmsg.patch

Changed files:
    eggdrop-CVE-2007-2807.patch -> 1.1

diff --git a/eggdrop-CVE-2007-2807.patch b/eggdrop-CVE-2007-2807.patch
new file mode 100644 (file)
index 0000000..b48fd77
--- /dev/null
+++ b/eggdrop-CVE-2007-2807.patch
@@ -0,0 +1,36 @@
+--- eggdrop/src~/mod/server.mod/servmsg.c      2007-08-12 16:39:34.000000000 +0200
++++ eggdrop/src/mod/server.mod/servmsg.c       2007-08-12 16:39:52.000000000 +0200
+@@ -461,7 +461,8 @@
+   to = newsplit(&msg);
+   fixcolon(msg);
+   /* Only check if flood-ctcp is active */
+-  strcpy(uhost, from);
++  strncpy(uhost, from, sizeof(buf));
++  buf[sizeof(buf) - 1] = '\0';
+   nick = splitnick(&uhost);
+   if (flud_ctcp_thr && detect_avalanche(msg)) {
+     if (!ignoring) {
+@@ -471,7 +472,7 @@
+         p++;
+       else
+         p = uhost;
+-      simple_sprintf(ctcpbuf, "*!*@%s", p);
++      snprintf(ctcpbuf, sizeof(ctcpbuf), "*!*@%s", p);
+       addignore(ctcpbuf, botnetnick, "ctcp avalanche",
+                 now + (60 * ignore_time));
+     }
+@@ -486,8 +487,12 @@
+       p++;
+     if (*p == 1) {
+       *p = 0;
+-      ctcp = strcpy(ctcpbuf, p1);
+-      strcpy(p1 - 1, p + 1);
++      ctcp = strncpy(ctcpbuf, p1, sizeof(ctcpbuf));
++      ctcpbuf[sizeof(ctcpbuf) - 1] = '\0';
++      /* copy the part after the second : in front of it after
++       * the first :, this is temporary copied to ctcpbuf */
++      strncpy(p1 - 1, p + 1, strlen(ctcpbuf) - 1);
++
+       if (!ignoring)
+         detect_flood(nick, uhost, from,
+                      strncmp(ctcp, "ACTION ", 7) ? FLOOD_CTCP : FLOOD_PRIVMSG);