Your message dated Fri, 15 May 2009 14:26:08 +0200
with message-id <20090515122608.ga30...@ngolde.de>
and subject line closing
has caused the Debian Bug report #528778,
regarding eggdrop: incomplete patch for CVE-2007-2807
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
528778: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528778
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: eggdrop
Severity: grave
Tags: security
Justification: user security hole
Hi,
turns out my patch has a bug in it which opens this up for a
buffer overflow again in case strlen(ctcpbuf) returns 0:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/68341
Too bad noone noticed that before.
I am going to upload a 0-day NMU now to fix this.
debdiff available on:
http://people.debian.org/~nion/nmu-diff/eggdrop-1.6.19-1.1_1.6.19-1.2.patch
(includes the wrong bug number to close as I tried to reopen it fist but it
failed because it was already archived).
Cheers
Nico
--- End Message ---
--- Begin Message ---
Version: 1.6.19-1.2
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpA95gyX6uWS.pgp
Description: PGP signature
--- End Message ---
