From rea-fbsd@codelabs.ru  Wed May 20 11:33:17 2009
Return-Path: <rea-fbsd@codelabs.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 1C2291065679
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 20 May 2009 11:33:17 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45])
	by mx1.freebsd.org (Postfix) with ESMTP id AFA428FC1A
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 20 May 2009 11:33:16 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25])
	by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256)
	id 1M6k2s-000K1I-PN for FreeBSD-gnats-submit@freebsd.org; Wed, 20 May 2009 15:33:14 +0400
Message-Id: <20090520113314.AB94BDA81E@void.codelabs.ru>
Date: Wed, 20 May 2009 15:33:14 +0400 (MSD)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Reply-To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch][vuxml] irc/eggdrop: apply 1.6.19/ctcpfix and eliminate remote crash
X-Send-Pr-Version: 3.113
X-GNATS-Notify: beech@freebsd.org, miwi@freebsd.org

>Number:         134748
>Category:       ports
>Synopsis:       [patch][vuxml] irc/eggdrop: apply 1.6.19/ctcpfix and eliminate remote crash
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    beech
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 20 11:40:01 UTC 2009
>Closed-Date:    Sat May 30 20:57:56 UTC 2009
>Last-Modified:  Sat May 30 21:00:07 UTC 2009
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.2-STABLE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.2-STABLE amd64

>Description:

There is remote crash in eggdrop >= 1.6.19 < 1.6.19+ctcpfix: [1], [2].

>How-To-Repeat:

[1] http://www.eggheads.org/news/2009/05/14/35
[2] http://www.securityfocus.com/archive/1/503574/30/30/threaded

>Fix:

The following patch adds upstream fix to the FreeBSD port.  Patched port
compiles fine, but I can't test its actual operations because of lack of
the IRC stuff at hand, sorry.
--- 1.6.19-apply-ctcpfix.diff begins here ---
From 5457a18e9144e3194d3f6a21cff837cf7e76aa54 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Wed, 20 May 2009 15:18:20 +0400

...and thus fix remote crash possibility.

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 irc/eggdrop/Makefile |   10 ++++++----
 irc/eggdrop/distinfo |    3 +++
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/irc/eggdrop/Makefile b/irc/eggdrop/Makefile
index 7c20798..9da4602 100644
--- a/irc/eggdrop/Makefile
+++ b/irc/eggdrop/Makefile
@@ -7,15 +7,17 @@
 
 PORTNAME=	eggdrop
 PORTVERSION=	1.6.19
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	irc
 MASTER_SITES=	ftp://ftp.eggheads.org/pub/eggdrop/source/1.6/ \
 		LOCAL/beech
 DISTNAME=	${PORTNAME}${PORTVERSION}
 
-PATCHFILES=	${PORTNAME}-${PORTVERSION}-ssl-rootie.patch.gz
-PATCH_SITES=	http://www.egghelp.org/files/patches/ \
-		LOCAL/beech
+PATCHFILES=	${PORTNAME}-${PORTVERSION}-ssl-rootie.patch.gz:ssl \
+		eggdrop1.6.19+ctcpfix.patch.gz:ctcpfix
+PATCH_SITES=	http://www.egghelp.org/files/patches/:ssl \
+		LOCAL/beech:ssl \
+		ftp://ftp.eggheads.org/pub/eggdrop/patches/official/1.6/:ctcpfix
 
 MAINTAINER=	beech@FreeBSD.org
 COMMENT=	The most popular open source Internet Relay Chat bot
diff --git a/irc/eggdrop/distinfo b/irc/eggdrop/distinfo
index e3e062b..1b379ee 100644
--- a/irc/eggdrop/distinfo
+++ b/irc/eggdrop/distinfo
@@ -4,3 +4,6 @@ SIZE (eggdrop1.6.19.tar.bz2) = 811072
 MD5 (eggdrop-1.6.19-ssl-rootie.patch.gz) = 6d477d54e16afff3215b9b53e34a0521
 SHA256 (eggdrop-1.6.19-ssl-rootie.patch.gz) = 94b06c392da5f13c04cc1d3e87b52e3c2ed9af8ba58cf360f121bb0a06f49ce3
 SIZE (eggdrop-1.6.19-ssl-rootie.patch.gz) = 9285
+MD5 (eggdrop1.6.19+ctcpfix.patch.gz) = 86d159a5e3460ec8fb30cb1a27a32acc
+SHA256 (eggdrop1.6.19+ctcpfix.patch.gz) = 2f01f00692c29fb9568721d80cf38289031a09bc15d2fac483ad16aec4b788a7
+SIZE (eggdrop1.6.19+ctcpfix.patch.gz) = 666
-- 
1.6.3.1
--- 1.6.19-apply-ctcpfix.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="22876fd9-4530-11de-9b62-0022156e8794">
    <topic>eggdrop -- remote crash</topic>
    <affects>
      <package>
        <name></name>
        <range><ge>1.6.19</ge><lt>1.6.19_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>SecurityFocus reports:</p>
        <blockquote
          cite="http://www.securityfocus.com/bid/34985/discuss">
          <p>Eggdrop is prone to a remote denial-of-service
          vulnerability because it fails to adequately validate
          user-supplied input.</p>
          <p>An attacker may exploit this issue to crash the
          application, resulting in a denial-of-service condition.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <bid>34985</bid>
      <url>http://www.securityfocus.com/archive/1/503574/30/30/threaded</url>
      <url>http://www.eggheads.org/news/2009/05/14/35</url>
    </references>
    <dates>
      <discovery>2009-05-20</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->beech 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Wed May 20 11:40:16 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=134748 
State-Changed-From-To: open->closed 
State-Changed-By: miwi 
State-Changed-When: Sat May 30 20:57:55 UTC 2009 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=134748 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/134748: commit references a PR
Date: Sat, 30 May 2009 20:57:51 +0000 (UTC)

 miwi        2009-05-30 20:57:42 UTC
 
   FreeBSD ports repository
 
   Modified files:
     irc/eggdrop          Makefile distinfo 
   Log:
   - Fix CVE-2009-1789
   
   PR:             134748
   Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
   Approved by:    maintainer implicit
   Security:       http://www.freebsd.org/ports/portaudit/399f4cd7-4d59-11de-8811-0030843d3802.html
   
   Revision  Changes    Path
   1.20      +5 -4      ports/irc/eggdrop/Makefile
   1.9       +3 -0      ports/irc/eggdrop/distinfo
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
>Unformatted:
