Manually applying the Eggdrop security patch may 2009

From TykWiki
Jump to navigationJump to search


In may 2009 a rather serious vulnerability was found in the eggdrop irc bot program. I run a couple of eggdrops on FreeBSD installed from the ports tree, and at the time of writing, the day after the public disclosure of the vulnerability, the port in /usr/ports/irc/eggdrop has not yet been updated. Due to the sometimes malicious nature of IRC I was interested in getting this fixed as soon as possible, so I headed over to the eggdrop download page and downloaded the patch for 1.6.19.

It is relatively simple to patch a port on FreeBSD if you know how, so here goes. This all assumes that you have the relevant version of eggdrop installed from ports (if you don't, update your ports tree, update the port to the latest version, and proceed from there):

[tykling@doobie ~]$ pkg_info | grep eggdrop
eggdrop-1.6.19_1    The most popular open source Internet Relay Chat bot

Download the patch

[tykling@doobie ~]$ fetch -o eggdrop1.6.19+ctcpfix.patch.gz
eggdrop1.6.19+ctcpfix.patch.gz                100% of  666  B 1663 kBps
[tykling@doobie ~]$ gunzip eggdrop1.6.19+ctcpfix.patch.gz
[tykling@doobie ~]$ ls -l eggdrop1.6.19+ctcpfix.patch
-rw-r--r--  1 tykling  tykling  1273 May 15 04:30 eggdrop1.6.19+ctcpfix.patch

Extract the port sources

Make sure you have a clean copy of the sources:

[tykling@doobie /usr/ports/irc/eggdrop]$ sudo make distclean
===>  Cleaning for eggdrop-1.6.19_1
===>  Deleting distfiles for eggdrop-1.6.19_1
[tykling@doobie /usr/ports/irc/eggdrop]$

Fetch and extract the sources:

[tykling@doobie /usr/ports/irc/eggdrop]$ sudo make fetch
===>  Found saved configuration for eggdrop-1.6.19
=> eggdrop1.6.19.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from
eggdrop1.6.19.tar.bz2                         100% of  792 kB  243 kBps
=> eggdrop-1.6.19-ssl-rootie.patch.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from
eggdrop-1.6.19-ssl-rootie.patch.gz            100% of 9285  B   25 kBps
[tykling@doobie /usr/ports/irc/eggdrop]$ sudo make extract
===>  Found saved configuration for eggdrop-1.6.19
===>  Extracting for eggdrop-1.6.19_1
=> MD5 Checksum OK for eggdrop1.6.19.tar.bz2.
=> SHA256 Checksum OK for eggdrop1.6.19.tar.bz2.
=> MD5 Checksum OK for eggdrop-1.6.19-ssl-rootie.patch.gz.
=> SHA256 Checksum OK for eggdrop-1.6.19-ssl-rootie.patch.gz.

Apply the patch

To apply the patch, go to the work/eggdrop1.6.19/ dir and run the following. But before you do, you may need to edit the patch. If it fails to build later, see the next step.

[tykling@doobie /usr/ports/irc/eggdrop/work/eggdrop1.6.19]$ sudo patch -p1 < ~/eggdrop1.6.19+ctcpfix.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
|--- ../eggdrop1.6.19.orig/doc/UPDATES1.6       2008-04-18 23:23:06.000000000 -0500
|+++ ./doc/UPDATES1.6   2009-05-14 21:27:58.248868873 -0500
Patching file doc/UPDATES1.6 using Plan A...
Hunk #1 succeeded at 10.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
|--- ../eggdrop1.6.19.orig/src/mod/server.mod/servmsg.c 2008-02-16 15:41:10.000000000 -0600
|+++ ./src/mod/server.mod/servmsg.c     2009-05-14 21:27:58.248868873 -0500
Patching file src/mod/server.mod/servmsg.c using Plan A...
Hunk #1 succeeded at 488.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
|--- ../eggdrop1.6.19.orig/src/patch.h  2008-04-18 23:21:20.000000000 -0500
|+++ ./src/patch.h      2009-05-14 21:27:58.248868873 -0500
Patching file src/patch.h using Plan A...
Hunk #1 succeeded at 36.

Ready to compile

After applying the patch you are ready to compile the patched eggdrop, however something is not right because when running make the following happens (for me, at least):

[tykling@doobie /usr/ports/irc/eggdrop]$ sudo make
===>  Patching for eggdrop-1.6.19_1
===>  Applying distribution patches for eggdrop-1.6.19_1
1 out of 1 hunks failed--saving rejects to src/patch.h.rej
*** Error code 1

Stop in /usr/ports/irc/eggdrop.
*** Error code 1

Stop in /usr/ports/irc/eggdrop.
[tykling@doobie /usr/ports/irc/eggdrop]$

A patch to the patch

I'm not quite sure how, but I came up with this slightly altered patch, a patch to the patch if you will, that made it both apply correctly, and compile correctly. Start over and edit eggdrop1.6.19+ctcpfix.patch and in line 32 change:

@@ -36,7 +36,7 @@


@@ -39,7 +39,7 @@

Apply the patch (to a fresh set of sources, ie:

  • run make clean && make extract
  • apply the edited patch
  • run make again

And it should compile correctly. Run make install to install and when starting the eggdrop you should see eggdrop v1.6.19+ctcpfix instead of just eggdrop v1.6.19 in the output of .status in the console.

--Tykling 17:39, 15 May 2009 (UTC)