IRC-Junkie.org – IRC News

A vulnerability in the Eggdrop and Windrop bot has been found which prompts a new release.

The vulnerabilitiy is present in both latest versions of the bot software 1.6.19 which has been released back in April 2008.

A posting on the Full Disclosure mailinglist goes into more detail, describing how one can at least crash vulnerable bots:

One possible exploit anyone can send to the IRC server to crash eggdrop:

PRIVMSG eggdrop :\1\1

The only resolution at this time is upgrading old bots with the provided fix.

It took almost 2 years for a new release, and even then it consists mostly of bugfixes of which one fixes a serious issue.

Version 1.6.19 of the popular IRC bot Eggdrop fixes a buffer overflow issue in the server module. It is exploitable by a malicious server. As long as the bot connects to a reputable server it should be OK.

IRC-Junkie tried to contact Guppy with a few questions but has received no reply so far, partly explaining the delay in reporting this new release.

A list of all updates according to the updates.txt file:

After valentines day, mothers’ day, secretary day (got to get me one) and you-know-what-else day, we also have bot day!

Not sure what organization or person is behind the invention of this one, but heck, bots deserve all the recognition they can get! Performing un-thankful jobs of maintaining statistics, opping/voicing users, setting topics and a whole range of other tasks we make them able to with expanding them with scripts 24 hours a day, 7 days a week. Except of course, for those moments where the shell is down or the wrong process is killed …

Development has been going slowly lately around the popular Eggdrop bot. We got into contact with lead developer Wcc and asked what causes the delay.

“There are different reasons for the slowdown for each of the branches” Wcc starts. “As for 1.6, there haven’t been any real.. problems. 1.6.17 has been a rock-solid release. As for 1.7, this is mainly due to the fact that I, personally, haven’t had any free time to do any of the major things that need to be done on it.  1.9 is once again fairly active. Alot of progress is being made.”