Re: Wheezy update of irssi?
Hey Rhonda,
I've gone ahead and uploaded 0.8.15-5+deb7u5 and announced DLA 1289-1.
> It still would be nice to get some git patchsets for your uploads so I
> can apply them to the repository
Of course! Attached, including the "missing" changes for 0.8.15-5+deb7u2,
0.8.15-5+deb7u3 & 0.8.15-5+deb7u4. They should apply cleanly to the 'wheezy'
branch of git://git.deb.at/pkg/irssi.git.
Best wishes,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
From cd3e047c59d3fe8c679efc4f648f0b85d09d7744 Mon Sep 17 00:00:00 2001
From: Chris Lamb <lamby@debian.org>
Date: Thu, 22 Feb 2018 20:45:43 +0000
Subject: [PATCH 6/6] CVE-2018-7052: When the number of windows exceeds the
available space, a crash could occur due to a NULL pointer dereference.
(Closes: #890676)
---
debian/changelog | 2 ++
debian/patches/CVE-2018-7052.patch | 13 +++++++++++++
debian/patches/series | 1 +
3 files changed, 16 insertions(+)
create mode 100644 debian/patches/CVE-2018-7052.patch
diff --git a/debian/changelog b/debian/changelog
index 77baea4..12cc7a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ irssi (0.8.15-5+deb7u5) wheezy-security; urgency=high
(Closes: #890678)
* CVE-2018-7051: Prevent an issue where certain nick names could result in
out-of-bounds access when printing theme strings. (Closes: #890677)
+ * CVE-2018-7052: When the number of windows exceeds the available space, a
+ crash could occur due to a NULL pointer dereference. (Closes: #890676)
-- Chris Lamb <lamby@debian.org> Thu, 22 Feb 2018 20:34:59 +0000
diff --git a/debian/patches/CVE-2018-7052.patch b/debian/patches/CVE-2018-7052.patch
new file mode 100644
index 0000000..d7b8a79
--- /dev/null
+++ b/debian/patches/CVE-2018-7052.patch
@@ -0,0 +1,13 @@
+--- irssi.orig/src/fe-text/mainwindows.c
++++ irssi/src/fe-text/mainwindows.c
+@@ -807,6 +807,10 @@ static void cmd_window_show(const char *
+ }
+
+ parent = mainwindow_create();
++ if (parent == NULL) {
++ printformat_window(active_win, MSGLEVEL_CLIENTERROR, TXT_WINDOW_TOO_SMALL);
++ return;
++ }
+ parent->active = window;
+ gui_window_reparent(window, parent);
+
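Review bot: this patch file carries no DEP-3 header; it starts straight at `--- irssi.orig/src/fe-text/mainwindows.c`, unlike 27IRSSI-SA-2017-07.patch in the same series, which has Origin, Bug-Debian and Bug-Debian-Security fields. Add at least `Bug-Debian: https://bugs.debian.org/890676` (from the Closes in the subject), `Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7052` and an Origin line pointing at the upstream commit, so the backport can be traced. The guard itself is right: a NULL from mainwindow_create() is reported with TXT_WINDOW_TOO_SMALL and the function returns before `parent->active = window` would dereference it.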
diff --git a/debian/patches/series b/debian/patches/series
index dfb6479..57279e7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,4 @@
28IRSSI-SA-2017-10.patch
CVE-2018-7050.patch
CVE-2018-7051.patch
+CVE-2018-7052.patch
--
2.16.1
From 62b7a4d1783ab99a6e32ae3f955fd60d22dcb4e7 Mon Sep 17 00:00:00 2001
From: Chris Lamb <lamby@debian.org>
Date: Thu, 22 Feb 2018 20:42:17 +0000
Subject: [PATCH 5/6] CVE-2018-7051: Prevent an issue where certain nick names
could result in out-of-bounds access when printing theme strings. (Closes:
#890677)
---
debian/changelog | 2 ++
debian/patches/CVE-2018-7051.patch | 0
debian/patches/series | 1 +
3 files changed, 3 insertions(+)
create mode 100644 debian/patches/CVE-2018-7051.patch
diff --git a/debian/changelog b/debian/changelog
index a258df4..77baea4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ irssi (0.8.15-5+deb7u5) wheezy-security; urgency=high
* CVE-2018-7050: Prevent a null pointer dereference for an "empty" nick.
(Closes: #890678)
+ * CVE-2018-7051: Prevent an issue where certain nick names could result in
+ out-of-bounds access when printing theme strings. (Closes: #890677)
-- Chris Lamb <lamby@debian.org> Thu, 22 Feb 2018 20:34:59 +0000
diff --git a/debian/patches/CVE-2018-7051.patch b/debian/patches/CVE-2018-7051.patch
new file mode 100644
index 0000000..e69de29
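Review bot: debian/patches/CVE-2018-7051.patch is created empty: the diffstat shows `| 0`, the blob id e69de29 is git's hash of an empty file, and the commit's 3 insertions are all in changelog and series. As committed, nothing reaches the source, so the changelog entry and the series line claim a fix for CVE-2018-7051 that is not applied. The upstream hunk for the theme-string out-of-bounds access has to go into this file before the entry is honest, and given that deb7u5 has already been uploaded with it, a follow-up upload is needed rather than a rebased commit.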
diff --git a/debian/patches/series b/debian/patches/series
index a2c5330..dfb6479 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@
24security-fixes
28IRSSI-SA-2017-10.patch
CVE-2018-7050.patch
+CVE-2018-7051.patch
--
2.16.1
From 669ff89c84f7725c2f3f35cd429a3d56f09f13e7 Mon Sep 17 00:00:00 2001
From: Chris Lamb <lamby@debian.org>
Date: Thu, 22 Feb 2018 20:37:50 +0000
Subject: [PATCH 4/6] CVE-2018-7050: Prevent a null pointer dereference for an
"empty" nick. (Closes: #890678)
---
debian/changelog | 7 +++++++
debian/patches/CVE-2018-7050.patch | 18 ++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 26 insertions(+)
create mode 100644 debian/patches/CVE-2018-7050.patch
diff --git a/debian/changelog b/debian/changelog
index b9b49a2..a258df4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+irssi (0.8.15-5+deb7u5) wheezy-security; urgency=high
+
+ * CVE-2018-7050: Prevent a null pointer dereference for an "empty" nick.
+ (Closes: #890678)
+
+ -- Chris Lamb <lamby@debian.org> Thu, 22 Feb 2018 20:34:59 +0000
+
irssi (0.8.15-5+deb7u4) wheezy-security; urgency=medium
* Non-maintainer upload by the Debian LTS team.
diff --git a/debian/patches/CVE-2018-7050.patch b/debian/patches/CVE-2018-7050.patch
new file mode 100644
index 0000000..74f5727
--- /dev/null
+++ b/debian/patches/CVE-2018-7050.patch
@@ -0,0 +1,18 @@
+--- irssi.orig/src/fe-common/core/chat-completion.c
++++ irssi/src/fe-common/core/chat-completion.c
+@@ -154,6 +154,7 @@ static void sig_message_public(SERVER_RE
+ {
+ CHANNEL_REC *channel;
+ int own;
++ g_return_if_fail(nick != NULL);
+
+ channel = channel_find(server, target);
+ if (channel != NULL) {
+@@ -166,6 +167,7 @@ static void sig_message_join(SERVER_REC
+ const char *nick, const char *address)
+ {
+ CHANNEL_REC *chanrec;
++ g_return_if_fail(nick != NULL);
+
+ chanrec = channel_find(server, channel);
+ if (chanrec != NULL)
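Review bot: the two `g_return_if_fail(nick != NULL);` guards are compiled away when G_DISABLE_CHECKS is defined, so this fix is only as strong as the flags of whoever builds the package. For a security fix an explicit `if (nick == NULL) return;` is the safer choice, and it also avoids a g_critical() log line on every malformed message. Like CVE-2018-7052.patch, the file has no DEP-3 header; add Origin, `Bug-Debian: https://bugs.debian.org/890678` and the Bug-Debian-Security tracker link.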
diff --git a/debian/patches/series b/debian/patches/series
index b5aa047..a2c5330 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,4 @@
23fix-buf.pl
24security-fixes
28IRSSI-SA-2017-10.patch
+CVE-2018-7050.patch
--
2.16.1
From 56b9f837f957291c8cd38b2c06730fa8ef7698e7 Mon Sep 17 00:00:00 2001
From: Chris Lamb <lamby@debian.org>
Date: Thu, 22 Feb 2018 21:53:38 +0000
Subject: [PATCH 3/6] irssi (0.8.15-5+deb7u4) wheezy-security; urgency=medium
---
debian/changelog | 22 ++++
debian/patches/24security-fixes | 54 ++++++++
debian/patches/27IRSSI-SA-2017-07.patch | 58 +++++++++
debian/patches/28IRSSI-SA-2017-10.patch | 214 ++++++++++++++++++++++++++++++++
debian/patches/series | 2 +
5 files changed, 350 insertions(+)
create mode 100644 debian/patches/24security-fixes
create mode 100644 debian/patches/27IRSSI-SA-2017-07.patch
create mode 100644 debian/patches/28IRSSI-SA-2017-10.patch
diff --git a/debian/changelog b/debian/changelog
index 4d0dc94..b9b49a2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,25 @@
+irssi (0.8.15-5+deb7u4) wheezy-security; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS team.
+ * IRSSI-SA-2017-10:
+ - CVE-2017-15228: Unterminated colour formatting sequences may cause
+ data access beyond the end of the buffer.
+ - CVE-2017-15227: Failure to remove destroyed channels from
+ the query list while waiting for the channel synchronisation
+ may result in use after free conditions when updating the
+ state later on.
+ - CVE-2017-15721: Certain incorrectly formatted DCC CTCP messages
+ could cause NULL pointer dereference.
+ - CVE-2017-15722: Read beyond end of buffer may occur if a Safe
+ channel ID is not long enough.
+ (Closes: #879521)
+ * IRSSI-SA-2017-01:
+ - CVE-2017-5193: NULL pointer dereference in the nickcmp function
+ - CVE-2017-5194: Use-after-freee when receiving invalid nick message
+ - CVE-2017-5196: Out-of-bounds read when Printing the value %[
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org> Thu, 21 Dec 2017 19:39:37 +0100
+
irssi (0.8.15-5+deb7u3) wheezy-security; urgency=high
* Non-maintainer upload by the Debian LTS team.
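Review bot: the IRSSI-SA-2017-01 item in this changelog entry lists CVE-2017-5196 and omits CVE-2017-5195, while the Description of 24security-fixes, the patch it refers to, says it covers CVE-2017-5193, CVE-2017-5194 and CVE-2017-5195 and that the CVE-2017-5196 fix is for 0.8.18 onward. The Debian security tracker takes CVE ids from the changelog, so this would record 5196 as fixed in wheezy and leave 5195 open; change the id to CVE-2017-5195 and check the wording against the advisory. Two smaller points: "Use-after-freee" is a typo, and the IRSSI-SA-2017-10 list omits CVE-2017-15723, which the header of 28IRSSI-SA-2017-10.patch lists; either add it or say why the backport does not cover it.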
diff --git a/debian/patches/24security-fixes b/debian/patches/24security-fixes
new file mode 100644
index 0000000..a10ff0c
--- /dev/null
+++ b/debian/patches/24security-fixes
@@ -0,0 +1,54 @@
+Author: ailin-nemui vim:ft=diff:
+Description: CVE-2017-5193 CVE-2017-5194 CVE-2017-5195
+ Upstream commit 6c6c42e3d1b49d90aacc0b67f8540471cae02a1d
+ besides the fix for CVE-2017-5196 which is for 0.8.18 onward
+
+
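Review bot: the DEP-3 header of 24security-fixes has a vim modeline fused onto the Author field (`Author: ailin-nemui vim:ft=diff:`), and the upstream commit id sits inside the Description continuation instead of an `Origin:` field. Suggested shape: `Author: ailin-nemui`, `Origin: upstream, https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d` (the URL form 27IRSSI-SA-2017-07.patch already uses), and a Description that names the three CVEs and says in a full sentence that the CVE-2017-5196 change is not included because it applies to 0.8.18 onward. A `Bug-Debian-Security:` line per CVE would also help.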
+--- a/src/fe-common/core/formats.c
++++ b/src/fe-common/core/formats.c
+@@ -68,7 +68,7 @@
+
+ if (flags == NULL) {
+ /* flags are being ignored - skip the code */
+- while (**format != ']')
++ while (**format != ']' && **format != '\0')
+ (*format)++;
+ return;
+ }
+@@ -161,6 +161,10 @@
+ case '[':
+ /* code */
+ format_expand_code(format, out, flags);
++ if ((*format)[0] == '\0')
++ /* oops, reached end prematurely */
++ (*format)--;
++
+ break;
+ default:
+ /* check if it's a background color */
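Review bot: the two formats.c hunks only work together. The first makes the `]` scan in format_expand_code() stop at the terminator; the second backs `*format` up one byte when that happened, evidently because the code after the switch advances the pointer again and would otherwise step past the NUL, which is exactly the over-read being fixed. State this dependency in the patch Description so a future refresh does not keep one hunk and drop the other. The `/* oops, reached end prematurely */` comment could also say why the decrement is safe (the pointer is left on the last character, which the later increment then skips).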
+--- a/src/irc/core/irc-nicklist.c
++++ b/src/irc/core/irc-nicklist.c
+@@ -316,7 +316,11 @@
+ static void event_nick_invalid(IRC_SERVER_REC *server, const char *data)
+ {
+ if (!server->connected)
+- server_disconnect((SERVER_REC *) server);
++ /* we used to call server_disconnect but that crashes
++ irssi because of undefined memory access. instead,
++ indicate that the connection should be dropped and
++ let the irc method to the clean-up. */
++ server->connection_lost = server->no_reconnect = TRUE;
+ }
+
+ static void event_nick_in_use(IRC_SERVER_REC *server, const char *data)
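Review bot: the comment added in event_nick_invalid() reads "let the irc method to the clean-up", which is missing its verb ("do the clean-up"); it is copied from upstream, so either correct it in the copy or leave it, but do not let it propagate into new text. More importantly the hunk changes behaviour, not only safety: an invalid nick during connection no longer disconnects the server synchronously, it sets connection_lost and no_reconnect and leaves the teardown to the IRC layer. That deserves a line in the Description, because it is the kind of change a stable-update reviewer will ask about.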
+--- a/src/irc/core/irc-queries.c
++++ b/src/irc/core/irc-queries.c
+@@ -45,6 +45,8 @@
+ {
+ GSList *tmp;
+
++ g_return_val_if_fail(nick != NULL, NULL);
++
+ for (tmp = server->queries; tmp != NULL; tmp = tmp->next) {
+ QUERY_REC *rec = tmp->data;
+
diff --git a/debian/patches/27IRSSI-SA-2017-07.patch b/debian/patches/27IRSSI-SA-2017-07.patch
new file mode 100644
index 0000000..6b80f9f
--- /dev/null
+++ b/debian/patches/27IRSSI-SA-2017-07.patch
@@ -0,0 +1,58 @@
+Subject: IRSSI-SA-2017-07
+Author: Nei <ailin.nemui@gmail.com>
+Author: ailin-nemui <ailin-nemui@users.noreply.github.com>
+Origin: https://github.com/irssi/irssi/commit/29ebac987da1da2c892aed5ed329256b7bc94bca,
+ https://github.com/irssi/irssi/commit/73b851c39c11d01199e6c040749fb20e468f6c8d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10965
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10966
+Bug-Debian: https://bugs.debian.org/867598
+---
+
+--- a/src/core/misc.c
++++ b/src/core/misc.c
+@@ -611,6 +611,9 @@ char *my_asctime(time_t t)
+ int len;
+
+ tm = localtime(&t);
++ if (tm == NULL)
++ return g_strdup("???");
++
+ str = g_strdup(asctime(tm));
+
+ len = strlen(str);
+--- a/src/core/nicklist.c
++++ b/src/core/nicklist.c
+@@ -54,23 +54,26 @@ static void nick_hash_add(CHANNEL_REC *c
+
+ static void nick_hash_remove(CHANNEL_REC *channel, NICK_REC *nick)
+ {
+- NICK_REC *list;
++ NICK_REC *list, *newlist;
+
+ list = g_hash_table_lookup(channel->nicks, nick->nick);
+ if (list == NULL)
+ return;
+
+- if (list == nick || list->next == NULL) {
+- g_hash_table_remove(channel->nicks, nick->nick);
+- if (list->next != NULL) {
+- g_hash_table_insert(channel->nicks, nick->next->nick,
+- nick->next);
+- }
++ if (list == nick) {
++ newlist = nick->next;
+ } else {
++ newlist = list;
+ while (list->next != nick)
+ list = list->next;
+ list->next = nick->next;
+ }
++
++ g_hash_table_remove(channel->nicks, nick->nick);
++ if (newlist != NULL) {
++ g_hash_table_insert(channel->nicks, newlist->nick,
++ newlist);
++ }
+ }
+
+ /* Add new nick to list */
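Review bot: 27IRSSI-SA-2017-07.patch is added by this commit but never listed in debian/patches/series (the series hunk of this commit adds only 24security-fixes and 28IRSSI-SA-2017-10.patch), so it is dead weight in the source package. Its content is also already applied: both hunks, the localtime() NULL check in my_asctime() and the rewrite of nick_hash_remove(), are identical to 28Fix-use-after-free-and-null-pointer-dereference.patch from 0.8.15-5+deb7u3, which is in series; the only difference is the hunk offset in misc.c (@@ -611 here versus @@ -560 there). Either drop this file, or, if the point was to replace the older one with a DEP-3-headed version, add it to series and remove the old entry in the same commit.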
diff --git a/debian/patches/28IRSSI-SA-2017-10.patch b/debian/patches/28IRSSI-SA-2017-10.patch
new file mode 100644
index 0000000..771a8bd
--- /dev/null
+++ b/debian/patches/28IRSSI-SA-2017-10.patch
@@ -0,0 +1,214 @@
+From: Nei <ailin.nemui@gmail.com>
+Date: Fri, 20 Oct 2017 13:31:26 +0000
+Subject: Merge branch 'security' into 'master'
+Origin: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1
+Bug-Debian: https://bugs.debian.org/879521
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15228
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15227
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15721
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15723
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15722
+
+Security
+
+Closes GL#12, GL#13, GL#14, GL#15, GL#16
+
+See merge request irssi/irssi!23
+---
+ src/core/recode.c | 7 ++++++-
+ src/fe-common/core/themes.c | 7 ++++++-
+ src/irc/core/channel-events.c | 2 +-
+ src/irc/core/channels-query.c | 7 ++++---
+ src/irc/core/irc-servers.c | 5 ++++-
+ src/irc/dcc/dcc-chat.c | 21 +++++++++++++++++++++
+ src/irc/dcc/dcc-get.c | 17 +++++++++++++++--
+ src/irc/dcc/dcc-send.c | 10 ++++++++++
+ 8 files changed, 67 insertions(+), 9 deletions(-)
+
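Review bot: the header of 28IRSSI-SA-2017-10.patch is copied from the upstream merge and does not match the backport: its diffstat lists src/core/recode.c and src/irc/core/irc-servers.c, but no hunks for those files follow, and it lists CVE-2017-15723, which the changelog entry for this upload does not claim. Trim the diffstat to the files actually touched (themes.c, channel-events.c, channels-query.c, dcc-chat.c, dcc-get.c, dcc-send.c) and add a sentence saying which of the five CVEs the backport covers and why the recode.c and irc-servers.c changes were left out; otherwise the patch claims more than it delivers.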
+--- a/src/fe-common/core/themes.c
++++ b/src/fe-common/core/themes.c
+@@ -524,7 +524,7 @@
+ /* a normal character */
+ g_string_append_c(str, *format);
+ format++;
+- } else {
++ } else if (format[1] != '\0') {
+ /* %format */
+ format++;
+ if (IS_OLD_FORMAT(*format, last_fg, last_bg)) {
+@@ -547,6 +547,11 @@
+ last_bg = *format;
+ }
+ format++;
++ } else {
++ /* % at end of string */
++ format++;
++ g_string_append_c(str, '%');
++ g_string_append_c(str, '%');
+ }
+ }
+
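Review bot: in the new `else` branch of the themes.c hunk a lone `%` at the end of the format string is written out as `%%`, which is the escape for a literal percent in irssi format strings, so the doubled append is intentional; it does read like an accidental copy of the line, though, so a comment such as `/* escape the dangling % so it prints literally */` would help. The `format++` there also moves the pointer onto the NUL so the enclosing loop ends, which is what stops the read past the end for the unterminated-formatting-sequence case the changelog describes as CVE-2017-15228.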
+--- a/src/irc/core/channel-events.c
++++ b/src/irc/core/channel-events.c
+@@ -37,7 +37,7 @@
+ channel++; /* server didn't understand !channels */
+
+ chanrec = channel_find(SERVER(server), channel);
+- if (chanrec == NULL && channel[0] == '!') {
++ if (chanrec == NULL && channel[0] == '!' && strlen(channel) > 6) {
+ /* it probably replied with the full !channel name,
+ find the channel with the short name.. */
+ chan2 = g_strdup_printf("!%s", channel+6);
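Review bot: `strlen(channel) > 6` in the channel-events.c hunk is a bare magic number; the 6 is the `!` plus the five-character safe-channel ID that the existing `channel+6` skips, and the old code read past the end when a shorter `!`-name arrived (the CVE-2017-15722 item in the changelog). A comment, or one named constant used by both the check and the `channel+6`, would keep the two 6s from drifting apart on a later edit.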
+--- a/src/irc/core/channels-query.c
++++ b/src/irc/core/channels-query.c
+@@ -119,21 +119,22 @@
+ int n;
+
+ rec = channel->server->chanqueries;
++ if (rec == NULL) return;
+
+ /* remove channel from query lists */
+ for (n = 0; n < CHANNEL_QUERIES; n++)
+ rec->queries[n] = g_slist_remove(rec->queries[n], channel);
+ rec->current_queries = g_slist_remove(rec->current_queries, channel);
+
+- query_check(channel->server);
++ if (!channel->server->disconnected)
++ query_check(channel->server);
+ }
+
+ static void sig_channel_destroyed(IRC_CHANNEL_REC *channel)
+ {
+ g_return_if_fail(channel != NULL);
+
+- if (IS_IRC_CHANNEL(channel) && !channel->server->disconnected &&
+- !channel->synced)
++ if (IS_IRC_CHANNEL(channel))
+ query_remove_all(channel);
+ }
+
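Review bot: the channels-query.c hunk changes semantics rather than only adding a check: removing `!channel->server->disconnected && !channel->synced` from sig_channel_destroyed() makes query_remove_all() run for every destroyed IRC channel, so a channel destroyed while a query is pending is no longer left in rec->queries as a dangling pointer (the use-after-free the changelog lists as CVE-2017-15227). The new `if (rec == NULL) return;` and the disconnected guard around query_check() are what make that safe on a server that is already going away; say so in the header. Style: the one-line `if (rec == NULL) return;` breaks the brace-and-newline layout of the surrounding code.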
+--- a/src/irc/dcc/dcc-chat.c
++++ b/src/irc/dcc/dcc-chat.c
+@@ -66,6 +66,13 @@
+ dcc->id = dcc_chat_get_new_id(nick);
+
+ dcc_init_rec(DCC(dcc), server, chat, nick, arg);
++ if (dcc->module_data == NULL) {
++ /* failed to successfully init; TODO: change init_rec API */
++ g_free(dcc->id);
++ g_free(dcc);
++ return NULL;
++ }
++
+ return dcc;
+ }
+
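Review bot: the dcc_chat_create() hunk detects an initialisation failure by inspecting `dcc->module_data == NULL` after dcc_init_rec(), which returns nothing, and the same pattern is repeated in dcc-get.c and dcc-send.c. That is an implicit contract between dcc_init_rec() and three callers; the TODO acknowledges it, but until the API changes, a comment at dcc_init_rec() stating that module_data is left NULL on failure would stop the next refactoring from breaking all three at once. This caller frees `dcc->id` (allocated by dcc_chat_get_new_id() just above) while the get/send variants free only `dcc`, which matches what each has allocated at that point.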
+@@ -471,6 +478,7 @@
+ /* We are accepting a passive DCC CHAT. */
+ dcc_chat_passive(dcc);
+ }
++ cmd_params_free(free_arg);
+ return;
+ }
+
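Review bot: the single added `cmd_params_free(free_arg);` before the `return` in the passive-accept path of the dcc-chat.c @@ -471 hunk is a leak fix, not part of any of the listed CVEs. It is fine to carry along with the upstream merge, but call it out in the header so nobody hunts for the security issue it supposedly fixes.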
+@@ -485,6 +493,11 @@
+ cmd_param_error(CMDERR_NOT_CONNECTED);
+
+ dcc = dcc_chat_create(server, NULL, nick, "chat");
++ if (dcc == NULL) {
++ cmd_params_free(free_arg);
++ g_warn_if_reached();
++ return;
++ }
+
+ if (g_hash_table_lookup(optlist, "passive") == NULL) {
+ /* Standard DCC CHAT... let's listen for incoming connections */
+@@ -627,6 +640,9 @@
+ }
+ passive = paramcount == 4 && strcmp(params[2], "0") == 0;
+
++ if (nick == NULL)
++ nick = "";
++
+ dcc = DCC_CHAT(dcc_find_request(DCC_CHAT_TYPE, nick, NULL));
+ if (dcc != NULL) {
+ if (dcc_is_listening(dcc)) {
+@@ -658,6 +674,11 @@
+ }
+
+ dcc = dcc_chat_create(server, chat, nick, params[0]);
++ if (dcc == NULL) {
++ g_strfreev(params);
++ g_warn_if_reached();
++ return;
++ }
+ dcc->target = g_strdup(target);
+ dcc->port = atoi(params[2]);
+
+--- a/src/irc/dcc/dcc-get.c
++++ b/src/irc/dcc/dcc-get.c
+@@ -41,6 +41,12 @@
+ dcc->fhandle = -1;
+
+ dcc_init_rec(DCC(dcc), server, chat, nick, arg);
++ if (dcc->module_data == NULL) {
++ /* failed to successfully init; TODO: change API */
++ g_free(dcc);
++ return NULL;
++ }
++
+ return dcc;
+ }
+
+@@ -418,9 +424,10 @@
+ int p_id = -1;
+ int passive = FALSE;
+
+- if (addr == NULL) {
++ if (addr == NULL)
+ addr = "";
+- }
++ if (nick == NULL)
++ nick = "";
+
+ /* SEND <file name> <address> <port> <size> [...] */
+ /* SEND <file name> <address> 0 <size> <id> (DCC SEND passive protocol) */
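Review bot: the dcc-get.c @@ -418 hunk rewrites the `if (addr == NULL) { addr = ""; }` lines that 25Fix-dcc_request-where-addr-is-NULL.patch introduced, purely to drop the braces, before adding the `nick == NULL` guard. That couples this patch to the exact text of an earlier one in series: refreshing or dropping 25Fix-... will make this hunk fail to apply. Keep the braced form as context and add only the two new `nick` lines.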
+@@ -500,6 +507,12 @@
+ dcc_destroy(DCC(dcc)); /* remove the old DCC */
+
+ dcc = dcc_get_create(server, chat, nick, fname);
++ if (dcc == NULL) {
++ g_free(address);
++ g_free(fname);
++ g_warn_if_reached();
++ return;
++ }
+ dcc->target = g_strdup(target);
+
+ if (passive && port == 0)
+--- a/src/irc/dcc/dcc-send.c
++++ b/src/irc/dcc/dcc-send.c
+@@ -237,6 +237,12 @@
+ dcc->queue = -1;
+
+ dcc_init_rec(DCC(dcc), server, chat, nick, arg);
++ if (dcc->module_data == NULL) {
++ /* failed to successfully init; TODO: change API */
++ g_free(dcc);
++ return NULL;
++ }
++
+ return dcc;
+ }
+
+@@ -421,6 +427,10 @@
+
+ dcc = dcc_send_create(server, chat, target, fname);
+ g_free(str);
++ if (dcc == NULL) {
++ g_warn_if_reached();
++ return FALSE;
++ }
+
+ dcc->handle = handle;
+ dcc->port = port;
diff --git a/debian/patches/series b/debian/patches/series
index 5ab21af..b5aa047 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,5 @@
19disable_sslv2
20fix_ssl_proxy_hostname_check
23fix-buf.pl
+24security-fixes
+28IRSSI-SA-2017-10.patch
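Review bot: this series hunk adds 24security-fixes and 28IRSSI-SA-2017-10.patch but not 27IRSSI-SA-2017-07.patch, even though the same commit creates that file; a patch under debian/patches/ that is not in series is never applied. Either list it (and retire the 28Fix-use-after-free-and-null-pointer-dereference.patch entry whose hunks it duplicates) or do not add the file.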
--
2.16.1
From 8154399b267fe00e52e35c6985b2c20f1b56b713 Mon Sep 17 00:00:00 2001
From: Chris Lamb <lamby@debian.org>
Date: Thu, 22 Feb 2018 21:52:59 +0000
Subject: [PATCH 2/6] irssi (0.8.15-5+deb7u3) wheezy-security; urgency=high
---
debian/changelog | 9 +++
...e-after-free-and-null-pointer-dereference.patch | 72 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 82 insertions(+)
create mode 100644 debian/patches/28Fix-use-after-free-and-null-pointer-dereference.patch
diff --git a/debian/changelog b/debian/changelog
index eca08ba..4d0dc94 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+irssi (0.8.15-5+deb7u3) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS team.
+ * Security related update pulling upstream 5e26325317 (closes: 867598):
+ - Fix null pointer dereference (CVE-2017-10965)
+ - Fix use-after-free condition for nicklist (CVE-2017-10966)
+
+ -- Lucas Kanashiro <kanashiro@debian.org> Tue, 05 Sep 2017 12:09:41 -0300
+
irssi (0.8.15-5+deb7u2) wheezy-security; urgency=high
* Non-maintainer upload by the Debian LTS team.
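Review bot: `(closes: 867598)` in the deb7u3 entry works, since dpkg's closes regex is case-insensitive and the `#` is optional, but the conventional form is `(Closes: #867598)` and the mixed style stands out next to the other entries. The entry also cites upstream 5e26325317, whereas the patch file embeds commits 29ebac987 and 73b851c39; if 5e26325317 is the merge that contains them, say so, otherwise cite the two commits that were actually taken.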
diff --git a/debian/patches/28Fix-use-after-free-and-null-pointer-dereference.patch b/debian/patches/28Fix-use-after-free-and-null-pointer-dereference.patch
new file mode 100644
index 0000000..30b5192
--- /dev/null
+++ b/debian/patches/28Fix-use-after-free-and-null-pointer-dereference.patch
@@ -0,0 +1,72 @@
+From 29ebac987da1da2c892aed5ed329256b7bc94bca Mon Sep 17 00:00:00 2001
+From: Nei <ailin.nemui@gmail.com>
+Date: Thu, 29 Jun 2017 13:48:44 +0000
+Subject: [PATCH 1/2] Check return value of localtime
+
+Fixes #10
+---
+ src/core/misc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/core/misc.c b/src/core/misc.c
+index ce49925b1..0b2d8e776 100644
+--- a/src/core/misc.c
++++ b/src/core/misc.c
+@@ -560,6 +560,9 @@ char *my_asctime(time_t t)
+ int len;
+
+ tm = localtime(&t);
++ if (tm == NULL)
++ return g_strdup("???");
++
+ str = g_strdup(asctime(tm));
+
+ len = strlen(str);
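Review bot: returning `g_strdup("???")` when localtime() yields NULL removes the NULL dereference (CVE-2017-10965), but the code that follows takes `len = strlen(str)` on what used to be asctime()'s fixed-format output; make sure the trimming after it does not assume a trailing newline or a minimum length, since "???" has neither. A short comment on why localtime() can fail here (a time_t outside the range the C library can represent) would also help the next reader.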
+
+From 73b851c39c11d01199e6c040749fb20e468f6c8d Mon Sep 17 00:00:00 2001
+From: ailin-nemui <ailin-nemui@users.noreply.github.com>
+Date: Tue, 4 Jul 2017 16:10:55 +0200
+Subject: [PATCH 2/2] correct GHashTable usage
+
+---
+ src/core/nicklist.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/src/core/nicklist.c b/src/core/nicklist.c
+index 54dfb5fb2..0bc88ab8d 100644
+--- a/src/core/nicklist.c
++++ b/src/core/nicklist.c
+@@ -54,23 +54,26 @@ static void nick_hash_add(CHANNEL_REC *channel, NICK_REC *nick)
+
+ static void nick_hash_remove(CHANNEL_REC *channel, NICK_REC *nick)
+ {
+- NICK_REC *list;
++ NICK_REC *list, *newlist;
+
+ list = g_hash_table_lookup(channel->nicks, nick->nick);
+ if (list == NULL)
+ return;
+
+- if (list == nick || list->next == NULL) {
+- g_hash_table_remove(channel->nicks, nick->nick);
+- if (list->next != NULL) {
+- g_hash_table_insert(channel->nicks, nick->next->nick,
+- nick->next);
+- }
++ if (list == nick) {
++ newlist = nick->next;
+ } else {
++ newlist = list;
+ while (list->next != nick)
+ list = list->next;
+ list->next = nick->next;
+ }
++
++ g_hash_table_remove(channel->nicks, nick->nick);
++ if (newlist != NULL) {
++ g_hash_table_insert(channel->nicks, newlist->nick,
++ newlist);
++ }
+ }
+
+ /* Add new nick to list */
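Review bot: the rewritten nick_hash_remove() always removes the hash entry and re-inserts the surviving head under `newlist->nick`, so the table key is owned by a record that is still alive rather than by the one about to be freed; that is the "correct GHashTable usage" of the subject and the use-after-free fix (CVE-2017-10966), and is worth spelling out in a comment. Unchanged and still worth knowing: the else branch's `while (list->next != nick)` assumes nick really is on the chain and dereferences NULL if it is not.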
diff --git a/debian/patches/series b/debian/patches/series
index 6b582a1..5ab21af 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+28Fix-use-after-free-and-null-pointer-dereference.patch
26Fix-oob-read-of-one-byte-in-get_file_params_count-_r.patch
25Fix-dcc_request-where-addr-is-NULL.patch
01chanmode_expando_strip
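Review bot: the new entry is placed at the top of series, above 26Fix-... and 25Fix-..., so the apply order (28, 26, 25, 01...) is the reverse of the numeric prefixes. It is harmless here because these three touch different files, but the prefix is what the next maintainer will read as the order; append new patches at the end, or renumber.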
--
2.16.1
From faeb001d034851fd726fb30eda3c182da61c6792 Mon Sep 17 00:00:00 2001
From: Chris Lamb <lamby@debian.org>
Date: Thu, 22 Feb 2018 21:52:11 +0000
Subject: [PATCH 1/6] irssi (0.8.15-5+deb7u2) wheezy-security; urgency=high
---
debian/changelog | 9 ++++++
.../25Fix-dcc_request-where-addr-is-NULL.patch | 22 ++++++++++++++
...d-of-one-byte-in-get_file_params_count-_r.patch | 34 ++++++++++++++++++++++
debian/patches/series | 2 ++
4 files changed, 67 insertions(+)
create mode 100644 debian/patches/25Fix-dcc_request-where-addr-is-NULL.patch
create mode 100644 debian/patches/26Fix-oob-read-of-one-byte-in-get_file_params_count-_r.patch
diff --git a/debian/changelog b/debian/changelog
index 4fb4d4b..eca08ba 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+irssi (0.8.15-5+deb7u2) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS team.
+ * Fix dcc_request where addr is NULL (CVE-2017-9468) (Closes: #864400)
+ * Fix oob read of one byte in get_file_params_count{,_resume}
+ (CVE-2017-9469) (Closes: #864400)
+
+ -- Lucas Kanashiro <kanashiro@debian.org> Mon, 04 Sep 2017 12:52:40 -0300
+
irssi (0.8.15-5+deb7u1) wheezy-security; urgency=high
* New patch 23fix-buf.pl to fix an information exposure issue involved with
diff --git a/debian/patches/25Fix-dcc_request-where-addr-is-NULL.patch b/debian/patches/25Fix-dcc_request-where-addr-is-NULL.patch
new file mode 100644
index 0000000..72d5766
--- /dev/null
+++ b/debian/patches/25Fix-dcc_request-where-addr-is-NULL.patch
@@ -0,0 +1,22 @@
+From 528f51bfbe5c65c5b24546faa244009dd5b3c586 Mon Sep 17 00:00:00 2001
+From: Joseph Bisch <joseph.bisch@gmail.com>
+Date: Wed, 17 May 2017 10:08:51 -0400
+Subject: [PATCH] Fix dcc_request where addr is NULL
+
+---
+ src/irc/dcc/dcc-get.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/src/irc/dcc/dcc-get.c
++++ b/src/irc/dcc/dcc-get.c
+@@ -418,6 +418,10 @@ static void ctcp_msg_dcc_send(IRC_SERVER
+ int p_id = -1;
+ int passive = FALSE;
+
++ if (addr == NULL) {
++ addr = "";
++ }
++
+ /* SEND <file name> <address> <port> <size> [...] */
+ /* SEND <file name> <address> 0 <size> <id> (DCC SEND passive protocol) */
+ params = g_strsplit(data, " ", -1);
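Review bot: 25Fix-dcc_request-where-addr-is-NULL.patch is a raw git format-patch with no DEP-3 fields. Add `Origin: upstream, https://github.com/irssi/irssi/commit/528f51bfbe5c65c5b24546faa244009dd5b3c586` (the commit id from its From line, in the URL form 27IRSSI-SA-2017-07.patch uses), `Bug-Debian: https://bugs.debian.org/864400` from the changelog, and the CVE-2017-9468 tracker link, so the backport can be audited. The guard itself, substituting "" for a NULL addr before the SEND parameters are split, is the minimal fix for the NULL dereference.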
diff --git a/debian/patches/26Fix-oob-read-of-one-byte-in-get_file_params_count-_r.patch b/debian/patches/26Fix-oob-read-of-one-byte-in-get_file_params_count-_r.patch
new file mode 100644
index 0000000..35a1c41
--- /dev/null
+++ b/debian/patches/26Fix-oob-read-of-one-byte-in-get_file_params_count-_r.patch
@@ -0,0 +1,34 @@
+From 30a92754bb650c3dedd507d41110443142899a65 Mon Sep 17 00:00:00 2001
+From: Joseph Bisch <joseph.bisch@gmail.com>
+Date: Mon, 29 May 2017 14:43:24 -0400
+Subject: [PATCH] Fix oob read of one byte in get_file_params_count{,_resume}
+
+We can use continue to handle cases such as:
+"ab<space><space>c"
+---
+ src/irc/dcc/dcc-get.c | 2 ++
+ src/irc/dcc/dcc-resume.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/src/irc/dcc/dcc-get.c
++++ b/src/irc/dcc/dcc-get.c
+@@ -370,6 +370,8 @@ int get_file_params_count(char **params,
+ if (*params[0] == '"') {
+ /* quoted file name? */
+ for (pos = 0; pos < paramcount-3; pos++) {
++ if (strlen(params[pos]) == 0)
++ continue;
+ if (params[pos][strlen(params[pos])-1] == '"' &&
+ get_params_match(params, pos+1))
+ return pos+1;
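Review bot: the `strlen(params[pos]) == 0` / `continue` guard in get_file_params_count() fixes a size_t underflow: for an empty token, which g_strsplit() produces for two adjacent spaces (the "ab<space><space>c" case in the message), `strlen(params[pos])-1` wraps around and `params[pos][...]` indexes one byte before the start of the token, the one-byte over-read in the subject. strlen() is now evaluated twice per iteration; caching it in a local (`size_t n = strlen(params[pos]); if (n == 0) continue;` then `params[pos][n-1]`) is cheaper and makes the link between the guard and the index obvious. The same applies to the dcc-resume.c copy.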
+--- a/src/irc/dcc/dcc-resume.c
++++ b/src/irc/dcc/dcc-resume.c
+@@ -61,6 +61,8 @@ int get_file_params_count_resume(char **
+ if (*params[0] == '"') {
+ /* quoted file name? */
+ for (pos = 0; pos < paramcount-2; pos++) {
++ if (strlen(params[pos]) == 0)
++ continue;
+ if (params[pos][strlen(params[pos])-1] == '"' &&
+ get_params_match_resume(params, pos+1))
+ return pos+1;
diff --git a/debian/patches/series b/debian/patches/series
index f327981..6b582a1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
+26Fix-oob-read-of-one-byte-in-get_file_params_count-_r.patch
+25Fix-dcc_request-where-addr-is-NULL.patch
01chanmode_expando_strip
02ctcp_version_reply
03firsttimer_text
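Review bot: series lists 26Fix-... before 25Fix-..., so the two apply in the reverse of their numbering; both touch dcc-get.c in different functions, so it applies either way, but keep the list in prefix order to match the convention the rest of the file follows (01, 02, 03...).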
--
2.16.1