Re: Wheezy update of kildclient?
On 16-12-2017 07:23, Chris Lamb wrote:
> I've marked this as "assigned to me" in the internal LTS tool, so if
> when you have a patch ready, please just send it over and I will upload
> it to wheezy.
>
> Alternatively, I can work on a patch.. Just let me know.
I've prepared an updated package; you can download it with
dget https://www.kildclient.org/debian/kildclient_2.11.1-1+deb7u1.dsc
I'm also attaching the debdiff for convenience.
The issue does not seem serious (and I'm not sure if it even warrants being called a security issue), but there is a convenience GTK+ function for opening URLs that avoids the use of a user-defined command or $BROWSER. It does require a new dependency on gvfs, though.
I've built and tested the package in a wheezy virtual machine.
[I'm not subscribed to this list, so please CC me.]
--
Eduardo M KALINOWSKI
eduardo@kalinowski.com.br
diff -Nru kildclient-2.11.1/debian/changelog kildclient-2.11.1/debian/changelog
--- kildclient-2.11.1/debian/changelog 2011-05-29 17:14:01.000000000 -0300
+++ kildclient-2.11.1/debian/changelog 2017-12-16 11:56:43.000000000 -0200
@@ -1,3 +1,10 @@
+kildclient (2.11.1-1+deb7u1) wheezy-security; urgency=high
+
+ * Fix for CVE-2017-17511. New dependency 'gvfs' required in order to use
+ GTK+ function for opening URLs.
+
+ -- Eduardo M Kalinowski <eduardo@kalinowski.com.br> Sat, 16 Dec 2017 11:56:41 -0200
+
kildclient (2.11.1-1) unstable; urgency=low
* New upstream version: 2.11.1:
diff -Nru kildclient-2.11.1/debian/control kildclient-2.11.1/debian/control
--- kildclient-2.11.1/debian/control 2011-05-29 17:14:01.000000000 -0300
+++ kildclient-2.11.1/debian/control 2017-12-16 11:44:18.000000000 -0200
@@ -10,7 +10,7 @@
Package: kildclient
Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, liblocale-gettext-perl
+Depends: ${shlibs:Depends}, ${misc:Depends}, liblocale-gettext-perl, gvfs
Suggests: kildclient-doc, libgtk2-perl
Description: powerful MUD client with a built-in Perl interpreter
KildClient is a MUD Client written with the GTK+ windowing toolkit.
diff -Nru kildclient-2.11.1/debian/patches/cve-2017-17511.patch kildclient-2.11.1/debian/patches/cve-2017-17511.patch
--- kildclient-2.11.1/debian/patches/cve-2017-17511.patch 1969-12-31 21:00:00.000000000 -0300
+++ kildclient-2.11.1/debian/patches/cve-2017-17511.patch 2017-12-16 12:36:01.000000000 -0200
@@ -0,0 +1,192 @@
+Description: Fix for CVE-2017-17511
+ Uses a GTK+ function to open URLs, instead of using a command
+ supplied by the user or $BROWSER.
+Author: Eduardo M KALINOWSKI <eduardo@kalinowski.com.br>
+Last-Update: 2017-12-16
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/kildclient.h
++++ b/src/kildclient.h
+@@ -599,7 +599,6 @@
+ GtkPositionType tab_position;
+ gboolean hide_single_tab;
+ gboolean urgency_hint;
+- char *browser_command;
+ char *audio_player_command;
+ char *last_open_world;
+ gboolean no_plugin_help_msg;
+--- a/src/prefs.c
++++ b/src/prefs.c
+@@ -94,7 +94,6 @@
+ GObject *txtProxyUser;
+ GObject *txtProxyPassword;
+ #ifndef __WIN32__
+- GObject *txtBrowserCommand;
+ GObject *txtAudioPlayerCommand;
+ #else
+ GtkWidget *tabPrograms;
+@@ -181,12 +180,6 @@
+
+ #ifndef __WIN32__
+ /* Load commands */
+- txtBrowserCommand = gtk_builder_get_object(main_builder, "txtBrowserCommand");
+- gtk_entry_set_text(GTK_ENTRY(txtBrowserCommand),
+- globalPrefs.browser_command);
+- g_signal_connect(txtBrowserCommand, "focus_out_event",
+- G_CALLBACK(txt_cmd_focus_out_cb),
+- &globalPrefs.browser_command);
+ txtAudioPlayerCommand
+ = gtk_builder_get_object(main_builder, "txtAudioPlayerCommand");
+ gtk_entry_set_text(GTK_ENTRY(txtAudioPlayerCommand),
+@@ -322,9 +315,6 @@
+ }
+
+ /* Has the commands been set? */
+- if (!globalPrefs.browser_command) {
+- globalPrefs.browser_command = g_strdup("${BROWSER} \"%s\" &");
+- }
+ if (!globalPrefs.audio_player_command) {
+ globalPrefs.audio_player_command = g_strdup("play \"%s\" &");
+ }
+@@ -383,8 +373,6 @@
+ globalPrefs.hide_single_tab = atoi(line + pos + 1);
+ } else if (strcmp(first_word, "urgencyhint") == 0) {
+ globalPrefs.urgency_hint = atoi(line + pos + 1);
+- } else if (strcmp(first_word, "browsercommand") == 0) {
+- globalPrefs.browser_command = g_strdup(line + pos + 1);
+ } else if (strcmp(first_word, "audioplayercommand") == 0) {
+ globalPrefs.audio_player_command = g_strdup(line + pos + 1);
+ } else if (strcmp(first_word, "lastopenworld") == 0) {
+@@ -478,8 +466,6 @@
+ g_string_append_printf(str, "urgencyhint %d\n", globalPrefs.urgency_hint);
+
+ g_string_append_printf(str,
+- "browsercommand %s\n", globalPrefs.browser_command);
+- g_string_append_printf(str,
+ "audioplayercommand %s\n",
+ globalPrefs.audio_player_command);
+
+--- a/src/worldgui.c
++++ b/src/worldgui.c
+@@ -1145,13 +1145,15 @@
+ void
+ menu_url_open(GtkAction *action, char *url)
+ {
+- char *to_run;
++ GError *err = NULL;
+
+- to_run = g_strdup_printf(globalPrefs.browser_command, url);
++ gtk_show_uri(NULL, url, GDK_CURRENT_TIME, &err);
++ if (err != NULL) {
++ fprintf(stderr, "Error opening URL: %s\nCheck if gvfs is installed\n",
++ err->message);
++ g_error_free(err);
++ }
+
+- system(to_run);
+-
+- g_free(to_run);
+ g_free(url);
+ }
+ #else /* defined __WIN32__ */
+--- a/src/dlgPreferences.glade
++++ b/src/dlgPreferences.glade
+@@ -453,89 +453,6 @@
+ <property name="orientation">vertical</property>
+ <property name="spacing">18</property>
+ <child>
+- <widget class="GtkVBox" id="vbox_browser">
+- <property name="visible">True</property>
+- <property name="orientation">vertical</property>
+- <property name="spacing">6</property>
+- <child>
+- <widget class="GtkLabel" id="label46">
+- <property name="visible">True</property>
+- <property name="xalign">0</property>
+- <property name="yalign">0</property>
+- <property name="label" translatable="yes"><b>Web Browser</b></property>
+- <property name="use_markup">True</property>
+- </widget>
+- <packing>
+- <property name="expand">False</property>
+- <property name="fill">False</property>
+- <property name="position">0</property>
+- </packing>
+- </child>
+- <child>
+- <widget class="GtkHBox" id="hbox_ident_browser">
+- <property name="visible">True</property>
+- <child>
+- <widget class="GtkLabel" id="label_ident_browser">
+- <property name="visible">True</property>
+- <property name="label"> </property>
+- </widget>
+- <packing>
+- <property name="expand">False</property>
+- <property name="fill">False</property>
+- <property name="position">0</property>
+- </packing>
+- </child>
+- <child>
+- <widget class="GtkVBox" id="vbox_int_browser">
+- <property name="visible">True</property>
+- <property name="orientation">vertical</property>
+- <property name="spacing">6</property>
+- <property name="homogeneous">True</property>
+- <child>
+- <widget class="GtkEntry" id="txtBrowserCommand">
+- <property name="visible">True</property>
+- <property name="can_focus">True</property>
+- <property name="tooltip" translatable="yes">Specify the command used to launch a web browser</property>
+- <property name="invisible_char">●</property>
+- <property name="activates_default">True</property>
+- </widget>
+- <packing>
+- <property name="expand">False</property>
+- <property name="fill">False</property>
+- <property name="position">0</property>
+- </packing>
+- </child>
+- <child>
+- <widget class="GtkLabel" id="label49">
+- <property name="visible">True</property>
+- <property name="xalign">0</property>
+- <property name="label" translatable="yes">Enter the command to run a web browser. %s will be substituted by the web page address.</property>
+- <property name="wrap">True</property>
+- </widget>
+- <packing>
+- <property name="expand">False</property>
+- <property name="fill">False</property>
+- <property name="position">1</property>
+- </packing>
+- </child>
+- </widget>
+- <packing>
+- <property name="position">1</property>
+- </packing>
+- </child>
+- </widget>
+- <packing>
+- <property name="position">1</property>
+- </packing>
+- </child>
+- </widget>
+- <packing>
+- <property name="expand">False</property>
+- <property name="fill">False</property>
+- <property name="position">0</property>
+- </packing>
+- </child>
+- <child>
+ <widget class="GtkVBox" id="vbox_player">
+ <property name="visible">True</property>
+ <property name="orientation">vertical</property>
+@@ -618,7 +535,7 @@
+ </child>
+ </widget>
+ <packing>
+- <property name="position">2</property>
++ <property name="position">1</property>
+ </packing>
+ </child>
+ <child>
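Review bot: In the src/worldgui.c part of this patch, menu_url_open now passes url straight to gtk_show_uri() with no check on its scheme, so whatever URI reaches this handler is dispatched to the matching GIO/desktop handler, not necessarily a web browser; if the URL can originate from the remote MUD server (which the original system() issue suggests, though the source of url is not visible here), restricting it to an allow-list of schemes such as http/https before the call keeps the fix from trading one class of surprise for another. g_uri_parse_scheme() is available in the GLib this code already uses and returns a newly allocated string, so it must be freed on both paths; the existing GError handling can stay as written. The same user-supplied format string plus system() pattern remains for audio_player_command (the `play "%s" &` default is visible in the prefs.c part of this patch); whether its argument can be influenced remotely is not shown here, but it deserves the same review as the browser command got. Note also that the error is only written to stderr, which a GUI user is unlikely to see.
```c
void
menu_url_open(GtkAction *action, char *url)
{
  GError *err = NULL;
  char *scheme = g_uri_parse_scheme(url);
  gboolean allowed = scheme != NULL
                     && (strcmp(scheme, "http") == 0 || strcmp(scheme, "https") == 0);

  g_free(scheme);
  if (!allowed) {
    fprintf(stderr, "Refusing to open URL with unsupported scheme: %s\n", url);
    g_free(url);
    return;
  }
  /* ... unchanged: gtk_show_uri call, error reporting and g_free(url) ... */
```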
diff -Nru kildclient-2.11.1/debian/patches/series kildclient-2.11.1/debian/patches/series
--- kildclient-2.11.1/debian/patches/series 1969-12-31 21:00:00.000000000 -0300
+++ kildclient-2.11.1/debian/patches/series 2017-12-16 11:35:16.000000000 -0200
@@ -0,0 +1 @@
+cve-2017-17511.patch