
Bug#861481: marked as done (unblock: weechat/1.6-1+deb9u1)



Your message dated Sat, 29 Apr 2017 16:07:00 +0000
with message-id <f6e28dab-6276-8baf-ff88-b3b25ef3de36@thykier.net>
and subject line Re: Bug#861481: unblock: weechat/1.6-1+deb9u1
has caused the Debian Bug report #861481,
regarding unblock: weechat/1.6-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
861481: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861481
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Disclaimer: please note, not the maintainer here, but Emmanuel is
X-Debbug-CC'ed.

Please unblock package weechat

I guess 1.7-3 as in unstable, fixing CVE-2017-8073, #861121 cannot be
unblocked, since the changes to 1.6-1 are way too much (if yes, though,
that would be great). If not, I propose a targeted fix to fix this CVE:

+weechat (1.6-1+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 29 Apr 2017 16:31:58 +0200

The issue is as well fixed already in stable via a DSA.

unblock weechat/1.6-1+deb9u1

Regards
Salvatore
diff -Nru weechat-1.6/debian/changelog weechat-1.6/debian/changelog
--- weechat-1.6/debian/changelog	2016-10-06 13:55:35.000000000 +0200
+++ weechat-1.6/debian/changelog	2017-04-29 16:31:58.000000000 +0200
@@ -1,3 +1,10 @@
+weechat (1.6-1+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 29 Apr 2017 16:31:58 +0200
+
 weechat (1.6-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru weechat-1.6/debian/patches/02_CVE-2017-8073.patch weechat-1.6/debian/patches/02_CVE-2017-8073.patch
--- weechat-1.6/debian/patches/02_CVE-2017-8073.patch	1970-01-01 01:00:00.000000000 +0100
+++ weechat-1.6/debian/patches/02_CVE-2017-8073.patch	2017-04-29 16:31:58.000000000 +0200
@@ -0,0 +1,27 @@
+Description: irc: fix parsing of DCC filename (CVE-2017-8073)
+Origin: upstream, https://github.com/weechat/weechat/commit/2fb346f25f79e412cf0ed314fdf791763c19b70b
+Bug-Debian: https://bugs.debian.org/861121
+Forwarded: not-needed
+Author: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2017-04-29
+---
+ src/plugins/irc/irc-ctcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/irc/irc-ctcp.c b/src/plugins/irc/irc-ctcp.c
+index e62832b..8afee68 100644
+--- a/src/plugins/irc/irc-ctcp.c
++++ b/src/plugins/irc/irc-ctcp.c
+@@ -512,7 +512,7 @@ irc_ctcp_dcc_filename_without_quotes (const char *filename)
+     int length;
+ 
+     length = strlen (filename);
+-    if (length > 0)
++    if (length > 1)
+     {
+         if ((filename[0] == '\"') && (filename[length - 1] == '\"'))
+             return weechat_strndup (filename + 1, length - 2);
+-- 
+2.1.4
+
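Review bot: the single-character change in the nested hunk (`if (length > 0)` to `if (length > 1)`) is the whole fix and it is correct for the code shown. With `length > 0`, a filename consisting of exactly one `"` character has `filename[0]` and `filename[length - 1]` pointing at the same byte, so both quote checks pass and `weechat_strndup (filename + 1, length - 2)` is called with a length of -1, an invalid size (a huge value if the parameter is unsigned) that reads past the end of the string. Requiring `length > 1` guarantees the two quote tests inspect distinct bytes and `length - 2` is never negative; the shortest accepted input, `""`, now yields an empty string. The DEP-3 header is complete (Origin names the upstream commit, Bug-Debian names #861121) and `Forwarded: not-needed` is appropriate for a backported upstream commit; the trailing `-- ` / `2.1.4` lines are the git format-patch signature and are harmless in a quilt patch.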
diff -Nru weechat-1.6/debian/patches/series weechat-1.6/debian/patches/series
--- weechat-1.6/debian/patches/series	2016-10-06 10:17:33.000000000 +0200
+++ weechat-1.6/debian/patches/series	2017-04-29 16:31:58.000000000 +0200
@@ -1 +1,2 @@
 01_fix_asciidoctor_options.patch
+02_CVE-2017-8073.patch

--- End Message ---
--- Begin Message ---
Salvatore Bonaccorso:
> Control: tags -1 - moreinfo
> 
> Hi,
> 
> On Sat, Apr 29, 2017 at 03:23:00PM +0000, Niels Thykier wrote:
>> Control: tags -1 confirmed moreinfo
>>
>> Salvatore Bonaccorso:
>>> Package: release.debian.org
>>> Severity: normal
>>> User: release.debian.org@packages.debian.org
>>> Usertags: unblock
>>>
>>> Hi
>>>
>>> Disclaimer: please note, not the maintainer here, but Emmanuel is
>>> X-Debbug-CC'ed.
>>>
>>> Please unblock package weechat
>>>
>>> I guess 1.7-3 as in unstable, fixing CVE-2017-8073, #861121 cannot be
>>> unblocked, since the changes to 1.6-1 are way too much (if yes, though,
>>> that would be great). If not, I propose a targeted fix to fix this CVE:
>>>
>>> +weechat (1.6-1+deb9u1) stretch; urgency=medium
>>> +
>>> +  * Non-maintainer upload.
>>> +  * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121)
>>> +
>>> + -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 29 Apr 2017 16:31:58 +0200
>>>
>>> The issue is as well fixed already in stable via a DSA.
>>>
>>> unblock weechat/1.6-1+deb9u1
>>>
>>> Regards
>>> Salvatore
>>>
>>
>> Ack, please go ahead with the tpu upload.
> 
> Thanks, uploaded.
> 
> Salvatore
> 

Approved, thanks.

~Niels

--- End Message ---
