
Bug#850539: stable-pu: irssi



Package: release.debian.org
Severity: high
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

      Hi!

 irssi got some security related updates, and I prepared an update.  I'm
sending the debdiff for it, should be pretty straightforward, it's
mostly the upstream commit fixing the security issues in a patch file,
and I'm going to upload it now so it makes it in time for the point
release.  If anything more is needed please let me know and I can try to
fix that ASAP.

 Enjoy,
Rhonda
-- 
Fühlst du dich mutlos, fass endlich Mut, los      |
Fühlst du dich hilflos, geh raus und hilf, los    | Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los    |
diff -u irssi-0.8.17/debian/changelog irssi-0.8.17/debian/changelog
--- irssi-0.8.17/debian/changelog
+++ irssi-0.8.17/debian/changelog
@@ -1,3 +1,15 @@
+irssi (0.8.17-1+deb8u3) jessie; urgency=low
+
+  * New patch 24security-fixes pulled from upstream commit 6c6c42e3d1b4
+    (besides the one issue in src/fe-text/term-terminfo.c which is 0.8.18
+    onward only), closes: #850403:
+    - CVE-2017-5193: NULL pointer dereference in the nickcmp function
+    - CVE-2017-5194: Use-after-freee when receiving invalid nick message
+    - CVE-2017-5195: Out-of-bounds read in certain incomplete control codes
+  * Set PACKAGE_VERSION for configure as suggested by upstream.
+
+ -- Rhonda D'Vine <rhonda@debian.org>  Sat, 07 Jan 2017 15:54:02 +0100
+
 irssi (0.8.17-1+deb8u2) jessie; urgency=high
 
   * New patch 23fix-buf.pl to fix an information exposure issue involved with
diff -u irssi-0.8.17/debian/patches/series irssi-0.8.17/debian/patches/series
--- irssi-0.8.17/debian/patches/series
+++ irssi-0.8.17/debian/patches/series
@@ -10,0 +11 @@
+24security-fixes
diff -u irssi-0.8.17/debian/rules irssi-0.8.17/debian/rules
--- irssi-0.8.17/debian/rules
+++ irssi-0.8.17/debian/rules
@@ -42,6 +42,8 @@
 	--enable-ipv6 --with-bot --with-proxy --enable-true-color \
 	--with-perl-lib=vendor
 
+VERSION = $(shell dpkg-parsechangelog | grep "^Version:" | cut -d" " -f2)
+
 # enable DANE only on linux, libval doesn't compile on kfreebsd (yet)
 ifneq (,$(findstring linux,$(DEB_HOST_ARCH_OS)))
 	CONFIGURE_SWITCHES += --enable-dane
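Review bot: The new VERSION line at the top of the hunk extracts the version through a grep and cut pipeline where dpkg-parsechangelog can print the field itself, `VERSION := $(shell dpkg-parsechangelog -SVersion)` (the -S option should be present in jessie's dpkg, worth a quick check); that drops two processes and the assumption about the field layout, and `:=` makes the once-evaluated intent explicit, whereas with `=` the shell runs on every reference, harmless here only because it is referenced once. If the pipeline ever yields an empty string, the later configure call silently receives `PACKAGE_VERSION=` with nothing behind it, so a guard such as `ifeq ($(VERSION),)` followed by `$(error could not determine version)` would surface that at build time instead of in the built binary.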
@@ -51,7 +53,7 @@
 	dh_testdir
 	# Add here commands to configure the package.
 	dh_autotools-dev_updateconfig
-	CFLAGS="$(CFLAGS)" ./configure $(CONFIGURE_SWITCHES)
+	CFLAGS="$(CFLAGS)" ./configure $(CONFIGURE_SWITCHES) PACKAGE_VERSION=$(VERSION)
 
 
 build: build-arch build-indep
only in patch2:
unchanged:
--- irssi-0.8.17.orig/debian/patches/24security-fixes
+++ irssi-0.8.17/debian/patches/24security-fixes
@@ -0,0 +1,79 @@
+Author: ailin-nemui	vim:ft=diff:
+Description: CVE-2017-5193 CVE-2017-5194 CVE-2017-5195
+    Upstream commit 6c6c42e3d1b49d90aacc0b67f8540471cae02a1d
+    besides the fix for CVE-2017-5196 which is for 0.8.18 onward
+
+
+--- a/src/fe-common/core/formats.c
++++ b/src/fe-common/core/formats.c
+@@ -68,7 +68,7 @@ static void format_expand_code(const cha
+ 
+ 	if (flags == NULL) {
+ 		/* flags are being ignored - skip the code */
+-		while (**format != ']')
++		while (**format != ']' && **format != '\0')
+ 			(*format)++;
+ 		return;
+ 	}
+@@ -246,6 +246,10 @@ int format_expand_styles(GString *out, c
+ 	case '[':
+ 		/* code */
+ 		format_expand_code(format, out, flags);
++		if ((*format)[0] == '\0')
++			/* oops, reached end prematurely */
++			(*format)--;
++
+ 		break;
+ 	case 'x':
+ 	case 'X':
+@@ -969,6 +973,7 @@ static const char *get_ansi_color(THEME_
+ 			str++;
+ 			for (num2 = 0; i_isdigit(*str); str++)
+ 				num2 = num2*10 + (*str-'0');
++			if (*str == '\0') return start;
+ 
+ 			switch (num2) {
+ 			case 2:
+@@ -986,6 +991,8 @@ static const char *get_ansi_color(THEME_
+ 					for (; i_isdigit(*str); str++)
+ 						num2 = (num2&~0xff) |
+ 							(((num2&0xff) * 10 + (*str-'0'))&0xff);
++
++					if (*str == '\0') return start;
+ 				}
+ 
+ 				if (i == -1) break;
+@@ -1014,6 +1021,7 @@ static const char *get_ansi_color(THEME_
+ 				str++;
+ 				for (num2 = 0; i_isdigit(*str); str++)
+ 					num2 = num2*10 + (*str-'0');
++				if (*str == '\0') return start;
+ 
+ 				if (num == 38) {
+ 					flags &= ~GUI_PRINT_FLAG_COLOR_24_FG;
+--- a/src/irc/core/irc-nicklist.c
++++ b/src/irc/core/irc-nicklist.c
+@@ -338,7 +338,11 @@ static void event_whois_ircop(SERVER_REC
+ static void event_nick_invalid(IRC_SERVER_REC *server, const char *data)
+ {
+ 	if (!server->connected)
+-		server_disconnect((SERVER_REC *) server);
++		/* we used to call server_disconnect but that crashes
++		   irssi because of undefined memory access. instead,
++		   indicate that the connection should be dropped and
++		   let the irc method to the clean-up. */
++		server->connection_lost = server->no_reconnect = TRUE;
+ }
+ 
+ static void event_nick_in_use(IRC_SERVER_REC *server, const char *data)
+--- a/src/irc/core/irc-queries.c
++++ b/src/irc/core/irc-queries.c
+@@ -45,6 +45,8 @@ QUERY_REC *irc_query_find(IRC_SERVER_REC
+ {
+ 	GSList *tmp;
+ 
++	g_return_val_if_fail(nick != NULL, NULL);
++
+ 	for (tmp = server->queries; tmp != NULL; tmp = tmp->next) {
+ 		QUERY_REC *rec = tmp->data;
+ 
