
Bug#885086: marked as done (stretch-pu: package kildclient/3.1.0-1+deb9u1)



Your message dated Sat, 10 Mar 2018 10:57:46 +0000
with message-id <1520679466.2744.57.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.4
has caused the Debian Bug report #885086,
regarding stretch-pu: package kildclient/3.1.0-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
885086: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885086
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

I'd like to upload an update to kildclient to fix
bug #885007 / CVE-2017-17511:
| KildClient 3.1.0 does not validate strings before launching the program
| specified by the BROWSER environment variable, which might allow remote
| attackers to conduct argument-injection attacks via a crafted URL,
| related to prefs.c and worldgui.c.

This issue is of minimal impact, and the security team considered that a DSA is
not necessary, but there is a simple fix that avoids the use of a user-
specified command or $BROWSER, and I'd like to include it in the next point
release. The debdiff is attached.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
diff -Nru kildclient-3.1.0/debian/changelog kildclient-3.1.0/debian/changelog
--- kildclient-3.1.0/debian/changelog	2016-12-04 20:46:22.000000000 -0200
+++ kildclient-3.1.0/debian/changelog	2017-12-23 08:40:07.000000000 -0200
@@ -1,3 +1,10 @@
+kildclient (3.1.0-1+deb9u1) stretch; urgency=low
+
+  * Fix for CVE-2017-17511. New dependency 'gvfs' required in order to use
+    GTK+ function for opening URLs. Closes: #885007
+
+ -- Eduardo M Kalinowski <eduardo@kalinowski.com.br>  Sat, 23 Dec 2017 08:40:07 -0200
+
 kildclient (3.1.0-1) unstable; urgency=low
 
   * New upstream version: 3.1.0.
diff -Nru kildclient-3.1.0/debian/control kildclient-3.1.0/debian/control
--- kildclient-3.1.0/debian/control	2016-12-04 20:46:22.000000000 -0200
+++ kildclient-3.1.0/debian/control	2017-12-17 09:42:44.000000000 -0200
@@ -10,7 +10,7 @@
 
 Package: kildclient
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, libjson-perl
+Depends: ${shlibs:Depends}, ${misc:Depends}, libjson-perl, gvfs
 Suggests: kildclient-doc, libgtk3-perl
 Description: powerful MUD client with a built-in Perl interpreter
  KildClient is a MUD Client written with the GTK+ windowing toolkit.
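Review bot: adding `gvfs` to `Depends:` means every stable upgrade of kildclient pulls in a new package that is needed only for the "Open Link" action. The `menu_url_open` change later in this debdiff already handles a failed open by printing an error, so consider whether `Recommends: gvfs` would be enough, or note in the changelog why the hard dependency is preferred.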
diff -Nru kildclient-3.1.0/debian/NEWS.Debian kildclient-3.1.0/debian/NEWS.Debian
--- kildclient-3.1.0/debian/NEWS.Debian	2016-12-04 20:46:22.000000000 -0200
+++ kildclient-3.1.0/debian/NEWS.Debian	2017-12-17 09:43:58.000000000 -0200
@@ -1,3 +1,10 @@
+kildclient (3.1.0-1+deb9u1) stretch-security; urgency=high
+
+  * The option to define the command used to run a web browser has been
+    removed; the default browser (as selected by gvfs) is now used.
+
+ -- Eduardo M Kalinowski <eduardo@kalinowski.com.br>  Sun, 17 Dec 2017 09:42:23 -0200
+
 kildclient (2.8.1-1) experimental; urgency=low
 
   The HTML manual is now in the package kildclient-doc.
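Review bot: this NEWS entry is headed `stretch-security; urgency=high`, while the debian/changelog entry for the same version says `stretch; urgency=low`. The request is for a point release and not a security upload, so align the distribution and urgency here with the changelog entry.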
diff -Nru kildclient-3.1.0/debian/patches/cve-2017-17511.patch kildclient-3.1.0/debian/patches/cve-2017-17511.patch
--- kildclient-3.1.0/debian/patches/cve-2017-17511.patch	1969-12-31 21:00:00.000000000 -0300
+++ kildclient-3.1.0/debian/patches/cve-2017-17511.patch	2017-12-17 09:56:25.000000000 -0200
@@ -0,0 +1,183 @@
+Description: Fix for CVE-2017-17511
+ Uses a GTK+ function to open URLs, instead of using a command
+ supplied by the user or $BROWSER.
+Author: Eduardo M KALINOWSKI <eduardo@kalinowski.com.br>
+Last-Update: 2017-12-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/doc/C/kildclient.xml
++++ b/doc/C/kildclient.xml
+@@ -1233,20 +1233,16 @@
+   </mediaobject>
+ </figure>
+ 
+-<para>In this section you can configure the command that will be run
+-when you right-click in a URL that appears in the MUD window and
+-select <guilabel>Open Link</guilabel>. The command will be executed,
+-with <literal>%s</literal> replaced with the URL's address. The
+-ampersand (<literal>&amp;</literal>) in the end means that the command
+-is to be executed in the background, so that you can continue using
+-KildClient while browsing the URL.</para>
+-
+-<para>You can also set a command used to play audio files (see <xref
++<para>In this section you can set a command used to play audio files (see <xref
+ linkend="sec_sounds"/>). Enter the command, with <literal>%s</literal>
+ in the place of the file path. The default should work (it uses the
+ SOX program, which is usually installed), but you can use other
+ commands if you use ALSA, ARTS, ESD, JACK, etc.</para>
+ 
++<para>Previously it was also possible to define a command to run a web
++browser. This option has been removed, and the default browser is now
++used instead.</para>
++
+ </sect1>
+ 
+ 
+--- a/src/dlgPreferences.ui
++++ b/src/dlgPreferences.ui
+@@ -521,61 +521,6 @@
+                 <property name="orientation">vertical</property>
+                 <property name="spacing">6</property>
+                 <child>
+-                  <object class="GtkLabel" id="label_browser">
+-                    <property name="can_focus">False</property>
+-                    <property name="label" translatable="yes">&lt;b&gt;Web browser&lt;/b&gt;</property>
+-                    <property name="use_markup">True</property>
+-                    <property name="xalign">0</property>
+-                    <property name="yalign">0</property>
+-                  </object>
+-                  <packing>
+-                    <property name="expand">False</property>
+-                    <property name="fill">True</property>
+-                    <property name="position">0</property>
+-                  </packing>
+-                </child>
+-                <child>
+-                  <object class="GtkBox" id="vbox_int_browser">
+-                    <property name="can_focus">False</property>
+-                    <property name="margin_start">16</property>
+-                    <property name="orientation">vertical</property>
+-                    <property name="spacing">6</property>
+-                    <child>
+-                      <object class="GtkLabel" id="label49">
+-                        <property name="can_focus">False</property>
+-                        <property name="label" translatable="yes">Enter the command to run a _web browser. %s will be substituted by the web page address:</property>
+-                        <property name="use_underline">True</property>
+-                        <property name="wrap">True</property>
+-                        <property name="mnemonic_widget">txtBrowserCommand</property>
+-                        <property name="xalign">0</property>
+-                      </object>
+-                      <packing>
+-                        <property name="expand">False</property>
+-                        <property name="fill">True</property>
+-                        <property name="position">0</property>
+-                      </packing>
+-                    </child>
+-                    <child>
+-                      <object class="GtkEntry" id="txtBrowserCommand">
+-                        <property name="can_focus">True</property>
+-                        <property name="tooltip_text" translatable="yes">Specify the command used to launch a web browser</property>
+-                        <property name="invisible_char">●</property>
+-                        <property name="activates_default">True</property>
+-                      </object>
+-                      <packing>
+-                        <property name="expand">False</property>
+-                        <property name="fill">True</property>
+-                        <property name="position">1</property>
+-                      </packing>
+-                    </child>
+-                  </object>
+-                  <packing>
+-                    <property name="expand">False</property>
+-                    <property name="fill">True</property>
+-                    <property name="position">1</property>
+-                  </packing>
+-                </child>
+-                <child>
+                   <object class="GtkLabel" id="label_player">
+                     <property name="can_focus">False</property>
+                     <property name="margin_top">12</property>
+--- a/src/kildclient.h
++++ b/src/kildclient.h
+@@ -628,7 +628,6 @@
+   GtkPositionType  tab_position;
+   gboolean         hide_single_tab;
+   gboolean         urgency_hint;
+-  char            *browser_command;
+   char            *audio_player_command;
+   char            *last_open_world;
+   gboolean         no_plugin_help_msg;
+--- a/src/prefs.c
++++ b/src/prefs.c
+@@ -92,7 +92,6 @@
+   GObject          *txtProxyUser;
+   GObject          *txtProxyPassword;
+ #ifndef __MINGW32__
+-  GObject          *txtBrowserCommand;
+   GObject          *txtAudioPlayerCommand;
+ #else
+   GtkWidget        *tabPrograms;
+@@ -179,12 +178,6 @@
+ 
+ #ifndef __MINGW32__
+     /* Load commands */
+-    txtBrowserCommand = gtk_builder_get_object(main_builder, "txtBrowserCommand");
+-    gtk_entry_set_text(GTK_ENTRY(txtBrowserCommand),
+-                       globalPrefs.browser_command);
+-    g_signal_connect(txtBrowserCommand, "focus_out_event",
+-                     G_CALLBACK(txt_cmd_focus_out_cb),
+-                     &globalPrefs.browser_command);
+     txtAudioPlayerCommand
+       = gtk_builder_get_object(main_builder, "txtAudioPlayerCommand");
+     gtk_entry_set_text(GTK_ENTRY(txtAudioPlayerCommand),
+@@ -320,9 +313,6 @@
+   }
+ 
+   /* Has the commands been set? */
+-  if (!globalPrefs.browser_command) {
+-    globalPrefs.browser_command = g_strdup("${BROWSER} \"%s\" &");
+-  }
+   if (!globalPrefs.audio_player_command) {
+     globalPrefs.audio_player_command = g_strdup("play \"%s\" &");
+   }
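Review bot: the context lines keep the default `audio_player_command` as `play \"%s\" &`, which is the same `%s`-in-a-shell-command template being removed for the browser. Its call site is not part of this patch, so check whether the substituted file path can carry data received from the MUD server and, if it can, give it the same treatment.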
+@@ -381,8 +371,6 @@
+       globalPrefs.hide_single_tab = atoi(line + pos + 1);
+     } else if (strcmp(first_word, "urgencyhint") == 0) {
+       globalPrefs.urgency_hint = atoi(line + pos + 1);
+-    } else if (strcmp(first_word, "browsercommand") == 0) {
+-      globalPrefs.browser_command = g_strdup(line + pos + 1);
+     } else if (strcmp(first_word, "audioplayercommand") == 0) {
+       globalPrefs.audio_player_command = g_strdup(line + pos + 1);
+     } else if (strcmp(first_word, "lastopenworld") == 0) {
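Review bot: with the `browsercommand` branch removed from this `else if` chain, preference files saved by 3.1.0 still contain a `browsercommand` line (the save routine wrote it until this patch). The fall-through for unrecognised keys is outside the hunk, so confirm that such a line is skipped quietly and never matches a later branch.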
+@@ -469,8 +457,6 @@
+   g_string_append_printf(str, "urgencyhint %d\n", globalPrefs.urgency_hint);
+ 
+   g_string_append_printf(str,
+-                         "browsercommand %s\n", globalPrefs.browser_command);
+-  g_string_append_printf(str,
+                          "audioplayercommand %s\n",
+                          globalPrefs.audio_player_command);
+ 
+--- a/src/worldgui.c
++++ b/src/worldgui.c
+@@ -1154,13 +1154,15 @@
+ void
+ menu_url_open(GtkMenuItem *menu, char *url)
+ {
+-  char *to_run;
++  GError *err = NULL;
+ 
+-  to_run = g_strdup_printf(globalPrefs.browser_command, url);
++  gtk_show_uri(NULL, url, GDK_CURRENT_TIME, &err);
++  if (err != NULL) {
++    fprintf(stderr, "Error opening URL: %s\nCheck if gvfs is installed\n",
++            err->message);
++    g_error_free(err);
++  }
+ 
+-  system(to_run);
+-
+-  g_free(to_run);
+   g_free(url);
+ }
+ #else /* defined __MINGW32__ */
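Review bot: `gtk_show_uri(NULL, url, GDK_CURRENT_TIME, &err)` in `menu_url_open` is handed the URL without any check of its scheme, so whatever handler is registered for that scheme gets launched. Consider accepting only the schemes the link detection is meant to support (for example http and https) before the call. Two smaller points: the error goes only to stderr, which a user who started the client from a desktop menu will not see, and `gtk_show_uri` is deprecated since GTK+ 3.22 in favour of `gtk_show_uri_on_window`.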
diff -Nru kildclient-3.1.0/debian/patches/series kildclient-3.1.0/debian/patches/series
--- kildclient-3.1.0/debian/patches/series	1969-12-31 21:00:00.000000000 -0300
+++ kildclient-3.1.0/debian/patches/series	2017-12-17 09:48:01.000000000 -0200
@@ -0,0 +1 @@
+cve-2017-17511.patch

--- End Message ---
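The request above replaces a shell command template with a toolkit call. As a complementary check, this added example (not taken from KildClient or from the debdiff) validates a URL before it is handed to any opener; the names `url_is_safe_to_open` and `URL_MAX_LEN` are hypothetical and the inputs in `main` are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define URL_MAX_LEN 2048  /* assumed limit for this example */

/* Case-insensitive: url begins with prefix and something follows it. */
static int starts_with_nocase(const char *url, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != '\0'; i++) {
        if (tolower((unsigned char)url[i]) != prefix[i])
            return 0;            /* also stops at the end of a short url */
    }
    return url[i] != '\0';
}

/* Returns 1 if url may be passed to a URL opener, 0 otherwise.
 * Only http/https are accepted and every byte must belong to the
 * RFC 3986 character set, which rejects spaces, quotes, backslashes,
 * backticks, control bytes and non-ASCII bytes. Characters such as
 * '$', '&' and ';' are legal in URLs and pass, so this check does not
 * make a URL safe to interpolate into a shell command line. */
int url_is_safe_to_open(const char *url)
{
    static const char punct[] = "-._~:/?#[]@!$&'()*+,;=%";
    size_t len, i;

    if (url == NULL || (len = strlen(url)) > URL_MAX_LEN)
        return 0;
    if (!starts_with_nocase(url, "http://") &&
        !starts_with_nocase(url, "https://"))
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c < 0x80 && (isalnum(c) || strchr(punct, c) != NULL))
            continue;
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs. */
    printf("%d\n", url_is_safe_to_open("https://example.org/a?x=1&y=2"));
    printf("%d\n", url_is_safe_to_open("http://example.org/\" --flag \""));
    return 0;
}
```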
--- Begin Message ---
Version: 9.4

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
