Bug#989190: unblock: scrollz/2.2.3-2
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal
Please unblock package scrollz
This upload fixes a grave bug (#986215) by applying a patch from an
upstream PR targeting that specific issue. I've received exploit code
from upstream and tested that it is able to crash 2.2.3-1 but not 2.2.3-2.
unblock scrollz/2.2.3-2
diff -Nru scrollz-2.2.3/debian/changelog scrollz-2.2.3/debian/changelog
--- scrollz-2.2.3/debian/changelog 2014-11-05 17:37:01.000000000 -0700
+++ scrollz-2.2.3/debian/changelog 2021-04-29 17:55:12.000000000 -0600
@@ -1,3 +1,11 @@
+scrollz (2.2.3-2) UNRELEASED; urgency=medium
+
+ * Applied patch to ctcp.c to fix CVE-2021-29376 from
+ https://github.com/ScrollZ/ScrollZ/pull/26
+ * Applied minor patch from upstream to the above fix
+
+ -- Mike Markley <mike@markley.org> Thu, 29 Apr 2021 17:55:12 -0600
+
scrollz (2.2.3-1) unstable; urgency=low
* New release.
diff -Nru scrollz-2.2.3/debian/patches/CVE-2021-29376.patch scrollz-2.2.3/debian/patches/CVE-2021-29376.patch
--- scrollz-2.2.3/debian/patches/CVE-2021-29376.patch 1969-12-31 17:00:00.000000000 -0700
+++ scrollz-2.2.3/debian/patches/CVE-2021-29376.patch 2021-04-29 12:51:47.000000000 -0600
@@ -0,0 +1,46 @@
+diff --git a/source/ctcp.c b/source/ctcp.c
+index b977f9b..32a496a 100644
+--- a/source/ctcp.c
++++ b/source/ctcp.c
+@@ -31,7 +31,7 @@
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+- * $Id: ctcp.c,v 1.56 2009-12-21 14:39:21 f Exp $
++ * $Id: ctcp.c,v 1.56 2021-04-26 19:57:28 t Exp $
+ */
+
+ #include "irc.h"
+@@ -1629,14 +1629,29 @@ do_utc(ctcp, from, to, args)
+ *to,
+ *args;
+ {
+- time_t tm;
++ time_t tm = time(NULL),
++ curtime = time(NULL);
+ char *date = NULL;
+
+ if (!args || !*args)
+ return NULL;
+ tm = atol(args);
+- malloc_strcpy(&date, ctime(&tm));
+- date[strlen(date)-1] = '\0';
++ curtime = ctime(&tm);
++
++ if (curtime)
++ {
++ u_char *s = index(curtime, '\n');
++ if (s)
++ {
++ *s = '\0';
++ }
++ malloc_strcpy(&date, UP(curtime));
++ }
++ else
++ {
++ /* if we can't find a time, just return the number */
++ malloc_strcpy(&date, args);
++ }
+ return date;
+ }
+
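Review bot: `curtime` is declared as a `time_t` (it shares the declarator list with `tm` in `time_t tm = time(NULL), curtime = time(NULL);`) but is assigned the `char *` returned by `ctime(&tm)` and then handed to `index()` as a string, so the pointer is round-tripped through an integer type and only compiles with pointer/integer conversion diagnostics; the follow-up hunk in CVE-2021-29376-update.patch (`@@ -1630,7 +1630,7 @@`) drops the redundant initializer but keeps the wrong type. The declaration should read `time_t tm;` followed by `char *curtime;`, which makes both the `index(curtime, '\n')` call and the `UP(curtime)` cast type-correct and keeps the fix portable to targets where `time_t` and pointers differ in width (`tm` is always assigned from `atol(args)` before use, so its `time(NULL)` initializer is dead). The NULL check on `ctime()` is the substance of the fix and is correct; `u_char *s = index(curtime, '\n');` mixes `char *` and `u_char *` in the same way and `char *s` would avoid that second warning. Because `ctime()` hands back a pointer to static storage, the in-place `*s = '\0'` deserves a one-line comment such as `/* ctime() returns a static buffer; strip its trailing newline in place before copying */`. The `do_utc` definition begins above this hunk.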
diff -Nru scrollz-2.2.3/debian/patches/CVE-2021-29376-update.patch scrollz-2.2.3/debian/patches/CVE-2021-29376-update.patch
--- scrollz-2.2.3/debian/patches/CVE-2021-29376-update.patch 1969-12-31 17:00:00.000000000 -0700
+++ scrollz-2.2.3/debian/patches/CVE-2021-29376-update.patch 2021-04-29 17:55:12.000000000 -0600
@@ -0,0 +1,13 @@
+diff --git a/source/ctcp.c b/source/ctcp.c
+index 32a496a..2b661bd 100644
+--- a/source/ctcp.c
++++ b/source/ctcp.c
+@@ -1630,7 +1630,7 @@ do_utc(ctcp, from, to, args)
+ *args;
+ {
+ time_t tm = time(NULL),
+- curtime = time(NULL);
++ curtime;
+ char *date = NULL;
+
+ if (!args || !*args)
diff -Nru scrollz-2.2.3/debian/patches/series scrollz-2.2.3/debian/patches/series
--- scrollz-2.2.3/debian/patches/series 2014-10-22 16:08:28.000000000 -0600
+++ scrollz-2.2.3/debian/patches/series 2021-04-29 17:55:12.000000000 -0600
@@ -4,3 +4,5 @@
spelling-errors.patch
rijndael-prototypes.patch
sys-stat-h.patch
+CVE-2021-29376.patch
+CVE-2021-29376-update.patch