Bug#989273: unblock: ircii/20210314+really20190117-1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#989273: unblock: ircii/20210314+really20190117-1
From: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
Date: Sun, 30 May 2021 23:43:03 +0200
Message-id: <[🔎] 162241098358.721757.15678175038777269140.reportbug@desktop.bs-production.no>
Reply-to: Håvard Flaget Aasen <haavard_aasen@yahoo.no>, 989273@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: haavard_aasen@yahoo.no

Please unblock package ircii

I reverted all changes made for the current 20210314 release and added a
patch to fix CVE-2020-29376 which also Closes: #986214

The patch has been sourced from upstream, and is also approved for buster.

[ Reason ]
fix denial of service issue [CVE-2021-29376]

[ Impact ]
The CVE's description is:
allows remote attackers to cause a denial of service (segmentation
fault and client crash, disconnecting the victim from an IRC server)
via a crafted CTCP UTC message.

[ Tests ]
I did test these changes and can confirm that this patch fix
CVE-2021-29376

[ Risks ]
Minimal.
The code is taken from upstream.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
No

unblock ircii/20210314+really20190117-1


Håvard

diff -Nru ircii-20190117/debian/changelog ircii-20210314+really20190117/debian/changelog
--- ircii-20190117/debian/changelog	2019-02-21 05:35:56.000000000 +0100
+++ ircii-20210314+really20190117/debian/changelog	2021-05-30 22:39:28.000000000 +0200
@@ -1,3 +1,38 @@
+ircii (20210314+really20190117-1) unstable; urgency=medium
+
+  * QA upload.
+  * Revert to previous release, because of freeze.
+  * Add patch to Fix CVE-2021-29376 Closes: #986214
+
+ -- Håvard Flaget Aasen <haavard_aasen@yahoo.no>  Sun, 30 May 2021 22:39:28 +0200
+
+ircii (20210314-1) unstable; urgency=medium
+
+  * QA Upload.
+  [ Debian Janitor ]
+  * Set debhelper-compat version in Build-Depends.
+  * Changes Urgency by urgency in changelog file.
+
+  * New upstream release.
+    Fix (CVE-2021-29376). (Closes: #986214).
+  * debian/control
+    + Bump Standards-Version to 4.5.1. (no changes).
+    + Bump Debhelper-compat to 13.
+    + Add Rules-Requires-Root: no.
+  * debian/patches
+    + Refresh:
+      + 0008-fix-spelling-error.diff
+      + 0003-Add-ioption-to-local-include-paths-so-they-do-not-co.patch
+      + 0004-absolute-path-for-motd-and-servers-file-and-other-de.patch
+      + 0006-fix-some-spelling-errors.patch
+  * debian/rules
+    + Remove --as-needed linker flag.
+  * debian/watch
+    + Update to version 4.
+  * Update copyright file.
+
+ -- Daniel Echeverri <epsilon@debian.org>  Sun, 11 Apr 2021 11:19:42 -0500
+
 ircii (20190117-1) unstable; urgency=medium
 
   * QA upload.
diff -Nru ircii-20190117/debian/patches/0009-Fix-CVE-2021-29376.patch ircii-20210314+really20190117/debian/patches/0009-Fix-CVE-2021-29376.patch
--- ircii-20190117/debian/patches/0009-Fix-CVE-2021-29376.patch	1970-01-01 01:00:00.000000000 +0100
+++ ircii-20210314+really20190117/debian/patches/0009-Fix-CVE-2021-29376.patch	2021-05-30 22:39:28.000000000 +0200
@@ -0,0 +1,44 @@
+From: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
+Date: Thu, 13 May 2021 21:39:51 +0200
+Subject: Fix CVE-2021-29376
+
+CVE-2021-29376 allows remote attackers to cause a denial of service
+(segmentation fault and client crash, disconnecting the victim from an IRC
+server) via a crafted CTCP UTC message.
+
+Bug-Debian: https://bugs.debian.org/#986214
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-29376
+---
+ source/ctcp.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/source/ctcp.c b/source/ctcp.c
+index 1a714c6..c5ddde0 100644
+--- a/source/ctcp.c
++++ b/source/ctcp.c
+@@ -536,12 +536,23 @@ do_utc(CtcpEntry *ctcp, u_char *from, u_char *to, u_char *args)
+ {
+ 	time_t	tm;
+ 	u_char	*date = NULL;
++	char	*curtime;
+ 
+ 	if (!args || !*args)
+ 		return NULL;
+ 	tm = my_atol(args);
+-	malloc_strcpy(&date, UP(ctime(&tm)));
+-	date[my_strlen(date)-1] = '\0';
++	curtime = ctime(&tm);
++	if (curtime)
++	{
++		u_char *s = my_index(curtime, '\n');
++		if (s)
++			*s = '\0';
++
++		malloc_strcpy(&date, UP(curtime));
++	}
++	else
++		/* if we can't find a time, just return the number */
++		malloc_strcpy(&date, args);
+ 	return date;
+ }
+ 
diff -Nru ircii-20190117/debian/patches/series ircii-20210314+really20190117/debian/patches/series
--- ircii-20190117/debian/patches/series	2019-02-20 03:07:03.000000000 +0100
+++ ircii-20210314+really20190117/debian/patches/series	2021-05-30 22:39:28.000000000 +0200
@@ -3,3 +3,4 @@
 0003-Add-ioption-to-local-include-paths-so-they-do-not-co.patch
 0004-absolute-path-for-motd-and-servers-file-and-other-de.patch
 0006-fix-some-spelling-errors.patch
+0009-Fix-CVE-2021-29376.patch

Reply to:

Follow-Ups:
- Processed: Re: Bug#989273: unblock: ircii/20210314+really20190117-1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#989273: unblock: ircii/20210314+really20190117-1
  - From: Sebastian Ramacher <sramacher@debian.org>

Prev by Date: NEW changes in stable-new
Next by Date: NEW changes in stable-new
Previous by thread: Processed: tnef 1.4.12-1.2+deb10u1 flagged for acceptance
Next by thread: Processed: Re: Bug#989273: unblock: ircii/20210314+really20190117-1
Index(es):
- Date
- Thread