Control: tags -1 confirmed moreinfo
On 2021-05-30 23:43:03 +0200, Håvard Flaget Aasen wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: haavard_aasen@yahoo.no
>
> Please unblock package ircii
>
> I reverted all changes made for the current 20210314 release and added a
> patch to fix CVE-2020-29376 which also Closes: #986214
>
> The patch has been sourced from upstream, and is also approved for buster.
>
> [ Reason ]
> fix denial of service issue [CVE-2021-29376]
>
> [ Impact ]
> The CVE's description is:
> allows remote attackers to cause a denial of service (segmentation
> fault and client crash, disconnecting the victim from an IRC server)
> via a crafted CTCP UTC message.
>
> [ Tests ]
> I did test these changes and can confirm that this patch fixes
> CVE-2021-29376
>
> [ Risks ]
> Minimal.
> The code is taken from upstream.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
> No
>
> unblock ircii/20210314+really20190117-1
Please remove the moreinfo tag once the new version is available in
unstable.
Cheers
>
>
> Håvard
> diff -Nru ircii-20190117/debian/changelog ircii-20210314+really20190117/debian/changelog
> --- ircii-20190117/debian/changelog 2019-02-21 05:35:56.000000000 +0100
> +++ ircii-20210314+really20190117/debian/changelog 2021-05-30 22:39:28.000000000 +0200
> @@ -1,3 +1,38 @@
> +ircii (20210314+really20190117-1) unstable; urgency=medium
> +
> + * QA upload.
> + * Revert to previous release, because of freeze.
> + * Add patch to Fix CVE-2021-29376 Closes: #986214
> +
> + -- Håvard Flaget Aasen <haavard_aasen@yahoo.no> Sun, 30 May 2021 22:39:28 +0200
> +
> +ircii (20210314-1) unstable; urgency=medium
> +
> + * QA Upload.
> + [ Debian Janitor ]
> + * Set debhelper-compat version in Build-Depends.
> + * Changes Urgency by urgency in changelog file.
> +
> + * New upstream release.
> + Fix (CVE-2021-29376). (Closes: #986214).
> + * debian/control
> + + Bump Standards-Version to 4.5.1. (no changes).
> + + Bump Debhelper-compat to 13.
> + + Add Rules-Requires-Root: no.
> + * debian/patches
> + + Refresh:
> + + 0008-fix-spelling-error.diff
> + + 0003-Add-ioption-to-local-include-paths-so-they-do-not-co.patch
> + + 0004-absolute-path-for-motd-and-servers-file-and-other-de.patch
> + + 0006-fix-some-spelling-errors.patch
> + * debian/rules
> + + Remove --as-needed linker flag.
> + * debian/watch
> + + Update to version 4.
> + * Update copyright file.
> +
> + -- Daniel Echeverri <epsilon@debian.org> Sun, 11 Apr 2021 11:19:42 -0500
> +
> ircii (20190117-1) unstable; urgency=medium
>
> * QA upload.
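Review bot: the top entry's "Revert to previous release, because of freeze." does not say what is being reverted. The 20210314-1 entry below it lists packaging changes (debhelper compat 13, Standards-Version 4.5.1, Rules-Requires-Root: no, watch version 4, refreshed patches) alongside the new upstream release, so the line should state that both the upstream source and those packaging changes are back at the 20190117-1 state. Writing the bug closure as "(Closes: #986214)" would also match the form used in the 20210314-1 entry.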
> diff -Nru ircii-20190117/debian/patches/0009-Fix-CVE-2021-29376.patch ircii-20210314+really20190117/debian/patches/0009-Fix-CVE-2021-29376.patch
> --- ircii-20190117/debian/patches/0009-Fix-CVE-2021-29376.patch 1970-01-01 01:00:00.000000000 +0100
> +++ ircii-20210314+really20190117/debian/patches/0009-Fix-CVE-2021-29376.patch 2021-05-30 22:39:28.000000000 +0200
> @@ -0,0 +1,44 @@
> +From: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
> +Date: Thu, 13 May 2021 21:39:51 +0200
> +Subject: Fix CVE-2021-29376
> +
> +CVE-2021-29376 allows remote attackers to cause a denial of service
> +(segmentation fault and client crash, disconnecting the victim from an IRC
> +server) via a crafted CTCP UTC message.
> +
> +Bug-Debian: https://bugs.debian.org/#986214
> +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-29376
> +---
> + source/ctcp.c | 15 +++++++++++++--
> + 1 file changed, 13 insertions(+), 2 deletions(-)
> +
> +diff --git a/source/ctcp.c b/source/ctcp.c
> +index 1a714c6..c5ddde0 100644
> +--- a/source/ctcp.c
> ++++ b/source/ctcp.c
> +@@ -536,12 +536,23 @@ do_utc(CtcpEntry *ctcp, u_char *from, u_char *to, u_char *args)
> + {
> + time_t tm;
> + u_char *date = NULL;
> ++ char *curtime;
> +
> + if (!args || !*args)
> + return NULL;
> + tm = my_atol(args);
> +- malloc_strcpy(&date, UP(ctime(&tm)));
> +- date[my_strlen(date)-1] = '\0';
> ++ curtime = ctime(&tm);
> ++ if (curtime)
> ++ {
> ++ u_char *s = my_index(curtime, '\n');
> ++ if (s)
> ++ *s = '\0';
> ++
> ++ malloc_strcpy(&date, UP(curtime));
> ++ }
> ++ else
> ++ /* if we can't find a time, just return the number */
> ++ malloc_strcpy(&date, args);
> + return date;
> + }
> +
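Review bot: the first Bug-Debian line in the patch header reads "https://bugs.debian.org/#986214"; with the "#" in place the bug number becomes a URL fragment, so it should be "https://bugs.debian.org/986214". The header also has no Origin: field although the request says the code is taken from upstream, and naming the upstream commit or release there would let a reviewer compare the two. In the do_utc hunk, curtime is declared "char *" but is passed to my_index and its result assigned to "u_char *s" without the UP() cast that the malloc_strcpy line just below applies; using the cast in both places would keep the pointer types consistent.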
> diff -Nru ircii-20190117/debian/patches/series ircii-20210314+really20190117/debian/patches/series
> --- ircii-20190117/debian/patches/series 2019-02-20 03:07:03.000000000 +0100
> +++ ircii-20210314+really20190117/debian/patches/series 2021-05-30 22:39:28.000000000 +0200
> @@ -3,3 +3,4 @@
> 0003-Add-ioption-to-local-include-paths-so-they-do-not-co.patch
> 0004-absolute-path-for-motd-and-servers-file-and-other-de.patch
> 0006-fix-some-spelling-errors.patch
> +0009-Fix-CVE-2021-29376.patch
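Review bot: the new series entry is numbered 0009 directly after 0006, and the 20210314-1 changelog entry mentions refreshing 0008-fix-spelling-error.diff, which does not appear in the context lines here. If 0008 exists only in the reverted 20210314 packaging, a short remark in the changelog or the patch header about the gap in numbering would save the next uploader from looking for missing patches.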
--
Sebastian Ramacher