
Bug#991641: buster-pu: package irssi/1.2.0-2



Package: release.debian.org
Severity: important
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
This update fixes CVE-2019-13045 for buster by pulling in the upstream
commit that is included in newer versions of the package.

[ Impact ]
May affect the stability of Irssi. SASL logins may fail, especially
during (manual and automated) reconnect.

[ Tests ]
It is the fix that got applied in other distributions and has been used by
lots of folks for quite a while now.

[ Risks ]
The changes are quite straightforward.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
It's just the upstream patch pulled in.

 So long,
Rhonda
-- 
Fühlst du dich mutlos, fass endlich Mut, los      |
Fühlst du dich hilflos, geh raus und hilf, los    | Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los    |
diff -Nru irssi-1.2.0/debian/changelog irssi-1.2.0/debian/changelog
--- irssi-1.2.0/debian/changelog	2019-02-12 21:59:00.000000000 +0100
+++ irssi-1.2.0/debian/changelog	2021-07-29 14:11:39.000000000 +0200
@@ -1,3 +1,9 @@
+irssi (1.2.0-2+deb10u1) buster; urgency=medium
+
+  * Import upstream security fix for CVE-2019-13045 (closes: #931264)
+
+ -- Rhonda D'Vine <rhonda@debian.org>  Thu, 29 Jul 2021 14:11:39 +0200
+
 irssi (1.2.0-2) unstable; urgency=medium
 
   [ Rhonda D'Vine ]
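
Review bot: The new 1.2.0-2+deb10u1 entry names the CVE and the bug it closes but not the patch file that carries the fix. Consider mentioning debian/patches/98copy-sasl-username-and-password-values in the bullet so the changelog line can be matched to the file this upload adds.
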
diff -Nru irssi-1.2.0/debian/patches/98copy-sasl-username-and-password-values irssi-1.2.0/debian/patches/98copy-sasl-username-and-password-values
--- irssi-1.2.0/debian/patches/98copy-sasl-username-and-password-values	1970-01-01 01:00:00.000000000 +0100
+++ irssi-1.2.0/debian/patches/98copy-sasl-username-and-password-values	2021-07-29 14:11:39.000000000 +0200
@@ -0,0 +1,41 @@
+Description: copy sasl username and password values
+Origin: Upstream, https://github.com/irssi/irssi/pull/1058
+Author: ailin-nemui
+
+--- a/src/irc/core/irc-core.c
++++ b/src/irc/core/irc-core.c
+@@ -75,6 +75,8 @@
+ 
+ 	g_free_not_null(ircconn->usermode);
+ 	g_free_not_null(ircconn->alternate_nick);
++	g_free_not_null(ircconn->sasl_username);
++	g_free_not_null(ircconn->sasl_password);
+ }
+ 
+ void irc_core_init(void)
+--- a/src/irc/core/irc-servers-reconnect.c
++++ b/src/irc/core/irc-servers-reconnect.c
+@@ -49,8 +49,8 @@
+ 	rec->usermode = g_strdup(src->usermode);
+ 	rec->alternate_nick = g_strdup(src->alternate_nick);
+ 	rec->sasl_mechanism = src->sasl_mechanism;
+-	rec->sasl_username = src->sasl_username;
+-	rec->sasl_password = src->sasl_password;
++	rec->sasl_username = g_strdup(src->sasl_username);
++	rec->sasl_password = g_strdup(src->sasl_password);
+ 	*dest = (SERVER_CONNECT_REC *) rec;
+ }
+ 
+--- a/src/irc/core/irc-servers-setup.c
++++ b/src/irc/core/irc-servers-setup.c
+@@ -101,8 +101,8 @@
+ 			conn->sasl_mechanism = SASL_MECHANISM_PLAIN;
+ 			if (ircnet->sasl_username != NULL && *ircnet->sasl_username &&
+ 			    ircnet->sasl_password != NULL && *ircnet->sasl_password) {
+-				conn->sasl_username = ircnet->sasl_username;
+-				conn->sasl_password = ircnet->sasl_password;
++				conn->sasl_username = g_strdup(ircnet->sasl_username);
++				conn->sasl_password = g_strdup(ircnet->sasl_password);
+ 			} else
+ 				g_warning("The fields sasl_username and sasl_password are either missing or empty");
+ 		}
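
Review bot: The g_free_not_null() calls added for ircconn->sasl_username and ircconn->sasl_password in irc-core.c are only safe if every place that sets those two fields stores its own copy. The two assignment sites visible here, in irc-servers-reconnect.c and irc-servers-setup.c, now use g_strdup(), but any other site in the 1.2.0 tree that still assigns a borrowed pointer would make the new frees release memory the connection record does not own. It is worth recording in the patch description that the tree was checked for remaining plain assignments to these fields. The DEP-3 header would also benefit from a Bug-Debian line for #931264 and a mention of CVE-2019-13045, since the Description line alone does not say this is a security fix.
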
diff -Nru irssi-1.2.0/debian/patches/series irssi-1.2.0/debian/patches/series
--- irssi-1.2.0/debian/patches/series	2019-02-12 21:59:00.000000000 +0100
+++ irssi-1.2.0/debian/patches/series	2021-07-29 14:11:39.000000000 +0200
@@ -1,3 +1,4 @@
+98copy-sasl-username-and-password-values
 01chanmode_expando_strip
 02ctcp_version_reply
 03firsttimer_text
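
Review bot: The new patch is inserted as the first line of debian/patches/series, ahead of 01chanmode_expando_strip, although its 98 prefix suggests it belongs at the end. Patches are applied in series order, so as written it is applied before all existing ones. Either append it after the last existing entry or note that the top position is deliberate.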
