Bug#988492: buster-pu: package ircii/20190117-1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: haavard_aasen@yahoo.no
This is a release to fix CVE-2021-29376, which is also Debian bug #986214. [0]
The change has been taken from the upstream version 20210314 which is
known to work. It is also similar to the commit the scrollz package has. [1]
[ Reason ]
Fix: CVE-2021-29376 and Closes: #986214
[ Impact ]
The CVE's description is:
allows remote attackers to cause a denial of service (segmentation
fault and client crash, disconnecting the victim from an IRC server)
via a crafted CTCP UTC message.
[ Tests ]
I tested this manually by sending a crafted CTCP message. The current
version crashed, while the new version printed out the wrongly
formatted string.
[ Risks ]
Minimal.
The code is taken from upstream.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Added a patch to fix CVE-2021-29376
Håvard
[0] https://bugs.debian.org/#986214
[1] https://github.com/ScrollZ/ScrollZ/pull/26