Bug#1004247: bullseye-pu: package weechat/3.0-1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Emmanuel Bouthenot <kolter@debian.org>, team@security.debian.org
* CVE-2021-40516: A crafted WebSocket frame could result in a crash
in the Relay plugin. (Closes: #993803)
diff -Nru weechat-3.0/debian/changelog weechat-3.0/debian/changelog
--- weechat-3.0/debian/changelog 2020-11-21 09:34:12.000000000 +0200
+++ weechat-3.0/debian/changelog 2022-01-23 16:29:14.000000000 +0200
@@ -1,3 +1,11 @@
+weechat (3.0-1+deb11u1) bullseye; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2021-40516: A crafted WebSocket frame could result in a crash
+ in the Relay plugin. (Closes: #993803)
+
+ -- Adrian Bunk <bunk@debian.org> Sun, 23 Jan 2022 16:29:14 +0200
+
weechat (3.0-1) unstable; urgency=medium
* New upstream release
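Review bot: The new changelog entry names the CVE and the bug it closes but not the file that carries the fix. Adding the patch name (debian/patches/0001-relay-fix-crash-when-decoding-a-malformed-websocket-.patch) or the upstream commit ede4582879f31cc29be54fdcdf8bc168dc7ea6e3 to the entry would let the release team match the upload to the upstream change without opening the debdiff.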
diff -Nru weechat-3.0/debian/patches/0001-relay-fix-crash-when-decoding-a-malformed-websocket-.patch weechat-3.0/debian/patches/0001-relay-fix-crash-when-decoding-a-malformed-websocket-.patch
--- weechat-3.0/debian/patches/0001-relay-fix-crash-when-decoding-a-malformed-websocket-.patch 1970-01-01 02:00:00.000000000 +0200
+++ weechat-3.0/debian/patches/0001-relay-fix-crash-when-decoding-a-malformed-websocket-.patch 2022-01-23 16:29:14.000000000 +0200
@@ -0,0 +1,64 @@
+From ede4582879f31cc29be54fdcdf8bc168dc7ea6e3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= <flashcode@flashtux.org>
+Date: Sat, 4 Sep 2021 23:09:19 +0200
+Subject: relay: fix crash when decoding a malformed websocket frame
+
+---
+ src/plugins/relay/relay-websocket.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/src/plugins/relay/relay-websocket.c b/src/plugins/relay/relay-websocket.c
+index e3b768d0a..789f67e20 100644
+--- a/src/plugins/relay/relay-websocket.c
++++ b/src/plugins/relay/relay-websocket.c
+@@ -278,7 +278,7 @@ relay_websocket_decode_frame (const unsigned char *buffer,
+ index_buffer = 0;
+
+ /* loop to decode all frames in message */
+- while (index_buffer + 2 <= buffer_length)
++ while (index_buffer + 1 < buffer_length)
+ {
+ opcode = buffer[index_buffer] & 15;
+
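Review bot: The rewritten `while` condition in this hunk is not a behavioural fix: for integer operands, `index_buffer + 1 < buffer_length` admits the same values as `index_buffer + 2 <= buffer_length` (wraparound aside). The bounds checking that addresses the crash comes from the later hunks, so it is worth saying in the patch description that this line is cosmetic, so that reviewers of the stable update do not look for the fix here.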
+@@ -293,10 +293,12 @@ relay_websocket_decode_frame (const unsigned char *buffer,
+ length_frame_size = 1;
+ length_frame = buffer[index_buffer + 1] & 127;
+ index_buffer += 2;
++ if (index_buffer >= buffer_length)
++ return 0;
+ if ((length_frame == 126) || (length_frame == 127))
+ {
+ length_frame_size = (length_frame == 126) ? 2 : 8;
+- if (buffer_length < 1 + length_frame_size)
++ if (index_buffer + length_frame_size > buffer_length)
+ return 0;
+ length_frame = 0;
+ for (i = 0; i < length_frame_size; i++)
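Review bot: The added `if (index_buffer >= buffer_length) return 0;` after `index_buffer += 2` duplicates checks that follow it. With an extended length, the `index_buffer + length_frame_size > buffer_length` test in this hunk already fails, and with a short length the `index_buffer + 4 > buffer_length` test before the mask read fails. It is harmless as defence in depth, but a one-line comment saying that a frame ending right after its two header bytes is rejected would make the intent clear. The substantive change here is the replacement of `buffer_length < 1 + length_frame_size`, which did not take `index_buffer` into account.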
+@@ -306,10 +308,9 @@ relay_websocket_decode_frame (const unsigned char *buffer,
+ index_buffer += length_frame_size;
+ }
+
+- if (buffer_length < 1 + length_frame_size + 4 + length_frame)
+- return 0;
+-
+ /* read masks (4 bytes) */
++ if (index_buffer + 4 > buffer_length)
++ return 0;
+ int masks[4];
+ for (i = 0; i < 4; i++)
+ {
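Review bot: The new mask check sits between the `/* read masks (4 bytes) */` comment and the `int masks[4];` declaration, so the comment now heads the bounds check and the declaration follows a statement. Moving the check above the comment, or giving it its own comment, would make clear which read the 4 refers to. Removing the combined `1 + length_frame_size + 4 + length_frame` test also means the payload length is no longer validated at this point; that now depends entirely on the check added in the final hunk.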
+@@ -333,6 +334,11 @@ relay_websocket_decode_frame (const unsigned char *buffer,
+ *decoded_length += 1;
+
+ /* decode data using masks */
++ if ((length_frame > buffer_length)
++ || (index_buffer + length_frame > buffer_length))
++ {
++ return 0;
++ }
+ for (i = 0; i < length_frame; i++)
+ {
+ decoded[*decoded_length + i] = (int)((unsigned char)buffer[index_buffer + i]) ^ masks[i % 4];
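Review bot: The payload bounds check is placed after `*decoded_length += 1;`, so when it returns 0 the caller's `*decoded_length` has already been advanced for a frame that was rejected. Either move the check ahead of that increment or confirm that callers ignore `*decoded_length` on a 0 return. The `length_frame > buffer_length` half of the condition looks like a guard against `index_buffer + length_frame` wrapping for a very large declared length; a short comment saying so would stop someone later removing it as redundant.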
+--
+2.20.1
+
diff -Nru weechat-3.0/debian/patches/series weechat-3.0/debian/patches/series
--- weechat-3.0/debian/patches/series 2020-04-04 12:31:17.000000000 +0300
+++ weechat-3.0/debian/patches/series 2022-01-23 16:29:14.000000000 +0200
@@ -1 +1,2 @@
01_fix_asciidoctor_options.patch
+0001-relay-fix-crash-when-decoding-a-malformed-websocket-.patch