Package: irssi-plugin-xmpp
Version: 0.52-1
Severity: important

If a user in the roster has a description which only consists of a single space character, irssi-xmpp will segfault.
This is caused by faulty code in the stroneline-function in file src/fe-common/fe-rosters.c. The code of that function is severely broken and can cause memory corruption in the circumstances mentioned (and maybe more). See my report with explanation and patch here: http://cybione.org/lists/irssi-xmpp-list/msg00118.html

The upstream author proposed a slightly different with broken code again (inappropriate use of memcpy) and has not changed the code in CVS in any way since then.

This MIGHT be a security problem as this might be somehow exploited, so a severity of grave MIGHT be warranted. I have set it to important for now.

So I propose to include the attached patch to the Debian version of irssi-xmpp and try to get it into the next release still.

Regards
Michael

--- irssi-plugin-xmpp-0.52.orig/src/fe-common/fe-rosters.c +++ irssi-plugin-xmpp-0.52/src/fe-common/fe-rosters.c @@ -40,16 +40,15 @@ stroneline(char *s) if (isspace(*p1)) { *p1 = ' '; p2 = p1; - spaces = 0; - while (*(p2++) != '\0' && isspace(*p2)) - ++spaces; - if (spaces > 0) { - len = strlen(p1); - for (i = 0; i < len-spaces+1; ++i) - p1[i-spaces] = p1[i]; - } - } - } + + while (*p2 != '\0' && isspace(*p2)) p2++; + spaces = p2-p1; + + if ( spaces > 1 ) + memmove(p1, p1+spaces-1, strlen(p1)-spaces+2); + } + + } } static gboolean
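
Review bot: in the new `if ( spaces > 1 )` branch, the memmove source is `p1+spaces-1`, the last whitespace character of the run, and it lands on p1, so it overwrites the ' ' stored by `*p1 = ' ';` just above. A run that ends in a tab or newline therefore leaves that character at p1 instead of a space. Keeping the stored space and moving only the tail, for example `memmove(p1+1, p2, strlen(p2)+1);`, avoids this and makes the byte count easier to check (the current length, `strlen(p1)-spaces+2`, does include the terminating NUL). Separately, `isspace(*p1)` and `isspace(*p2)` are called on plain char values; casting the argument to unsigned char avoids undefined behaviour for negative bytes in non-ASCII descriptions, and the `*p2 != '\0'` test is redundant because '\0' is not whitespace.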