Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: haavard_aa...@yahoo.no
This is a release to fix CVE-2021-29376, which is also Debian bug #986214. [0] The change has been taken from the upstream version 20210314, which is known to work. It is also similar to the commit the scrollz package has. [1]

[ Reason ]
Fix: CVE-2021-29376 and Closes: #986214

[ Impact ]
The CVE's description is: allows remote attackers to cause a denial of service (segmentation fault and client crash, disconnecting the victim from an IRC server) via a crafted CTCP UTC message.

[ Tests ]
I tested this manually, by sending a crafted CTCP message. The current version crashed, while the new version printed out the wrongly formatted string.

[ Risks ]
Minimal. The code is taken from upstream.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Added a patch to fix CVE-2021-29376

Håvard

[0] https://bugs.debian.org/#986214
[1] https://github.com/ScrollZ/ScrollZ/pull/26