Control: tags -1 confirmed moreinfo On 2021-05-30 23:43:03 +0200, Håvard Flaget Aasen wrote: > Package: release.debian.org > Severity: normal > User: release.debian....@packages.debian.org > Usertags: unblock > X-Debbugs-Cc: haavard_aa...@yahoo.no > > Please unblock package ircii > > I reverted all changes made for the current 20210314 release and added a > patch to fix CVE-2020-29376 which also Closes: #986214 > > The patch has been sourced from upstream, and is also approved for buster. > > [ Reason ] > fix denial of service issue [CVE-2021-29376] > > [ Impact ] > The CVE's description is: > allows remote attackers to cause a denial of service (segmentation > fault and client crash, disconnecting the victim from an IRC server) > via a crafted CTCP UTC message. > > [ Tests ] > I did test these changes and can confirm that this patch fix > CVE-2021-29376 > > [ Risks ] > Minimal. > The code is taken from upstream. > > [ Checklist ] > [x] all changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in testing > > [ Other info ] > No > > unblock ircii/20210314+really20190117-1
Please remove the moreinfo tag once the new version is available in unstable. Cheers > > > Håvard > diff -Nru ircii-20190117/debian/changelog > ircii-20210314+really20190117/debian/changelog > --- ircii-20190117/debian/changelog 2019-02-21 05:35:56.000000000 +0100 > +++ ircii-20210314+really20190117/debian/changelog 2021-05-30 > 22:39:28.000000000 +0200 > @@ -1,3 +1,38 @@ > +ircii (20210314+really20190117-1) unstable; urgency=medium > + > + * QA upload. > + * Revert to previous release, because of freeze. > + * Add patch to Fix CVE-2021-29376 Closes: #986214 > + > + -- Håvard Flaget Aasen <haavard_aa...@yahoo.no> Sun, 30 May 2021 22:39:28 > +0200 > + > +ircii (20210314-1) unstable; urgency=medium > + > + * QA Upload. > + [ Debian Janitor ] > + * Set debhelper-compat version in Build-Depends. > + * Changes Urgency by urgency in changelog file. > + > + * New upstream release. > + Fix (CVE-2021-29376). (Closes: #986214). > + * debian/control > + + Bump Standards-Version to 4.5.1. (no changes). > + + Bump Debhelper-compat to 13. > + + Add Rules-Requires-Root: no. > + * debian/patches > + + Refresh: > + + 0008-fix-spelling-error.diff > + + 0003-Add-ioption-to-local-include-paths-so-they-do-not-co.patch > + + 0004-absolute-path-for-motd-and-servers-file-and-other-de.patch > + + 0006-fix-some-spelling-errors.patch > + * debian/rules > + + Remove --as-needed linker flag. > + * debian/watch > + + Update to version 4. > + * Update copyright file. > + > + -- Daniel Echeverri <epsi...@debian.org> Sun, 11 Apr 2021 11:19:42 -0500 > + > ircii (20190117-1) unstable; urgency=medium > > * QA upload. > diff -Nru ircii-20190117/debian/patches/0009-Fix-CVE-2021-29376.patch > ircii-20210314+really20190117/debian/patches/0009-Fix-CVE-2021-29376.patch > --- ircii-20190117/debian/patches/0009-Fix-CVE-2021-29376.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > ircii-20210314+really20190117/debian/patches/0009-Fix-CVE-2021-29376.patch > 2021-05-30 22:39:28.000000000 +0200 > @@ -0,0 +1,44 @@ > +From: Håvard Flaget Aasen <haavard_aa...@yahoo.no> > +Date: Thu, 13 May 2021 21:39:51 +0200 > +Subject: Fix CVE-2021-29376 > + > +CVE-2021-29376 allows remote attackers to cause a denial of service > +(segmentation fault and client crash, disconnecting the victim from an IRC > +server) via a crafted CTCP UTC message. > + > +Bug-Debian: https://bugs.debian.org/#986214 > +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-29376 > +--- > + source/ctcp.c | 15 +++++++++++++-- > + 1 file changed, 13 insertions(+), 2 deletions(-) > + > +diff --git a/source/ctcp.c b/source/ctcp.c > +index 1a714c6..c5ddde0 100644 > +--- a/source/ctcp.c > ++++ b/source/ctcp.c > +@@ -536,12 +536,23 @@ do_utc(CtcpEntry *ctcp, u_char *from, u_char *to, > u_char *args) > + { > + time_t tm; > + u_char *date = NULL; > ++ char *curtime; > + > + if (!args || !*args) > + return NULL; > + tm = my_atol(args); > +- malloc_strcpy(&date, UP(ctime(&tm))); > +- date[my_strlen(date)-1] = '\0'; > ++ curtime = ctime(&tm); > ++ if (curtime) > ++ { > ++ u_char *s = my_index(curtime, '\n'); > ++ if (s) > ++ *s = '\0'; > ++ > ++ malloc_strcpy(&date, UP(curtime)); > ++ } > ++ else > ++ /* if we can't find a time, just return the number */ > ++ malloc_strcpy(&date, args); > + return date; > + } > + > diff -Nru ircii-20190117/debian/patches/series > ircii-20210314+really20190117/debian/patches/series > --- ircii-20190117/debian/patches/series 2019-02-20 03:07:03.000000000 > +0100 > +++ ircii-20210314+really20190117/debian/patches/series 2021-05-30 > 22:39:28.000000000 +0200 > @@ -3,3 +3,4 @@ > 0003-Add-ioption-to-local-include-paths-so-they-do-not-co.patch > 0004-absolute-path-for-motd-and-servers-file-and-other-de.patch > 0006-fix-some-spelling-errors.patch > +0009-Fix-CVE-2021-29376.patch -- Sebastian Ramacher
signature.asc
Description: PGP signature
