Your message dated Sat, 29 Apr 2017 16:07:00 +0000
with message-id <f6e28dab-6276-8baf-ff88-b3b25ef3d...@thykier.net>
and subject line Re: Bug#861481: unblock: weechat/1.6-1+deb9u1
has caused the Debian Bug report #861481,
regarding unblock: weechat/1.6-1+deb9u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861481: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861481
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hi

Disclaimer: please note, not the maintainer here, but Emmanuel is
X-Debbug-CC'ed.

Please unblock package weechat

I guess 1.7-3 as in unstable, fixing CVE-2017-8073, #861121 cannot be
unblocked, since the changes to 1.6-1 are way too much (if yes, though,
that would be great). If not, I propose a targeted fix to fix this CVE:

+weechat (1.6-1+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 29 Apr 2017 16:31:58 +0200

The issue is as well fixed already in stable via a DSA.

unblock weechat/1.6-1+deb9u1

Regards
Salvatore
diff -Nru weechat-1.6/debian/changelog weechat-1.6/debian/changelog
--- weechat-1.6/debian/changelog        2016-10-06 13:55:35.000000000 +0200
+++ weechat-1.6/debian/changelog        2017-04-29 16:31:58.000000000 +0200
@@ -1,3 +1,10 @@
+weechat (1.6-1+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 29 Apr 2017 16:31:58 +0200
+
 weechat (1.6-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru weechat-1.6/debian/patches/02_CVE-2017-8073.patch weechat-1.6/debian/patches/02_CVE-2017-8073.patch
--- weechat-1.6/debian/patches/02_CVE-2017-8073.patch   1970-01-01 01:00:00.000000000 +0100
+++ weechat-1.6/debian/patches/02_CVE-2017-8073.patch   2017-04-29 16:31:58.000000000 +0200
@@ -0,0 +1,27 @@
+Description: irc: fix parsing of DCC filename (CVE-2017-8073)
+Origin: upstream, 
https://github.com/weechat/weechat/commit/2fb346f25f79e412cf0ed314fdf791763c19b70b
+Bug-Debian: https://bugs.debian.org/861121
+Forwarded: not-needed
+Author: Tobias Stoeckmann <tob...@stoeckmann.org>
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2017-04-29
+---
+ src/plugins/irc/irc-ctcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/irc/irc-ctcp.c b/src/plugins/irc/irc-ctcp.c
+index e62832b..8afee68 100644
+--- a/src/plugins/irc/irc-ctcp.c
++++ b/src/plugins/irc/irc-ctcp.c
+@@ -512,7 +512,7 @@ irc_ctcp_dcc_filename_without_quotes (const char *filename)
+     int length;
+ 
+     length = strlen (filename);
+-    if (length > 0)
++    if (length > 1)
+     {
+         if ((filename[0] == '\"') && (filename[length - 1] == '\"'))
+             return weechat_strndup (filename + 1, length - 2);
+-- 
+2.1.4
+
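Review bot: the one-character change at `if (length > 1)` is the whole fix, and the DEP-3 `Description:` should say why, because the reason is not obvious from the hunk. With the old `if (length > 0)`, a filename consisting of the single byte `"` satisfied both halves of `(filename[0] == '\"') && (filename[length - 1] == '\"')` (index 0 and index `length - 1` are the same byte), so `weechat_strndup (filename + 1, length - 2)` was called with `length - 2 == -1`, which is converted to a huge unsigned length and reads past the end of the string. Requiring `length > 1` guarantees that the opening and closing quote are distinct bytes and that `length - 2` is non-negative. The unquoted fall-through path below the hunk is not visible here; when backporting to 1.6 it is worth confirming that the surrounding context matches and that the fall-through still returns a plain copy of `filename`.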
diff -Nru weechat-1.6/debian/patches/series weechat-1.6/debian/patches/series
--- weechat-1.6/debian/patches/series   2016-10-06 10:17:33.000000000 +0200
+++ weechat-1.6/debian/patches/series   2017-04-29 16:31:58.000000000 +0200
@@ -1 +1,2 @@
 01_fix_asciidoctor_options.patch
+02_CVE-2017-8073.patch

--- End Message ---
--- Begin Message ---
Salvatore Bonaccorso:
> Control: tags -1 - moreinfo
> 
> Hi,
> 
> On Sat, Apr 29, 2017 at 03:23:00PM +0000, Niels Thykier wrote:
>> Control: tags -1 confirmed moreinfo
>>
>> Salvatore Bonaccorso:
>>> Package: release.debian.org
>>> Severity: normal
>>> User: release.debian....@packages.debian.org
>>> Usertags: unblock
>>>
>>> Hi
>>>
>>> Disclaimer: please note, not the maintainer here, but Emmanuel is
>>> X-Debbug-CC'ed.
>>>
>>> Please unblock package weechat
>>>
>>> I guess 1.7-3 as in unstable, fixing CVE-2017-8073, #861121 cannot be
>>> unblocked, since the changes to 1.6-1 are way too much (if yes, though,
>>> that would be great). If not, I propose a targeted fix to fix this CVE:
>>>
>>> +weechat (1.6-1+deb9u1) stretch; urgency=medium
>>> +
>>> +  * Non-maintainer upload.
>>> +  * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121)
>>> +
>>> + -- Salvatore Bonaccorso <car...@debian.org>  Sat, 29 Apr 2017 16:31:58 +0200
>>>
>>> The issue is as well fixed already in stable via a DSA.
>>>
>>> unblock weechat/1.6-1+deb9u1
>>>
>>> Regards
>>> Salvatore
>>>
>>
>> Ack, please go ahead with the tpu upload.
> 
> Thanks, uploaded.
> 
> Salvatore
> 

Approved, thanks.

~Niels

--- End Message ---