Your message dated Sat, 29 Apr 2017 16:07:00 +0000
with message-id <f6e28dab-6276-8baf-ff88-b3b25ef3d...@thykier.net>
and subject line Re: Bug#861481: unblock: weechat/1.6-1+deb9u1
has caused the Debian Bug report #861481,
regarding unblock: weechat/1.6-1+deb9u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
861481: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861481
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi
Disclaimer: please note, not the maintainer here, but Emmanuel is
X-Debbug-CC'ed.
Please unblock package weechat
I guess 1.7-3 as in unstable, fixing CVE-2017-8073, #861121 cannot be
unblocked, since the changes to 1.6-1 are way too much (if yes, though,
that would be great). If not, I propose a targeted fix to fix this CVE:
+weechat (1.6-1+deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 29 Apr 2017 16:31:58 +0200
The issue is as well fixed already in stable via a DSA.
unblock weechat/1.6-1+deb9u1
Regards
Salvatore
diff -Nru weechat-1.6/debian/changelog weechat-1.6/debian/changelog
--- weechat-1.6/debian/changelog 2016-10-06 13:55:35.000000000 +0200
+++ weechat-1.6/debian/changelog 2017-04-29 16:31:58.000000000 +0200
@@ -1,3 +1,10 @@
+weechat (1.6-1+deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 29 Apr 2017 16:31:58 +0200
+
weechat (1.6-1) unstable; urgency=medium
* New upstream release
diff -Nru weechat-1.6/debian/patches/02_CVE-2017-8073.patch weechat-1.6/debian/patches/02_CVE-2017-8073.patch
--- weechat-1.6/debian/patches/02_CVE-2017-8073.patch 1970-01-01 01:00:00.000000000 +0100
+++ weechat-1.6/debian/patches/02_CVE-2017-8073.patch 2017-04-29 16:31:58.000000000 +0200
@@ -0,0 +1,27 @@
+Description: irc: fix parsing of DCC filename (CVE-2017-8073)
+Origin: upstream,
https://github.com/weechat/weechat/commit/2fb346f25f79e412cf0ed314fdf791763c19b70b
+Bug-Debian: https://bugs.debian.org/861121
+Forwarded: not-needed
+Author: Tobias Stoeckmann <tob...@stoeckmann.org>
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2017-04-29
+---
+ src/plugins/irc/irc-ctcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/irc/irc-ctcp.c b/src/plugins/irc/irc-ctcp.c
+index e62832b..8afee68 100644
+--- a/src/plugins/irc/irc-ctcp.c
++++ b/src/plugins/irc/irc-ctcp.c
+@@ -512,7 +512,7 @@ irc_ctcp_dcc_filename_without_quotes (const char *filename)
+ int length;
+
+ length = strlen (filename);
+- if (length > 0)
++ if (length > 1)
+ {
+ if ((filename[0] == '\"') && (filename[length - 1] == '\"'))
+ return weechat_strndup (filename + 1, length - 2);
+--
+2.1.4
+
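Review bot: the new guard is correct, but the reason for `length > 1` deserves a sentence in the patch header (or a comment above the `if`), because the old condition failed in a non-obvious way: for a DCC filename that is exactly one byte, `"`, the check `length > 0` passes, `filename[0]` and `filename[length - 1]` are the same byte so both quote tests hold, and `weechat_strndup (filename + 1, length - 2)` is reached with a length of -1. With `length > 1`, the shortest input that reaches the strndup is the two-byte `""`, which yields a length of 0 and an empty result. A slightly more self-documenting form would fold the size into the quote test, e.g. `if ((length >= 2) && (filename[0] == '\"') && (filename[length - 1] == '\"'))`, but as a one-line targeted fix for a stable update the change as written is minimal and fine.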
diff -Nru weechat-1.6/debian/patches/series weechat-1.6/debian/patches/series
--- weechat-1.6/debian/patches/series 2016-10-06 10:17:33.000000000 +0200
+++ weechat-1.6/debian/patches/series 2017-04-29 16:31:58.000000000 +0200
@@ -1 +1,2 @@
01_fix_asciidoctor_options.patch
+02_CVE-2017-8073.patch
--- End Message ---
--- Begin Message ---
Salvatore Bonaccorso:
> Control: tags -1 - moreinfo
>
> Hi,
>
> On Sat, Apr 29, 2017 at 03:23:00PM +0000, Niels Thykier wrote:
>> Control: tags -1 confirmed moreinfo
>>
>> Salvatore Bonaccorso:
>>> Package: release.debian.org
>>> Severity: normal
>>> User: release.debian....@packages.debian.org
>>> Usertags: unblock
>>>
>>> Hi
>>>
>>> Disclaimer: please note, not the maintainer here, but Emmanuel is
>>> X-Debbug-CC'ed.
>>>
>>> Please unblock package weechat
>>>
>>> I guess 1.7-3 as in unstable, fixing CVE-2017-8073, #861121 cannot be
>>> unblocked, since the changes to 1.6-1 are way too much (if yes, though,
>>> that would be great). If not, I propose a targeted fix to fix this CVE:
>>>
>>> +weechat (1.6-1+deb9u1) stretch; urgency=medium
>>> +
>>> + * Non-maintainer upload.
>>> + * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121)
>>> +
>>> + -- Salvatore Bonaccorso <car...@debian.org> Sat, 29 Apr 2017 16:31:58
>>> +0200
>>>
>>> The issue is as well fixed already in stable via a DSA.
>>>
>>> unblock weechat/1.6-1+deb9u1
>>>
>>> Regards
>>> Salvatore
>>>
>>
>> Ack, please go ahead with the tpu upload.
>
> Thanks, uploaded.
>
> Salvatore
>
Approved, thanks.
~Niels
--- End Message ---