Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Emmanuel Bouthenot <kol...@debian.org>, t...@security.debian.org
* CVE-2020-8955: A crafted irc message 324 (channel mode) could
result in a crash. (Closes: #951289)
* CVE-2020-9759: A crafted irc message 352 (who) could result
in a crash.
* CVE-2020-9760: A crafted irc message 005 (setting a new mode
for a nick) could result in a crash.
* CVE-2021-40516: A crafted WebSocket frame could result in a crash
in the Relay plugin. (Closes: #993803)
diff -Nru weechat-2.3/debian/changelog weechat-2.3/debian/changelog
--- weechat-2.3/debian/changelog 2019-01-04 18:06:44.000000000 +0200
+++ weechat-2.3/debian/changelog 2022-01-23 16:02:29.000000000 +0200
@@ -1,3 +1,17 @@
+weechat (2.3-1+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2020-8955: A crafted irc message 324 (channel mode) could
+ result in a crash. (Closes: #951289)
+ * CVE-2020-9759: A crafted irc message 352 (who) could result
+ in a crash.
+ * CVE-2020-9760: A crafted irc message 005 (setting a new mode
+ for a nick) could result in a crash.
+ * CVE-2021-40516: A crafted WebSocket frame could result in a crash
+ in the Relay plugin. (Closes: #993803)
+
+ -- Adrian Bunk <b...@debian.org> Sun, 23 Jan 2022 16:02:29 +0200
+
weechat (2.3-1) unstable; urgency=medium
* New upstream release
diff -Nru
weechat-2.3/debian/patches/0001-irc-fix-crash-when-receiving-a-malformed-message-324.patch
weechat-2.3/debian/patches/0001-irc-fix-crash-when-receiving-a-malformed-message-324.patch
---
weechat-2.3/debian/patches/0001-irc-fix-crash-when-receiving-a-malformed-message-324.patch
1970-01-01 02:00:00.000000000 +0200
+++
weechat-2.3/debian/patches/0001-irc-fix-crash-when-receiving-a-malformed-message-324.patch
2022-01-23 16:00:54.000000000 +0200
@@ -0,0 +1,47 @@
+From db4ffe7ccf4b0654cca6993ecaecd5b86070c658 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= <flashc...@flashtux.org>
+Date: Sat, 8 Feb 2020 20:24:50 +0100
+Subject: irc: fix crash when receiving a malformed message 324 (channel mode)
+
+Thanks to Stuart Nevans Locke for reporting the issue.
+---
+ src/plugins/irc/irc-mode.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/src/plugins/irc/irc-mode.c b/src/plugins/irc/irc-mode.c
+index b5d525c6c..5381bfda6 100644
+--- a/src/plugins/irc/irc-mode.c
++++ b/src/plugins/irc/irc-mode.c
+@@ -177,17 +177,20 @@ irc_mode_channel_update (struct t_irc_server *server,
+ current_arg++;
+ if (pos[0] == chanmode)
+ {
+- chanmode_found = 1;
+- if (set_flag == '+')
++ if (!chanmode_found)
+ {
+- str_mode[0] = pos[0];
+- str_mode[1] = '\0';
+- strcat (new_modes, str_mode);
+- if (argument)
++ chanmode_found = 1;
++ if (set_flag == '+')
+ {
+- if (new_args[0])
+- strcat (new_args, " ");
+- strcat (new_args, argument);
++ str_mode[0] = pos[0];
++ str_mode[1] = '\0';
++ strcat (new_modes, str_mode);
++ if (argument)
++ {
++ if (new_args[0])
++ strcat (new_args, " ");
++ strcat (new_args, argument);
++ }
+ }
+ }
+ }
+--
+2.20.1
+
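Review bot: The `strcat` calls into `new_modes` and `new_args` on the new side remain unbounded, so the fix holds only under the invariant that each channel mode character is appended at most once and the two buffers were sized for that, and nothing in the hunk records this. A comment at the new guard would make it explicit: `/* append each chanmode at most once: new_modes/new_args are sized on that assumption */`. Presumably the buffer sizes are computed earlier in irc_mode_channel_update from the existing modes and arguments — confirm they allow one occurrence per mode plus a separator. Note that `current_arg++` still runs for a repeated mode character, so the duplicate's argument is consumed even though it is not copied, which looks intended but deserves a word in the same comment. irc_mode_channel_update begins and ends outside the hunk.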
diff -Nru
weechat-2.3/debian/patches/0002-irc-fix-crash-when-receiving-a-malformed-message-352.patch
weechat-2.3/debian/patches/0002-irc-fix-crash-when-receiving-a-malformed-message-352.patch
---
weechat-2.3/debian/patches/0002-irc-fix-crash-when-receiving-a-malformed-message-352.patch
1970-01-01 02:00:00.000000000 +0200
+++
weechat-2.3/debian/patches/0002-irc-fix-crash-when-receiving-a-malformed-message-352.patch
2022-01-23 16:00:54.000000000 +0200
@@ -0,0 +1,26 @@
+From 43a8cb9a3b9d8202465fc2b91ff36e7fe51f0a74 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= <flashc...@flashtux.org>
+Date: Fri, 14 Feb 2020 08:14:31 +0100
+Subject: irc: fix crash when receiving a malformed message 352 (who)
+
+Thanks to Stuart Nevans Locke for reporting the issue.
+---
+ src/plugins/irc/irc-protocol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/irc/irc-protocol.c b/src/plugins/irc/irc-protocol.c
+index fb7ba870a..6bfbd5240 100644
+--- a/src/plugins/irc/irc-protocol.c
++++ b/src/plugins/irc/irc-protocol.c
+@@ -4521,7 +4521,7 @@ IRC_PROTOCOL_CALLBACK(352)
+
+ if (argc > 8)
+ {
+- arg_start = (strcmp (argv[8], "*") == 0) ? 9 : 8;
++ arg_start = ((argc > 9) && (strcmp (argv[8], "*") == 0)) ? 9 : 8;
+ if (argv[arg_start][0] == ':')
+ {
+ pos_attr = NULL;
+--
+2.20.1
+
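Review bot: The compound condition `(argc > 9) && (strcmp (argv[8], "*") == 0)` carries no comment explaining why the extra bound is needed, although that is the whole fix: when `argv[8]` is `"*"` but `argc == 9`, the old code set `arg_start = 9` and the `argv[arg_start][0]` on the next line read outside the `argc` arguments. A one-line comment such as `/* skip "*" at argv[8] only if argv[9] exists, otherwise argv[arg_start] is out of range */` would keep the next maintainer from simplifying it back. Whether code further down in this callback indexes `argv[arg_start + 1]` or later is not visible here; if it does, it needs its own `argc` check. The IRC_PROTOCOL_CALLBACK(352) body continues outside the hunk.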
diff -Nru
weechat-2.3/debian/patches/0003-irc-fix-crash-when-a-new-message-005-is-received-wit.patch
weechat-2.3/debian/patches/0003-irc-fix-crash-when-a-new-message-005-is-received-wit.patch
---
weechat-2.3/debian/patches/0003-irc-fix-crash-when-a-new-message-005-is-received-wit.patch
1970-01-01 02:00:00.000000000 +0200
+++
weechat-2.3/debian/patches/0003-irc-fix-crash-when-a-new-message-005-is-received-wit.patch
2022-01-23 16:00:54.000000000 +0200
@@ -0,0 +1,122 @@
+From 3eec48f74201e5489b5cf612651781e03b284211 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= <flashc...@flashtux.org>
+Date: Fri, 14 Feb 2020 08:11:02 +0100
+Subject: irc: fix crash when a new message 005 is received with longer nick
+ prefixes
+
+Thanks to Stuart Nevans Locke for reporting the issue.
+---
+ src/plugins/irc/irc-nick.c | 47 ++++++++++++++++++++++++++++++++++++
+ src/plugins/irc/irc-nick.h | 2 ++
+ src/plugins/irc/irc-server.c | 13 +++++++++-
+ 3 files changed, 61 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/irc/irc-nick.c b/src/plugins/irc/irc-nick.c
+index 22e89da26..21846f5cc 100644
+--- a/src/plugins/irc/irc-nick.c
++++ b/src/plugins/irc/irc-nick.c
+@@ -601,6 +601,53 @@ irc_nick_set_mode (struct t_irc_server *server, struct
t_irc_channel *channel,
+ weechat_bar_item_update ("input_prompt");
+ }
+
++/*
++ * Reallocates the "prefixes" string in all nicks of all channels on the
server
++ * (after 005 has been received).
++ */
++
++void
++irc_nick_realloc_prefixes (struct t_irc_server *server,
++ int old_length, int new_length)
++{
++ struct t_irc_channel *ptr_channel;
++ struct t_irc_nick *ptr_nick;
++ char *new_prefixes;
++
++ for (ptr_channel = server->channels; ptr_channel;
++ ptr_channel = ptr_channel->next_channel)
++ {
++ for (ptr_nick = ptr_channel->nicks; ptr_nick;
++ ptr_nick = ptr_nick->next_nick)
++ {
++ if (ptr_nick->prefixes)
++ {
++ new_prefixes = realloc (ptr_nick->prefixes, new_length + 1);
++ if (new_prefixes)
++ {
++ ptr_nick->prefixes = new_prefixes;
++ if (new_length > old_length)
++ {
++ memset (ptr_nick->prefixes + old_length,
++ ' ',
++ new_length - old_length);
++ }
++ ptr_nick->prefixes[new_length] = '\0';
++ }
++ }
++ else
++ {
++ ptr_nick->prefixes = malloc (new_length + 1);
++ if (ptr_nick->prefixes)
++ {
++ memset (ptr_nick->prefixes, ' ', new_length);
++ ptr_nick->prefixes[new_length] = '\0';
++ }
++ }
++ }
++ }
++}
++
+ /*
+ * Removes a nick from a channel.
+ */
+diff --git a/src/plugins/irc/irc-nick.h b/src/plugins/irc/irc-nick.h
+index 92ef6f199..b4885c6e1 100644
+--- a/src/plugins/irc/irc-nick.h
++++ b/src/plugins/irc/irc-nick.h
+@@ -73,6 +73,8 @@ extern void irc_nick_change (struct t_irc_server *server,
+ extern void irc_nick_set_mode (struct t_irc_server *server,
+ struct t_irc_channel *channel,
+ struct t_irc_nick *nick, int set, char mode);
++extern void irc_nick_realloc_prefixes (struct t_irc_server *server,
++ int old_length, int new_length);
+ extern void irc_nick_free (struct t_irc_server *server,
+ struct t_irc_channel *channel,
+ struct t_irc_nick *nick);
+diff --git a/src/plugins/irc/irc-server.c b/src/plugins/irc/irc-server.c
+index 813d802dc..2b540e33f 100644
+--- a/src/plugins/irc/irc-server.c
++++ b/src/plugins/irc/irc-server.c
+@@ -922,11 +922,15 @@ irc_server_set_prefix_modes_chars (struct t_irc_server
*server,
+ const char *prefix)
+ {
+ char *pos;
+- int i, length_modes, length_chars;
++ int i, old_length_chars, length_modes, length_chars;
+
+ if (!server || !prefix)
+ return;
+
++ old_length_chars = (server->prefix_chars) ?
++ strlen (server->prefix_chars) :
++ strlen (irc_server_prefix_chars_default);
++
+ /* free previous values */
+ if (server->prefix_modes)
+ {
+@@ -966,6 +970,13 @@ irc_server_set_prefix_modes_chars (struct t_irc_server
*server,
+ }
+ }
+ }
++
++ length_chars = (server->prefix_chars) ?
++ strlen (server->prefix_chars) :
++ strlen (irc_server_prefix_chars_default);
++
++ if (length_chars != old_length_chars)
++ irc_nick_realloc_prefixes (server, old_length_chars, length_chars);
+ }
+
+ /*
+--
+2.20.1
+
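Review bot: In `irc_nick_realloc_prefixes` a failed `realloc` or `malloc` is silently ignored, so after a 005 that lengthens the prefix string a nick can be left with a `prefixes` buffer of the old length (or NULL) while `server->prefix_chars` already has the new length; any later write that indexes `prefixes` up to the new length would then overrun (those writers are not visible from here — confirm). Since this is a new function, it could return an `int` instead of `void` (`if (!new_prefixes) return 0;`, and likewise after the `malloc`) so that `irc_server_set_prefix_modes_chars` can at least log the failure rather than continue with inconsistent state. The header comment should also state the contract the code relies on, namely that every nick's `prefixes` is exactly `old_length` characters on entry. In irc-server.c, `old_length_chars = ... strlen (...)` assigns a `size_t` to an `int` without a cast, which `-Wconversion` flags; the surrounding function uses the same idiom, so this is a style point only.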
diff -Nru
weechat-2.3/debian/patches/0004-relay-fix-crash-when-decoding-a-malformed-websocket-.patch
weechat-2.3/debian/patches/0004-relay-fix-crash-when-decoding-a-malformed-websocket-.patch
---
weechat-2.3/debian/patches/0004-relay-fix-crash-when-decoding-a-malformed-websocket-.patch
1970-01-01 02:00:00.000000000 +0200
+++
weechat-2.3/debian/patches/0004-relay-fix-crash-when-decoding-a-malformed-websocket-.patch
2022-01-23 16:00:54.000000000 +0200
@@ -0,0 +1,65 @@
+From 48b6fffbf9ec277fbdea251b6542682f4f46b13b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= <flashc...@flashtux.org>
+Date: Tue, 7 Sep 2021 19:05:06 +0200
+Subject: relay: fix crash when decoding a malformed websocket frame
+ (CVE-2021-40516)
+
+---
+ src/plugins/relay/relay-websocket.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/src/plugins/relay/relay-websocket.c
b/src/plugins/relay/relay-websocket.c
+index bbac751dc..7cbe60826 100644
+--- a/src/plugins/relay/relay-websocket.c
++++ b/src/plugins/relay/relay-websocket.c
+@@ -278,7 +278,7 @@ relay_websocket_decode_frame (const unsigned char *buffer,
+ index_buffer = 0;
+
+ /* loop to decode all frames in message */
+- while (index_buffer + 2 <= buffer_length)
++ while (index_buffer + 1 < buffer_length)
+ {
+ opcode = buffer[index_buffer] & 15;
+
+@@ -293,10 +293,12 @@ relay_websocket_decode_frame (const unsigned char
*buffer,
+ length_frame_size = 1;
+ length_frame = buffer[index_buffer + 1] & 127;
+ index_buffer += 2;
++ if (index_buffer >= buffer_length)
++ return 0;
+ if ((length_frame == 126) || (length_frame == 127))
+ {
+ length_frame_size = (length_frame == 126) ? 2 : 8;
+- if (buffer_length < 1 + length_frame_size)
++ if (index_buffer + length_frame_size > buffer_length)
+ return 0;
+ length_frame = 0;
+ for (i = 0; i < length_frame_size; i++)
+@@ -306,10 +308,9 @@ relay_websocket_decode_frame (const unsigned char *buffer,
+ index_buffer += length_frame_size;
+ }
+
+- if (buffer_length < 1 + length_frame_size + 4 + length_frame)
+- return 0;
+-
+ /* read masks (4 bytes) */
++ if (index_buffer + 4 > buffer_length)
++ return 0;
+ int masks[4];
+ for (i = 0; i < 4; i++)
+ {
+@@ -323,6 +324,11 @@ relay_websocket_decode_frame (const unsigned char *buffer,
+ *decoded_length += 1;
+
+ /* decode data using masks */
++ if ((length_frame > buffer_length)
++ || (index_buffer + length_frame > buffer_length))
++ {
++ return 0;
++ }
+ for (i = 0; i < length_frame; i++)
+ {
+ decoded[*decoded_length + i] = (int)((unsigned
char)buffer[index_buffer + i]) ^ masks[i % 4];
+--
+2.20.1
+
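Review bot: The two-part guard `(length_frame > buffer_length) || (index_buffer + length_frame > buffer_length)` before the decode loop has no comment, and its first half only makes sense as a wrap-around guard for the sum in the second half, since `length_frame` is taken from the wire and can be up to 8 bytes wide; state that so nobody folds it into one comparison: `/* length_frame is wire-controlled: test it alone first so the sum below cannot wrap */`. Whether the integer types of `index_buffer` and `length_frame` actually make that sum overflow-safe is not visible in the hunk — confirm they are at least as wide as the 8-byte length accumulated in the 127 case. The new checks bound reads from `buffer`, but the write `decoded[*decoded_length + i]` is bounded only if `decoded` was allocated with at least `buffer_length` bytes, which this hunk does not show; a comment at that allocation tying the two sizes together would document the remaining assumption. `relay_websocket_decode_frame` starts and ends outside the hunk.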
diff -Nru weechat-2.3/debian/patches/series weechat-2.3/debian/patches/series
--- weechat-2.3/debian/patches/series 2018-09-28 00:23:52.000000000 +0300
+++ weechat-2.3/debian/patches/series 2022-01-23 16:02:27.000000000 +0200
@@ -1 +1,5 @@
01_fix_asciidoctor_options.patch
+0001-irc-fix-crash-when-receiving-a-malformed-message-324.patch
+0002-irc-fix-crash-when-receiving-a-malformed-message-352.patch
+0003-irc-fix-crash-when-a-new-message-005-is-received-wit.patch
+0004-relay-fix-crash-when-decoding-a-malformed-websocket-.patch