Bug#989273: marked as done (unblock: ircii/20210314+really20190117-1)
Your message dated Tue, 1 Jun 2021 12:09:15 +0200
with message-id <YLYHS7XPwnBrJg+7@ramacher.at>
and subject line Re: Bug#989273: unblock: ircii/20210314+really20190117-1
has caused the Debian Bug report #989273,
regarding unblock: ircii/20210314+really20190117-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
989273: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989273
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: ircii/20210314+really20190117-1
- From: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
- Date: Sun, 30 May 2021 23:43:03 +0200
- Message-id: <162241098358.721757.15678175038777269140.reportbug@desktop.bs-production.no>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: haavard_aasen@yahoo.no
Please unblock package ircii
I reverted all changes made for the current 20210314 release and added a
patch to fix CVE-2020-29376 which also Closes: #986214
The patch has been sourced from upstream, and is also approved for buster.
[ Reason ]
fix denial of service issue [CVE-2021-29376]
[ Impact ]
The CVE's description is:
allows remote attackers to cause a denial of service (segmentation
fault and client crash, disconnecting the victim from an IRC server)
via a crafted CTCP UTC message.
[ Tests ]
I did test these changes and can confirm that this patch fix
CVE-2021-29376
[ Risks ]
Minimal.
The code is taken from upstream.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
No
unblock ircii/20210314+really20190117-1
Håvard
diff -Nru ircii-20190117/debian/changelog ircii-20210314+really20190117/debian/changelog
--- ircii-20190117/debian/changelog 2019-02-21 05:35:56.000000000 +0100
+++ ircii-20210314+really20190117/debian/changelog 2021-05-30 22:39:28.000000000 +0200
@@ -1,3 +1,38 @@
+ircii (20210314+really20190117-1) unstable; urgency=medium
+
+ * QA upload.
+ * Revert to previous release, because of freeze.
+ * Add patch to Fix CVE-2021-29376 Closes: #986214
+
+ -- Håvard Flaget Aasen <haavard_aasen@yahoo.no> Sun, 30 May 2021 22:39:28 +0200
+
+ircii (20210314-1) unstable; urgency=medium
+
+ * QA Upload.
+ [ Debian Janitor ]
+ * Set debhelper-compat version in Build-Depends.
+ * Changes Urgency by urgency in changelog file.
+
+ * New upstream release.
+ Fix (CVE-2021-29376). (Closes: #986214).
+ * debian/control
+ + Bump Standards-Version to 4.5.1. (no changes).
+ + Bump Debhelper-compat to 13.
+ + Add Rules-Requires-Root: no.
+ * debian/patches
+ + Refresh:
+ + 0008-fix-spelling-error.diff
+ + 0003-Add-ioption-to-local-include-paths-so-they-do-not-co.patch
+ + 0004-absolute-path-for-motd-and-servers-file-and-other-de.patch
+ + 0006-fix-some-spelling-errors.patch
+ * debian/rules
+ + Remove --as-needed linker flag.
+ * debian/watch
+ + Update to version 4.
+ * Update copyright file.
+
+ -- Daniel Echeverri <epsilon@debian.org> Sun, 11 Apr 2021 11:19:42 -0500
+
ircii (20190117-1) unstable; urgency=medium
* QA upload.
diff -Nru ircii-20190117/debian/patches/0009-Fix-CVE-2021-29376.patch ircii-20210314+really20190117/debian/patches/0009-Fix-CVE-2021-29376.patch
--- ircii-20190117/debian/patches/0009-Fix-CVE-2021-29376.patch 1970-01-01 01:00:00.000000000 +0100
+++ ircii-20210314+really20190117/debian/patches/0009-Fix-CVE-2021-29376.patch 2021-05-30 22:39:28.000000000 +0200
@@ -0,0 +1,44 @@
+From: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
+Date: Thu, 13 May 2021 21:39:51 +0200
+Subject: Fix CVE-2021-29376
+
+CVE-2021-29376 allows remote attackers to cause a denial of service
+(segmentation fault and client crash, disconnecting the victim from an IRC
+server) via a crafted CTCP UTC message.
+
+Bug-Debian: https://bugs.debian.org/#986214
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-29376
+---
+ source/ctcp.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/source/ctcp.c b/source/ctcp.c
+index 1a714c6..c5ddde0 100644
+--- a/source/ctcp.c
++++ b/source/ctcp.c
+@@ -536,12 +536,23 @@ do_utc(CtcpEntry *ctcp, u_char *from, u_char *to, u_char *args)
+ {
+ time_t tm;
+ u_char *date = NULL;
++ char *curtime;
+
+ if (!args || !*args)
+ return NULL;
+ tm = my_atol(args);
+- malloc_strcpy(&date, UP(ctime(&tm)));
+- date[my_strlen(date)-1] = '\0';
++ curtime = ctime(&tm);
++ if (curtime)
++ {
++ u_char *s = my_index(curtime, '\n');
++ if (s)
++ *s = '\0';
++
++ malloc_strcpy(&date, UP(curtime));
++ }
++ else
++ /* if we can't find a time, just return the number */
++ malloc_strcpy(&date, args);
+ return date;
+ }
+
diff -Nru ircii-20190117/debian/patches/series ircii-20210314+really20190117/debian/patches/series
--- ircii-20190117/debian/patches/series 2019-02-20 03:07:03.000000000 +0100
+++ ircii-20210314+really20190117/debian/patches/series 2021-05-30 22:39:28.000000000 +0200
@@ -3,3 +3,4 @@
0003-Add-ioption-to-local-include-paths-so-they-do-not-co.patch
0004-absolute-path-for-motd-and-servers-file-and-other-de.patch
0006-fix-some-spelling-errors.patch
+0009-Fix-CVE-2021-29376.patch
--- End Message ---
--- Begin Message ---
- To: 989273-done@bugs.debian.org
- Subject: Re: Bug#989273: unblock: ircii/20210314+really20190117-1
- From: Sebastian Ramacher <sramacher@debian.org>
- Date: Tue, 1 Jun 2021 12:09:15 +0200
- Message-id: <YLYHS7XPwnBrJg+7@ramacher.at>
- In-reply-to: <YLUz36SsOyrVlBGo@ramacher.at>
- References: <162241098358.721757.15678175038777269140.reportbug@desktop.bs-production.no> <162241098358.721757.15678175038777269140.reportbug@desktop.bs-production.no> <YLUz36SsOyrVlBGo@ramacher.at>
On 2021-05-31 21:07:11, Sebastian Ramacher wrote:
> Control: tags -1 confirmed moreinfo
>
> On 2021-05-30 23:43:03 +0200, Håvard Flaget Aasen wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: haavard_aasen@yahoo.no
> >
> > Please unblock package ircii
> >
> > I reverted all changes made for the current 20210314 release and added a
> > patch to fix CVE-2020-29376 which also Closes: #986214
> >
> > The patch has been sourced from upstream, and is also approved for buster.
> >
> > [ Reason ]
> > fix denial of service issue [CVE-2021-29376]
> >
> > [ Impact ]
> > The CVE's description is:
> > allows remote attackers to cause a denial of service (segmentation
> > fault and client crash, disconnecting the victim from an IRC server)
> > via a crafted CTCP UTC message.
> >
> > [ Tests ]
> > I did test these changes and can confirm that this patch fix
> > CVE-2021-29376
> >
> > [ Risks ]
> > Minimal.
> > The code is taken from upstream.
> >
> > [ Checklist ]
> > [x] all changes are documented in the d/changelog
> > [x] I reviewed all changes and I approve them
> > [x] attach debdiff against the package in testing
> >
> > [ Other info ]
> > No
> >
> > unblock ircii/20210314+really20190117-1
>
> Please remove the moreinfo tag once the new version is available in
> unstable.
Unblocked
Cheers
>
> Cheers
>
> >
> >
> > Håvard
>
> > diff -Nru ircii-20190117/debian/changelog ircii-20210314+really20190117/debian/changelog
> > --- ircii-20190117/debian/changelog 2019-02-21 05:35:56.000000000 +0100
> > +++ ircii-20210314+really20190117/debian/changelog 2021-05-30 22:39:28.000000000 +0200
> > @@ -1,3 +1,38 @@
> > +ircii (20210314+really20190117-1) unstable; urgency=medium
> > +
> > + * QA upload.
> > + * Revert to previous release, because of freeze.
> > + * Add patch to Fix CVE-2021-29376 Closes: #986214
> > +
> > + -- Håvard Flaget Aasen <haavard_aasen@yahoo.no> Sun, 30 May 2021 22:39:28 +0200
> > +
> > +ircii (20210314-1) unstable; urgency=medium
> > +
> > + * QA Upload.
> > + [ Debian Janitor ]
> > + * Set debhelper-compat version in Build-Depends.
> > + * Changes Urgency by urgency in changelog file.
> > +
> > + * New upstream release.
> > + Fix (CVE-2021-29376). (Closes: #986214).
> > + * debian/control
> > + + Bump Standards-Version to 4.5.1. (no changes).
> > + + Bump Debhelper-compat to 13.
> > + + Add Rules-Requires-Root: no.
> > + * debian/patches
> > + + Refresh:
> > + + 0008-fix-spelling-error.diff
> > + + 0003-Add-ioption-to-local-include-paths-so-they-do-not-co.patch
> > + + 0004-absolute-path-for-motd-and-servers-file-and-other-de.patch
> > + + 0006-fix-some-spelling-errors.patch
> > + * debian/rules
> > + + Remove --as-needed linker flag.
> > + * debian/watch
> > + + Update to version 4.
> > + * Update copyright file.
> > +
> > + -- Daniel Echeverri <epsilon@debian.org> Sun, 11 Apr 2021 11:19:42 -0500
> > +
> > ircii (20190117-1) unstable; urgency=medium
> >
> > * QA upload.
> > diff -Nru ircii-20190117/debian/patches/0009-Fix-CVE-2021-29376.patch ircii-20210314+really20190117/debian/patches/0009-Fix-CVE-2021-29376.patch
> > --- ircii-20190117/debian/patches/0009-Fix-CVE-2021-29376.patch 1970-01-01 01:00:00.000000000 +0100
> > +++ ircii-20210314+really20190117/debian/patches/0009-Fix-CVE-2021-29376.patch 2021-05-30 22:39:28.000000000 +0200
> > @@ -0,0 +1,44 @@
> > +From: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
> > +Date: Thu, 13 May 2021 21:39:51 +0200
> > +Subject: Fix CVE-2021-29376
> > +
> > +CVE-2021-29376 allows remote attackers to cause a denial of service
> > +(segmentation fault and client crash, disconnecting the victim from an IRC
> > +server) via a crafted CTCP UTC message.
> > +
> > +Bug-Debian: https://bugs.debian.org/#986214
> > +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-29376
> > +---
> > + source/ctcp.c | 15 +++++++++++++--
> > + 1 file changed, 13 insertions(+), 2 deletions(-)
> > +
> > +diff --git a/source/ctcp.c b/source/ctcp.c
> > +index 1a714c6..c5ddde0 100644
> > +--- a/source/ctcp.c
> > ++++ b/source/ctcp.c
> > +@@ -536,12 +536,23 @@ do_utc(CtcpEntry *ctcp, u_char *from, u_char *to, u_char *args)
> > + {
> > + time_t tm;
> > + u_char *date = NULL;
> > ++ char *curtime;
> > +
> > + if (!args || !*args)
> > + return NULL;
> > + tm = my_atol(args);
> > +- malloc_strcpy(&date, UP(ctime(&tm)));
> > +- date[my_strlen(date)-1] = '\0';
> > ++ curtime = ctime(&tm);
> > ++ if (curtime)
> > ++ {
> > ++ u_char *s = my_index(curtime, '\n');
> > ++ if (s)
> > ++ *s = '\0';
> > ++
> > ++ malloc_strcpy(&date, UP(curtime));
> > ++ }
> > ++ else
> > ++ /* if we can't find a time, just return the number */
> > ++ malloc_strcpy(&date, args);
> > + return date;
> > + }
> > +
> > diff -Nru ircii-20190117/debian/patches/series ircii-20210314+really20190117/debian/patches/series
> > --- ircii-20190117/debian/patches/series 2019-02-20 03:07:03.000000000 +0100
> > +++ ircii-20210314+really20190117/debian/patches/series 2021-05-30 22:39:28.000000000 +0200
> > @@ -3,3 +3,4 @@
> > 0003-Add-ioption-to-local-include-paths-so-they-do-not-co.patch
> > 0004-absolute-path-for-motd-and-servers-file-and-other-de.patch
> > 0006-fix-some-spelling-errors.patch
> > +0009-Fix-CVE-2021-29376.patch
>
>
> --
> Sebastian Ramacher
--
Sebastian Ramacher
--- End Message ---
Reply to: