
Bug#991641: marked as done (buster-pu: package irssi/1.2.0-2)



Your message dated Sat, 09 Oct 2021 12:11:43 +0100
with message-id <896b7609401ceb0e1c537222e26587ea2351415d.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in the 10.11 point release
has caused the Debian Bug report #991641,
regarding buster-pu: package irssi/1.2.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991641: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991641
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: important
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
This update fixes CVE-2019-13045 for buster by pulling in the upstream
commit that is included in newer versions of the package.

[ Impact ]
May affect the stability of Irssi. SASL logins may fail, especially
during (manual and automated) reconnect.

[ Tests ]
It is the fix that got applied in other distributions and has been used by
lots of folks for quite a while now.

[ Risks ]
The changes are quite straightforward.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
It's just the upstream patch pulled in.

 So long,
Rhonda
-- 
If you feel discouraged, finally take courage, go  |
If you feel helpless, go out and help, go          | Wir sind Helden
If you feel powerless, go out and act, go          | 23.55: Alles auf Anfang
If you feel adrift, seek a hold and let go         |
diff -Nru irssi-1.2.0/debian/changelog irssi-1.2.0/debian/changelog
--- irssi-1.2.0/debian/changelog	2019-02-12 21:59:00.000000000 +0100
+++ irssi-1.2.0/debian/changelog	2021-07-29 14:11:39.000000000 +0200
@@ -1,3 +1,9 @@
+irssi (1.2.0-2+deb10u1) buster; urgency=medium
+
+  * Import upstream security fix for CVE-2019-13045 (closes: #931264)
+
+ -- Rhonda D'Vine <rhonda@debian.org>  Thu, 29 Jul 2021 14:11:39 +0200
+
 irssi (1.2.0-2) unstable; urgency=medium
 
   [ Rhonda D'Vine ]
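Review bot: the new changelog entry at `* Import upstream security fix for CVE-2019-13045 (closes: #931264)` does not name the patch file it adds, `98copy-sasl-username-and-password-values`. Naming the file in the entry would make it easier to map the CVE to the actual change when auditing the point release.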
diff -Nru irssi-1.2.0/debian/patches/98copy-sasl-username-and-password-values irssi-1.2.0/debian/patches/98copy-sasl-username-and-password-values
--- irssi-1.2.0/debian/patches/98copy-sasl-username-and-password-values	1970-01-01 01:00:00.000000000 +0100
+++ irssi-1.2.0/debian/patches/98copy-sasl-username-and-password-values	2021-07-29 14:11:39.000000000 +0200
@@ -0,0 +1,41 @@
+Description: copy sasl username and password values
+Origin: Upstream, https://github.com/irssi/irssi/pull/1058
+Author: ailin-nemui
+
+--- a/src/irc/core/irc-core.c
++++ b/src/irc/core/irc-core.c
+@@ -75,6 +75,8 @@
+ 
+ 	g_free_not_null(ircconn->usermode);
+ 	g_free_not_null(ircconn->alternate_nick);
++	g_free_not_null(ircconn->sasl_username);
++	g_free_not_null(ircconn->sasl_password);
+ }
+ 
+ void irc_core_init(void)
+--- a/src/irc/core/irc-servers-reconnect.c
++++ b/src/irc/core/irc-servers-reconnect.c
+@@ -49,8 +49,8 @@
+ 	rec->usermode = g_strdup(src->usermode);
+ 	rec->alternate_nick = g_strdup(src->alternate_nick);
+ 	rec->sasl_mechanism = src->sasl_mechanism;
+-	rec->sasl_username = src->sasl_username;
+-	rec->sasl_password = src->sasl_password;
++	rec->sasl_username = g_strdup(src->sasl_username);
++	rec->sasl_password = g_strdup(src->sasl_password);
+ 	*dest = (SERVER_CONNECT_REC *) rec;
+ }
+ 
+--- a/src/irc/core/irc-servers-setup.c
++++ b/src/irc/core/irc-servers-setup.c
+@@ -101,8 +101,8 @@
+ 			conn->sasl_mechanism = SASL_MECHANISM_PLAIN;
+ 			if (ircnet->sasl_username != NULL && *ircnet->sasl_username &&
+ 			    ircnet->sasl_password != NULL && *ircnet->sasl_password) {
+-				conn->sasl_username = ircnet->sasl_username;
+-				conn->sasl_password = ircnet->sasl_password;
++				conn->sasl_username = g_strdup(ircnet->sasl_username);
++				conn->sasl_password = g_strdup(ircnet->sasl_password);
+ 			} else
+ 				g_warning("The fields sasl_username and sasl_password are either missing or empty");
+ 		}
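Review bot: the two `g_free_not_null(ircconn->sasl_username)` / `sasl_password` lines added in irc-core.c make the connection record the owner of both strings, so any assignment that still stores a borrowed pointer into these fields would now end in a free of memory owned elsewhere. The patch converts the assignments in irc-servers-reconnect.c and irc-servers-setup.c to `g_strdup()`; it is worth confirming with a grep over the 1.2.0 tree that no other assignment to `sasl_username` or `sasl_password` remains. Separately, the patch header carries only Description, Origin and Author; adding the CVE id and the Debian bug number that the changelog cites (CVE-2019-13045, #931264) would tie the patch file itself to the advisory.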
diff -Nru irssi-1.2.0/debian/patches/series irssi-1.2.0/debian/patches/series
--- irssi-1.2.0/debian/patches/series	2019-02-12 21:59:00.000000000 +0100
+++ irssi-1.2.0/debian/patches/series	2021-07-29 14:11:39.000000000 +0200
@@ -1,3 +1,4 @@
+98copy-sasl-username-and-password-values
 01chanmode_expando_strip
 02ctcp_version_reply
 03firsttimer_text
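Review bot: `98copy-sasl-username-and-password-values` is added as the first line of the series, ahead of `01chanmode_expando_strip`, although its `98` prefix suggests it belongs after the lower-numbered patches. quilt applies patches in series-file order, so this one is applied first. If that is intentional, a note in the changelog or patch header would help; otherwise place the line where its number sorts so the file name and the apply order agree.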

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.11

Hi,

The updates relating to these bugs were included in this morning's
10.11 point release for buster.

Regards,

Adam

--- End Message ---
