Commit 0cd6b82a authored by Leonardo Arena's avatar Leonardo Arena

main/irssi: security fixes (CVE-2017-9468)

Fixes #7396. Not affected by CVE-2017-9469.
parent 478ed456
......@@ -2,7 +2,7 @@
# Maintainer: Kiyoshi Aman <kiyoshi.aman@gmail.com>
pkgname=irssi
pkgver=0.8.21
pkgrel=0
pkgrel=1
pkgdesc="A modular textUI IRC client with IPv6 support"
url="http://irssi.org/"
arch="all"
......@@ -10,9 +10,15 @@ license="GPL2+"
depends=
makedepends="glib-dev libressl-dev ncurses-dev perl-dev automake autoconf libtool"
subpackages="$pkgname-doc $pkgname-dev $pkgname-proxy $pkgname-perl"
source="https://github.com/irssi/irssi/releases/download/$pkgver/irssi-$pkgver.tar.xz"
source="https://github.com/irssi/irssi/releases/download/$pkgver/irssi-$pkgver.tar.xz
CVE-2017-9468.patch
"
_builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
# 0.8.21-r1:
# - CVE-2017-9468
prepare() {
local i
cd "$_builddir"
......@@ -68,6 +74,9 @@ proxy() {
mv "$pkgdir"/usr/lib/irssi/modules/libirc_proxy.* "$subpkgdir"/usr/lib/irssi/modules/
}
md5sums="b820760c3b4f3b0c24abe4db82b6366a irssi-0.8.21.tar.xz"
sha256sums="e433063b8714dcf17438126902c9a9d5c97944b3185ecd0fc5ae25c4959bf35a irssi-0.8.21.tar.xz"
sha512sums="110934ab85c8574fc76bce367c58378e28603898e63a5014a72170ffe441ffe3dbda432531e899176f5c4126f47d929a3a01a2f87bcacbfe0ba4d6d8cb31e642 irssi-0.8.21.tar.xz"
md5sums="b820760c3b4f3b0c24abe4db82b6366a irssi-0.8.21.tar.xz
09307e506db9deef2d678101041ac79a CVE-2017-9468.patch"
sha256sums="e433063b8714dcf17438126902c9a9d5c97944b3185ecd0fc5ae25c4959bf35a irssi-0.8.21.tar.xz
8d032e96ff6273de052dfc203fb2b16b90cfd029b71805fda9cfda0ce1a053ba CVE-2017-9468.patch"
sha512sums="110934ab85c8574fc76bce367c58378e28603898e63a5014a72170ffe441ffe3dbda432531e899176f5c4126f47d929a3a01a2f87bcacbfe0ba4d6d8cb31e642 irssi-0.8.21.tar.xz
9fe90deea2002c976678739bda7a58f88c611969a1800bf2e15e152fff3075b63117f3dddc3f491ef845b84dc928503b95f7db13b6a23d80a2f9bb8aef3f2bb6 CVE-2017-9468.patch"
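Review bot: The `# secfixes:` block and the patch file name record only CVE-2017-9468, but the bundled patch file carries two upstream commits: the NULL `addr` guard and a one-byte out-of-bounds read fix in `get_file_params_count{,_resume}`. The second appears to be the fix tracked upstream as CVE-2017-9469, which the commit message says this version is not affected by, so one of the two statements needs confirming. If the package was affected, add `#   - CVE-2017-9469` under `0.8.21-r1`; if not, a comment next to the `source=` entry saying the extra hunk is hardening only would keep the record consistent. Tooling that derives fixed versions from the secfixes comments would otherwise have no entry for that id.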
From 30a92754bb650c3dedd507d41110443142899a65 Mon Sep 17 00:00:00 2001
From: Joseph Bisch <joseph.bisch@gmail.com>
Date: Mon, 29 May 2017 14:43:24 -0400
Subject: [PATCH 1/2] Fix oob read of one byte in
get_file_params_count{,_resume}
We can use continue to handle cases such as:
"ab<space><space>c"
---
src/irc/dcc/dcc-get.c | 2 ++
src/irc/dcc/dcc-resume.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/src/irc/dcc/dcc-get.c b/src/irc/dcc/dcc-get.c
index 73c1b8648..eff516dbc 100644
--- a/src/irc/dcc/dcc-get.c
+++ b/src/irc/dcc/dcc-get.c
@@ -382,6 +382,8 @@ int get_file_params_count(char **params, int paramcount)
if (*params[0] == '"') {
/* quoted file name? */
for (pos = 0; pos < paramcount-3; pos++) {
+ if (strlen(params[pos]) == 0)
+ continue;
if (params[pos][strlen(params[pos])-1] == '"' &&
get_params_match(params, pos+1))
return pos+1;
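Review bot: The added guard in the quoted-file-name loop calls `strlen(params[pos])`, and the next line calls it again to index the last byte. Computing the length once ties the bounds check to the index it protects: `size_t len = strlen(params[pos]);`, `if (len == 0) continue;`, then `params[pos][len-1] == '"'`. The same applies to the identical hunk in `get_file_params_count_resume` in dcc-resume.c. A short comment such as `/* empty token (consecutive spaces): there is no last byte to inspect */` would record why the skip exists. The `*params[0]` test above the loop still assumes at least one non-NULL token; whether callers guarantee that is not visible here, and the function body continues outside the hunk.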
diff --git a/src/irc/dcc/dcc-resume.c b/src/irc/dcc/dcc-resume.c
index 36f84ddfd..ce0ac9251 100644
--- a/src/irc/dcc/dcc-resume.c
+++ b/src/irc/dcc/dcc-resume.c
@@ -62,6 +62,8 @@ int get_file_params_count_resume(char **params, int paramcount)
if (*params[0] == '"') {
/* quoted file name? */
for (pos = 0; pos < paramcount-2; pos++) {
+ if (strlen(params[pos]) == 0)
+ continue;
if (params[pos][strlen(params[pos])-1] == '"' &&
get_params_match_resume(params, pos+1))
return pos+1;
From 528f51bfbe5c65c5b24546faa244009dd5b3c586 Mon Sep 17 00:00:00 2001
From: Joseph Bisch <joseph.bisch@gmail.com>
Date: Wed, 17 May 2017 10:08:51 -0400
Subject: [PATCH 2/2] Fix dcc_request where addr is NULL
---
src/irc/dcc/dcc-get.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/irc/dcc/dcc-get.c b/src/irc/dcc/dcc-get.c
index 73c1b8648..982940995 100644
--- a/src/irc/dcc/dcc-get.c
+++ b/src/irc/dcc/dcc-get.c
@@ -428,6 +428,10 @@ static void ctcp_msg_dcc_send(IRC_SERVER_REC *server, const char *data,
int p_id = -1;
int passive = FALSE;
+ if (addr == NULL) {
+ addr = "";
+ }
+
/* SEND <file name> <address> <port> <size> [...] */
/* SEND <file name> <address> 0 <size> <id> (DCC SEND passive protocol) */
params = g_strsplit(data, " ", -1);
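Review bot: The new `addr == NULL` guard at the top of `ctcp_msg_dcc_send` substitutes an empty string, so a DCC SEND that arrives without a source address is still parsed and handled instead of being rejected. If nothing downstream needs to accept such requests, returning early would be the narrower behaviour. Otherwise the guard deserves a comment saying why an empty address is acceptable, e.g. `/* addr is presumably NULL when the message has no sender prefix; use "" so later string handling never sees NULL */`. The rest of the signature is cut off in the hunk header, so whether the sender nick needs the same guard cannot be judged from here. The function body continues outside the hunk.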