Hi, I'd like to get your approval for the upload of weechat 0.3.8-2wheezy1 to testing-proposed-updates in order to fix a security issue which could allow a remote attacker to crash weechat by forging malicious IRC messages: http://bugs.debian.org/693026
As stated in the bug report, a CVE ID has been requested but has not yet been assigned. This bug has already been fixed in unstable with the upload of weechat 0.3.9.1-1 a few hours ago. The diff is attached. Thanks for your replies. Regards, M. -- Emmanuel Bouthenot mail: kolter@{openics,debian}.org gpg: 4096R/0x929D42C3 xmpp: kol...@im.openics.org irc: kolter@{freenode,oftc}
diff --git a/debian/changelog b/debian/changelog
index e7a34cb..70a57d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+weechat (0.3.8-2wheezy1) testing-proposed-updates; urgency=high
+
+ * Add a patch to fix a crash while decoding IRC colors in strings. A remote
+ attacker could exploit this issue by forging malicious IRC messages
+ (Closes: #693026)
+
+ -- Emmanuel Bouthenot <kol...@debian.org> Mon, 12 Nov 2012 00:14:24 +0100
+
 weechat (0.3.8-1) unstable; urgency=low

 * New upstream release
diff --git a/debian/patches/fix_crash_with_irc_colors b/debian/patches/fix_crash_with_irc_colors
new file mode 100644
index 0000000..af95ed1
--- /dev/null
+++ b/debian/patches/fix_crash_with_irc_colors
@@ -0,0 +1,139 @@
+From: Sebastien Helleu <flashc...@flashtux.org>
+Description: fix crash when decoding IRC colors in strings
+Origin: upstream, http://git.savannah.gnu.org/gitweb/?p=weechat.git;a=commitdiff;h=80f477f2c37b46bafcde1a35660cf095a95a05c4
+Bug: http://savannah.nongnu.org/bugs/?37704
+Bug-Debian: http://bugs.debian.org/693026
+Forwarded: not-needed
+Last-Update: 2012-11-12
+--- a/src/plugins/irc/irc-color.c
++++ b/src/plugins/irc/irc-color.c
+@@ -62,13 +62,15 @@ char *irc_color_to_weechat[IRC_NUM_COLORS] =
+ char *
+ irc_color_decode (const char *string, int keep_colors)
+ {
+- unsigned char *out, *ptr_string;
+- int out_length, length, out_pos;
+- char str_fg[3], str_bg[3], str_color[128], str_key[128];
++ unsigned char *out, *out2, *ptr_string;
++ int out_length, length, out_pos, length_to_add;
++ char str_fg[3], str_bg[3], str_color[128], str_key[128], str_to_add[128];
+ const char *remapped_color;
+ int fg, bg, bold, reverse, italic, underline, rc;
+
+ out_length = (strlen (string) * 2) + 1;
++ if (out_length < 128)
++ out_length = 128;
+ out = malloc (out_length);
+ if (!out)
+ return NULL;
+@@ -80,20 +82,27 @@ irc_color_decode (const char *string, int keep_colors)
+
+ ptr_string = (unsigned char *)string;
+ out[0] = '\0';
++ out_pos = 0;
+ while (ptr_string && ptr_string[0])
+ {
++ str_to_add[0] = '\0';
+ switch (ptr_string[0])
+ {
+ case IRC_COLOR_BOLD_CHAR:
+ if (keep_colors)
+- strcat ((char *)out,
+- weechat_color((bold) ? "-bold" : "bold"));
++ {
++ snprintf (str_to_add, sizeof (str_to_add), "%s",
++ weechat_color ((bold) ?
"-bold" : "bold"));
++ }
+ bold ^= 1;
+ ptr_string++;
+ break;
+ case IRC_COLOR_RESET_CHAR:
+ if (keep_colors)
+- strcat ((char *)out, weechat_color("reset"));
++ {
++ snprintf (str_to_add, sizeof (str_to_add), "%s",
++ weechat_color ("reset"));
++ }
+ bold = 0;
+ reverse = 0;
+ italic = 0;
+@@ -106,22 +115,28 @@ irc_color_decode (const char *string, int keep_colors)
+ case IRC_COLOR_REVERSE_CHAR:
+ case IRC_COLOR_REVERSE2_CHAR:
+ if (keep_colors)
+- strcat ((char *)out,
+- weechat_color((reverse) ? "-reverse" : "reverse"));
++ {
++ snprintf (str_to_add, sizeof (str_to_add), "%s",
++ weechat_color ((reverse) ? "-reverse" : "reverse"));
++ }
+ reverse ^= 1;
+ ptr_string++;
+ break;
+ case IRC_COLOR_ITALIC_CHAR:
+ if (keep_colors)
+- strcat ((char *)out,
+- weechat_color((italic) ? "-italic" : "italic"));
++ {
++ snprintf (str_to_add, sizeof (str_to_add), "%s",
++ weechat_color ((italic) ? "-italic" : "italic"));
++ }
+ italic ^= 1;
+ ptr_string++;
+ break;
+ case IRC_COLOR_UNDERLINE_CHAR:
+ if (keep_colors)
+- strcat ((char *)out,
+- weechat_color((underline) ? "-underline" : "underline"));
++ {
++ snprintf (str_to_add, sizeof (str_to_add), "%s",
++ weechat_color ((underline) ? "-underline" : "underline"));
++ }
+ underline ^= 1;
+ ptr_string++;
+ break;
+@@ -194,22 +209,39 @@ irc_color_decode (const char *string, int keep_colors)
+ (bg >= 0) ? "," : "",
+ (bg >= 0) ?
irc_color_to_weechat[bg] : "");
+ }
+- strcat ((char *)out, weechat_color(str_color));
++ snprintf (str_to_add, sizeof (str_to_add), "%s",
++ weechat_color (str_color));
+ }
+ else
+- strcat ((char *)out, weechat_color("resetcolor"));
++ {
++ snprintf (str_to_add, sizeof (str_to_add), "%s",
++ weechat_color ("resetcolor"));
++ }
+ }
+ break;
+ default:
+ length = weechat_utf8_char_size ((char *)ptr_string);
+ if (length == 0)
+ length = 1;
+- out_pos = strlen ((char *)out);
+- memcpy (out + out_pos, ptr_string, length);
+- out[out_pos + length] = '\0';
++ memcpy (str_to_add, ptr_string, length);
++ str_to_add[length] = '\0';
+ ptr_string += length;
+ break;
+ }
++ if (str_to_add[0])
++ {
++ length_to_add = strlen (str_to_add);
++ if (out_pos + length_to_add >= out_length)
++ {
++ out_length *= 2;
++ out2 = realloc (out, out_length);
++ if (!out2)
++ return (char *)out;
++ out = out2;
++ }
++ memcpy (out + out_pos, str_to_add, length_to_add + 1);
++ out_pos += length_to_add;
++ }
+ }
+
+ return (char *)out;
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..697c809
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+fix_crash_with_irc_colors
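Review bot: The append block at the end of the loop body (`if (out_pos + length_to_add >= out_length)`) grows the buffer by a single `out_length *= 2`, which is only sufficient because `out_length` is floored at 128 and `str_to_add` is 128 bytes, so `length_to_add` is at most 127 (assuming `weechat_utf8_char_size` never returns more than that); none of this coupling is written down, and changing either size later would silently reintroduce the overflow this patch fixes. I would add a comment above that check, e.g. `/* one doubling always suffices: out_length >= 128 and length_to_add <= sizeof (str_to_add) - 1 */`. When `realloc` fails the function returns the output truncated at `out_pos` as an ordinary NUL-terminated string, so callers cannot distinguish a partial decode from a complete one; if that is the intended best-effort behaviour, a comment on `return (char *)out;` saying so would help the reader. The closing brace of `irc_color_decode` lies outside the hunk.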