Hi, * Adam D. Barratt <a...@adam-barratt.org.uk> [2016-09-24 21:24:18 CEST]: > On Sat, 2016-09-24 at 21:18 +0200, Rhonda D'Vine wrote: > > The patch that upstream provides is this: > > https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a > > > > I uploaded it to unstable already and would like to push it to stable, > > too. > > That looks okay, but please could we have a source debdiff for the > proposed upload, as built and hopefully tested on jessie.
I commited it locally to my git, the attached diff is "git diff HEAD^.." which was the commit from the security update. Thanks, Rhonda -- Fühlst du dich mutlos, fass endlich Mut, los | Fühlst du dich hilflos, geh raus und hilf, los | Wir sind Helden Fühlst du dich machtlos, geh raus und mach, los | 23.55: Alles auf Anfang Fühlst du dich haltlos, such Halt und lass los |
diff --git a/debian/changelog b/debian/changelog index 364754f..79b5c38 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +irssi (0.8.17-1+deb8u2) jessie; urgency=high + + * New patch 23fix-buf.pl to fix an information exposure issue involved with + using buf.pl and /upgrade (closes: #838762) + + -- Rhonda D'Vine <rho...@debian.org> Sat, 24 Sep 2016 16:10:19 +0200 + irssi (0.8.17-1+deb8u1) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff --git a/debian/patches/23fix-buf.pl b/debian/patches/23fix-buf.pl new file mode 100644 index 0000000..27963fd --- /dev/null +++ b/debian/patches/23fix-buf.pl @@ -0,0 +1,103 @@ +Author: Rhonda D'Vine <rho...@debian.org> vim:ft=diff: +Description: Fix information exposure during /upgrade, BTS #838762 + +--- a/scripts/buf.pl ++++ b/scripts/buf.pl +@@ -5,7 +5,7 @@ use Irssi qw(command signal_add signal_a + settings_get_str settings_get_bool channels windows + settings_add_str settings_add_bool get_irssi_dir + window_find_refnum signal_stop); +-$VERSION = '2.13'; ++$VERSION = '2.20'; + %IRSSI = ( + authors => 'Juerd', + contact => 'ju...@juerd.nl', +@@ -13,10 +13,8 @@ $VERSION = '2.13'; + description => 'Saves the buffer for /upgrade, so that no information is lost', + license => 'Public Domain', + url => 'http://juerd.nl/irssi/', +- changed => 'Mon May 13 19:41 CET 2002', +- changes => 'Severe formatting bug removed * oops, I ' . +- 'exposed Irssi to ircII foolishness * sorry ' . +- '** removed logging stuff (this is a fix)', ++ changed => 'Thu Sep 22 01:37 CEST 2016', ++ changes => 'Fixed file permissions (leaked everything via filesystem)', + note1 => 'This script HAS TO BE in your scripts/autorun!', + note2 => 'Perl support must be static or in startup', + ); +@@ -39,9 +37,15 @@ use Data::Dumper; + + my %suppress; + ++sub _filename { sprintf '%s/scrollbuffer', get_irssi_dir } ++ + sub upgrade { +- open BUF, q{>}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!; +- print BUF join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n"; ++ my $fn = _filename; ++ my $old_umask = umask 0077; ++ open my $fh, q{>}, $fn or die "open $fn: $!"; ++ umask $old_umask; ++ ++ print $fh join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n"; + for my $window (windows) { + next unless defined $window; + next if $window->{name} eq 'status'; +@@ -57,36 +61,39 @@ sub upgrade { + redo if defined $line; + } + } +- printf BUF "%s:%s\n%s", $window->{refnum}, $lines, $buf; ++ printf $fh "%s:%s\n%s", $window->{refnum}, $lines, $buf; + } +- close BUF; ++ close $fh; + unlink sprintf("%s/sessionconfig", get_irssi_dir); + command 'layout save'; + command 'save'; + } + + sub restore { +- open BUF, q{<}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!; +- my @suppress = split /\0/, <BUF>; ++ my $fn = _filename; ++ open my $fh, q{<}, $fn or die "open $fn: $!"; ++ unlink $fn or warn "unlink $fn: $!"; ++ ++ my @suppress = split /\0/, readline $fh; + if (settings_get_bool 'upgrade_suppress_join') { + chomp $suppress[-1]; + @suppress{@suppress} = (2) x @suppress; + } + active_win->command('^window scroll off'); +- while (my $bla = <BUF>){ ++ while (my $bla = readline $fh){ + chomp $bla; + my ($refnum, $lines) = split /:/, $bla; + next unless $lines; + my $window = window_find_refnum $refnum; + unless (defined $window){ +- <BUF> for 1..$lines; ++ readline $fh for 1..$lines; + next; + } + my $view = $window->view; + $view->remove_all_lines(); + $view->redraw(); + my $buf = ''; +- $buf .= <BUF> for 1..$lines; ++ $buf .= readline $fh for 1..$lines; + my $sep = settings_get_str 'upgrade_separator'; + $sep .= "\n" if $sep ne ''; + $window->gui_printtext_after(undef, MSGLEVEL_CLIENTNOTICE, "$buf\cO$sep"); +@@ -119,3 +126,10 @@ signal_add 'event join' => 's + unless (-f sprintf('%s/scripts/autorun/buf.pl', get_irssi_dir)) { + Irssi::print('PUT THIS SCRIPT IN ~/.irssi/scripts/autorun/ BEFORE /UPGRADING!!'); + } ++ ++# Remove any left-over file. If 'session' doesn't exist (created by irssi ++# during /UPGRADE), neither should our file. ++unless (-e sprintf('%s/session', get_irssi_dir)) { ++ my $fn = _filename; ++ unlink $fn or warn "unlink $fn: $!" if -e $fn; ++} diff --git a/debian/patches/series b/debian/patches/series index fd87a01..50251de 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,4 @@ ## disabled for now, doesn't apply in new codebase, ahf takes a look #20fix_ssl_proxy_hostname_check 21_CVE-2016-7044_CVE-2016-7045.patch +23fix-buf.pl