Source: scrollz Followup-For: Bug #986215 (As scrollz seems to be dead upstream / unmaintained, I'm not going to fix this, as the risk of breaking things is quite high, but I want to document my triaging)
Looking at the diff for the ircii version 20210314 that fixes this CVE, (ircii bug is #986214), the relevant changes seems to be that below. (Of course, sources have diverged a bit, so the patch only can serve as inspiration.)
--- /home/tobi/workspace/deb/bsp/scrollz/ircii-20190117/source/ctcp.c
+++ /home/tobi/workspace/deb/bsp/scrollz/ircii-20210314/source/ctcp.c
@@ -33,7 +33,7 @@
 */
 #include "irc.h"
-IRCII_RCSID("@(#)$eterna: ctcp.c,v 1.107 2017/11/02 00:41:42 mrg Exp $");
+IRCII_RCSID("@(#)$eterna: ctcp.c,v 1.110 2021/03/14 18:22:31 mrg Exp $");
 #include <pwd.h>
@@ -342,6 +342,7 @@
 "%s :Use CLIENTINFO <COMMAND> to get more specific information", buffer);
 new_free(&buffer);
+ sl_free(sl, 0);
 }
 return NULL;
 }
@@ -536,12 +537,23 @@
 {
 time_t tm;
 u_char *date = NULL;
+ char *curtime;
 if (!args || !*args) return NULL;
 tm = my_atol(args);
- malloc_strcpy(&date, UP(ctime(&tm)));
- date[my_strlen(date)-1] = '\0';
+ curtime = ctime(&tm);
+ if (curtime)
+ {
+ u_char *s = my_index(curtime, '\n');
+ if (s)
+ *s = '\0';
+ malloc_strcpy(&date, UP(curtime));
+ }
+ else
+ /* if we can't find a time, just return the number */
+ malloc_strcpy(&date, args);
 return date;
 }
@@ -807,9 +819,10 @@
 if (do_hook(CTCP_REPLY_LIST, "%s %s %s %s", from, to, cmd, args) && !(flags & CTCP_NOREPLY)) {
+ u_char buf[20];
+ if (!my_strcmp(cmd, "PING")) {
- u_char buf[20];
 time_t timediff, currenttime;
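Review bot: In the `@@ -536,12 +537,23 @@` hunk the added `u_char *s = my_index(curtime, '\n');` passes the `char *` returned by ctime() without the `UP()` cast that the same hunk applies on `malloc_strcpy(&date, UP(curtime));` a few lines later; if my_index takes a `u_char *`, as that cast suggests, this is a sign-mismatch warning and should read `u_char *s = my_index(UP(curtime), '\n');`. The substance of the fix is what a scrollz port needs to carry over: `tm` is derived by `my_atol(args)` from peer-supplied CTCP text, ctime() can return NULL for a value it cannot format, and the removed `date[my_strlen(date)-1] = '\0';` indexed the copied result without any check, so the NULL test on the ctime() result is the essential part, whatever the local helper names are. The `else` arm carries a comment plus one statement without braces while the `if (curtime)` arm is braced; wrapping it as `else { ... }` keeps the two arms symmetric and avoids a dangling-statement mistake on a later edit. The enclosing function's signature is outside the hunk.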