Source: scrollz
Followup-For: Bug #986215

(As scrollz seems to be dead upstream / unmaintained, I'm not going to fix
this, as the risk of breaking things is quite big, but I want to document my triaging.)

Looking at the diff for ircii version 20210314, which fixes this CVE
(the ircii bug is #986214), the relevant changes seem to be those below.
(Of course, the sources have diverged a bit, so the patch can only serve
as inspiration.)

--- /home/tobi/workspace/deb/bsp/scrollz/ircii-20190117/source/ctcp.c
+++ /home/tobi/workspace/deb/bsp/scrollz/ircii-20210314/source/ctcp.c
@@ -33,7 +33,7 @@
  */
 
 #include "irc.h"
-IRCII_RCSID("@(#)$eterna: ctcp.c,v 1.107 2017/11/02 00:41:42 mrg Exp $");
+IRCII_RCSID("@(#)$eterna: ctcp.c,v 1.110 2021/03/14 18:22:31 mrg Exp $");
 
 #include <pwd.h>
 
@@ -342,6 +342,7 @@
                        "%s :Use CLIENTINFO <COMMAND> to get more specific 
information",
                        buffer);
                new_free(&buffer);
+               sl_free(sl, 0);
        }
        return NULL;
 }
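Review bot: The new `sl_free(sl, 0);` passes a bare `0` whose meaning is not visible in the hunk. If it follows the stringlist(3) convention, 0 releases only the list and leaves the item strings alone, which is correct only when the list does not own them. Once confirmed, a comment such as `/* 0: entries are not owned by the list, free the list only */` would record that. The call sits inside the block that closes here and the function starts outside the hunk, so whether `sl` is also released on the other return paths cannot be checked from this excerpt.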
@@ -536,12 +537,23 @@
 {
        time_t  tm;
        u_char  *date = NULL;
+       char    *curtime;
 
        if (!args || !*args)
                return NULL;
        tm = my_atol(args);
-       malloc_strcpy(&date, UP(ctime(&tm)));
-       date[my_strlen(date)-1] = '\0';
+       curtime = ctime(&tm);
+       if (curtime)
+       {
+               u_char *s = my_index(curtime, '\n');
+               if (s)
+                       *s = '\0';
+
+               malloc_strcpy(&date, UP(curtime));
+       }
+       else
+               /* if we can't find a time, just return the number */
+               malloc_strcpy(&date, args);
        return date;
 }
 
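Review bot: The fallback `malloc_strcpy(&date, args);` copies the whole argument rather than "the number" its comment promises, and in ctcp.c that argument presumably comes from the remote peer. `my_atol()` appears to consume only a leading number, so any trailing text in `args` is handed back unchanged to whatever displays `date`. Returning a rendering of `tm`, or rejecting `args` that is not all digits, would keep the result numeric. Minor: `my_index()` is called on a `char *` and assigned to a `u_char *` without the `UP()` wrapper used at the `malloc_strcpy` call, so `u_char *s = my_index(UP(curtime), '\n');` would be consistent if `my_index()` takes `u_char *`. The function's signature is above the hunk.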
@@ -807,9 +819,10 @@
                if (do_hook(CTCP_REPLY_LIST, "%s %s %s %s", from, to, cmd,
                                args) && !(flags & CTCP_NOREPLY))
                {
+                       u_char  buf[20];
+
                        if (!my_strcmp(cmd, "PING"))
                        {
-                               u_char  buf[20];
                                time_t  timediff,
                                        currenttime;
 
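Review bot: `u_char buf[20];` is now shared by the whole reply block, but the code that writes into it lies outside the hunk, so its bound cannot be checked here. If a `time_t` is formatted into it, a 64-bit value can need 20 characters plus the terminator, one more than the array holds. `u_char buf[32];` together with a `sizeof buf` limit at each write would remove the guesswork. A short comment naming what the buffer holds would also help, since the 20 is unexplained.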
