Package: release.debian.org User: release.debian....@packages.debian.org Usertags: unblock Severity: normal
Please unblock package scrollz.

This upload fixes a grave bug (#986215) by applying a patch from an upstream PR targeting that specific issue. I've received exploit code from upstream and tested that it is able to crash 2.2.3-1 but not 2.2.3-2.

unblock scrollz/2.2.3-2
diff -Nru scrollz-2.2.3/debian/changelog scrollz-2.2.3/debian/changelog
--- scrollz-2.2.3/debian/changelog 2014-11-05 17:37:01.000000000 -0700
+++ scrollz-2.2.3/debian/changelog 2021-04-29 17:55:12.000000000 -0600
@@ -1,3 +1,11 @@
+scrollz (2.2.3-2) UNRELEASED; urgency=medium
+
+ * Applied patch to ctcp.c to fix CVE-2021-29376 from
+ https://github.com/ScrollZ/ScrollZ/pull/26
+ * Applied minor patch from upstream to the above fix
+
+ -- Mike Markley <m...@markley.org> Thu, 29 Apr 2021 17:55:12 -0600
+
 scrollz (2.2.3-1) unstable; urgency=low
 
 * New release.
diff -Nru scrollz-2.2.3/debian/patches/CVE-2021-29376.patch scrollz-2.2.3/debian/patches/CVE-2021-29376.patch
--- scrollz-2.2.3/debian/patches/CVE-2021-29376.patch 1969-12-31 17:00:00.000000000 -0700
+++ scrollz-2.2.3/debian/patches/CVE-2021-29376.patch 2021-04-29 12:51:47.000000000 -0600
@@ -0,0 +1,46 @@
+diff --git a/source/ctcp.c b/source/ctcp.c
+index b977f9b..32a496a 100644
+--- a/source/ctcp.c
++++ b/source/ctcp.c
+@@ -31,7 +31,7 @@
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+- * $Id: ctcp.c,v 1.56 2009-12-21 14:39:21 f Exp $
++ * $Id: ctcp.c,v 1.56 2021-04-26 19:57:28 t Exp $
+ */
+ 
+ #include "irc.h"
+@@ -1629,14 +1629,29 @@ do_utc(ctcp, from, to, args)
+ *to,
+ *args;
+ {
+- time_t tm;
++ time_t tm = time(NULL),
++ curtime = time(NULL);
+ char *date = NULL;
+ 
+ if (!args || !*args)
+ return NULL;
+ tm = atol(args);
+- malloc_strcpy(&date, ctime(&tm));
+- date[strlen(date)-1] = '\0';
++ curtime = ctime(&tm);
++
++ if (curtime)
++ {
++ u_char *s = index(curtime, '\n');
++ if (s)
++ {
++ *s = '\0';
++ }
++ malloc_strcpy(&date, UP(curtime));
++ }
++ else
++ {
++ /* if we can't find a time, just return the number */
++ malloc_strcpy(&date, args);
++ }
+ return date;
+ }
+ 
diff -Nru scrollz-2.2.3/debian/patches/CVE-2021-29376-update.patch scrollz-2.2.3/debian/patches/CVE-2021-29376-update.patch
--- scrollz-2.2.3/debian/patches/CVE-2021-29376-update.patch 1969-12-31 17:00:00.000000000 -0700
+++ scrollz-2.2.3/debian/patches/CVE-2021-29376-update.patch 2021-04-29 17:55:12.000000000 -0600
@@ -0,0 +1,13 @@
+diff --git a/source/ctcp.c b/source/ctcp.c
+index 32a496a..2b661bd 100644
+--- a/source/ctcp.c
++++ b/source/ctcp.c
+@@ -1630,7 +1630,7 @@ do_utc(ctcp, from, to, args)
+ *args;
+ {
+ time_t tm = time(NULL),
+- curtime = time(NULL);
++ curtime;
+ char *date = NULL;
+ 
+ if (!args || !*args)
diff -Nru scrollz-2.2.3/debian/patches/series scrollz-2.2.3/debian/patches/series
--- scrollz-2.2.3/debian/patches/series 2014-10-22 16:08:28.000000000 -0600
+++ scrollz-2.2.3/debian/patches/series 2021-04-29 17:55:12.000000000 -0600
@@ -4,3 +4,5 @@
 spelling-errors.patch
 rijndael-prototypes.patch
 sys-stat-h.patch
+CVE-2021-29376.patch
+CVE-2021-29376-update.patch
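Review bot: In `do_utc`, `curtime` is still a `time_t` after both patches: CVE-2021-29376.patch declares it in the `time_t tm = time(NULL), curtime = time(NULL);` list and CVE-2021-29376-update.patch only drops the initialiser, yet it receives the `char *` returned by `ctime(&tm)` and is then passed to `index()` and `UP()`. The NULL check that fixes the crash therefore relies on an implicit pointer-to-integer round trip, which truncates wherever `time_t` is narrower than a pointer and which newer compilers diagnose as an error; declaring it as `char *date = NULL, *curtime;` and keeping `time_t tm;` on its own keeps the fix portable. Separately, `tm = atol(args)` still converts the CTCP argument (presumably supplied by the remote peer) with no syntax or range check, so `strtol` with `errno` and end-pointer validation would reject bad input before it reaches `ctime()`. The function's parameter declarations start outside the hunk.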