Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package irssi

The update has just a one-line fix for CVE-2023-29132 applied. See #1033785 about it.

[ Reason ]
Fixes a security issue.

[ Risks ]
It's one line that got removed, so the code change is trivial.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock irssi/1.4.3-2

-- 
If you feel discouraged, finally take courage, go  |
If you feel helpless, go out and help, go          | Wir sind Helden
If you feel powerless, go out and act, go          | 23.55: Alles auf Anfang
If you feel adrift, find a hold and let go         |
diff -Nru irssi-1.4.3/debian/changelog irssi-1.4.3/debian/changelog --- irssi-1.4.3/debian/changelog 2022-11-04 04:12:48.000000000 +0100 +++ irssi-1.4.3/debian/changelog 2023-04-14 10:25:21.000000000 +0200 @@ -1,3 +1,9 @@ +irssi (1.4.3-2) unstable; urgency=critical + + * Pull commit c554a4 from upstream to fix CVE-2023-29132 (closes: #1033785) + + -- Rhonda D'Vine <rho...@debian.org> Fri, 14 Apr 2023 10:25:21 +0200 + irssi (1.4.3-1) unstable; urgency=medium * New upstream release. diff -Nru irssi-1.4.3/debian/patches/04fix_stale_special_collector irssi-1.4.3/debian/patches/04fix_stale_special_collector --- irssi-1.4.3/debian/patches/04fix_stale_special_collector 1970-01-01 01:00:00.000000000 +0100 +++ irssi-1.4.3/debian/patches/04fix_stale_special_collector 2023-04-14 10:23:46.000000000 +0200 @@ -0,0 +1,20 @@ +From c554a45738712219c066897b09a44d99afeb4240 Mon Sep 17 00:00:00 2001 +From: Ailin Nemui <ailin@d5421s.localdomain> +Date: Sun, 26 Mar 2023 23:36:41 +0200 +Subject: [PATCH] fix stale special collector use after free + +reported by ednash and investigated by @dwfreed +--- + src/fe-text/textbuffer-formats.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/src/fe-text/textbuffer-formats.c ++++ b/src/fe-text/textbuffer-formats.c +@@ -213,7 +213,6 @@ + if (!scrollback_format) + return; + +- special_push_collector(NULL); + info = store_lineinfo_tmp(dest); + + info->format = format_rec_new(NULL, NULL, 2, (const char *[]){ NULL, text }); diff -Nru irssi-1.4.3/debian/patches/series irssi-1.4.3/debian/patches/series --- irssi-1.4.3/debian/patches/series 2022-07-16 21:12:10.000000000 +0200 +++ irssi-1.4.3/debian/patches/series 2023-04-14 10:23:24.000000000 +0200 @@ -1,6 +1,7 @@ 01chanmode_expando_strip 02ctcp_version_reply 03firsttimer_text +04fix_stale_special_collector 12manpage-fix ## disabled for now, Ubuntu-only patch. #20fix_ssl_proxy_hostname_check
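Review bot: In the debian/changelog hunk, the new 1.4.3-2 entry identifies the upstream fix only as "commit c554a4" and names neither the patch file nor the bug class. The patch header carries the full hash c554a45738712219c066897b09a44d99afeb4240 and the subject "fix stale special collector use after free", so I would quote a longer hash prefix and mention debian/patches/04fix_stale_special_collector and the use after free in the entry, so the upload can be audited from the changelog without opening the patch.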
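Review bot: In debian/patches/04fix_stale_special_collector, the header does not say why dropping `special_push_collector(NULL);` in the `@@ -213,7 +213,6 @@` hunk of src/fe-text/textbuffer-formats.c is the complete fix, and the trailing context lines do not show whether a call that pops the collector remains later in the function. Please confirm against the full function that nothing is left unpaired by the removal, and consider adding Origin and Bug-Debian fields (DEP-3 style) pointing at the upstream commit and #1033785 so the provenance is recorded in the patch itself.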