Hello community,

here is the log from the commit of package irssi for openSUSE:Factory checked 
in at 2016-10-10 16:23:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/irssi (Old)
 and      /work/SRC/openSUSE:Factory/.irssi.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "irssi"

Changes:
--------
--- /work/SRC/openSUSE:Factory/irssi/irssi.changes      2016-09-30 
15:35:48.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.irssi.new/irssi.changes 2016-10-10 
16:23:43.000000000 +0200
@@ -1,0 +2,6 @@
+Thu Oct  6 11:31:53 UTC 2016 - meiss...@suse.com
+
+- irssi-0.8.20-buf.pl.patch: Fixed a information disclosure in buf.pl
+  (CVE-2016-7553 bsc#1001215)
+
+-------------------------------------------------------------------

New:
----
  irssi-0.8.20-buf.pl.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ irssi.spec ++++++
--- /var/tmp/diff_new_pack.EhpWpn/_old  2016-10-10 16:23:45.000000000 +0200
+++ /var/tmp/diff_new_pack.EhpWpn/_new  2016-10-10 16:23:45.000000000 +0200
@@ -50,6 +50,8 @@
 Source4:        %{name}.keyring
 Source99:       irssi-rpmlintrc
 Patch:          irssi-0.8.15_ssl_proxy.patch
+# PATCH-FIX-UPSTREAM irssi-0.8.20-buf.pl.patch 1001215 CVE-2016-7553:
+Patch1:         irssi-0.8.20-buf.pl.patch
 # PATCH-FIX-OPENSUSE irssi-0.8.16_missing_prototype_warnings.patch
 Patch2:         irssi-0.8.16_missing_prototype_warnings.patch
 #
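Review bot: The new `# PATCH-FIX-UPSTREAM` line ends in a dangling colon with no description and gives the bug number without the `bsc#` prefix used in the changes entry. Something like `# PATCH-FIX-UPSTREAM irssi-0.8.20-buf.pl.patch bsc#1001215 CVE-2016-7553 -- create scrollbuffer with owner-only permissions` would state what the patch does, which is what the tag line is for. The `%patch1 -p1` in the second hunk matches the `irssi/scripts/buf.pl` prefix in the patch headers, so the strip level appears consistent.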
@@ -99,7 +101,7 @@
 
 %prep
 %setup -q
-#patch
+%patch1 -p1
 %patch2
 
 %build

++++++ irssi-0.8.20-buf.pl.patch ++++++
--- irssi/scripts/buf.pl        2016-08-11 14:59:21.000000000 +0200
+++ irssi/scripts/buf.pl        2016-10-06 13:27:20.747016000 +0200
@@ -5,7 +5,7 @@
              settings_get_str settings_get_bool channels windows
             settings_add_str settings_add_bool get_irssi_dir
             window_find_refnum signal_stop);
-$VERSION = '2.13';
+$VERSION = '2.20';
 %IRSSI = (
     authors    => 'Juerd',
     contact    => 'ju...@juerd.nl',
@@ -13,10 +13,8 @@
     description        => 'Saves the buffer for /upgrade, so that no 
information is lost',
     license    => 'Public Domain',
     url                => 'http://juerd.nl/irssi/',
-    changed    => 'Mon May 13 19:41 CET 2002',
-    changes    => 'Severe formatting bug removed * oops, I ' .
-                   'exposed Irssi to ircII foolishness * sorry ' .
-                  '** removed logging stuff (this is a fix)',
+    changed    => 'Thu Sep 22 01:37 CEST 2016',
+    changes    => 'Fixed file permissions (leaked everything via filesystem)',
     note1      => 'This script HAS TO BE in your scripts/autorun!',
     note2      => 'Perl support must be static or in startup',
 );
@@ -39,9 +37,15 @@
 
 my %suppress;
 
+sub _filename { sprintf '%s/scrollbuffer', get_irssi_dir }
+
 sub upgrade {
-    open BUF, q{>}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!;
-    print BUF join("\0", map $_->{server}->{address} . $_->{name}, channels), 
"\n";
+    my $fn = _filename;
+    my $old_umask = umask 0077;
+    open my $fh, q{>}, $fn or die "open $fn: $!";
+    umask $old_umask;
+
+    print $fh join("\0", map $_->{server}->{address} . $_->{name}, channels), 
"\n";
     for my $window (windows) {
        next unless defined $window;
        next if $window->{name} eq 'status';
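Review bot: The `umask 0077` only governs the mode of a file that `open` creates; if a scrollbuffer written by the previous script version already exists at the path on line 94, `>` truncates it but keeps its old, possibly world-readable, mode, and the umask is also never restored when the `die` on that line fires inside a running irssi. Proposed lines: `open my $fh, q{>}, $fn or do { umask $old_umask; die "open $fn: $!" };` and, after the umask is restored, `chmod 0600, $fh or warn "chmod $fn: $!";` (passing the handle uses fchmod where available, avoiding a second path lookup). The load-time cleanup added at the end of the patch appears to remove a leftover only when no `session` file exists, so it does not cover every stale-file case. upgrade's body continues past the end of this hunk.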
@@ -57,36 +61,39 @@
                redo if defined $line;
            }
        }
-       printf BUF "%s:%s\n%s", $window->{refnum}, $lines, $buf;
+       printf $fh "%s:%s\n%s", $window->{refnum}, $lines, $buf;
     }
-    close BUF;
+    close $fh;
     unlink sprintf("%s/sessionconfig", get_irssi_dir);
     command 'layout save';
     command 'save';
 }
 
 sub restore {
-    open BUF, q{<}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!;
-    my @suppress = split /\0/, <BUF>;
+    my $fn = _filename;
+    open my $fh, q{<}, $fn or die "open $fn: $!";
+    unlink $fn or warn "unlink $fn: $!";
+
+    my @suppress = split /\0/, readline $fh;
     if (settings_get_bool 'upgrade_suppress_join') {
        chomp $suppress[-1];
        @suppress{@suppress} = (2) x @suppress;
     }
     active_win->command('^window scroll off');
-    while (my $bla = <BUF>){
+    while (my $bla = readline $fh){
        chomp $bla;
        my ($refnum, $lines) = split /:/, $bla;
        next unless $lines;
        my $window = window_find_refnum $refnum;
        unless (defined $window){
-           <BUF> for 1..$lines;
+           readline $fh for 1..$lines;
            next;
        }
        my $view = $window->view;
        $view->remove_all_lines();
        $view->redraw();
        my $buf = '';
-       $buf .= <BUF> for 1..$lines;
+       $buf .= readline $fh for 1..$lines;
        my $sep = settings_get_str 'upgrade_separator';
        $sep .= "\n" if $sep ne '';
        $window->gui_printtext_after(undef, MSGLEVEL_CLIENTNOTICE, 
"$buf\cO$sep");
@@ -119,3 +126,10 @@
 unless (-f sprintf('%s/scripts/autorun/buf.pl', get_irssi_dir)) {
     Irssi::print('PUT THIS SCRIPT IN ~/.irssi/scripts/autorun/ BEFORE 
/UPGRADING!!');
 }
+
+# Remove any left-over file. If 'session' doesn't exist (created by irssi
+# during /UPGRADE), neither should our file.
+unless (-e sprintf('%s/session', get_irssi_dir)) {
+    my $fn = _filename;
+    unlink $fn or warn "unlink $fn: $!" if -e $fn;
+}



