Hello community, here is the log from the commit of package irssi for openSUSE:Factory checked in at 2016-10-10 16:23:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/irssi (Old) and /work/SRC/openSUSE:Factory/.irssi.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "irssi" Changes: -------- --- /work/SRC/openSUSE:Factory/irssi/irssi.changes 2016-09-30 15:35:48.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.irssi.new/irssi.changes 2016-10-10 16:23:43.000000000 +0200 @@ -1,0 +2,6 @@ +Thu Oct 6 11:31:53 UTC 2016 - meiss...@suse.com + +- irssi-0.8.20-buf.pl.patch: Fixed a information disclosure in buf.pl + (CVE-2016-7553 bsc#1001215) + +------------------------------------------------------------------- New: ---- irssi-0.8.20-buf.pl.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ irssi.spec ++++++ --- /var/tmp/diff_new_pack.EhpWpn/_old 2016-10-10 16:23:45.000000000 +0200 +++ /var/tmp/diff_new_pack.EhpWpn/_new 2016-10-10 16:23:45.000000000 +0200 @@ -50,6 +50,8 @@ Source4: %{name}.keyring Source99: irssi-rpmlintrc Patch: irssi-0.8.15_ssl_proxy.patch +# PATCH-FIX-UPSTREAM irssi-0.8.20-buf.pl.patch 1001215 CVE-2016-7553: +Patch1: irssi-0.8.20-buf.pl.patch # PATCH-FIX-OPENSUSE irssi-0.8.16_missing_prototype_warnings.patch Patch2: irssi-0.8.16_missing_prototype_warnings.patch # @@ -99,7 +101,7 @@ %prep %setup -q -#patch +%patch1 -p1 %patch2 %build ++++++ irssi-0.8.20-buf.pl.patch ++++++ --- irssi/scripts/buf.pl 2016-08-11 14:59:21.000000000 +0200 +++ irssi/scripts/buf.pl 2016-10-06 13:27:20.747016000 +0200 @@ -5,7 +5,7 @@ settings_get_str settings_get_bool channels windows settings_add_str settings_add_bool get_irssi_dir window_find_refnum signal_stop); -$VERSION = '2.13'; +$VERSION = '2.20'; %IRSSI = ( authors => 'Juerd', contact => 'ju...@juerd.nl', 
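Review bot: The tag comment above `Patch1` in irssi.spec ends in a bare colon and gives the bug number without its tracker prefix, while the irssi.changes entry in the same commit writes `bsc#1001215`. A complete line would read `# PATCH-FIX-UPSTREAM irssi-0.8.20-buf.pl.patch bsc#1001215 CVE-2016-7553 -- fix scrollbuffer file permissions in buf.pl`, so the spec explains the patch without needing the changelog.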
@@ -13,10 +13,8 @@ description => 'Saves the buffer for /upgrade, so that no information is lost', license => 'Public Domain', url => 'http://juerd.nl/irssi/', - changed => 'Mon May 13 19:41 CET 2002', - changes => 'Severe formatting bug removed * oops, I ' . - 'exposed Irssi to ircII foolishness * sorry ' . - '** removed logging stuff (this is a fix)', + changed => 'Thu Sep 22 01:37 CEST 2016', + changes => 'Fixed file permissions (leaked everything via filesystem)', note1 => 'This script HAS TO BE in your scripts/autorun!', note2 => 'Perl support must be static or in startup', ); @@ -39,9 +37,15 @@ my %suppress; +sub _filename { sprintf '%s/scrollbuffer', get_irssi_dir } + sub upgrade { - open BUF, q{>}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!; - print BUF join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n"; + my $fn = _filename; + my $old_umask = umask 0077; + open my $fh, q{>}, $fn or die "open $fn: $!"; + umask $old_umask; + + print $fh join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n"; for my $window (windows) { next unless defined $window; next if $window->{name} eq 'status'; 
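Review bot: In `upgrade`, the `umask 0077` around `open my $fh, q{>}, $fn` only sets the mode of a newly created file. If `scrollbuffer` already exists, for example one left behind by the older script version, `>` truncates it and it keeps its previous, possibly world-readable, mode. Removing it first with `unlink $fn;` or tightening the handle afterwards with `chmod 0600, $fh or die "chmod $fn: $!";` closes that gap. Separately, `die` fires before `umask $old_umask` runs, so a failed open leaves the process umask at 0077; restoring the umask before testing the result of `open` avoids that. The body of `upgrade` continues beyond this hunk.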
@@ -57,36 +61,39 @@ redo if defined $line; } } - printf BUF "%s:%s\n%s", $window->{refnum}, $lines, $buf; + printf $fh "%s:%s\n%s", $window->{refnum}, $lines, $buf; } - close BUF; + close $fh; unlink sprintf("%s/sessionconfig", get_irssi_dir); command 'layout save'; command 'save'; } sub restore { - open BUF, q{<}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!; - my @suppress = split /\0/, <BUF>; + my $fn = _filename; + open my $fh, q{<}, $fn or die "open $fn: $!"; + unlink $fn or warn "unlink $fn: $!"; + + my @suppress = split /\0/, readline $fh; if (settings_get_bool 'upgrade_suppress_join') { chomp $suppress[-1]; @suppress{@suppress} = (2) x @suppress; } active_win->command('^window scroll off'); - while (my $bla = <BUF>){ + while (my $bla = readline $fh){ chomp $bla; my ($refnum, $lines) = split /:/, $bla; next unless $lines; my $window = window_find_refnum $refnum; unless (defined $window){ - <BUF> for 1..$lines; + readline $fh for 1..$lines; next; } my $view = $window->view; $view->remove_all_lines(); $view->redraw(); my $buf = ''; - $buf .= <BUF> for 1..$lines; + $buf .= readline $fh for 1..$lines; my $sep = settings_get_str 'upgrade_separator'; $sep .= "\n" if $sep ne ''; $window->gui_printtext_after(undef, MSGLEVEL_CLIENTNOTICE, "$buf\cO$sep"); @@ -119,3 +126,10 @@ unless (-f sprintf('%s/scripts/autorun/buf.pl', get_irssi_dir)) { Irssi::print('PUT THIS SCRIPT IN ~/.irssi/scripts/autorun/ BEFORE /UPGRADING!!'); } + +# Remove any left-over file. If 'session' doesn't exist (created by irssi +# during /UPGRADE), neither should our file. +unless (-e sprintf('%s/session', get_irssi_dir)) { + my $fn = _filename; + unlink $fn or warn "unlink $fn: $!" if -e $fn; +}
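Review bot: At the end of `upgrade`, `printf $fh` and `close $fh` are unchecked, so a short write (full disk, quota) leaves a truncated dump with no diagnostic. `restore` then reads that dump and, with the new `unlink $fn` right after the open, removes it. Buffered write errors surface at close, so `close $fh or die "close $fn: $!";` is the cheapest place to catch them before `sessionconfig` is unlinked. `upgrade` begins before this hunk and `restore` appears to continue past it.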
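Review bot: In the trailing cleanup block, `unlink $fn or warn "unlink $fn: $!" if -e $fn` tests and then removes in two steps, and `-e` follows symlinks, so a dangling symlink at that path is silently skipped. Calling unlink unconditionally and tolerating only a missing file is simpler and has no gap between check and action: `unlink $fn or $!{ENOENT} or warn "unlink $fn: $!";`. As far as this hunk shows, the block runs only when the script is loaded, which would be worth stating in its comment.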