Hello community,

here is the log from the commit of package irssi for openSUSE:Factory checked 
in at 2018-01-07 17:23:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/irssi (Old)
 and      /work/SRC/openSUSE:Factory/.irssi.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "irssi"

Sun Jan  7 17:23:24 2018 rev:48 rq:562174 version:1.0.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/irssi/irssi.changes      2017-10-23 
16:52:56.529666656 +0200
+++ /work/SRC/openSUSE:Factory/.irssi.new/irssi.changes 2018-01-07 
17:23:28.155380585 +0100
@@ -1,0 +2,15 @@
+Sat Jan  6 13:47:12 UTC 2018 - ailin.ne...@gmail.com
+
+- update to 1.0.6
+  - Fix invalid memory access when reading hilight configuration
+    (#787, #788).
+  - Fix null pointer dereference when the channel topic is set
+    without specifying a sender (GL#20, GL!25). CVE-2018-5206
+  - Fix return of random memory when using incomplete escape
+    codes (GL#21, GL!26). CVE-2018-5205
+  - Fix heap buffer overflow when completing certain strings
+    (GL#19, GL!27). CVE-2018-5208
+  - Fix return of random memory when using an incomplete
+    variable argument (GL#18, GL!28). CVE-2018-5207
+
+-------------------------------------------------------------------

Old:
----
  irssi-1.0.5.tar.xz
  irssi-1.0.5.tar.xz.asc

New:
----
  irssi-1.0.6.tar.xz
  irssi-1.0.6.tar.xz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ irssi.spec ++++++
--- /var/tmp/diff_new_pack.OrRpG4/_old  2018-01-07 17:23:28.811349838 +0100
+++ /var/tmp/diff_new_pack.OrRpG4/_new  2018-01-07 17:23:28.815349650 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package irssi
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 %bcond_with socks
 Name:           irssi
-Version:        1.0.5
+Version:        1.0.6
 Release:        0
 #
 Summary:        Modular, Secure, and Well Designed IRC Client

++++++ irssi-1.0.5.tar.xz -> irssi-1.0.6.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/irssi-1.0.5/ChangeLog new/irssi-1.0.6/ChangeLog
--- old/irssi-1.0.5/ChangeLog   2017-10-20 17:16:49.000000000 +0200
+++ new/irssi-1.0.6/ChangeLog   2018-01-05 00:07:44.000000000 +0100
@@ -1,42 +1,80 @@
-commit 7a770022be9a77aeda7af4b7090fb780a23c3b4e
+commit fe6e377beb57a11ce47683055834722e0ed6ba2b
+Author: ailin-nemui <ailin-ne...@users.noreply.github.com>
+Date:   Fri Jan 5 00:04:58 2018 +0100
+
+    tag as 1.0.6
+
+commit cacb48e4f458bc419ae90c5f2f219dacf769a814
+Author: ailin-nemui <ailin-ne...@users.noreply.github.com>
+Date:   Tue Nov 14 08:50:06 2017 +0100
+
+    Merge pull request #788 from LemonBoy/fix-787
+    
+    Keep a copy of the strings coming from the config
+    
+    (cherry picked from commit 933fac7e9d4d1cea93887cb38bab51c938a8c687)
+
+commit aea58025194811d9a92ad7a8d708476e43a4816e
+Author: Nei <ailin.ne...@gmail.com>
+Date:   Thu Jan 4 22:29:29 2018 +0000
+
+    Merge branch 'security' into 'master'
+    
+    Security
+    
+    Closes GL#18, GL#19, GL#20, GL#21
+    
+    See merge request irssi/irssi!29
+    
+    (cherry picked from commit 9df3d92598108b6e68fcc5521cd1fab8462d7ec5)
+
+commit b00b45cf2181a8d40817b000c9a851ce4469d0b5
 Author: ailin-nemui <ailin-ne...@users.noreply.github.com>
 Date:   Fri Oct 20 17:15:30 2017 +0200
 
     tag as 1.0.5
 
-commit eef318301421b0ade7f184543f7165df583744c2
+commit 11f0d046dee47c1965eeeab21faf9219b8144a98
 Author: ailin-nemui <ailin-ne...@users.noreply.github.com>
 Date:   Fri Oct 13 17:14:47 2017 +0200
 
     Merge pull request #769 from horgh/horgh/error-check-server-connect
     
     Set host to an empty string on error
+    
+    (cherry picked from commit 437fbef6eb8f605320841cba119d3abbb3571a75)
 
-commit 404eb0995e3b3ac87d59430250644827a421ed23
+commit 2d0f7bcc5072ca5df1e02797119706c3a60a2f3f
 Author: ailin-nemui <ailin-ne...@users.noreply.github.com>
 Date:   Sun Oct 8 18:50:19 2017 +0200
 
     Merge pull request #763 from rbisewski/master
     
     Improvements to statusbar documentation and help text.
+    
+    (cherry picked from commit 016fd344362ddcc4b1a0781df9ac2416acc54e69)
 
-commit dd53f3fc9601e3d6a07dffe85b985f309a4e87a1
+commit d2bfd44c16a10888a88ee3676a514c474c91c902
 Author: ailin-nemui <ailin-ne...@users.noreply.github.com>
 Date:   Thu Aug 10 16:49:32 2017 +0200
 
     Merge pull request #737 from ailin-nemui/fix-733
     
     Revert "Merge pull request #452 from LemonBoy/terminfo-cup"
+    
+    (cherry picked from commit 13471013f31be1e2f459dfce9bc7425800b2824b)
 
-commit d2ccea03d4bc7dd76b5cdf2df64e2416858fe014
+commit 32d0daf87e7b59e473a78494cf6bdf8c89a48174
 Author: ailin-nemui <ailin-ne...@users.noreply.github.com>
 Date:   Wed Jul 26 10:57:05 2017 +0200
 
     Merge pull request #719 from LemonBoy/sasl-disable-none
     
     Setting sasl_mechanism to '' disables the auth
+    
+    (cherry picked from commit 7b97edf9d1de8c270e4482c85d142303e07525c9)
 
-commit 43e44d553d44e313003cee87e6ea5e24d68b84a1
+commit 29f0ed96d55448f8baad21af6f2b1efdcbbd7000
 Author: Nei <ailin.ne...@gmail.com>
 Date:   Fri Oct 20 13:31:26 2017 +0000
 
@@ -47,6 +85,8 @@
     Closes GL#12, GL#13, GL#14, GL#15, GL#16
     
     See merge request irssi/irssi!23
+    
+    (cherry picked from commit 0557a2cb7c03483012b1557ccb0b23fe0becc264)
 
 commit 527c19803b56cc0ec84050ca63d992fbecadac1e
 Author: Ailin Nemui <ailin@z30a.localdomain>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/irssi-1.0.5/NEWS new/irssi-1.0.6/NEWS
--- old/irssi-1.0.5/NEWS        2017-10-20 17:16:43.000000000 +0200
+++ new/irssi-1.0.6/NEWS        2018-01-05 00:07:25.000000000 +0100
@@ -1,3 +1,15 @@
+v1.0.6 2018-01-07 The Irssi team <st...@irssi.org>
+       - Fix invalid memory access when reading hilight configuration
+          (#787, #788).
+       - Fix null pointer dereference when the channel topic is set
+          without specifying a sender (GL#20, GL!25).
+       - Fix return of random memory when using incomplete escape
+          codes (GL#21, GL!26).
+       - Fix heap buffer overflow when completing certain strings
+          (GL#19, GL!27).
+       - Fix return of random memory when using an incomplete
+          variable argument (GL#18, GL!28).
+
 v1.0.5 2017-10-23  The Irssi team <st...@irssi.org>
        - Fix missing -sasl_method '' in /NETWORK (#718, #719).
        - Fix incorrect restoration of term state when hitting SUSP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/irssi-1.0.5/configure new/irssi-1.0.6/configure
--- old/irssi-1.0.5/configure   2017-10-20 17:16:55.000000000 +0200
+++ new/irssi-1.0.6/configure   2018-01-05 00:07:50.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for irssi 1.0.5.
+# Generated by GNU Autoconf 2.69 for irssi 1.0.6.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
 # Identity of this package.
 PACKAGE_NAME='irssi'
 PACKAGE_TARNAME='irssi'
-PACKAGE_VERSION='1.0.5'
-PACKAGE_STRING='irssi 1.0.5'
+PACKAGE_VERSION='1.0.6'
+PACKAGE_STRING='irssi 1.0.6'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1371,7 +1371,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures irssi 1.0.5 to adapt to many kinds of systems.
+\`configure' configures irssi 1.0.6 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1441,7 +1441,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of irssi 1.0.5:";;
+     short | recursive ) echo "Configuration of irssi 1.0.6:";;
    esac
   cat <<\_ACEOF
 
@@ -1579,7 +1579,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-irssi configure 1.0.5
+irssi configure 1.0.6
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2181,7 +2181,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by irssi $as_me 1.0.5, which was
+It was created by irssi $as_me 1.0.6, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3050,7 +3050,7 @@
 
 # Define the identity of the package.
  PACKAGE='irssi'
- VERSION='1.0.5'
+ VERSION='1.0.6'
 
 
 # Some tools Automake needs.
@@ -14614,7 +14614,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by irssi $as_me 1.0.5, which was
+This file was extended by irssi $as_me 1.0.6, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -14680,7 +14680,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-irssi config.status 1.0.5
+irssi config.status 1.0.6
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/irssi-1.0.5/configure.ac new/irssi-1.0.6/configure.ac
--- old/irssi-1.0.5/configure.ac        2017-10-20 17:16:43.000000000 +0200
+++ new/irssi-1.0.6/configure.ac        2018-01-05 00:07:25.000000000 +0100
@@ -1,4 +1,4 @@
-AC_INIT(irssi, 1.0.5)
+AC_INIT(irssi, 1.0.6)
 AC_CONFIG_SRCDIR([src])
 AC_CONFIG_AUX_DIR(build-aux)
 AC_PREREQ(2.50)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/irssi-1.0.5/irssi-config.h 
new/irssi-1.0.6/irssi-config.h
--- old/irssi-1.0.5/irssi-config.h      2017-10-20 17:16:59.000000000 +0200
+++ new/irssi-1.0.6/irssi-config.h      2018-01-05 00:07:55.000000000 +0100
@@ -71,7 +71,7 @@
 #define PACKAGE_NAME "irssi"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "irssi 1.0.5"
+#define PACKAGE_STRING "irssi 1.0.6"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "irssi"
@@ -80,7 +80,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "1.0.5"
+#define PACKAGE_VERSION "1.0.6"
 
 /* printf()-format for uoff_t, eg. "u" or "lu" or "llu" */
 #define PRIuUOFF_T "lu"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/irssi-1.0.5/irssi-version.h 
new/irssi-1.0.6/irssi-version.h
--- old/irssi-1.0.5/irssi-version.h     2017-10-20 17:17:05.000000000 +0200
+++ new/irssi-1.0.6/irssi-version.h     2018-01-05 00:07:59.000000000 +0100
@@ -1,2 +1,2 @@
-#define IRSSI_VERSION_DATE 20171020
-#define IRSSI_VERSION_TIME 1715
+#define IRSSI_VERSION_DATE 20180105
+#define IRSSI_VERSION_TIME 4
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/irssi-1.0.5/src/core/misc.c 
new/irssi-1.0.6/src/core/misc.c
--- old/irssi-1.0.5/src/core/misc.c     2017-10-20 17:16:43.000000000 +0200
+++ new/irssi-1.0.6/src/core/misc.c     2018-01-05 00:07:25.000000000 +0100
@@ -707,8 +707,11 @@
                *data += 2;
                return strtol(digit, NULL, 16);
        case 'c':
-                /* control character (\cA = ^A) */
-                (*data)++;
+               /* check for end of string */
+               if ((*data)[1] == '\0')
+                       return 0;
+               /* control character (\cA = ^A) */
+               (*data)++;
                return i_toupper(**data) - 64;
        case '0': case '1': case '2': case '3':
        case '4': case '5': case '6': case '7':
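Review bot: In the `case 'c':` branch the new end-of-string guard returns 0, which is also the value a complete `\c@` produces (`'@' - 64`), so a caller cannot tell a truncated escape from a real NUL. The guard also leaves the byte after `c` unconstrained: anything below `@` makes `i_toupper(**data) - 64` negative, and the hunk does not show what a negative result means to callers. I would document the choice on the guard, e.g. `/* truncated \c at end of string: yield 0 without advancing *data */`, and if the function's other failure paths use a negative sentinel (not visible here) return that instead. The function begins and ends outside the hunk.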
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/irssi-1.0.5/src/core/special-vars.c 
new/irssi-1.0.6/src/core/special-vars.c
--- old/irssi-1.0.5/src/core/special-vars.c     2017-10-20 17:16:34.000000000 
+0200
+++ new/irssi-1.0.6/src/core/special-vars.c     2018-01-05 00:06:47.000000000 
+0100
@@ -384,6 +384,7 @@
        }
 
        nest_free = FALSE; nest_value = NULL;
+#if 0 /* this code is disabled due to security issues until it is fixed */
        if (**cmd == '(' && (*cmd)[1] != '\0') {
                /* subvariable */
                int toplevel = nested_orig_cmd == NULL;
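Review bot: The `#if 0` comment says the subvariable branch is off "due to security issues until it is fixed" but names no tracker entry, so nothing tells a later maintainer what has to be true before it can be turned back on. The NEWS hunk in this same update lists the incomplete variable argument fix as GL#18, which looks like the matching item; if so, cite it: `#if 0 /* disabled until GL#18 is fixed properly; do not re-enable without a bounds review */`. With the branch compiled out, input starting with `(` now falls through to the `{` check below, and how that path treats it is not visible in the hunk, so a short comment there would help as well. The enclosing function starts and ends outside the hunk.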
@@ -412,6 +413,9 @@
 
                 if (toplevel) nested_orig_cmd = NULL;
        }
+#else
+       if (nested_orig_cmd) nested_orig_cmd = NULL;
+#endif
 
        if (**cmd != '{')
                brackets = FALSE;
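Review bot: The guard in the added `#else` arm is redundant, since assigning NULL to a pointer that is already NULL changes nothing; `nested_orig_cmd = NULL;` says the same thing in one statement. A brief comment such as `/* subvariables are disabled: always clear nested_orig_cmd */` would explain why the reset is no longer conditional on `toplevel` as it was in the disabled block.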
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/irssi-1.0.5/src/fe-common/core/completion.c 
new/irssi-1.0.6/src/fe-common/core/completion.c
--- old/irssi-1.0.5/src/fe-common/core/completion.c     2017-10-20 
17:16:43.000000000 +0200
+++ new/irssi-1.0.6/src/fe-common/core/completion.c     2018-01-05 
00:07:25.000000000 +0100
@@ -186,12 +186,18 @@
                        char *old;
 
                        old = linestart;
-                       linestart = *linestart == '\0' ?
-                               g_strdup(word) :
-                               g_strdup_printf("%s%c%s",
-                                               /* do not accidentally 
duplicate the word separator */
-                                               line == wordstart - 1 ? "" : 
linestart,
-                                               old_wordstart[-1], word);
+                       /* we want to move word into linestart */
+                       if (*linestart == '\0') {
+                               linestart = g_strdup(word);
+                       } else {
+                               GString *str = g_string_new(linestart);
+                               if (old_wordstart[-1] != str->str[str->len - 
1]) {
+                                       /* do not accidentally duplicate the 
word separator */
+                                       g_string_append_c(str, 
old_wordstart[-1]);
+                               }
+                               g_string_append(str, word);
+                               linestart = g_string_free(str, FALSE);
+                       }
                        g_free(old);
 
                        g_free(word);
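Review bot: `old_wordstart[-1]` in the new else branch is read twice on the assumption that at least one byte precedes `old_wordstart`, and nothing in the hunk establishes that. The other index, `str->str[str->len - 1]`, is safe because the branch runs only when `*linestart != '\0'`, so `str->len` is at least 1; that reasoning deserves a comment, e.g. `/* linestart is non-empty here, so str->len >= 1 */`. For `old_wordstart`, state the precondition where it is assigned (outside this hunk) or check it before the read. The enclosing block starts and ends outside the hunk.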
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/irssi-1.0.5/src/fe-common/core/hilight-text.c 
new/irssi-1.0.6/src/fe-common/core/hilight-text.c
--- old/irssi-1.0.5/src/fe-common/core/hilight-text.c   2017-10-20 
17:16:43.000000000 +0200
+++ new/irssi-1.0.6/src/fe-common/core/hilight-text.c   2018-01-05 
00:07:25.000000000 +0100
@@ -109,6 +109,7 @@
        if (rec->channels != NULL) g_strfreev(rec->channels);
        g_free_not_null(rec->color);
        g_free_not_null(rec->act_color);
+       g_free_not_null(rec->servertag);
        g_free(rec->text);
        g_free(rec);
 }
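Review bot: The added `g_free_not_null(rec->servertag);` is only correct if every writer of `rec->servertag` stores a heap copy owned by the record. The config-reading hunk later in this file now does that with `g_strdup(servertag)`, but any other assignment to the field lies outside this diff and should be checked for a borrowed pointer, which this free would turn into an invalid free. A one-line comment on the field declaration, e.g. `/* owned copy, freed together with the record */`, would pin the contract down. The function starts outside the hunk.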
@@ -456,7 +457,7 @@
        CONFIG_NODE *node;
        HILIGHT_REC *rec;
        GSList *tmp;
-       char *text, *color;
+       char *text, *color, *servertag;
 
        hilights_destroy_all();
 
@@ -499,7 +500,9 @@
                rec->nickmask = config_node_get_bool(node, "mask", FALSE);
                rec->fullword = config_node_get_bool(node, "fullword", FALSE);
                rec->regexp = config_node_get_bool(node, "regexp", FALSE);
-               rec->servertag = config_node_get_str(node, "servertag", NULL);
+               servertag = config_node_get_str(node, "servertag", NULL);
+               rec->servertag = servertag == NULL || *servertag == '\0' ? NULL 
:
+                       g_strdup(servertag);
                hilight_init_rec(rec);
 
                node = iconfig_node_section(node, "channels", -1);
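Review bot: The new assignment folds an empty `servertag` into NULL, a normalisation the old direct assignment did not perform, and the line gives no reason for it. Add a comment such as `/* copy the config string so the record owns it; an empty tag is stored as NULL */`, and parenthesise the condition, `(servertag == NULL || *servertag == '\0') ? NULL : g_strdup(servertag)`, so the reader does not have to recall that `||` binds tighter than `?:`. Whether the neighbouring string fields read from the same node are copied too cannot be seen from this hunk, whose function starts and ends outside it.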
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/irssi-1.0.5/src/irc/core/channel-events.c 
new/irssi-1.0.6/src/irc/core/channel-events.c
--- old/irssi-1.0.5/src/irc/core/channel-events.c       2017-10-20 
17:16:34.000000000 +0200
+++ new/irssi-1.0.6/src/irc/core/channel-events.c       2018-01-05 
00:06:47.000000000 +0100
@@ -138,7 +138,13 @@
        g_free_not_null(chanrec->topic_by);
        chanrec->topic_by = g_strdup(setby);
 
-       chanrec->topic_time = settime;
+       if (chanrec->topic_by == NULL) {
+               /* ensure invariant topic_time > 0 <=> topic_by != NULL.
+                  this could be triggered by a topic command without sender */
+               chanrec->topic_time = 0;
+       } else {
+               chanrec->topic_time = settime;
+       }
 
        signal_emit("channel topic changed", 1, chanrec);
 }
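Review bot: The comment in the new branch states the invariant as an equivalence, `topic_time > 0 <=> topic_by != NULL`, but the code enforces only one direction. When `setby` is non-NULL, `topic_time` takes `settime` unchecked, so a zero or negative `settime` leaves `topic_by` set with `topic_time <= 0`. That direction is probably harmless to readers that test `topic_time > 0` before touching `topic_by`, so either word the comment as the implication, `/* ensure topic_time > 0 implies topic_by != NULL */`, or also reject a non-positive `settime`. The function starts outside the hunk.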



