Package: release.debian.org
Severity: important
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
This update fixes CVE-2019-13045 for buster by pulling in the upstream commit
that is included in newer versions of the package.

[ Impact ]
May affect the stability of Irssi. SASL logins may fail, especially during
(manual and automated) reconnect.

[ Tests ]
It is the fix that got applied in other distributions and has been used by lots
of folks for quite a while now.

[ Risks ]
The changes are quite straightforward.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
It's just the upstream patch pulled in.

 So long,
Rhonda
-- 
If you feel discouraged, take courage at last, go |
If you feel helpless, go out and help, go         | Wir sind Helden
If you feel powerless, go out and act, go         | 23.55: Alles auf Anfang
If you feel adrift, find a hold and let go        |

diff -Nru irssi-1.2.0/debian/changelog irssi-1.2.0/debian/changelog --- irssi-1.2.0/debian/changelog 2019-02-12 21:59:00.000000000 +0100 +++ irssi-1.2.0/debian/changelog 2021-07-29 14:11:39.000000000 +0200 @@ -1,3 +1,9 @@ +irssi (1.2.0-2+deb10u1) buster; urgency=medium + + * Import upstream security fix for CVE-2019-13045 (closes: #931264) + + -- Rhonda D'Vine <rho...@debian.org> Thu, 29 Jul 2021 14:11:39 +0200 + irssi (1.2.0-2) unstable; urgency=medium [ Rhonda D'Vine ] diff -Nru irssi-1.2.0/debian/patches/98copy-sasl-username-and-password-values irssi-1.2.0/debian/patches/98copy-sasl-username-and-password-values --- irssi-1.2.0/debian/patches/98copy-sasl-username-and-password-values 1970-01-01 01:00:00.000000000 +0100 +++ irssi-1.2.0/debian/patches/98copy-sasl-username-and-password-values 2021-07-29 14:11:39.000000000 +0200 
@@ -0,0 +1,41 @@ +Description: copy sasl username and password values +Origin: Upstream, https://github.com/irssi/irssi/pull/1058 +Author: ailin-nemui + +--- a/src/irc/core/irc-core.c ++++ b/src/irc/core/irc-core.c +@@ -75,6 +75,8 @@ + + g_free_not_null(ircconn->usermode); + g_free_not_null(ircconn->alternate_nick); ++ g_free_not_null(ircconn->sasl_username); ++ g_free_not_null(ircconn->sasl_password); + } + + void irc_core_init(void) +--- a/src/irc/core/irc-servers-reconnect.c ++++ b/src/irc/core/irc-servers-reconnect.c +@@ -49,8 +49,8 @@ + rec->usermode = g_strdup(src->usermode); + rec->alternate_nick = g_strdup(src->alternate_nick); + rec->sasl_mechanism = src->sasl_mechanism; +- rec->sasl_username = src->sasl_username; +- rec->sasl_password = src->sasl_password; ++ rec->sasl_username = g_strdup(src->sasl_username); ++ rec->sasl_password = g_strdup(src->sasl_password); + *dest = (SERVER_CONNECT_REC *) rec; + } + +--- a/src/irc/core/irc-servers-setup.c ++++ b/src/irc/core/irc-servers-setup.c +@@ -101,8 +101,8 @@ + conn->sasl_mechanism = SASL_MECHANISM_PLAIN; + if (ircnet->sasl_username != NULL && *ircnet->sasl_username && + ircnet->sasl_password != NULL && *ircnet->sasl_password) { +- conn->sasl_username = ircnet->sasl_username; +- conn->sasl_password = ircnet->sasl_password; ++ conn->sasl_username = g_strdup(ircnet->sasl_username); ++ conn->sasl_password = g_strdup(ircnet->sasl_password); + } else + g_warning("The fields sasl_username and sasl_password are either missing or empty"); + } diff -Nru irssi-1.2.0/debian/patches/series irssi-1.2.0/debian/patches/series --- irssi-1.2.0/debian/patches/series 2019-02-12 21:59:00.000000000 +0100 +++ irssi-1.2.0/debian/patches/series 2021-07-29 14:11:39.000000000 +0200 @@ -1,3 +1,4 @@ +98copy-sasl-username-and-password-values 01chanmode_expando_strip 02ctcp_version_reply 03firsttimer_text
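
Review bot: the two g_free_not_null() calls added in src/irc/core/irc-core.c are only correct if every writer of sasl_username and sasl_password now stores an owned copy; a borrowed pointer left in either field would be freed when the connection record is destroyed. The patch converts the two assignments shown here (irc-servers-reconnect.c and irc-servers-setup.c) to g_strdup(), so please confirm against the 1.2.0 tree that no other code path assigns these fields directly. A manual and an automated reconnect with SASL configured, run under valgrind or an ASan build of the patched package, would give the [ Tests ] section a check on this exact build rather than relying on use in other distributions.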
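
Review bot: in debian/patches/series the new entry 98copy-sasl-username-and-password-values is inserted as the first line, ahead of 01chanmode_expando_strip, although its 98 prefix suggests it belongs at the end. quilt applies patches in series order, so this patch is applied before the existing ones; if that is not intended, append it after the last entry instead. The patch header carries Description, Origin and Author only; adding a Bug-Debian: line for #931264 and naming CVE-2019-13045 in the Description would let the patch be traced without consulting the changelog.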