Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: haavard_aa...@yahoo.no
Please unblock package ircii I reverted all changes made for the current 20210314 release and added a patch to fix CVE-2020-29376 which also Closes: #986214 The patch has been sourced from upstream, and is also approved for buster. [ Reason ] fix denial of service issue [CVE-2021-29376] [ Impact ] The CVE's description is: allows remote attackers to cause a denial of service (segmentation fault and client crash, disconnecting the victim from an IRC server) via a crafted CTCP UTC message. [ Tests ] I did test these changes and can confirm that this patch fix CVE-2021-29376 [ Risks ] Minimal. The code is taken from upstream. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] No unblock ircii/20210314+really20190117-1 Håvard
diff -Nru ircii-20190117/debian/changelog ircii-20210314+really20190117/debian/changelog --- ircii-20190117/debian/changelog 2019-02-21 05:35:56.000000000 +0100 +++ ircii-20210314+really20190117/debian/changelog 2021-05-30 22:39:28.000000000 +0200 @@ -1,3 +1,38 @@ +ircii (20210314+really20190117-1) unstable; urgency=medium + + * QA upload. + * Revert to previous release, because of freeze. + * Add patch to Fix CVE-2021-29376 Closes: #986214 + + -- Håvard Flaget Aasen <haavard_aa...@yahoo.no> Sun, 30 May 2021 22:39:28 +0200 + +ircii (20210314-1) unstable; urgency=medium + + * QA Upload. + [ Debian Janitor ] + * Set debhelper-compat version in Build-Depends. + * Changes Urgency by urgency in changelog file. + + * New upstream release. + Fix (CVE-2021-29376). (Closes: #986214). + * debian/control + + Bump Standards-Version to 4.5.1. (no changes). + + Bump Debhelper-compat to 13. + + Add Rules-Requires-Root: no. + * debian/patches + + Refresh: + + 0008-fix-spelling-error.diff + + 0003-Add-ioption-to-local-include-paths-so-they-do-not-co.patch + + 0004-absolute-path-for-motd-and-servers-file-and-other-de.patch + + 0006-fix-some-spelling-errors.patch + * debian/rules + + Remove --as-needed linker flag. + * debian/watch + + Update to version 4. + * Update copyright file. + + -- Daniel Echeverri <epsi...@debian.org> Sun, 11 Apr 2021 11:19:42 -0500 + ircii (20190117-1) unstable; urgency=medium * QA upload. diff -Nru ircii-20190117/debian/patches/0009-Fix-CVE-2021-29376.patch ircii-20210314+really20190117/debian/patches/0009-Fix-CVE-2021-29376.patch --- ircii-20190117/debian/patches/0009-Fix-CVE-2021-29376.patch 1970-01-01 01:00:00.000000000 +0100 +++ ircii-20210314+really20190117/debian/patches/0009-Fix-CVE-2021-29376.patch 2021-05-30 22:39:28.000000000 +0200 @@ -0,0 +1,44 @@ +From: Håvard Flaget Aasen <haavard_aa...@yahoo.no> +Date: Thu, 13 May 2021 21:39:51 +0200 +Subject: Fix CVE-2021-29376 + +CVE-2021-29376 allows remote attackers to cause a denial of service +(segmentation fault and client crash, disconnecting the victim from an IRC +server) via a crafted CTCP UTC message. + +Bug-Debian: https://bugs.debian.org/#986214 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-29376 +--- + source/ctcp.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/source/ctcp.c b/source/ctcp.c +index 1a714c6..c5ddde0 100644 +--- a/source/ctcp.c ++++ b/source/ctcp.c +@@ -536,12 +536,23 @@ do_utc(CtcpEntry *ctcp, u_char *from, u_char *to, u_char *args) + { + time_t tm; + u_char *date = NULL; ++ char *curtime; + + if (!args || !*args) + return NULL; + tm = my_atol(args); +- malloc_strcpy(&date, UP(ctime(&tm))); +- date[my_strlen(date)-1] = '\0'; ++ curtime = ctime(&tm); ++ if (curtime) ++ { ++ u_char *s = my_index(curtime, '\n'); ++ if (s) ++ *s = '\0'; ++ ++ malloc_strcpy(&date, UP(curtime)); ++ } ++ else ++ /* if we can't find a time, just return the number */ ++ malloc_strcpy(&date, args); + return date; + } + diff -Nru ircii-20190117/debian/patches/series ircii-20210314+really20190117/debian/patches/series --- ircii-20190117/debian/patches/series 2019-02-20 03:07:03.000000000 +0100 +++ ircii-20210314+really20190117/debian/patches/series 2021-05-30 22:39:28.000000000 +0200 @@ -3,3 +3,4 @@ 0003-Add-ioption-to-local-include-paths-so-they-do-not-co.patch 0004-absolute-path-for-motd-and-servers-file-and-other-de.patch 0006-fix-some-spelling-errors.patch +0009-Fix-CVE-2021-29376.patch