Package: release.debian.org Severity: normal Tags: stretch User: [email protected] Usertags: pu
Hi weechat in stretch is affected by CVE-2017-14727, tracked as #876553. > * logger: call strftime before replacing buffer local variables > (CVE-2017-14727) (Closes: #876553) https://weechat.org/news/98/20170923-Version-1.9.1-security-release/ Attached proposed debdiff for the stretch point release. Regards, Salvatore
diff -Nru weechat-1.6/debian/changelog weechat-1.6/debian/changelog --- weechat-1.6/debian/changelog 2017-04-29 16:31:58.000000000 +0200 +++ weechat-1.6/debian/changelog 2017-09-27 20:53:31.000000000 +0200 @@ -1,3 +1,11 @@ +weechat (1.6-1+deb9u2) stretch; urgency=medium + + * Non-maintainer upload. + * logger: call strftime before replacing buffer local variables + (CVE-2017-14727) (Closes: #876553) + + -- Salvatore Bonaccorso <[email protected]> Wed, 27 Sep 2017 20:53:31 +0200 + weechat (1.6-1+deb9u1) stretch; urgency=medium * Non-maintainer upload. diff -Nru weechat-1.6/debian/patches/03_logger-call-strftime-before-replacing-buffer-local-v.patch weechat-1.6/debian/patches/03_logger-call-strftime-before-replacing-buffer-local-v.patch --- weechat-1.6/debian/patches/03_logger-call-strftime-before-replacing-buffer-local-v.patch 1970-01-01 01:00:00.000000000 +0100 +++ weechat-1.6/debian/patches/03_logger-call-strftime-before-replacing-buffer-local-v.patch 2017-09-27 20:53:31.000000000 +0200 @@ -0,0 +1,158 @@ +From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= <[email protected]> +Date: Sat, 23 Sep 2017 09:36:09 +0200 +Subject: logger: call strftime before replacing buffer local variables +Origin: https://github.com/weechat/weechat/commit/f105c6f0b56fb5687b2d2aedf37cb1d1b434d556 +Bug-Debian: https://bugs.debian.org/876553 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14727 + +--- + src/plugins/logger/logger.c | 88 ++++++++++++++++++++++----------------------- + 2 files changed, 51 insertions(+), 44 deletions(-) + + +diff --git a/src/plugins/logger/logger.c b/src/plugins/logger/logger.c +index 1abc3efc7..347f1d5a6 100644 +--- a/src/plugins/logger/logger.c ++++ b/src/plugins/logger/logger.c +@@ -295,71 +295,71 @@ logger_get_mask_for_buffer (struct t_gui_buffer *buffer) + char * + logger_get_mask_expanded (struct t_gui_buffer *buffer, const char *mask) + { +- char *mask2, *mask_decoded, *mask_decoded2, *mask_decoded3, *mask_decoded4; +- char *mask_decoded5; ++ char *mask2, *mask3, *mask4, *mask5, *mask6, *mask7; + const char *dir_separator; + int length; + time_t seconds; + struct tm *date_tmp; + + mask2 = NULL; +- mask_decoded = NULL; +- mask_decoded2 = NULL; +- mask_decoded3 = NULL; +- mask_decoded4 = NULL; +- mask_decoded5 = NULL; ++ mask3 = NULL; ++ mask4 = NULL; ++ mask5 = NULL; ++ mask6 = NULL; ++ mask7 = NULL; + + dir_separator = weechat_info_get ("dir_separator", ""); + if (!dir_separator) + return NULL; + ++ /* replace date/time specifiers in mask */ ++ length = strlen (mask) + 256 + 1; ++ mask2 = malloc (length); ++ if (!mask2) ++ goto end; ++ seconds = time (NULL); ++ date_tmp = localtime (&seconds); ++ mask2[0] = '\0'; ++ if (strftime (mask2, length - 1, mask, date_tmp) == 0) ++ mask2[0] = '\0'; ++ + /* + * we first replace directory separator (commonly '/') by \01 because + * buffer mask can contain this char, and will be replaced by replacement + * char ('_' by default) + */ +- mask2 = weechat_string_replace (mask, dir_separator, "\01"); +- if (!mask2) ++ mask3 = weechat_string_replace (mask2, dir_separator, "\01"); ++ if (!mask3) + goto end; + +- mask_decoded = weechat_buffer_string_replace_local_var (buffer, mask2); +- if (!mask_decoded) ++ mask4 = weechat_buffer_string_replace_local_var (buffer, mask3); ++ if (!mask4) + goto end; + +- mask_decoded2 = weechat_string_replace (mask_decoded, +- dir_separator, +- weechat_config_string (logger_config_file_replacement_char)); +- if (!mask_decoded2) ++ mask5 = weechat_string_replace (mask4, ++ dir_separator, ++ weechat_config_string (logger_config_file_replacement_char)); ++ if (!mask5) + goto end; + + #ifdef __CYGWIN__ +- mask_decoded3 = weechat_string_replace (mask_decoded2, "\\", +- weechat_config_string (logger_config_file_replacement_char)); ++ mask6 = weechat_string_replace (mask5, "\\", ++ weechat_config_string (logger_config_file_replacement_char)); + #else +- mask_decoded3 = strdup (mask_decoded2); ++ mask6 = strdup (mask5); + #endif /* __CYGWIN__ */ +- if (!mask_decoded3) ++ if (!mask6) + goto end; + + /* restore directory separator */ +- mask_decoded4 = weechat_string_replace (mask_decoded3, +- "\01", dir_separator); +- if (!mask_decoded4) +- goto end; +- +- /* replace date/time specifiers in mask */ +- length = strlen (mask_decoded4) + 256 + 1; +- mask_decoded5 = malloc (length); +- if (!mask_decoded5) ++ mask7 = weechat_string_replace (mask6, ++ "\01", dir_separator); ++ if (!mask7) + goto end; +- seconds = time (NULL); +- date_tmp = localtime (&seconds); +- mask_decoded5[0] = '\0'; +- strftime (mask_decoded5, length - 1, mask_decoded4, date_tmp); + + /* convert to lower case? */ + if (weechat_config_boolean (logger_config_file_name_lower_case)) +- weechat_string_tolower (mask_decoded5); ++ weechat_string_tolower (mask7); + + if (weechat_logger_plugin->debug) + { +@@ -368,22 +368,22 @@ logger_get_mask_expanded (struct t_gui_buffer *buffer, const char *mask) + "decoded mask = \"%s\"", + LOGGER_PLUGIN_NAME, + weechat_buffer_get_string (buffer, "name"), +- mask, mask_decoded5); ++ mask, mask7); + } + + end: + if (mask2) + free (mask2); +- if (mask_decoded) +- free (mask_decoded); +- if (mask_decoded2) +- free (mask_decoded2); +- if (mask_decoded3) +- free (mask_decoded3); +- if (mask_decoded4) +- free (mask_decoded4); +- +- return mask_decoded5; ++ if (mask3) ++ free (mask3); ++ if (mask4) ++ free (mask4); ++ if (mask5) ++ free (mask5); ++ if (mask6) ++ free (mask6); ++ ++ return mask7; + } + + /* +-- +2.14.2 + diff -Nru weechat-1.6/debian/patches/series weechat-1.6/debian/patches/series --- weechat-1.6/debian/patches/series 2017-04-29 16:31:58.000000000 +0200 +++ weechat-1.6/debian/patches/series 2017-09-27 20:53:31.000000000 +0200 @@ -1,2 +1,3 @@ 01_fix_asciidoctor_options.patch 02_CVE-2017-8073.patch +03_logger-call-strftime-before-replacing-buffer-local-v.patch
