Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected], Emmanuel Bouthenot <[email protected]>
Control: affects -1 + src:weechat
User: [email protected]
Usertags: unblock

Please unblock package weechat

[ Reason ]
multiple CVEs

[ Impact ]
integer and buffer overflows, memory leak.

[ Tests ]
I am running the new version without problems.

[ Risks ]
Low, I read the diff and it is really only security updates.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
I am filing this to get this into trixie, @Emmanuel hope that is fine.

unblock weechat/4.6.3-1

diff -Nru weechat-4.6.1/CHANGELOG.md weechat-4.6.3/CHANGELOG.md --- weechat-4.6.1/CHANGELOG.md 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/CHANGELOG.md 2025-05-11 11:22:11.000000000 +0200 @@ -1,5 +1,25 @@ # WeeChat ChangeLog +## Version 4.6.3 (2025-05-11) + +### Fixed + +- core: fix integer overflow with decimal numbers in calculation of expression +- core: fix integer overflow in base32 encoding/decoding +- core: fix integer overflow in function util_version_number +- core: fix buffer overflow in function util_parse_time +- core: fix buffer overflow in function eval_syntax_highlight_colorize +- core: fix buffer overflow in function eval_string_base_encode +- core: fix buffer overflow in function eval_string_range_chars +- core: fix memory leak in function util_parse_delay + +## Version 4.6.2 (2025-04-18) + +### Fixed + +- core: fix write of weechat.log to stdout with `weechat-headless --stdout` ([#2247](https://github.com/weechat/weechat/issues/2247)) +- core: add refresh of window title on buffer switch, when option weechat.look.window_title is set + ## Version 4.6.1 (2025-04-09) ### Fixed diff -Nru weechat-4.6.1/debian/changelog weechat-4.6.3/debian/changelog --- weechat-4.6.1/debian/changelog 2025-04-16 22:31:07.000000000 +0200 +++ weechat-4.6.3/debian/changelog 2025-05-17 07:49:46.000000000 +0200 @@ -1,3 +1,10 @@ +weechat (4.6.3-1) unstable; urgency=medium + + * New upstream release + - fixes multiple security vulnerabilities (Closes: #1104554) + + -- Emmanuel Bouthenot <[email protected]> Sat, 17 May 2025 05:49:46 +0000 + weechat (4.6.1-1) unstable; urgency=medium * New upstream release (Closes: #1102450, #1098090) diff -Nru weechat-4.6.1/doc/en/weechat_plugin_api.en.adoc weechat-4.6.3/doc/en/weechat_plugin_api.en.adoc --- weechat-4.6.1/doc/en/weechat_plugin_api.en.adoc 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/doc/en/weechat_plugin_api.en.adoc 2025-05-11 11:22:11.000000000 +0200 
@@ -15528,8 +15528,8 @@ Arguments: -* _title_: new title for terminal (NULL to reset title); string is evaluated, - so variables like `${info:version}` can be used +* _title_: new title for terminal; string is evaluated, so variables like + `${info:version}` can be used (see <<_string_eval_expression,string_eval_expression>>) C example: diff -Nru weechat-4.6.1/doc/fr/weechat_plugin_api.fr.adoc weechat-4.6.3/doc/fr/weechat_plugin_api.fr.adoc --- weechat-4.6.1/doc/fr/weechat_plugin_api.fr.adoc 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/doc/fr/weechat_plugin_api.fr.adoc 2025-05-11 11:22:11.000000000 +0200 @@ -15869,9 +15869,9 @@ Paramètres : -* _title_ : nouveau titre pour le terminal (NULL pour réinitialiser le titre) ; - la chaîne est évaluée, donc les variables comme `${info:version}` peuvent - être utilisées (voir <<_string_eval_expression,string_eval_expression>>) +* _title_ : nouveau titre pour le terminal ; la chaîne est évaluée, donc les variables + comme `${info:version}` peuvent être utilisées + (voir <<_string_eval_expression,string_eval_expression>>) Exemple en C : diff -Nru weechat-4.6.1/doc/it/weechat_plugin_api.it.adoc weechat-4.6.3/doc/it/weechat_plugin_api.it.adoc --- weechat-4.6.1/doc/it/weechat_plugin_api.it.adoc 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/doc/it/weechat_plugin_api.it.adoc 2025-05-11 11:22:11.000000000 +0200 
@@ -16302,8 +16302,8 @@ Argomenti: // TRANSLATION MISSING -* _title_: nuovo titolo per il terminale (NULL per resettarlo); - string is evaluated, so variables like `${info:version}` can be used +* _title_: nuovo titolo per il terminale; string is evaluated, so variables + like `${info:version}` can be used (see <<_string_eval_expression,string_eval_expression>>) Esempio in C: diff -Nru weechat-4.6.1/doc/ja/weechat_plugin_api.ja.adoc weechat-4.6.3/doc/ja/weechat_plugin_api.ja.adoc --- weechat-4.6.1/doc/ja/weechat_plugin_api.ja.adoc 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/doc/ja/weechat_plugin_api.ja.adoc 2025-05-11 11:22:11.000000000 +0200 @@ -15797,8 +15797,8 @@ 引数: -* _title_: 端末の新しいタイトル (タイトルをリセットする場合は NULL); - この文字列は評価されるため、文字列内に `${info:version}` などの変数を含めることが可能です +* _title_: 端末の新しいタイトル; この文字列は評価されるため、文字列内に + `${info:version}` などの変数を含めることが可能です (<<_string_eval_expression,string_eval_expression>> を参照) C 言語での使用例: diff -Nru weechat-4.6.1/doc/sr/weechat_plugin_api.sr.adoc weechat-4.6.3/doc/sr/weechat_plugin_api.sr.adoc --- weechat-4.6.1/doc/sr/weechat_plugin_api.sr.adoc 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/doc/sr/weechat_plugin_api.sr.adoc 2025-05-11 11:22:11.000000000 +0200 @@ -15104,7 +15104,9 @@ Аргументи: -* _title_: нови наслов за терминал (NULL ако желите да ресетујете наслов); стринг се израчунава, тако да је могуће коришћење променљивих као што је `${info:version}` (погледајте <<_string_eval_expression,string_eval_expression>>) +* _title_: нови наслов за терминал; стринг се израчунава, тако да је могуће + коришћење променљивих као што је `${info:version}` + (погледајте <<_string_eval_expression,string_eval_expression>>) C пример: diff -Nru weechat-4.6.1/src/core/core-calc.c weechat-4.6.3/src/core/core-calc.c --- weechat-4.6.1/src/core/core-calc.c 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/src/core/core-calc.c 2025-05-11 11:22:11.000000000 +0200 
@@ -336,9 +336,9 @@ struct t_arraylist *list_values, *list_ops; const char *ptr_expr, *ptr_expr2; char str_result[64], *ptr_operator, *operator; - int index_op, decimals; + int index_op; enum t_calc_symbol last_symbol; - double value, factor, *ptr_value; + double value, factor, decimals, *ptr_value; list_values = NULL; list_ops = NULL; diff -Nru weechat-4.6.1/src/core/core-config.c weechat-4.6.3/src/core/core-config.c --- weechat-4.6.1/src/core/core-config.c 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/src/core/core-config.c 2025-05-11 11:22:11.000000000 +0200 @@ -498,12 +498,8 @@ (void) data; (void) option; - if (gui_init_ok - || (CONFIG_STRING(config_look_window_title) - && CONFIG_STRING(config_look_window_title)[0])) - { + if (gui_init_ok) gui_window_set_title (CONFIG_STRING(config_look_window_title)); - } } /* diff -Nru weechat-4.6.1/src/core/core-eval.c weechat-4.6.3/src/core/core-eval.c --- weechat-4.6.1/src/core/core-eval.c 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/src/core/core-eval.c 2025-05-11 11:22:11.000000000 +0200 @@ -300,6 +300,9 @@ string = NULL; result = NULL; + if (!range || !range[0]) + goto end; + for (i = 0; eval_range_chars[i][0]; i++) { if (strcmp (range, eval_range_chars[i][0]) == 0) @@ -309,11 +312,15 @@ char1 = utf8_char_int (range); /* next char must be '-' */ + if (!range[0]) + goto end; ptr_char = utf8_next_char (range); if (!ptr_char || !ptr_char[0] || (ptr_char[0] != '-')) goto end; /* next char is the char2 */ + if (!range[0]) + goto end; ptr_char = utf8_next_char (ptr_char); if (!ptr_char || !ptr_char[0]) goto end; @@ -894,7 +901,7 @@ ptr_string++; length = strlen (ptr_string); - result = malloc ((length * 4) + 1); + result = malloc ((length * 4) + 8 + 1); if (!result) goto end; 
@@ -1572,7 +1579,8 @@ else if (ptr_value[0] == '-') color--; } - ptr_value++; + if (ptr_value[0]) + ptr_value++; if (config_num_eval_syntax_colors > 0) { string_dyn_concat ( diff -Nru weechat-4.6.1/src/core/core-log.c weechat-4.6.3/src/core/core-log.c --- weechat-4.6.1/src/core/core-log.c 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/src/core/core-log.c 2025-05-11 11:22:11.000000000 +0200 @@ -70,21 +70,22 @@ { weechat_log_file = stdout; } - else if (filename) - { - weechat_log_filename = strdup (filename); - } else { - string_asprintf (&weechat_log_filename, - "%s/%s", weechat_state_dir, WEECHAT_LOG_NAME); + if (filename) + { + weechat_log_filename = strdup (filename); + } + else + { + string_asprintf (&weechat_log_filename, + "%s/%s", weechat_state_dir, WEECHAT_LOG_NAME); + } + if (!weechat_log_filename) + return 0; + weechat_log_file = fopen (weechat_log_filename, mode); } - if (!weechat_log_filename) - return 0; - - weechat_log_file = fopen (weechat_log_filename, mode); - if (!weechat_log_file) { if (weechat_log_filename) diff -Nru weechat-4.6.1/src/core/core-string.c weechat-4.6.3/src/core/core-string.c --- weechat-4.6.1/src/core/core-string.c 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/src/core/core-string.c 2025-05-11 11:22:11.000000000 +0200 @@ -3570,7 +3570,8 @@ string_base32_encode (const char *from, int length, char *to) { unsigned char base32_table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"; - int count, value, next, bits_left, pad, index; + unsigned int value; + int count, next, bits_left, pad, index; int length_padding[8] = { 0, 0, 6, 0, 4, 3, 0, 2 }; if (!from || !to) 
@@ -3648,7 +3649,8 @@ string_base32_decode (const char *from, char *to) { const char *ptr_from; - int value, bits_left, count; + int bits_left, count; + unsigned int value; unsigned char c; if (!from || !to) diff -Nru weechat-4.6.1/src/core/core-util.c weechat-4.6.3/src/core/core-util.c --- weechat-4.6.1/src/core/core-util.c 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/src/core/core-util.c 2025-05-11 11:22:11.000000000 +0200 @@ -285,7 +285,8 @@ int util_parse_time (const char *datetime, struct timeval *tv) { - char *string, *pos, *pos2, str_usec[16], *error, str_date[128]; + char *string, *pos, *pos2, str_usec[16], *error; + char str_date[128], str_date2[256]; struct tm tm_date, tm_date_gm, tm_date_local, *local_time; time_t time_now, time_gm, time_local; long long value; @@ -445,10 +446,10 @@ local_time = localtime (&time_now); strftime (str_date, sizeof (str_date), "%Y-%m-%dT", local_time); - strcat (str_date, string); + snprintf (str_date2, sizeof (str_date2), "%s%s", str_date, string); /* initialize structure, because strptime does not do it */ memset (&tm_date, 0, sizeof (struct tm)); - pos = strptime (str_date, "%Y-%m-%dT%H:%M:%S", &tm_date); + pos = strptime (str_date2, "%Y-%m-%dT%H:%M:%S", &tm_date); if (pos) { if (use_local_time) @@ -571,7 +572,6 @@ if ((pos > string_delay) && pos[0]) { - str_number = string_strndup (string_delay, pos - string_delay); if (strcmp (pos, "us") == 0) factor = 1ULL; else if (strcmp (pos, "ms") == 0) @@ -584,6 +584,7 @@ factor = 1000ULL * 1000ULL * 60ULL * 60ULL; else return 0; + str_number = string_strndup (string_delay, pos - string_delay); } else { 
@@ -670,7 +671,9 @@ { if (number < 0) number = 0; - else if (number > 0xFF) + else if ((i == 0) && (number > 0x7F)) + number = 0x7F; + else if ((i > 0) && (number > 0xFF)) number = 0xFF; version_int[i] = number; } diff -Nru weechat-4.6.1/src/gui/curses/gui-curses-main.c weechat-4.6.3/src/gui/curses/gui-curses-main.c --- weechat-4.6.1/src/gui/curses/gui-curses-main.c 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/src/gui/curses/gui-curses-main.c 2025-05-11 11:22:11.000000000 +0200 @@ -231,12 +231,7 @@ gui_term_cols, gui_term_lines, 100, 100)) { gui_current_window = gui_windows; - - if (CONFIG_STRING(config_look_window_title) - && CONFIG_STRING(config_look_window_title)[0]) - { - gui_window_set_title (CONFIG_STRING(config_look_window_title)); - } + gui_window_set_title (CONFIG_STRING(config_look_window_title)); } /* switch to buffer */ @@ -526,13 +521,6 @@ /* delete global history */ gui_history_global_free (); - /* reset title */ - if (CONFIG_STRING(config_look_window_title) - && CONFIG_STRING(config_look_window_title)[0]) - { - gui_window_set_title (NULL); - } - /* end color */ gui_color_end (); diff -Nru weechat-4.6.1/src/gui/curses/gui-curses-window.c weechat-4.6.3/src/gui/curses/gui-curses-window.c --- weechat-4.6.1/src/gui/curses/gui-curses-window.c 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/src/gui/curses/gui-curses-window.c 2025-05-11 11:22:11.000000000 +0200 @@ -2479,13 +2479,11 @@ refresh (); gui_window_read_terminal_size (); refresh (); - gui_window_set_title ( - (CONFIG_STRING(config_look_window_title) - && CONFIG_STRING(config_look_window_title)[0]) ? - CONFIG_STRING(config_look_window_title) : NULL); } gui_window_refresh_windows (); + + gui_window_set_title (CONFIG_STRING(config_look_window_title)); } /* 
@@ -2573,15 +2571,17 @@ { char *new_title, *envterm, *envshell, *shell, *shellname; - envterm = getenv ("TERM"); - if (!envterm) + if (!title || !title[0]) return; - new_title = (title && title[0]) ? - eval_expression (title, NULL, NULL, NULL) : NULL; + new_title = eval_expression (title, NULL, NULL, NULL); if (!new_title) return; + envterm = getenv ("TERM"); + if (!envterm) + return; + if (strcmp (envterm, "sun-cmd") == 0) { printf ("\033]l%s\033\\", new_title); diff -Nru weechat-4.6.1/tests/unit/core/test-core-util.cpp weechat-4.6.3/tests/unit/core/test-core-util.cpp --- weechat-4.6.1/tests/unit/core/test-core-util.cpp 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/tests/unit/core/test-core-util.cpp 2025-05-11 11:22:11.000000000 +0200 @@ -537,4 +537,9 @@ LONGS_EQUAL(0x01010100, util_version_number ("1.1.1")); LONGS_EQUAL(0x01010200, util_version_number ("1.1.2")); LONGS_EQUAL(0x01020304, util_version_number ("1.2.3.4")); + LONGS_EQUAL(0x7EFFFFFF, util_version_number ("126.255.255.255")); + LONGS_EQUAL(0x7FFFFFFF, util_version_number ("127.255.255.255")); + LONGS_EQUAL(0x7FFFFFFF, util_version_number ("128.255.255.255")); + LONGS_EQUAL(0x7FFFFFFF, util_version_number ("255.255.255.255")); + LONGS_EQUAL(0x7FFFFFFF, util_version_number ("999999999.999999999.999999999.999999999"));; } diff -Nru weechat-4.6.1/UPGRADING.md weechat-4.6.3/UPGRADING.md --- weechat-4.6.1/UPGRADING.md 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/UPGRADING.md 2025-05-11 11:22:11.000000000 +0200 
@@ -7,6 +7,14 @@ For a list of all changes in each version, please see [CHANGELOG.md](CHANGELOG.md). +## Version 4.6.3 + +### API function util_version_number + +An integer overflow has been fixed in the function +[util_version_number](https://weechat.org/doc/weechat/plugin/#_util_version_number) +which now returns a version up to "127.255.255.255" (0x7FFFFFFF). + ## Version 4.6.0 ### Relay remote commands diff -Nru weechat-4.6.1/version.sh weechat-4.6.3/version.sh --- weechat-4.6.1/version.sh 2025-04-09 13:33:19.000000000 +0200 +++ weechat-4.6.3/version.sh 2025-05-11 11:22:11.000000000 +0200 @@ -39,8 +39,8 @@ # devel-number the devel version as hex number ("0x04010000" for "4.1.0-dev") # -weechat_stable="4.6.1" -weechat_devel="4.6.1" +weechat_stable="4.6.3" +weechat_devel="4.6.3" stable_major=$(echo "${weechat_stable}" | cut -d"." -f1) stable_minor=$(echo "${weechat_stable}" | cut -d"." -f2)
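
Review bot: The debian/changelog entry describes the upload only as "fixes multiple security vulnerabilities", but the CHANGELOG.md hunk also brings in the two 4.6.2 entries (weechat.log written to stdout with `weechat-headless --stdout`, and the window title refresh on buffer switch), which are functional changes and account for the core-log.c, core-config.c and gui-curses-*.c hunks. The doc hunks also drop "NULL to reset title" from the gui_window_set_title description and gui-curses-main.c removes the title reset on exit, yet UPGRADING.md mentions only util_version_number. Suggest naming the 4.6.2 changes in debian/changelog so the scope under review is explicit.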
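
Review bot: In src/core/core-eval.c, hunk -309,11, the second added `if (!range[0]) goto end;` tests `range`, while the call it precedes advances a different pointer: `ptr_char = utf8_next_char (ptr_char);`. At that point `ptr_char[0]` has just been checked to be '-', so the guard can never fire, and both added guards repeat the `if (!range || !range[0])` test added at the top of the function in hunk -300,6 (range is not reassigned in the visible lines). Either drop the two inner checks or, if the intent was to guard the pointer being advanced, test `ptr_char[0]` in the second one.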
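
Review bot: In src/core/core-eval.c, hunk -894,7, `malloc ((length * 4) + 8 + 1)` adds a bare 8 with no explanation of which encoding's worst case it covers. Presumably this is for padded output on short input (base32 emits 8 characters per 5-byte block, which exceeds `length * 4` for a 1-byte input), but the hunk does not say so. Suggest a comment stating the bound, or computing the size from the selected base, so the next change to the encoders does not silently invalidate it.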
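
Review bot: In util_parse_time (src/core/core-util.c, hunk -445,10), the return value of `snprintf (str_date2, sizeof (str_date2), "%s%s", str_date, string);` is ignored. That removes the overflow the old strcat had, but an over-long input is now silently truncated and the truncated text is handed to strptime, which may accept a prefix. Suggest treating a return value that is negative or `>= sizeof (str_date2)` as a parse failure instead of continuing.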
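
Review bot: In gui_window_set_title (src/gui/curses/gui-curses-window.c, hunk -2573,15), moving the TERM lookup below the evaluation introduces a leak: after `new_title = eval_expression (title, NULL, NULL, NULL);` succeeds, the path `if (!envterm) return;` exits without freeing new_title, which eval_expression returns as an allocated string. Suggest keeping the getenv ("TERM") check before the eval_expression call, after the new `if (!title || !title[0])` test, or freeing new_title before that return.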
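
Review bot: In tests/unit/core/test-core-util.cpp, the last added line ends with a stray double semicolon: `util_version_number ("999999999.999999999.999999999.999999999"));;`. Harmless, but worth dropping. The new cases also exercise only the clamp on the first component (0x7F); a case such as "1.256.0" would cover the unchanged 0xFF clamp on the later components that the core-util.c hunk at -670,7 now handles in a separate branch.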

