Hi,
Weechat 1.9.1 was released to fix CVE-2017-14727:
Date/time conversion specifiers are expanded after replacing buffer
local variables in name of log files. In some cases, this can lead to
an error in function strftime and a crash caused by the use of an
uninitialized buffer.
Patch:
https://github.com/weechat/weechat/commit/f105c6f0b56fb5687b2d2aedf37cb1d1b434d556
Patches for -current and -stable attached.
Comments? OK?
Cheers,
Daniel
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/weechat/Makefile,v
retrieving revision 1.30
diff -u -p -r1.30 Makefile
--- Makefile 14 Aug 2017 19:34:29 -0000 1.30
+++ Makefile 24 Sep 2017 14:59:54 -0000
@@ -6,7 +6,7 @@ COMMENT-python= Python bindings for weec
COMMENT-ruby= Ruby bindings for weechat
COMMENT-tcl= Tcl bindings for weechat
-V= 1.9
+V= 1.9.1
DISTNAME= weechat-${V}
PKGNAME-main= weechat-${V}
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/weechat/distinfo,v
retrieving revision 1.14
diff -u -p -r1.14 distinfo
--- distinfo 14 Aug 2017 19:34:29 -0000 1.14
+++ distinfo 24 Sep 2017 14:59:54 -0000
@@ -1,2 +1,2 @@
-SHA256 (weechat-1.9.tar.gz) = vI4KuFZjOQSR3x1PcUiXKXv8zYnpPPtxnySvwXzNKpc=
-SIZE (weechat-1.9.tar.gz) = 3749097
+SHA256 (weechat-1.9.1.tar.gz) = ObCqQSEoR7gtBwsAUPUl91HLpnFloPW43cvv9k4Pe30=
+SIZE (weechat-1.9.1.tar.gz) = 3749203
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/weechat/Makefile,v
retrieving revision 1.28.2.1
diff -u -p -r1.28.2.1 Makefile
--- Makefile 23 Apr 2017 14:35:55 -0000 1.28.2.1
+++ Makefile 24 Sep 2017 15:15:17 -0000
@@ -8,6 +8,7 @@ COMMENT-tcl= Tcl bindings for weechat
V= 1.7.1
DISTNAME= weechat-${V}
+REVISION= 0
PKGNAME-main= weechat-${V}
PKGNAME-lua= weechat-lua-${V}
Index: patches/patch-src_plugins_logger_logger_c
===================================================================
RCS file: patches/patch-src_plugins_logger_logger_c
diff -N patches/patch-src_plugins_logger_logger_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_plugins_logger_logger_c 24 Sep 2017 15:15:17 -0000
@@ -0,0 +1,145 @@
+$OpenBSD$
+
+Backport f105c6f0b56fb5687b2d2aedf37cb1d1b434d556 fix CVE-2017-14727
+[PATCH] logger: call strftime before replacing buffer local variables
+
+--- src/plugins/logger/logger.c.orig Sat Apr 22 09:25:40 2017
++++ src/plugins/logger/logger.c Sun Sep 24 11:09:27 2017
+@@ -295,71 +295,71 @@ logger_get_mask_for_buffer (struct t_gui_buffer *buffe
+ char *
+ logger_get_mask_expanded (struct t_gui_buffer *buffer, const char *mask)
+ {
+- char *mask2, *mask_decoded, *mask_decoded2, *mask_decoded3, *mask_decoded4;
+- char *mask_decoded5;
++ char *mask2, *mask3, *mask4, *mask5, *mask6, *mask7;
+ const char *dir_separator;
+ int length;
+ time_t seconds;
+ struct tm *date_tmp;
+
+ mask2 = NULL;
+- mask_decoded = NULL;
+- mask_decoded2 = NULL;
+- mask_decoded3 = NULL;
+- mask_decoded4 = NULL;
+- mask_decoded5 = NULL;
++ mask3 = NULL;
++ mask4 = NULL;
++ mask5 = NULL;
++ mask6 = NULL;
++ mask7 = NULL;
+
+ dir_separator = weechat_info_get ("dir_separator", "");
+ if (!dir_separator)
+ return NULL;
+
++ /* replace date/time specifiers in mask */
++ length = strlen (mask) + 256 + 1;
++ mask2 = malloc (length);
++ if (!mask2)
++ goto end;
++ seconds = time (NULL);
++ date_tmp = localtime (&seconds);
++ mask2[0] = '\0';
++ if (strftime (mask2, length - 1, mask, date_tmp) == 0)
++ mask2[0] = '\0';
++
+ /*
+ * we first replace directory separator (commonly '/') by \01 because
+ * buffer mask can contain this char, and will be replaced by replacement
+ * char ('_' by default)
+ */
+- mask2 = weechat_string_replace (mask, dir_separator, "\01");
+- if (!mask2)
++ mask3 = weechat_string_replace (mask2, dir_separator, "\01");
++ if (!mask3)
+ goto end;
+
+- mask_decoded = weechat_buffer_string_replace_local_var (buffer, mask2);
+- if (!mask_decoded)
++ mask4 = weechat_buffer_string_replace_local_var (buffer, mask3);
++ if (!mask4)
+ goto end;
+
+- mask_decoded2 = weechat_string_replace (mask_decoded,
+- dir_separator,
+- weechat_config_string (logger_config_file_replacement_char));
+- if (!mask_decoded2)
++ mask5 = weechat_string_replace (mask4,
++ dir_separator,
++ weechat_config_string (logger_config_file_replacement_char));
++ if (!mask5)
+ goto end;
+
+ #ifdef __CYGWIN__
+- mask_decoded3 = weechat_string_replace (mask_decoded2, "\\",
+- weechat_config_string (logger_config_file_replacement_char));
++ mask6 = weechat_string_replace (mask5, "\\",
++ weechat_config_string (logger_config_file_replacement_char));
+ #else
+- mask_decoded3 = strdup (mask_decoded2);
++ mask6 = strdup (mask5);
+ #endif /* __CYGWIN__ */
+- if (!mask_decoded3)
++ if (!mask6)
+ goto end;
+
+ /* restore directory separator */
+- mask_decoded4 = weechat_string_replace (mask_decoded3,
+- "\01", dir_separator);
+- if (!mask_decoded4)
++ mask7 = weechat_string_replace (mask6,
++ "\01", dir_separator);
++ if (!mask7)
+ goto end;
+
+- /* replace date/time specifiers in mask */
+- length = strlen (mask_decoded4) + 256 + 1;
+- mask_decoded5 = malloc (length);
+- if (!mask_decoded5)
+- goto end;
+- seconds = time (NULL);
+- date_tmp = localtime (&seconds);
+- mask_decoded5[0] = '\0';
+- strftime (mask_decoded5, length - 1, mask_decoded4, date_tmp);
+-
+ /* convert to lower case? */
+ if (weechat_config_boolean (logger_config_file_name_lower_case))
+- weechat_string_tolower (mask_decoded5);
++ weechat_string_tolower (mask7);
+
+ if (weechat_logger_plugin->debug)
+ {
+@@ -368,22 +368,22 @@ logger_get_mask_expanded (struct t_gui_buffer *buffer,
+ "decoded mask = \"%s\"",
+ LOGGER_PLUGIN_NAME,
+ weechat_buffer_get_string (buffer, "name"),
+- mask, mask_decoded5);
++ mask, mask7);
+ }
+
+ end:
+ if (mask2)
+ free (mask2);
+- if (mask_decoded)
+- free (mask_decoded);
+- if (mask_decoded2)
+- free (mask_decoded2);
+- if (mask_decoded3)
+- free (mask_decoded3);
+- if (mask_decoded4)
+- free (mask_decoded4);
++ if (mask3)
++ free (mask3);
++ if (mask4)
++ free (mask4);
++ if (mask5)
++ free (mask5);
++ if (mask6)
++ free (mask6);
+
+- return mask_decoded5;
++ return mask7;
+ }
+
+ /*
