Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hi

Disclaimer: please note, not the maintainer here, but Emmanuel is
X-Debbug-CC'ed.

Please unblock package weechat

I guess 1.7-3 as in unstable, fixing CVE-2017-8073, #861121 cannot be
unblocked, since the changes to 1.6-1 are way too much (if yes, though,
that would be great). If not, I propose a targeted fix to fix this CVE:

+weechat (1.6-1+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 29 Apr 2017 16:31:58 +0200

The issue is as well fixed already in stable via a DSA.

unblock weechat/1.6-1+deb9u1

Regards
Salvatore
diff -Nru weechat-1.6/debian/changelog weechat-1.6/debian/changelog
--- weechat-1.6/debian/changelog        2016-10-06 13:55:35.000000000 +0200
+++ weechat-1.6/debian/changelog        2017-04-29 16:31:58.000000000 +0200
@@ -1,3 +1,10 @@
+weechat (1.6-1+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 29 Apr 2017 16:31:58 +0200
+
 weechat (1.6-1) unstable; urgency=medium
 
   * New upstream release
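
Review bot: the new changelog entry at the "irc: fix parsing of DCC filename" line does not name the file that carries the fix. Mentioning debian/patches/02_CVE-2017-8073.patch there would let a reader go straight from the changelog to the change.
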
diff -Nru weechat-1.6/debian/patches/02_CVE-2017-8073.patch 
weechat-1.6/debian/patches/02_CVE-2017-8073.patch
--- weechat-1.6/debian/patches/02_CVE-2017-8073.patch   1970-01-01 
01:00:00.000000000 +0100
+++ weechat-1.6/debian/patches/02_CVE-2017-8073.patch   2017-04-29 
16:31:58.000000000 +0200
@@ -0,0 +1,27 @@
+Description: irc: fix parsing of DCC filename (CVE-2017-8073)
+Origin: upstream, 
https://github.com/weechat/weechat/commit/2fb346f25f79e412cf0ed314fdf791763c19b70b
+Bug-Debian: https://bugs.debian.org/861121
+Forwarded: not-needed
+Author: Tobias Stoeckmann <tob...@stoeckmann.org>
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2017-04-29
+---
+ src/plugins/irc/irc-ctcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/irc/irc-ctcp.c b/src/plugins/irc/irc-ctcp.c
+index e62832b..8afee68 100644
+--- a/src/plugins/irc/irc-ctcp.c
++++ b/src/plugins/irc/irc-ctcp.c
+@@ -512,7 +512,7 @@ irc_ctcp_dcc_filename_without_quotes (const char *filename)
+     int length;
+ 
+     length = strlen (filename);
+-    if (length > 0)
++    if (length > 1)
+     {
+         if ((filename[0] == '\"') && (filename[length - 1] == '\"'))
+             return weechat_strndup (filename + 1, length - 2);
+-- 
+2.1.4
+
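
Review bot: the patch header's Description only says "fix parsing of DCC filename" and does not say which input the changed condition excludes, which makes the one-character change at `if (length > 1)` hard to review on its own. From the visible lines, a filename that is exactly one `"` has length 1, so both quote comparisons test the same byte and `weechat_strndup (filename + 1, length - 2)` would be called with a length of -1; a sentence to that effect in the Description would help. With the new guard the shortest input reaching that call is `""` (length 2), which passes a length of 0, so it is worth confirming that the callers accept an empty filename.
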
diff -Nru weechat-1.6/debian/patches/series weechat-1.6/debian/patches/series
--- weechat-1.6/debian/patches/series   2016-10-06 10:17:33.000000000 +0200
+++ weechat-1.6/debian/patches/series   2017-04-29 16:31:58.000000000 +0200
@@ -1 +1,2 @@
 01_fix_asciidoctor_options.patch
+02_CVE-2017-8073.patch
