diff -Nru irssi-0.8.19/debian/changelog irssi-0.8.19/debian/changelog
--- irssi-0.8.19/debian/changelog 2016-03-24 23:28:48.000000000 +0000
+++ irssi-0.8.19/debian/changelog 2017-01-25 17:58:14.000000000 +0000
@@ -1,3 +1,32 @@
+irssi (0.8.19-1ubuntu2.1) yakkety-security; urgency=medium
+
+ * SECURITY UPDATE: local information disclosure via scrollbuffer dump
+ - debian/patches/CVE-2016-7553.patch: set proper permissions in
+ scripts/buf.pl.
+ - CVE-2016-7553
+ * SECURITY UPDATE: multiple security issues
+ - debian/patches/CVE-2017-5xxx.patch: properly handle strings in
+ src/fe-common/core/formats.c, handle utf8 errors in
+ src/fe-text/term-terminfo.c, properly handle invalid nicks in
+ src/irc/core/irc-nicklist.c, make sure nick is valid in
+ src/irc/core/irc-queries.c.
+ - CVE-2017-5193
+ - CVE-2017-5194
+ - CVE-2017-5195
+ - CVE-2017-5196
+ - CVE-2017-5356
+
+ -- Marc Deslauriers Wed, 25 Jan 2017 12:58:14 -0500
+
+irssi (0.8.19-1ubuntu2) yakkety; urgency=medium
+
+ * SECURITY UPDATE: Fix color format decoding (LP: #1624068):
+ - Add debian/patches/91fix-color-formatting:
+ + fix unformat_24bit_color (CVE-2016-7044)
+ + fix format_send_to_gui (CVE-2016-7045)
+
+ -- Kees Cook Thu, 15 Sep 2016 11:43:53 -0700
+
 irssi (0.8.19-1ubuntu1) xenial; urgency=medium
+ * Merge from Debian. Remaining changes:
diff -Nru irssi-0.8.19/debian/patches/91fix-color-formatting irssi-0.8.19/debian/patches/91fix-color-formatting
--- irssi-0.8.19/debian/patches/91fix-color-formatting 1970-01-01 00:00:00.000000000 +0000
+++ irssi-0.8.19/debian/patches/91fix-color-formatting 2016-09-15 18:43:53.000000000 +0000
@@ -0,0 +1,26 @@
+Description: fixes CVE-2016-7044 and CVE-2016-7045.
+Origin: upstream irssi-0.8.17_fix.diff
+
+Index: irssi-0.8.19/src/fe-common/core/formats.c
+===================================================================
+--- irssi-0.8.19.orig/src/fe-common/core/formats.c 2016-03-20 14:18:46.000000000 -0700
++++ irssi-0.8.19/src/fe-common/core/formats.c 2016-09-15 11:47:24.766979985 -0700
+@@ -131,6 +131,8 @@
+ unsigned char rgbx[4];
+ unsigned int i;
+ for (i = 0; i < 4; ++i) {
++ if ((*ptr)[i + off] == '\0')
++ return;
+ rgbx[i] = (*ptr)[i + off];
+ }
+ rgbx[3] -= 0x20;
+@@ -1357,6 +1359,9 @@
+ bgcolor = *ptr==(char)0xff ? -1 : *ptr-'0';
+ }
+ }
++ if (*ptr == '\0')
++ break;
++
+ ptr++;
+ break;
+ case 6:
diff -Nru irssi-0.8.19/debian/patches/CVE-2016-7553.patch irssi-0.8.19/debian/patches/CVE-2016-7553.patch
--- irssi-0.8.19/debian/patches/CVE-2016-7553.patch 1970-01-01 00:00:00.000000000 +0000
+++ irssi-0.8.19/debian/patches/CVE-2016-7553.patch 2017-01-25 17:58:04.000000000 +0000
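Review bot: The early `return` added inside the `rgbx` loop of unformat_24bit_color bails out on a truncated sequence with `rgbx` only partially filled and `*ptr` left on the truncated bytes, so correctness appears to depend on the caller noticing the `'\0'` afterwards — which the second hunk in format_send_to_gui does with its `if (*ptr == '\0') break;` before `ptr++`. That coupling is not stated in either hunk; a comment above the return such as `/* truncated colour sequence: leave *ptr where it is so the caller's '\0' check stops the scan */` would make it explicit. Both enclosing functions start and end outside the hunk, so whether unformat_24bit_color has other callers that rely on the same check cannot be seen here.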
@@ -0,0 +1,125 @@
+From f1b1eb154baa684fad5d65bf4dff79c8ded8b65a Mon Sep 17 00:00:00 2001
+From: Juerd Waalboer
+Date: Thu, 22 Sep 2016 02:26:09 +0200
+Subject: [PATCH] Fix disclosure via filesystem
+
+buf.pl restores the scrollbuffer between "/upgrade"s by writing the
+contents to a file, and reading that after the new process was spawned.
+Through that file, the contents of (private) chat conversations may leak to
+other users.
+
+Careful users with a limited umask (e.g. 077) are not affected by this bug.
+However, most Linux systems default to a umask of 022, meaning that files
+written without further restricting the permissions, are readable by any
+user.
+
+This patch sets a safer umask of 077 for the scrollbuffer dump, and will
+remove the temporary file after use to further reduce the attack surface.
+Additionally, it will remove any remaining temporary scrollbuffer file left
+in place, like those written by previous versions of the script.
+---
+ scripts/buf.pl | 42 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+
+diff --git a/scripts/buf.pl b/scripts/buf.pl
+index da50e82..6d907f1 100644
+--- a/scripts/buf.pl
++++ b/scripts/buf.pl
+@@ -5,7 +5,7 @@
+ settings_get_str settings_get_bool channels windows
+ settings_add_str settings_add_bool get_irssi_dir
+ window_find_refnum signal_stop);
+-$VERSION = '2.13';
++$VERSION = '2.20';
+ %IRSSI = (
+ authors => 'Juerd',
+ contact => 'juerd@juerd.nl',
+@@ -13,10 +13,8 @@
+ description => 'Saves the buffer for /upgrade, so that no information is lost',
+ license => 'Public Domain',
+ url => 'http://juerd.nl/irssi/',
+- changed => 'Mon May 13 19:41 CET 2002',
+- changes => 'Severe formatting bug removed * oops, I ' .
+- 'exposed Irssi to ircII foolishness * sorry ' .
+- '** removed logging stuff (this is a fix)',
++ changed => 'Thu Sep 22 01:37 CEST 2016',
++ changes => 'Fixed file permissions (leaked everything via filesystem)',
+ note1 => 'This script HAS TO BE in your scripts/autorun!',
+ note2 => 'Perl support must be static or in startup',
+ );
+@@ -39,9 +37,15 @@
+
+ my %suppress;
+
++sub _filename { sprintf '%s/scrollbuffer', get_irssi_dir }
++
+ sub upgrade {
+- open BUF, q{>}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!;
+- print BUF join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n";
++ my $fn = _filename;
++ my $old_umask = umask 0077;
++ open my $fh, q{>}, $fn or die "open $fn: $!";
++ umask $old_umask;
++
++ print $fh join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n";
+ for my $window (windows) {
+ next unless defined $window;
+ next if $window->{name} eq 'status';
+@@ -57,36 +61,39 @@ sub upgrade {
+ redo if defined $line;
+ }
+ }
+- printf BUF "%s:%s\n%s", $window->{refnum}, $lines, $buf;
++ printf $fh "%s:%s\n%s", $window->{refnum}, $lines, $buf;
+ }
+- close BUF;
++ close $fh;
+ unlink sprintf("%s/sessionconfig", get_irssi_dir);
+ command 'layout save';
+ command 'save';
+ }
+
+ sub restore {
+- open BUF, q{<}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!;
+- my @suppress = split /\0/, ;
++ my $fn = _filename;
++ open my $fh, q{<}, $fn or die "open $fn: $!";
++ unlink $fn or warn "unlink $fn: $!";
++
++ my @suppress = split /\0/, readline $fh;
+ if (settings_get_bool 'upgrade_suppress_join') {
+ chomp $suppress[-1];
+ @suppress{@suppress} = (2) x @suppress;
+ }
+ active_win->command('^window scroll off');
+- while (my $bla = ){
++ while (my $bla = readline $fh){
+ chomp $bla;
+ my ($refnum, $lines) = split /:/, $bla;
+ next unless $lines;
+ my $window = window_find_refnum $refnum;
+ unless (defined $window){
+- for 1..$lines;
++ readline $fh for 1..$lines;
+ next;
+ }
+ my $view = $window->view;
+ $view->remove_all_lines();
+ $view->redraw();
+ my $buf = '';
+- $buf .= for 1..$lines;
++ $buf .= readline $fh for 1..$lines;
+ my $sep = settings_get_str 'upgrade_separator';
+ $sep .= "\n" if $sep ne '';
+ $window->gui_printtext_after(undef, MSGLEVEL_CLIENTNOTICE, "$buf\cO$sep");
+@@ -119,3 +126,10 @@ sub suppress {
+ unless (-f sprintf('%s/scripts/autorun/buf.pl', get_irssi_dir)) {
+ Irssi::print('PUT THIS SCRIPT IN ~/.irssi/scripts/autorun/ BEFORE /UPGRADING!!');
+ }
++
++# Remove any left-over file. If 'session' doesn't exist (created by irssi
++# during /UPGRADE), neither should our file.
++unless (-e sprintf('%s/session', get_irssi_dir)) {
++ my $fn = _filename;
++ unlink $fn or warn "unlink $fn: $!" if -e $fn;
++}
diff -Nru irssi-0.8.19/debian/patches/CVE-2017-5xxx.patch irssi-0.8.19/debian/patches/CVE-2017-5xxx.patch
--- irssi-0.8.19/debian/patches/CVE-2017-5xxx.patch 1970-01-01 00:00:00.000000000 +0000
+++ irssi-0.8.19/debian/patches/CVE-2017-5xxx.patch 2017-01-25 17:58:10.000000000 +0000
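Review bot: In `upgrade`, the saved umask is restored only on the success path: `open my $fh, q{>}, $fn or die "open $fn: $!";` runs before `umask $old_umask;`, so if the open fails and the die is trapped by irssi's Perl script layer (not visible here), the process keeps running with umask 0077 for every later file it creates. Separating the open from its check keeps the restore unconditional: `my $ok = open my $fh, q{>}, $fn;` / `umask $old_umask;` / `$ok or die "open $fn: $!";`. Note also that umask only governs newly created files: a pre-existing world-readable `scrollbuffer` written by an older version of the script is truncated in place by `q{>}` and keeps its old mode, and the new cleanup block at the end of the file only removes it when no `session` file exists. The patch header is a raw format-patch with no DEP-3 fields; a line such as `Origin: upstream, commit f1b1eb154baa684fad5d65bf4dff79c8ded8b65a` would record provenance the way 91fix-color-formatting's header does.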
@@ -0,0 +1,116 @@
+From 6c6c42e3d1b49d90aacc0b67f8540471cae02a1d Mon Sep 17 00:00:00 2001
+From: ailin-nemui
+Date: Tue, 3 Jan 2017 13:44:58 +0100
+Subject: [PATCH] Merge branch 'security' into 'master'
+
+See merge request !7
+---
+ src/fe-common/core/formats.c | 10 +++++++++-
+ src/fe-text/term-terminfo.c | 13 ++++++++++---
+ src/irc/core/irc-nicklist.c | 6 +++++-
+ src/irc/core/irc-queries.c | 2 ++
+ 4 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/src/fe-common/core/formats.c b/src/fe-common/core/formats.c
+index d9a5120..738239a 100644
+--- a/src/fe-common/core/formats.c
++++ b/src/fe-common/core/formats.c
+@@ -68,7 +68,7 @@ static void format_expand_code(const char **format, GString *out, int *flags)
+
+ if (flags == NULL) {
+ /* flags are being ignored - skip the code */
+- while (**format != ']')
++ while (**format != ']' && **format != '\0')
+ (*format)++;
+ return;
+ }
+@@ -246,6 +246,10 @@ int format_expand_styles(GString *out, const char **format, int *flags)
+ case '[':
+ /* code */
+ format_expand_code(format, out, flags);
++ if ((*format)[0] == '\0')
++ /* oops, reached end prematurely */
++ (*format)--;
++
+ break;
+ case 'x':
+ case 'X':
+@@ -972,6 +976,7 @@ static const char *get_ansi_color(THEME_REC *theme, const char *str,
+ str++;
+ for (num2 = 0; i_isdigit(*str); str++)
+ num2 = num2*10 + (*str-'0');
++ if (*str == '\0') return start;
+
+ switch (num2) {
+ case 2:
+@@ -989,6 +994,8 @@ static const char *get_ansi_color(THEME_REC *theme, const char *str,
+ for (; i_isdigit(*str); str++)
+ num2 = (num2&~0xff) |
+ (((num2&0xff) * 10 + (*str-'0'))&0xff);
++
++ if (*str == '\0') return start;
+ }
+
+ if (i == -1) break;
+@@ -1017,6 +1024,7 @@ static const char *get_ansi_color(THEME_REC *theme, const char *str,
+ str++;
+ for (num2 = 0; i_isdigit(*str); str++)
+ num2 = num2*10 + (*str-'0');
++ if (*str == '\0') return start;
+
+ if (num == 38) {
+ flags &= ~GUI_PRINT_FLAG_COLOR_24_FG;
+diff --git a/src/fe-text/term-terminfo.c
b/src/fe-text/term-terminfo.c
+index 27be904..8fac76b 100644
+--- a/src/fe-text/term-terminfo.c
++++ b/src/fe-text/term-terminfo.c
+@@ -539,9 +539,16 @@ int term_addstr(TERM_WINDOW *window, const char *str)
+
+ if (term_type == TERM_TYPE_UTF8) {
+ while (*ptr != '\0') {
+- tmp = g_utf8_get_char(ptr);
+- len += unichar_isprint(tmp) ? mk_wcwidth(tmp) : 1;
+- ptr = g_utf8_next_char(ptr);
++ tmp = g_utf8_get_char_validated(ptr, -1);
++ /* On utf8 error, treat as single byte and try to
++ continue interpretting rest of string as utf8 */
++ if (tmp == (gunichar)-1 || tmp == (gunichar)-2) {
++ len++;
++ ptr++;
++ } else {
++ len += unichar_isprint(tmp) ? mk_wcwidth(tmp) : 1;
++ ptr = g_utf8_next_char(ptr);
++ }
+ }
+ } else
+ len = raw_len;
+diff --git a/src/irc/core/irc-nicklist.c b/src/irc/core/irc-nicklist.c
+index bcb9d1f..f049fe7 100644
+--- a/src/irc/core/irc-nicklist.c
++++ b/src/irc/core/irc-nicklist.c
+@@ -314,7 +314,11 @@ static void event_whois_ircop(SERVER_REC *server, const char *data)
+ static void event_nick_invalid(IRC_SERVER_REC *server, const char *data)
+ {
+ if (!server->connected)
+- server_disconnect((SERVER_REC *) server);
++ /* we used to call server_disconnect but that crashes
++ irssi because of undefined memory access. instead,
++ indicate that the connection should be dropped and
++ let the irc method to the clean-up.
*/
++ server->connection_lost = server->no_reconnect = TRUE;
+ }
+
+ static void event_nick_in_use(IRC_SERVER_REC *server, const char *data)
+diff --git a/src/irc/core/irc-queries.c b/src/irc/core/irc-queries.c
+index 1286174..77a5289 100644
+--- a/src/irc/core/irc-queries.c
++++ b/src/irc/core/irc-queries.c
+@@ -45,6 +45,8 @@ QUERY_REC *irc_query_find(IRC_SERVER_REC *server, const char *nick)
+ {
+ GSList *tmp;
+
++ g_return_val_if_fail(nick != NULL, NULL);
++
+ for (tmp = server->queries; tmp != NULL; tmp = tmp->next) {
+ QUERY_REC *rec = tmp->data;
+
diff -Nru irssi-0.8.19/debian/patches/series irssi-0.8.19/debian/patches/series
--- irssi-0.8.19/debian/patches/series 2016-03-24 23:29:52.000000000 +0000
+++ irssi-0.8.19/debian/patches/series 2017-01-25 17:58:10.000000000 +0000
@@ -7,3 +7,6 @@
 20fix_ssl_proxy_hostname_check
 22fix-perl-hardening
 90irc-ubuntu-com
+91fix-color-formatting
+CVE-2016-7553.patch
+CVE-2017-5xxx.patch
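Review bot: The `(*format)--` added under `case '['` in format_expand_styles only works together with an increment the caller performs after the switch, which lies outside the hunk, and the comment `/* oops, reached end prematurely */` does not say so; if that increment is ever made conditional, this line becomes a pointer stepping back before the start of a one-character string. A comment that states the dependency would protect the next maintainer, e.g. `/* format_expand_code stopped on the terminating NUL; step back one so the unconditional (*format)++ that follows lands on it rather than past it */`. The term-terminfo.c comment spells "interpretting" and the irc-nicklist.c comment reads "let the irc method to the clean-up" (presumably "do the clean-up"); since this is a carried-forward upstream patch, fixing those is optional but worth doing if the patch is regenerated. The three `if (*str == '\0') return start;` guards in get_ansi_color are consistent with one another; the enclosing function starts and ends outside each of those hunks.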