From 03b5751d22fbe5e9b245e9e907ff92924043027a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?=
Date: Mon, 26 Sep 2016 11:50:47 +0200
Subject: [PATCH] Fixed buf.pl not to disclosure information through the filesystem Resolves: CVE-2016-7553
---
 irssi-0.8.20-CVE-2016-7553.patch | 125 +++++++++++++++++++++++++++++++
 irssi.spec | 8 +-
 2 files changed, 132 insertions(+), 1 deletion(-)
 create mode 100644 irssi-0.8.20-CVE-2016-7553.patch
diff --git a/irssi-0.8.20-CVE-2016-7553.patch b/irssi-0.8.20-CVE-2016-7553.patch
new file mode 100644
index 0000000..c3bf88f
--- /dev/null
+++ b/irssi-0.8.20-CVE-2016-7553.patch
@@ -0,0 +1,125 @@
+From f1b1eb154baa684fad5d65bf4dff79c8ded8b65a Mon Sep 17 00:00:00 2001
+From: Juerd Waalboer
+Date: Thu, 22 Sep 2016 02:26:09 +0200
+Subject: [PATCH] Fix disclosure via filesystem
+
+buf.pl restores the scrollbuffer between "/upgrade"s by writing the
+contents to a file, and reading that after the new process was spawned.
+Through that file, the contents of (private) chat conversations may leak to
+other users.
+
+Careful users with a limited umask (e.g. 077) are not affected by this bug.
+However, most Linux systems default to a umask of 022, meaning that files
+written without further restricting the permissions, are readable by any
+user.
+
+This patch sets a safer umask of 077 for the scrollbuffer dump, and will
+remove the temporary file after use to further reduce the attack surface.
+Additionally, it will remove any remaining temporary scrollbuffer file left
+in place, like those written by previous versions of the script.
+---
+ scripts/buf.pl | 42 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+
+diff --git a/scripts/buf.pl b/scripts/buf.pl
+index da50e82..6d907f1 100644
+--- a/scripts/buf.pl
++++ b/scripts/buf.pl
+@@ -5,7 +5,7 @@
+ settings_get_str settings_get_bool channels windows
+ settings_add_str settings_add_bool get_irssi_dir
+ window_find_refnum signal_stop);
+-$VERSION = '2.13';
++$VERSION = '2.20';
+ %IRSSI = (
+ authors => 'Juerd',
+ contact => 'juerd@juerd.nl',
+@@ -13,10 +13,8 @@
+ description => 'Saves the buffer for /upgrade, so that no information is lost',
+ license => 'Public Domain',
+ url => 'http://juerd.nl/irssi/',
+- changed => 'Mon May 13 19:41 CET 2002',
+- changes => 'Severe formatting bug removed * oops, I ' .
+- 'exposed Irssi to ircII foolishness * sorry ' .
+- '** removed logging stuff (this is a fix)',
++ changed => 'Thu Sep 22 01:37 CEST 2016',
++ changes => 'Fixed file permissions (leaked everything via filesystem)',
+ note1 => 'This script HAS TO BE in your scripts/autorun!',
+ note2 => 'Perl support must be static or in startup',
+ );
+@@ -39,9 +37,15 @@
+
+ my %suppress;
+
++sub _filename { sprintf '%s/scrollbuffer', get_irssi_dir }
++
+ sub upgrade {
+- open BUF, q{>}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!;
+- print BUF join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n";
++ my $fn = _filename;
++ my $old_umask = umask 0077;
++ open my $fh, q{>}, $fn or die "open $fn: $!";
++ umask $old_umask;
++
++ print $fh join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n";
+ for my $window (windows) {
+ next unless defined $window;
+ next if $window->{name} eq 'status';
+@@ -57,36 +61,39 @@ sub upgrade {
+ redo if defined $line;
+ }
+ }
+- printf BUF "%s:%s\n%s", $window->{refnum}, $lines, $buf;
++ printf $fh "%s:%s\n%s", $window->{refnum}, $lines, $buf;
+ }
+- close BUF;
++ close $fh;
+ unlink sprintf("%s/sessionconfig", get_irssi_dir);
+ command 'layout save';
+ command 'save';
+ }
+
+ sub restore {
+- open BUF, q{<}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!;
+- my @suppress = split /\0/, ;
++ my $fn = _filename;
++ open my $fh, q{<}, $fn or die "open $fn: $!";
++ unlink $fn or warn "unlink $fn: $!";
++
++ my @suppress = split /\0/, readline $fh;
+ if (settings_get_bool 'upgrade_suppress_join') {
+ chomp $suppress[-1];
+ @suppress{@suppress} = (2) x @suppress;
+ }
+ active_win->command('^window scroll off');
+- while (my $bla = ){
++ while (my $bla = readline $fh){
+ chomp $bla;
+ my ($refnum, $lines) = split /:/, $bla;
+ next unless $lines;
+ my $window = window_find_refnum $refnum;
+ unless (defined $window){
+- for 1..$lines;
++ readline $fh for 1..$lines;
+ next;
+ }
+ my $view = $window->view;
+ $view->remove_all_lines();
+ $view->redraw();
+ my $buf = '';
+- $buf .= for 1..$lines;
++ $buf .= readline $fh for 1..$lines;
+ my $sep = settings_get_str 'upgrade_separator';
+ $sep .= "\n" if $sep ne '';
+ $window->gui_printtext_after(undef, MSGLEVEL_CLIENTNOTICE, "$buf\cO$sep");
+@@ -119,3 +126,10 @@ sub suppress {
+ unless (-f sprintf('%s/scripts/autorun/buf.pl', get_irssi_dir)) {
+ Irssi::print('PUT THIS SCRIPT IN ~/.irssi/scripts/autorun/ BEFORE /UPGRADING!!');
+ }
++
++# Remove any left-over file. If 'session' doesn't exist (created by irssi
++# during /UPGRADE), neither should our file.
++unless (-e sprintf('%s/session', get_irssi_dir)) {
++ my $fn = _filename;
++ unlink $fn or warn "unlink $fn: $!" if -e $fn;
++}
diff --git a/irssi.spec b/irssi.spec
index 3cb2129..bc95f02 100644
--- a/irssi.spec
+++ b/irssi.spec
@@ -3,7 +3,7 @@ Summary: Modular text mode IRC client with Perl scripting
 Name: irssi
 Version: 0.8.20
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: Applications/Communications
@@ -15,6 +15,7 @@ BuildRequires: ncurses-devel openssl-devel zlib-devel
 BuildRequires: pkgconfig glib2-devel perl-devel perl-generators perl(ExtUtils::Embed)
 BuildRequires: autoconf automake libtool
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+Patch0: irssi-0.8.20-CVE-2016-7553.patch
 %package devel
 Summary: Development package for irssi
@@ -36,6 +37,7 @@ being maintained.
 %prep
 %setup -q
+%patch0 -p1 -b .CVE-2016-7553
 %build
 autoreconf -i
@@ -87,6 +89,10 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Mon Sep 26 2016 Jaroslav Škarvada - 0.8.20-2
+- Fixed buf.pl not to disclosure information through the filesystem
+ Resolves: CVE-2016-7553
+
 * Thu Sep 22 2016 Jaroslav Škarvada - 0.8.20-1
 - New version
 Resolves: rhbz#1378261
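Review bot: In `upgrade` (scripts/buf.pl, inside the embedded patch), `umask 0077` only takes effect when `open my $fh, q{>}, $fn` creates the file; if a `scrollbuffer` file already exists with a looser mode, the open truncates it and keeps that mode, so the fresh dump would still be readable by other users. The load-time cleanup at the end of the script narrows this case, but it only warns when its `unlink` fails and is skipped whenever `session` exists. Setting the mode on the handle right after the open would close the gap on systems where Perl's `chmod` accepts a filehandle: `chmod 0600, $fh or die "chmod $fn: $!";`. Separately, `print $fh`, `printf $fh` and `close $fh` are unchecked, so a failed write leaves a truncated dump without notice; `close $fh or warn "close $fn: $!";` would surface it. The body of `upgrade` spans two hunks and part of it lies outside them.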