New version

Resolves: rhbz#1468785 Resolves: CVE-2017-10965 Resolves: CVE-2017-10966 Dropped allow-negative-values-in-settings patch (not needed)
2017-07-10 15:56:04 +02:00 · 2017-07-10 15:56:04 +02:00 · be0821222c
commit be0821222c
parent b9c3613192
3 changed files with 9 additions and 109 deletions
--- a/irssi-1.0.3-allow-negative-values-in-settings.patch
+++ b/irssi-1.0.3-allow-negative-values-in-settings.patch
@ -1,103 +0,0 @@
 From 7354a74c654f1717d08a37c2b118141655974bc0 Mon Sep 17 00:00:00 2001
 From: dequis <dx@dxzone.com.ar>
 Date: Sat, 17 Jun 2017 14:30:37 -0300
 Subject: [PATCH] parse_time_interval: Allow negative time in settings
 This splits sign parsing out of parse_time_interval_uint() so that the
 negative sign is applied outside of the unsigned context where the
 number parsing is done, and after all the checks that it's lower than
 (1 << 31)
 This fixes issues with settings like `server_reconnect_time`,
 `server_connect_timeout` and `lag_max_before_disconnect`, which accepted
 -1 as a valid value.
 ---
 src/core/misc.c | 38 +++++++++++++++++++++++++-------------
 1 file changed, 25 insertions(+), 13 deletions(-)
 diff --git a/src/core/misc.c b/src/core/misc.c
 index 0f038cbb5..ce49925b1 100644
 --- a/src/core/misc.c
 +++ b/src/core/misc.c
@@ -781,24 +781,35 @@ int parse_uint(const char *nptr, char **endptr, int base, guint *number)
 	return TRUE;
 }
 +static int parse_number_sign(const char *input, char **endptr, int *sign)
 +{
 +	int sign_ = 1;
 +
 +	while (i_isspace(*input))
 +		input++;
 +
 +	if (*input == '-') {
 +		sign_ = -sign_;
 +		input++;
 +	}
 +
 +	*sign = sign_;
 +	*endptr = (char *) input;
 +	return TRUE;
 +}
 +
 static int parse_time_interval_uint(const char *time, guint *msecs)
 {
 	const char *desc;
 	guint number;
 -	int sign, len, ret, digits;
 +	int len, ret, digits;
 	*msecs = 0;
 	/* max. return value is around 24 days */
 -	number = 0; sign = 1; ret = TRUE; digits = FALSE;
 +	number = 0; ret = TRUE; digits = FALSE;
 	while (i_isspace(*time))
 		time++;
 -	if (*time == '-') {
 -		sign = -sign;
 -		time++;
 -		while (i_isspace(*time))
 -			time++;
 -	}
 	for (;;) {
 		if (i_isdigit(*time)) {
 			char *endptr;
@@ -828,7 +839,6 @@ static int parse_time_interval_uint(const char *time, guint *msecs)
 			if (*time != '\0')
 				return FALSE;
 			*msecs += number * 1000; /* assume seconds */
 -			*msecs *= sign;
 			return TRUE;
 		}
@@ -866,7 +876,6 @@ static int parse_time_interval_uint(const char *time, guint *msecs)
 		digits = FALSE;
 	}
 -	*msecs *= sign;
 	return ret;
 }
@@ -960,15 +969,18 @@ int parse_size(const char *size, int *bytes)
 int parse_time_interval(const char *time, int *msecs)
 {
 	guint msecs_;
 -	int ret;
 +	char *number;
 +	int ret, sign;
 +
 +	parse_number_sign(time, &number, &sign);
 -	ret = parse_time_interval_uint(time, &msecs_);
 +	ret = parse_time_interval_uint(number, &msecs_);
 	if (msecs_ > (1U << 31)) {
 		return FALSE;
 	}
 -	*msecs = msecs_;
 +	*msecs = msecs_ * sign;
 	return ret;
 }
--- a/irssi.spec
+++ b/irssi.spec
@ -2,7 +2,7 @@
 Summary:	Modular text mode IRC client with Perl scripting
 Name:		irssi
-Version:	1.0.3
+Version:	1.0.4
 Release:	1%{?dist}
 License:	GPLv2+
@ -15,9 +15,6 @@ BuildRequires:	ncurses-devel openssl-devel zlib-devel
 BuildRequires:	pkgconfig glib2-devel perl-devel perl-generators perl(ExtUtils::Embed)
 BuildRequires:	autoconf automake libtool
 Requires:	perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 # Upstream patch to fix regression
 # https://github.com/irssi/irssi/issues/716
 Patch0:	irssi-1.0.3-allow-negative-values-in-settings.patch
 %package devel
 Summary:	Development package for irssi
@ -39,7 +36,6 @@ being maintained.
 %prep
 %setup -q
 %patch0 -p1 -b .allow-negative-values-in-settings
 %build
 autoreconf -i
@ -91,6 +87,13 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Mon Jul 10 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 1.0.4-1
 - New version
  Resolves: rhbz#1468785
  Resolves: CVE-2017-10965
  Resolves: CVE-2017-10966
 - Dropped allow-negative-values-in-settings patch (not needed)
 * Tue Jun 27 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 1.0.3-1
 - New version
  Resolves: rhbz#1459539
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (irssi-1.0.3.tar.xz) = 3a369d9bad4e2016a6a0395b35e3db1f1a6ff7ff6b8361fe5d828c29dd6f81c4b8d1bdfe0304cb05402eecddde97f6d369a5e98f215bfd177287f303d3d714eb
+SHA512 (irssi-1.0.4.tar.xz) = 8025c3b90275e5c0b910c08efcac80f56da4400662cd4a9f09cc6035ce23840fe6ed0ac5297b9631a5b28bd798b4ebca2bb5550f9e0e01aefc7a69e9f787195d
`@ -1 +1 @@`
	`SHA512 (irssi-1.0.3.tar.xz) = 3a369d9bad4e2016a6a0395b35e3db1f1a6ff7ff6b8361fe5d828c29dd6f81c4b8d1bdfe0304cb05402eecddde97f6d369a5e98f215bfd177287f303d3d714eb`	`SHA512 (irssi-1.0.4.tar.xz) = 8025c3b90275e5c0b910c08efcac80f56da4400662cd4a9f09cc6035ce23840fe6ed0ac5297b9631a5b28bd798b4ebca2bb5550f9e0e01aefc7a69e9f787195d`