diff --git a/irssi-0.8.20-CVE-2016-7553.patch b/irssi-0.8.20-CVE-2016-7553.patch deleted file mode 100644 index c3bf88f..0000000 --- a/irssi-0.8.20-CVE-2016-7553.patch +++ /dev/null @@ -1,125 +0,0 @@ -From f1b1eb154baa684fad5d65bf4dff79c8ded8b65a Mon Sep 17 00:00:00 2001 -From: Juerd Waalboer -Date: Thu, 22 Sep 2016 02:26:09 +0200 -Subject: [PATCH] Fix disclosure via filesystem - -buf.pl restores the scrollbuffer between "/upgrade"s by writing the -contents to a file, and reading that after the new process was spawned. -Through that file, the contents of (private) chat conversations may leak to -other users. - -Careful users with a limited umask (e.g. 077) are not affected by this bug. -However, most Linux systems default to a umask of 022, meaning that files -written without further restricting the permissions, are readable by any -user. - -This patch sets a safer umask of 077 for the scrollbuffer dump, and will -remove the temporary file after use to further reduce the attack surface. -Additionally, it will remove any remaining temporary scrollbuffer file left -in place, like those written by previous versions of the script. ---- - scripts/buf.pl | 42 ++++++++++++++++++++++++++++-------------- - 1 file changed, 28 insertions(+), 14 deletions(-) - -diff --git a/scripts/buf.pl b/scripts/buf.pl -index da50e82..6d907f1 100644 ---- a/scripts/buf.pl -+++ b/scripts/buf.pl -@@ -5,7 +5,7 @@ - settings_get_str settings_get_bool channels windows - settings_add_str settings_add_bool get_irssi_dir - window_find_refnum signal_stop); --$VERSION = '2.13'; -+$VERSION = '2.20'; - %IRSSI = ( - authors => 'Juerd', - contact => 'juerd@juerd.nl', -@@ -13,10 +13,8 @@ - description => 'Saves the buffer for /upgrade, so that no information is lost', - license => 'Public Domain', - url => 'http://juerd.nl/irssi/', -- changed => 'Mon May 13 19:41 CET 2002', -- changes => 'Severe formatting bug removed * oops, I ' . -- 'exposed Irssi to ircII foolishness * sorry ' . -- '** removed logging stuff (this is a fix)', -+ changed => 'Thu Sep 22 01:37 CEST 2016', -+ changes => 'Fixed file permissions (leaked everything via filesystem)', - note1 => 'This script HAS TO BE in your scripts/autorun!', - note2 => 'Perl support must be static or in startup', - ); -@@ -39,9 +37,15 @@ - - my %suppress; - -+sub _filename { sprintf '%s/scrollbuffer', get_irssi_dir } -+ - sub upgrade { -- open BUF, q{>}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!; -- print BUF join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n"; -+ my $fn = _filename; -+ my $old_umask = umask 0077; -+ open my $fh, q{>}, $fn or die "open $fn: $!"; -+ umask $old_umask; -+ -+ print $fh join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n"; - for my $window (windows) { - next unless defined $window; - next if $window->{name} eq 'status'; -@@ -57,36 +61,39 @@ sub upgrade { - redo if defined $line; - } - } -- printf BUF "%s:%s\n%s", $window->{refnum}, $lines, $buf; -+ printf $fh "%s:%s\n%s", $window->{refnum}, $lines, $buf; - } -- close BUF; -+ close $fh; - unlink sprintf("%s/sessionconfig", get_irssi_dir); - command 'layout save'; - command 'save'; - } - - sub restore { -- open BUF, q{<}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!; -- my @suppress = split /\0/, ; -+ my $fn = _filename; -+ open my $fh, q{<}, $fn or die "open $fn: $!"; -+ unlink $fn or warn "unlink $fn: $!"; -+ -+ my @suppress = split /\0/, readline $fh; - if (settings_get_bool 'upgrade_suppress_join') { - chomp $suppress[-1]; - @suppress{@suppress} = (2) x @suppress; - } - active_win->command('^window scroll off'); -- while (my $bla = ){ -+ while (my $bla = readline $fh){ - chomp $bla; - my ($refnum, $lines) = split /:/, $bla; - next unless $lines; - my $window = window_find_refnum $refnum; - unless (defined $window){ -- for 1..$lines; -+ readline $fh for 1..$lines; - next; - } - my $view = $window->view; - $view->remove_all_lines(); - $view->redraw(); - my $buf = ''; -- $buf .= for 1..$lines; -+ $buf .= readline $fh for 1..$lines; - my $sep = settings_get_str 'upgrade_separator'; - $sep .= "\n" if $sep ne ''; - $window->gui_printtext_after(undef, MSGLEVEL_CLIENTNOTICE, "$buf\cO$sep"); -@@ -119,3 +126,10 @@ sub suppress { - unless (-f sprintf('%s/scripts/autorun/buf.pl', get_irssi_dir)) { - Irssi::print('PUT THIS SCRIPT IN ~/.irssi/scripts/autorun/ BEFORE /UPGRADING!!'); - } -+ -+# Remove any left-over file. If 'session' doesn't exist (created by irssi -+# during /UPGRADE), neither should our file. -+unless (-e sprintf('%s/session', get_irssi_dir)) { -+ my $fn = _filename; -+ unlink $fn or warn "unlink $fn: $!" if -e $fn; -+} diff --git a/irssi.spec b/irssi.spec index bc95f02..33cd204 100644 --- a/irssi.spec +++ b/irssi.spec @@ -2,8 +2,8 @@ Summary: Modular text mode IRC client with Perl scripting Name: irssi -Version: 0.8.20 -Release: 2%{?dist} +Version: 0.8.21 +Release: 1%{?dist} License: GPLv2+ Group: Applications/Communications @@ -15,7 +15,6 @@ BuildRequires: ncurses-devel openssl-devel zlib-devel BuildRequires: pkgconfig glib2-devel perl-devel perl-generators perl(ExtUtils::Embed) BuildRequires: autoconf automake libtool Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) -Patch0: irssi-0.8.20-CVE-2016-7553.patch %package devel Summary: Development package for irssi @@ -37,7 +36,6 @@ being maintained. %prep %setup -q -%patch0 -p1 -b .CVE-2016-7553 %build autoreconf -i @@ -89,6 +87,15 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Thu Jan 19 2017 Jaroslav Škarvada - 0.8.21-1 +- New version + Resolves: CVE-2017-5193 + Resolves: CVE-2017-5194 + Resolves: CVE-2017-5195 + Resolves: CVE-2017-5196 + Resolves: CVE-2017-5356 +- Dropped CVE-2016-7553 patch (upstreamed) + * Mon Sep 26 2016 Jaroslav Škarvada - 0.8.20-2 - Fixed buf.pl not to disclosure information through the filesystem Resolves: CVE-2016-7553 diff --git a/sources b/sources index fdcb78e..f1da319 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -67d48c5feec2d3b949d088aa4abc3601 irssi-0.8.20.tar.xz +SHA512 (irssi-0.8.21.tar.xz) = 110934ab85c8574fc76bce367c58378e28603898e63a5014a72170ffe441ffe3dbda432531e899176f5c4126f47d929a3a01a2f87bcacbfe0ba4d6d8cb31e642