New version

Resolves: CVE-2017-5193
  Resolves: CVE-2017-5194
  Resolves: CVE-2017-5195
  Resolves: CVE-2017-5196
  Resolves: CVE-2017-5356
Dropped CVE-2016-7553 patch (upstreamed)
Jaroslav Škarvada 2017-01-19 17:42:53 +01:00
parent 03b5751d22
commit d6a772ffd1
3 changed files with 12 additions and 130 deletions


@ -1,125 +0,0 @@
From f1b1eb154baa684fad5d65bf4dff79c8ded8b65a Mon Sep 17 00:00:00 2001
From: Juerd Waalboer <juerd@tnx.nl>
Date: Thu, 22 Sep 2016 02:26:09 +0200
Subject: [PATCH] Fix disclosure via filesystem
buf.pl restores the scrollbuffer between "/upgrade"s by writing the
contents to a file, and reading that after the new process was spawned.
Through that file, the contents of (private) chat conversations may leak to
other users.
Careful users with a limited umask (e.g. 077) are not affected by this bug.
However, most Linux systems default to a umask of 022, meaning that files
written without further restricting the permissions, are readable by any
user.
This patch sets a safer umask of 077 for the scrollbuffer dump, and will
remove the temporary file after use to further reduce the attack surface.
Additionally, it will remove any remaining temporary scrollbuffer file left
in place, like those written by previous versions of the script.
---
scripts/buf.pl | 42 ++++++++++++++++++++++++++++--------------
1 file changed, 28 insertions(+), 14 deletions(-)
diff --git a/scripts/buf.pl b/scripts/buf.pl
index da50e82..6d907f1 100644
--- a/scripts/buf.pl
+++ b/scripts/buf.pl
@@ -5,7 +5,7 @@
settings_get_str settings_get_bool channels windows
settings_add_str settings_add_bool get_irssi_dir
window_find_refnum signal_stop);
-$VERSION = '2.13';
+$VERSION = '2.20';
%IRSSI = (
authors => 'Juerd',
contact => 'juerd@juerd.nl',
@@ -13,10 +13,8 @@
description => 'Saves the buffer for /upgrade, so that no information is lost',
license => 'Public Domain',
url => 'http://juerd.nl/irssi/',
- changed => 'Mon May 13 19:41 CET 2002',
- changes => 'Severe formatting bug removed * oops, I ' .
- 'exposed Irssi to ircII foolishness * sorry ' .
- '** removed logging stuff (this is a fix)',
+ changed => 'Thu Sep 22 01:37 CEST 2016',
+ changes => 'Fixed file permissions (leaked everything via filesystem)',
note1 => 'This script HAS TO BE in your scripts/autorun!',
note2 => 'Perl support must be static or in startup',
);
@@ -39,9 +37,15 @@
my %suppress;
+sub _filename { sprintf '%s/scrollbuffer', get_irssi_dir }
+
sub upgrade {
- open BUF, q{>}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!;
- print BUF join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n";
+ my $fn = _filename;
+ my $old_umask = umask 0077;
+ open my $fh, q{>}, $fn or die "open $fn: $!";
+ umask $old_umask;
+
+ print $fh join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n";
for my $window (windows) {
next unless defined $window;
next if $window->{name} eq 'status';
@@ -57,36 +61,39 @@ sub upgrade {
redo if defined $line;
}
}
- printf BUF "%s:%s\n%s", $window->{refnum}, $lines, $buf;
+ printf $fh "%s:%s\n%s", $window->{refnum}, $lines, $buf;
}
- close BUF;
+ close $fh;
unlink sprintf("%s/sessionconfig", get_irssi_dir);
command 'layout save';
command 'save';
}
sub restore {
- open BUF, q{<}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!;
- my @suppress = split /\0/, <BUF>;
+ my $fn = _filename;
+ open my $fh, q{<}, $fn or die "open $fn: $!";
+ unlink $fn or warn "unlink $fn: $!";
+
+ my @suppress = split /\0/, readline $fh;
if (settings_get_bool 'upgrade_suppress_join') {
chomp $suppress[-1];
@suppress{@suppress} = (2) x @suppress;
}
active_win->command('^window scroll off');
- while (my $bla = <BUF>){
+ while (my $bla = readline $fh){
chomp $bla;
my ($refnum, $lines) = split /:/, $bla;
next unless $lines;
my $window = window_find_refnum $refnum;
unless (defined $window){
- <BUF> for 1..$lines;
+ readline $fh for 1..$lines;
next;
}
my $view = $window->view;
$view->remove_all_lines();
$view->redraw();
my $buf = '';
- $buf .= <BUF> for 1..$lines;
+ $buf .= readline $fh for 1..$lines;
my $sep = settings_get_str 'upgrade_separator';
$sep .= "\n" if $sep ne '';
$window->gui_printtext_after(undef, MSGLEVEL_CLIENTNOTICE, "$buf\cO$sep");
@@ -119,3 +126,10 @@ sub suppress {
unless (-f sprintf('%s/scripts/autorun/buf.pl', get_irssi_dir)) {
Irssi::print('PUT THIS SCRIPT IN ~/.irssi/scripts/autorun/ BEFORE /UPGRADING!!');
}
+
+# Remove any left-over file. If 'session' doesn't exist (created by irssi
+# during /UPGRADE), neither should our file.
+unless (-e sprintf('%s/session', get_irssi_dir)) {
+ my $fn = _filename;
+ unlink $fn or warn "unlink $fn: $!" if -e $fn;
+}


@ -2,8 +2,8 @@
Summary: Modular text mode IRC client with Perl scripting
Name: irssi
Version: 0.8.20
Release: 2%{?dist}
Version: 0.8.21
Release: 1%{?dist}
License: GPLv2+
Group: Applications/Communications
@ -15,7 +15,6 @@ BuildRequires: ncurses-devel openssl-devel zlib-devel
BuildRequires: pkgconfig glib2-devel perl-devel perl-generators perl(ExtUtils::Embed)
BuildRequires: autoconf automake libtool
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Patch0: irssi-0.8.20-CVE-2016-7553.patch
%package devel
Summary: Development package for irssi
@ -37,7 +36,6 @@ being maintained.
%prep
%setup -q
%patch0 -p1 -b .CVE-2016-7553
%build
autoreconf -i
@ -89,6 +87,15 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Thu Jan 19 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 0.8.21-1
- New version
Resolves: CVE-2017-5193
Resolves: CVE-2017-5194
Resolves: CVE-2017-5195
Resolves: CVE-2017-5196
Resolves: CVE-2017-5356
- Dropped CVE-2016-7553 patch (upstreamed)
* Mon Sep 26 2016 Jaroslav Škarvada <jskarvad@redhat.com> - 0.8.20-2
- Fixed buf.pl not to disclosure information through the filesystem
Resolves: CVE-2016-7553


@ -1 +1 @@
67d48c5feec2d3b949d088aa4abc3601 irssi-0.8.20.tar.xz
SHA512 (irssi-0.8.21.tar.xz) = 110934ab85c8574fc76bce367c58378e28603898e63a5014a72170ffe441ffe3dbda432531e899176f5c4126f47d929a3a01a2f87bcacbfe0ba4d6d8cb31e642