[PATCH] irssi: security bump to version 1.0.3

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH] irssi: security bump to version 1.0.3

Peter Korsgaard-2
Fixes:

CVE-2017-9468 - Joseph Bisch discovered that Irssi does not properly handle
DCC messages without source nick/host.  A malicious IRC server can take
advantage of this flaw to cause Irssi to crash, resulting in a  denial of
service.

CVE-2017-9469 - Joseph Bisch discovered that Irssi does not properly handle
receiving incorrectly quoted DCC files.  A remote attacker can take
advantage of this flaw to cause Irssi to crash, resulting in a denial of
service.

See https://irssi.org/security/irssi_sa_2017_06.txt for more details.

Remove 0001-Get-back-to-using-pkg-config-to-check-for-OpenSSL.patch as it
applied upstream and drop autoreconf as configure.ac is no longer patched.

Signed-off-by: Peter Korsgaard <[hidden email]>
---
 ...-to-using-pkg-config-to-check-for-OpenSSL.patch | 77 ----------------------
 package/irssi/irssi.hash                           |  2 +-
 package/irssi/irssi.mk                             |  5 +-
 3 files changed, 2 insertions(+), 82 deletions(-)
 delete mode 100644 package/irssi/0001-Get-back-to-using-pkg-config-to-check-for-OpenSSL.patch

diff --git a/package/irssi/0001-Get-back-to-using-pkg-config-to-check-for-OpenSSL.patch b/package/irssi/0001-Get-back-to-using-pkg-config-to-check-for-OpenSSL.patch
deleted file mode 100644
index 0ce44f9354..0000000000
--- a/package/irssi/0001-Get-back-to-using-pkg-config-to-check-for-OpenSSL.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From ed0c2c1b9504a99a6dcc3c0f5de3b3a1c0232758 Mon Sep 17 00:00:00 2001
-From: Rodrigo Rebello <[hidden email]>
-Date: Mon, 20 Mar 2017 13:17:42 -0300
-Subject: [PATCH] Get back to using pkg-config to check for OpenSSL
-
-Commit 6300dfec7 removed the option to disable SSL support from the
-configure script since it became a requirement, but it also removed the
-use of pkg-config for finding the OpenSSL library and its dependencies.
-
-This had the unfortunate consequence of breaking the correct detection
-of library flags in many static linking scenarios. In some cases, for
-example, OpenSSL might have been built with zlib, which requires `-lz`
-to be passed to the linker when doing a static link of the irssi
-executable. Thus, pkg-config becomes an invaluable tool in such
-situations, since no guessing work is needed as the OpenSSL .pc file
-provides all the necessary flags.
-
-So, this patch re-inserts the PKG_CHECK_MODULES macro in the configure
-script when looking for OpenSSL. The test using AC_CHECK_LIB remains,
-but only as a last resort in case the one using pkg-config fails.
-
-Also, because the macro AM_PATH_GLIB_2_0 contains an unconditional call
-to PKG_PROG_PKG_CONFIG, the OpenSSL checks are moved so that they come
-after the Glib ones in order to avoid doubly checking for the pkg-config
-binary (PKG_CHECK_MODULES skips that check if it has been performed
-before, but PKG_PROG_PKG_CONFIG does not).
-
-Upstream status: submitted
-https://github.com/irssi/irssi/pull/677
-
-Signed-off-by: Rodrigo Rebello <[hidden email]>
----
- configure.ac | 21 +++++++++++++++------
- 1 file changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 02b33497..9f191d3f 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -231,11 +231,6 @@ if test "x$want_socks" = "xyes"; then
- fi
-
- dnl **
--dnl ** OpenSSL checks
--dnl **
--AC_CHECK_LIB([ssl], [SSL_library_init])
--
--dnl **
- dnl ** fe-text checks
- dnl **
-
-@@ -276,7 +271,21 @@ if test -z "$GLIB_LIBS"; then
-   AC_ERROR([GLIB is required to build irssi.])
- fi
-
--LIBS="$LIBS $GLIB_LIBS -lssl -lcrypto"
-+LIBS="$LIBS $GLIB_LIBS"
-+
-+dnl **
-+dnl ** OpenSSL checks
-+dnl **
-+PKG_CHECK_MODULES([OPENSSL], [openssl], [
-+ CFLAGS="$CFLAGS $OPENSSL_CFLAGS"
-+ LIBS="$LIBS $OPENSSL_LIBS"
-+], [
-+ AC_CHECK_LIB([ssl], [SSL_library_init], [
-+ LIBS="$LIBS -lssl -lcrypto"
-+ ], [
-+ AC_MSG_ERROR([The OpenSSL library was not found])
-+ ])
-+])
-
- dnl **
- dnl ** curses checks
---
-2.11.0
-
diff --git a/package/irssi/irssi.hash b/package/irssi/irssi.hash
index f1472e04bf..abb421998c 100644
--- a/package/irssi/irssi.hash
+++ b/package/irssi/irssi.hash
@@ -1,2 +1,2 @@
 # Locally calculated after checking pgp signature
-sha256 5c1c3cc2caf103aad073fadeb000e0f8cb3b416833a7f43ceb8bd9fcf275fbe9 irssi-1.0.2.tar.xz
+sha256 838220297dcbe7c8c42d01005059779a82f5b7b7e7043db37ad13f5966aff581 irssi-1.0.3.tar.xz
diff --git a/package/irssi/irssi.mk b/package/irssi/irssi.mk
index 1fe4de83cd..ae7986ce98 100644
--- a/package/irssi/irssi.mk
+++ b/package/irssi/irssi.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-IRSSI_VERSION = 1.0.2
+IRSSI_VERSION = 1.0.3
 IRSSI_SOURCE = irssi-$(IRSSI_VERSION).tar.xz
 # Do not use the github helper here. The generated tarball is *NOT* the
 # same as the one uploaded by upstream for the release.
@@ -13,9 +13,6 @@ IRSSI_LICENSE = GPL-2.0+
 IRSSI_LICENSE_FILES = COPYING
 IRSSI_DEPENDENCIES = host-pkgconf libglib2 ncurses openssl
 
-# We're patching configure.ac, so we need to autoreconf
-IRSSI_AUTORECONF = YES
-
 IRSSI_CONF_OPTS = \
  --disable-glibtest \
  --with-ncurses=$(STAGING_DIR)/usr \
--
2.11.0

_______________________________________________
buildroot mailing list
[hidden email]
http://lists.busybox.net/mailman/listinfo/buildroot
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] irssi: security bump to version 1.0.3

Thomas Petazzoni-2
Hello,

On Sun, 18 Jun 2017 23:35:02 +0200, Peter Korsgaard wrote:

> Fixes:
>
> CVE-2017-9468 - Joseph Bisch discovered that Irssi does not properly handle
> DCC messages without source nick/host.  A malicious IRC server can take
> advantage of this flaw to cause Irssi to crash, resulting in a  denial of
> service.
>
> CVE-2017-9469 - Joseph Bisch discovered that Irssi does not properly handle
> receiving incorrectly quoted DCC files.  A remote attacker can take
> advantage of this flaw to cause Irssi to crash, resulting in a denial of
> service.
>
> See https://irssi.org/security/irssi_sa_2017_06.txt for more details.
>
> Remove 0001-Get-back-to-using-pkg-config-to-check-for-OpenSSL.patch as it
> applied upstream and drop autoreconf as configure.ac is no longer patched.
>
> Signed-off-by: Peter Korsgaard <[hidden email]>
> ---
>  ...-to-using-pkg-config-to-check-for-OpenSSL.patch | 77 ----------------------
>  package/irssi/irssi.hash                           |  2 +-
>  package/irssi/irssi.mk                             |  5 +-
>  3 files changed, 2 insertions(+), 82 deletions(-)
>  delete mode 100644 package/irssi/0001-Get-back-to-using-pkg-config-to-check-for-OpenSSL.patch

Applied to master, thanks.

Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
_______________________________________________
buildroot mailing list
[hidden email]
http://lists.busybox.net/mailman/listinfo/buildroot
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] irssi: security bump to version 1.0.3

Peter Korsgaard-2
In reply to this post by Peter Korsgaard-2
>>>>> "Peter" == Peter Korsgaard <[hidden email]> writes:

 > Fixes:
 > CVE-2017-9468 - Joseph Bisch discovered that Irssi does not properly handle
 > DCC messages without source nick/host.  A malicious IRC server can take
 > advantage of this flaw to cause Irssi to crash, resulting in a  denial of
 > service.

 > CVE-2017-9469 - Joseph Bisch discovered that Irssi does not properly handle
 > receiving incorrectly quoted DCC files.  A remote attacker can take
 > advantage of this flaw to cause Irssi to crash, resulting in a denial of
 > service.

 > See https://irssi.org/security/irssi_sa_2017_06.txt for more details.

 > Remove 0001-Get-back-to-using-pkg-config-to-check-for-OpenSSL.patch as it
 > applied upstream and drop autoreconf as configure.ac is no longer patched.

 > Signed-off-by: Peter Korsgaard <[hidden email]>

Committed to 2017.02.x and 2017.05.x, thanks.

--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
[hidden email]
http://lists.busybox.net/mailman/listinfo/buildroot