Date:      Sat, 10 Nov 2012 04:55:47 +0000 (UTC)
From:      Eitan Adler <eadler@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r307263 - in head: irc/weechat irc/weechat-devel irc/weechat-devel/files irc/weechat/files security/vuxml
Message-ID:  <201211100455.qAA4tlUs030553@svn.freebsd.org>

Author: eadler
Date: Sat Nov 10 04:55:47 2012
New Revision: 307263
URL: http://svnweb.freebsd.org/changeset/ports/307263

Log:
  Apply an upstream patch that fixes a security hole
  when receiving a special colored message.
  
  The maintainer was contacted, but due to the nature of
  the issue the patch is being applied ASAP.
  
  Approved by:	secteam-ports (swills)
  Security:	e02c572f-2af0-11e2-bb44-003067b2972c
  Feature safe:	yes

Added:
  head/irc/weechat-devel/files/patch-src-plugins-irc-irc-color.c   (contents, props changed)
  head/irc/weechat/files/patch-src-plugins-irc-irc-color.c   (contents, props changed)
Modified:
  head/irc/weechat-devel/Makefile
  head/irc/weechat/Makefile
  head/security/vuxml/vuln.xml

Modified: head/irc/weechat-devel/Makefile
==============================================================================
--- head/irc/weechat-devel/Makefile	Sat Nov 10 04:21:18 2012	(r307262)
+++ head/irc/weechat-devel/Makefile	Sat Nov 10 04:55:47 2012	(r307263)
@@ -2,6 +2,7 @@
 
 PORTNAME=	weechat
 PORTVERSION=	20121103
+PORTREVISION=	1
 CATEGORIES=	irc
 MASTER_SITES=	http://perturb.me.uk/distfiles/ \
 		${MASTER_SITE_LOCAL}

Added: head/irc/weechat-devel/files/patch-src-plugins-irc-irc-color.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/irc/weechat-devel/files/patch-src-plugins-irc-irc-color.c	Sat Nov 10 04:55:47 2012	(r307263)
@@ -0,0 +1,133 @@
+From 9453e81baa7935db82a0b765a47cba772aba730d Mon Sep 17 00:00:00 2001
+--- src/plugins/irc/irc-color.c
++++ src/plugins/irc/irc-color.c
+@@ -62,13 +62,15 @@ char *irc_color_to_weechat[IRC_NUM_COLORS] =
+ char *
+ irc_color_decode (const char *string, int keep_colors)
+ {
+-    unsigned char *out, *ptr_string;
+-    int out_length, length, out_pos;
+-    char str_fg[3], str_bg[3], str_color[128], str_key[128];
++    unsigned char *out, *out2, *ptr_string;
++    int out_length, length, out_pos, length_to_add;
++    char str_fg[3], str_bg[3], str_color[128], str_key[128], str_to_add[128];
+     const char *remapped_color;
+     int fg, bg, bold, reverse, italic, underline, rc;
+ 
+     out_length = (strlen (string) * 2) + 1;
++    if (out_length < 128)
++        out_length = 128;
+     out = malloc (out_length);
+     if (!out)
+         return NULL;
+@@ -80,20 +82,27 @@ irc_color_decode (const char *string, int keep_colors)
+ 
+     ptr_string = (unsigned char *)string;
+     out[0] = '\0';
++    out_pos = 0;
+     while (ptr_string && ptr_string[0])
+     {
++        str_to_add[0] = '\0';
+         switch (ptr_string[0])
+         {
+             case IRC_COLOR_BOLD_CHAR:
+                 if (keep_colors)
+-                    strcat ((char *)out,
+-                            weechat_color((bold) ? "-bold" : "bold"));
++                {
++                    snprintf (str_to_add, sizeof (str_to_add), "%s",
++                              weechat_color ((bold) ? "-bold" : "bold"));
++                }
+                 bold ^= 1;
+                 ptr_string++;
+                 break;
+             case IRC_COLOR_RESET_CHAR:
+                 if (keep_colors)
+-                    strcat ((char *)out, weechat_color("reset"));
++                {
++                    snprintf (str_to_add, sizeof (str_to_add), "%s",
++                              weechat_color ("reset"));
++                }
+                 bold = 0;
+                 reverse = 0;
+                 italic = 0;
+@@ -106,22 +115,28 @@ irc_color_decode (const char *string, int keep_colors)
+             case IRC_COLOR_REVERSE_CHAR:
+             case IRC_COLOR_REVERSE2_CHAR:
+                 if (keep_colors)
+-                    strcat ((char *)out,
+-                            weechat_color((reverse) ? "-reverse" : "reverse"));
++                {
++                    snprintf (str_to_add, sizeof (str_to_add), "%s",
++                              weechat_color ((reverse) ? "-reverse" : "reverse"));
++                }
+                 reverse ^= 1;
+                 ptr_string++;
+                 break;
+             case IRC_COLOR_ITALIC_CHAR:
+                 if (keep_colors)
+-                    strcat ((char *)out,
+-                            weechat_color((italic) ? "-italic" : "italic"));
++                {
++                    snprintf (str_to_add, sizeof (str_to_add), "%s",
++                              weechat_color ((italic) ? "-italic" : "italic"));
++                }
+                 italic ^= 1;
+                 ptr_string++;
+                 break;
+             case IRC_COLOR_UNDERLINE_CHAR:
+                 if (keep_colors)
+-                    strcat ((char *)out,
+-                            weechat_color((underline) ? "-underline" : "underline"));
++                {
++                    snprintf (str_to_add, sizeof (str_to_add), "%s",
++                              weechat_color ((underline) ? "-underline" : "underline"));
++                }
+                 underline ^= 1;
+                 ptr_string++;
+                 break;
+@@ -194,22 +209,39 @@ irc_color_decode (const char *string, int keep_colors)
+                                       (bg >= 0) ? "," : "",
+                                       (bg >= 0) ? irc_color_to_weechat[bg] : "");
+                         }
+-                        strcat ((char *)out, weechat_color(str_color));
++                        snprintf (str_to_add, sizeof (str_to_add), "%s",
++                                  weechat_color (str_color));
+                     }
+                     else
+-                        strcat ((char *)out, weechat_color("resetcolor"));
++                    {
++                        snprintf (str_to_add, sizeof (str_to_add), "%s",
++                                  weechat_color ("resetcolor"));
++                    }
+                 }
+                 break;
+             default:
+                 length = weechat_utf8_char_size ((char *)ptr_string);
+                 if (length == 0)
+                     length = 1;
+-                out_pos = strlen ((char *)out);
+-                memcpy (out + out_pos, ptr_string, length);
+-                out[out_pos + length] = '\0';
++                memcpy (str_to_add, ptr_string, length);
++                str_to_add[length] = '\0';
+                 ptr_string += length;
+                 break;
+         }
++        if (str_to_add[0])
++        {
++            length_to_add = strlen (str_to_add);
++            if (out_pos + length_to_add >= out_length)
++            {
++                out_length *= 2;
++                out2 = realloc (out, out_length);
++                if (!out2)
++                    return (char *)out;
++                out = out2;
++            }
++            memcpy (out + out_pos, str_to_add, length_to_add + 1);
++            out_pos += length_to_add;
++        }
+     }
+ 
+     return (char *)out;
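Review bot: The growth step in the new append block (`out_length *= 2` before `realloc`) doubles only once, which is enough only because the `128` floor on `out_length` happens to equal `sizeof (str_to_add)`; the two literals are not tied together, so enlarging `str_to_add` later would reintroduce a heap overflow in the final `memcpy`. Tying them makes the invariant explicit: `if (out_length < (int)sizeof (str_to_add)) out_length = sizeof (str_to_add);`, with a comment such as `/* one doubling always fits: length_to_add < sizeof (str_to_add) <= out_length */`. Separately, when `realloc` fails the function returns the partially decoded `out`, which a caller cannot tell apart from a complete result, whereas the `malloc` failure path returns NULL; `free (out); return NULL;` would be consistent with it. The embedded patch shows only parts of `irc_color_decode`, so the color-code case between its hunks is not covered here; the identical patch added under head/irc/weechat/files carries the same points.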

Modified: head/irc/weechat/Makefile
==============================================================================
--- head/irc/weechat/Makefile	Sat Nov 10 04:21:18 2012	(r307262)
+++ head/irc/weechat/Makefile	Sat Nov 10 04:55:47 2012	(r307263)
@@ -3,6 +3,7 @@
 
 PORTNAME=	weechat
 PORTVERSION=	0.3.9
+PORTREVISION=	1
 CATEGORIES=	irc
 MASTER_SITES=	http://weechat.org/files/src/
 

Added: head/irc/weechat/files/patch-src-plugins-irc-irc-color.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/irc/weechat/files/patch-src-plugins-irc-irc-color.c	Sat Nov 10 04:55:47 2012	(r307263)
@@ -0,0 +1,133 @@
+From 9453e81baa7935db82a0b765a47cba772aba730d Mon Sep 17 00:00:00 2001
+--- src/plugins/irc/irc-color.c
++++ src/plugins/irc/irc-color.c
+@@ -62,13 +62,15 @@ char *irc_color_to_weechat[IRC_NUM_COLORS] =
+ char *
+ irc_color_decode (const char *string, int keep_colors)
+ {
+-    unsigned char *out, *ptr_string;
+-    int out_length, length, out_pos;
+-    char str_fg[3], str_bg[3], str_color[128], str_key[128];
++    unsigned char *out, *out2, *ptr_string;
++    int out_length, length, out_pos, length_to_add;
++    char str_fg[3], str_bg[3], str_color[128], str_key[128], str_to_add[128];
+     const char *remapped_color;
+     int fg, bg, bold, reverse, italic, underline, rc;
+ 
+     out_length = (strlen (string) * 2) + 1;
++    if (out_length < 128)
++        out_length = 128;
+     out = malloc (out_length);
+     if (!out)
+         return NULL;
+@@ -80,20 +82,27 @@ irc_color_decode (const char *string, int keep_colors)
+ 
+     ptr_string = (unsigned char *)string;
+     out[0] = '\0';
++    out_pos = 0;
+     while (ptr_string && ptr_string[0])
+     {
++        str_to_add[0] = '\0';
+         switch (ptr_string[0])
+         {
+             case IRC_COLOR_BOLD_CHAR:
+                 if (keep_colors)
+-                    strcat ((char *)out,
+-                            weechat_color((bold) ? "-bold" : "bold"));
++                {
++                    snprintf (str_to_add, sizeof (str_to_add), "%s",
++                              weechat_color ((bold) ? "-bold" : "bold"));
++                }
+                 bold ^= 1;
+                 ptr_string++;
+                 break;
+             case IRC_COLOR_RESET_CHAR:
+                 if (keep_colors)
+-                    strcat ((char *)out, weechat_color("reset"));
++                {
++                    snprintf (str_to_add, sizeof (str_to_add), "%s",
++                              weechat_color ("reset"));
++                }
+                 bold = 0;
+                 reverse = 0;
+                 italic = 0;
+@@ -106,22 +115,28 @@ irc_color_decode (const char *string, int keep_colors)
+             case IRC_COLOR_REVERSE_CHAR:
+             case IRC_COLOR_REVERSE2_CHAR:
+                 if (keep_colors)
+-                    strcat ((char *)out,
+-                            weechat_color((reverse) ? "-reverse" : "reverse"));
++                {
++                    snprintf (str_to_add, sizeof (str_to_add), "%s",
++                              weechat_color ((reverse) ? "-reverse" : "reverse"));
++                }
+                 reverse ^= 1;
+                 ptr_string++;
+                 break;
+             case IRC_COLOR_ITALIC_CHAR:
+                 if (keep_colors)
+-                    strcat ((char *)out,
+-                            weechat_color((italic) ? "-italic" : "italic"));
++                {
++                    snprintf (str_to_add, sizeof (str_to_add), "%s",
++                              weechat_color ((italic) ? "-italic" : "italic"));
++                }
+                 italic ^= 1;
+                 ptr_string++;
+                 break;
+             case IRC_COLOR_UNDERLINE_CHAR:
+                 if (keep_colors)
+-                    strcat ((char *)out,
+-                            weechat_color((underline) ? "-underline" : "underline"));
++                {
++                    snprintf (str_to_add, sizeof (str_to_add), "%s",
++                              weechat_color ((underline) ? "-underline" : "underline"));
++                }
+                 underline ^= 1;
+                 ptr_string++;
+                 break;
+@@ -194,22 +209,39 @@ irc_color_decode (const char *string, int keep_colors)
+                                       (bg >= 0) ? "," : "",
+                                       (bg >= 0) ? irc_color_to_weechat[bg] : "");
+                         }
+-                        strcat ((char *)out, weechat_color(str_color));
++                        snprintf (str_to_add, sizeof (str_to_add), "%s",
++                                  weechat_color (str_color));
+                     }
+                     else
+-                        strcat ((char *)out, weechat_color("resetcolor"));
++                    {
++                        snprintf (str_to_add, sizeof (str_to_add), "%s",
++                                  weechat_color ("resetcolor"));
++                    }
+                 }
+                 break;
+             default:
+                 length = weechat_utf8_char_size ((char *)ptr_string);
+                 if (length == 0)
+                     length = 1;
+-                out_pos = strlen ((char *)out);
+-                memcpy (out + out_pos, ptr_string, length);
+-                out[out_pos + length] = '\0';
++                memcpy (str_to_add, ptr_string, length);
++                str_to_add[length] = '\0';
+                 ptr_string += length;
+                 break;
+         }
++        if (str_to_add[0])
++        {
++            length_to_add = strlen (str_to_add);
++            if (out_pos + length_to_add >= out_length)
++            {
++                out_length *= 2;
++                out2 = realloc (out, out_length);
++                if (!out2)
++                    return (char *)out;
++                out = out2;
++            }
++            memcpy (out + out_pos, str_to_add, length_to_add + 1);
++            out_pos += length_to_add;
++        }
+     }
+ 
+     return (char *)out;

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sat Nov 10 04:21:18 2012	(r307262)
+++ head/security/vuxml/vuln.xml	Sat Nov 10 04:55:47 2012	(r307263)
@@ -51,6 +51,36 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="e02c572f-2af0-11e2-bb44-003067b2972c">
+    <topic>weechat -- crash bug from specially crafted messages</topic>
+    <affects>
+      <package>
+	<name>weechat</name>
+	<range><le>0.3.9</le></range>
+      </package>
+      <package>
+	<name>weechat-devel</name>
+	<range><le>20121103</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Sebastien Helleu reports:</p>
+	<blockquote cite="https://savannah.nongnu.org/bugs/?37704">;
+	  <p>weechat is vulnerable to a crash when sending a special coloured
+	    message.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <freebsdpr>ports/173513</freebsdpr>
+    </references>
+    <dates>
+      <discovery>2012-11-09</discovery>
+      <entry>2012-11-10</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="5e647ca3-2aea-11e2-b745-001fd0af1a4c">
     <topic>lang/ruby19 -- Hash-flooding DoS vulnerability for ruby 1.9</topic>
     <affects>
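Review bot: The `<references>` block of the new entry lists only `<freebsdpr>ports/173513</freebsdpr>`, although the description quotes the upstream report; adding `<url>https://savannah.nongnu.org/bugs/?37704</url>` there would let consumers of the advisory reach the upstream bug without parsing the blockquote's `cite` attribute. The topic calls this a "crash bug", while the patch committed alongside replaces unbounded `strcat` calls into a heap buffer sized from the input, so the impact is probably heap memory corruption from a remote message rather than a clean crash. If that reading is confirmed upstream, wording such as `weechat -- heap buffer overflow when decoding IRC colors` would help users triage it correctly.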


