From 2e19525f2f4904424caee7bc13be24163fd54216 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Sun, 18 Jun 2017 23:35:02 +0200 Subject: [PATCH] irssi: security bump to version 1.0.3 Fixes: CVE-2017-9468 - Joseph Bisch discovered that Irssi does not properly handle DCC messages without source nick/host. A malicious IRC server can take advantage of this flaw to cause Irssi to crash, resulting in a denial of service. CVE-2017-9469 - Joseph Bisch discovered that Irssi does not properly handle receiving incorrectly quoted DCC files. A remote attacker can take advantage of this flaw to cause Irssi to crash, resulting in a denial of service. See https://irssi.org/security/irssi_sa_2017_06.txt for more details. Remove 0001-Get-back-to-using-pkg-config-to-check-for-OpenSSL.patch as it applied upstream and drop autoreconf as configure.ac is no longer patched. Signed-off-by: Peter Korsgaard Signed-off-by: Thomas Petazzoni --- ...sing-pkg-config-to-check-for-OpenSSL.patch | 77 ------------------- package/irssi/irssi.hash | 2 +- package/irssi/irssi.mk | 5 +- 3 files changed, 2 insertions(+), 82 deletions(-) delete mode 100644 package/irssi/0001-Get-back-to-using-pkg-config-to-check-for-OpenSSL.patch diff --git a/package/irssi/0001-Get-back-to-using-pkg-config-to-check-for-OpenSSL.patch b/package/irssi/0001-Get-back-to-using-pkg-config-to-check-for-OpenSSL.patch deleted file mode 100644 index 0ce44f9354..0000000000 --- a/package/irssi/0001-Get-back-to-using-pkg-config-to-check-for-OpenSSL.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From ed0c2c1b9504a99a6dcc3c0f5de3b3a1c0232758 Mon Sep 17 00:00:00 2001 -From: Rodrigo Rebello -Date: Mon, 20 Mar 2017 13:17:42 -0300 -Subject: [PATCH] Get back to using pkg-config to check for OpenSSL - -Commit 6300dfec7 removed the option to disable SSL support from the -configure script since it became a requirement, but it also removed the -use of pkg-config for finding the OpenSSL library and its dependencies. - -This had the unfortunate consequence of breaking the correct detection -of library flags in many static linking scenarios. In some cases, for -example, OpenSSL might have been built with zlib, which requires `-lz` -to be passed to the linker when doing a static link of the irssi -executable. Thus, pkg-config becomes an invaluable tool in such -situations, since no guessing work is needed as the OpenSSL .pc file -provides all the necessary flags. - -So, this patch re-inserts the PKG_CHECK_MODULES macro in the configure -script when looking for OpenSSL. The test using AC_CHECK_LIB remains, -but only as a last resort in case the one using pkg-config fails. - -Also, because the macro AM_PATH_GLIB_2_0 contains an unconditional call -to PKG_PROG_PKG_CONFIG, the OpenSSL checks are moved so that they come -after the Glib ones in order to avoid doubly checking for the pkg-config -binary (PKG_CHECK_MODULES skips that check if it has been performed -before, but PKG_PROG_PKG_CONFIG does not). 
- -Upstream status: submitted -https://github.com/irssi/irssi/pull/677 - -Signed-off-by: Rodrigo Rebello ---- - configure.ac | 21 +++++++++++++++------ - 1 file changed, 15 insertions(+), 6 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 02b33497..9f191d3f 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -231,11 +231,6 @@ if test "x$want_socks" = "xyes"; then - fi - - dnl ** --dnl ** OpenSSL checks --dnl ** --AC_CHECK_LIB([ssl], [SSL_library_init]) -- --dnl ** - dnl ** fe-text checks - dnl ** - -@@ -276,7 +271,21 @@ if test -z "$GLIB_LIBS"; then - AC_ERROR([GLIB is required to build irssi.]) - fi - --LIBS="$LIBS $GLIB_LIBS -lssl -lcrypto" -+LIBS="$LIBS $GLIB_LIBS" -+ -+dnl ** -+dnl ** OpenSSL checks -+dnl ** -+PKG_CHECK_MODULES([OPENSSL], [openssl], [ -+ CFLAGS="$CFLAGS $OPENSSL_CFLAGS" -+ LIBS="$LIBS $OPENSSL_LIBS" -+], [ -+ AC_CHECK_LIB([ssl], [SSL_library_init], [ -+ LIBS="$LIBS -lssl -lcrypto" -+ ], [ -+ AC_MSG_ERROR([The OpenSSL library was not found]) -+ ]) -+]) - - dnl ** - dnl ** curses checks --- -2.11.0 - diff --git a/package/irssi/irssi.hash b/package/irssi/irssi.hash index f1472e04bf..abb421998c 100644 --- a/package/irssi/irssi.hash +++ b/package/irssi/irssi.hash @@ -1,2 +1,2 @@ # Locally calculated after checking pgp signature -sha256 5c1c3cc2caf103aad073fadeb000e0f8cb3b416833a7f43ceb8bd9fcf275fbe9 irssi-1.0.2.tar.xz +sha256 838220297dcbe7c8c42d01005059779a82f5b7b7e7043db37ad13f5966aff581 irssi-1.0.3.tar.xz diff --git a/package/irssi/irssi.mk b/package/irssi/irssi.mk index 1fe4de83cd..ae7986ce98 100644 --- a/package/irssi/irssi.mk +++ b/package/irssi/irssi.mk @@ -4,7 +4,7 @@ # ################################################################################ -IRSSI_VERSION = 1.0.2 +IRSSI_VERSION = 1.0.3 IRSSI_SOURCE = irssi-$(IRSSI_VERSION).tar.xz # Do not use the github helper here. The generated tarball is *NOT* the # same as the one uploaded by upstream for the release. 
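Review bot: The context comment in package/irssi/irssi.hash, `# Locally calculated after checking pgp signature`, is carried over unchanged for the new irssi-1.0.3.tar.xz entry and does not record which signature file or signing key was checked, so a later reviewer cannot repeat the verification behind the new sha256. I would extend it to something like `# Locally calculated after checking pgp signature <SIGNATURE_URL>, key <KEY_FINGERPRINT>` (placeholders, to be filled in from the upstream release). The comment in irssi.mk says the tarball is deliberately the upstream upload, not the github-generated one. This hash and the signature check therefore appear to be the main integrity anchor for this security bump.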
@@ -13,9 +13,6 @@ IRSSI_LICENSE = GPL-2.0+ IRSSI_LICENSE_FILES = COPYING IRSSI_DEPENDENCIES = host-pkgconf libglib2 ncurses openssl -# We're patching configure.ac, so we need to autoreconf -IRSSI_AUTORECONF = YES - IRSSI_CONF_OPTS = \ --disable-glibtest \ --with-ncurses=$(STAGING_DIR)/usr \