[SRU] Hexchat crashes whenever I click on a specific link in a channel

Bug #2029314 reported by Alistair Buxton
This bug affects 1 person
Affects           Status         Importance  Assigned to  Milestone
HexChat           Fix Released   Unknown
hexchat (Ubuntu)  Fix Released   Undecided   Unassigned
  Jammy           Fix Committed  Undecided   Unassigned
  Mantic          Fix Committed  Undecided   Unassigned
  Noble           Fix Released   Undecided   Unassigned

Bug Description

[ Impact ]

hexchat will crash when a user clicks on a link in any IRC tab if the URL contains the URL-encoded value of the forward slash (/). The URL can be a valid URL like:

https://github.com/SciQLop/SciQLopPlots/tree/main/.github%2Fworkflows
or
https://salsa.debian.org/debian/softhsm2/-/tree/master/src%2Fbin

There are other examples of such URLs, and all of them will crash hexchat even though the URL can be opened in a browser.

[ Test Plan ]

Open hexchat
connect to the ubuntu servers as a guest
send the url as a message to the guest
click on the url from the guest's screen.

hexchat will crash if the package is not fixed.
With the fixed package, hexchat will not crash but instead it will say "file not found"

Send a good url like https://salsa.debian.org/ and confirm that hexchat can still open it to check there is no regression.

[ Where problems could occur ]

This is an upstream patch which has modified the way it tests for forbidden characters in the URL. So, as a worst case, if the patch is buggy then the URL clicking ability of hexchat will be affected.

[ Other Info ]

The upstream patch further encodes the '%' in the URL to %25, which is the correct thing to do. Thus the URL becomes an invalid URL after hexchat processes it.
As a hexchat user I would have preferred if upstream could have somehow managed to open the URL, as we can open it in the browser.

[ Original Bug Description ]

The link in question:

https://github.com/SciQLop/SciQLopPlots/tree/main/.github%2Fworkflows

Hexchat has persistent history, so I can click this link any time and Hexchat will instantly crash. I am not sure if it will be reproducible for anyone else. The link itself is not harmful. When clicked, Firefox pops to the foreground but does not open the link. Hexchat crashes with a segfault inside glib.

ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: hexchat 2.16.1-1build2
ProcVersionSignature: Ubuntu 6.2.0-23.23-generic 6.2.12
Uname: Linux 6.2.0-23-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.26.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: XFCE
Date: Wed Aug 2 00:58:01 2023
InstallationDate: Installed on 2023-06-01 (61 days ago)
InstallationMedia: Xubuntu 23.04 "Lunar Lobster" - Release amd64 (20230414.2)
SourcePackage: hexchat
UpgradeStatus: No upgrade log present (probably fresh install)
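
The [ Other Info ] note in the description says the fix re-encodes '%' as %25, which is why a fixed hexchat reports "file not found" for these links. The following is an added example, not HexChat's code or the upstream patch: the helper names `escape_percent` and `decode_once` are hypothetical, and the receiving side is modelled as a single percent-decode pass.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: rewrite every '%' as "%25". Caller frees the result. */
char *escape_percent(const char *in)
{
    char *out = malloc(3 * strlen(in) + 1);   /* worst case: every byte is '%' */
    char *p = out;
    if (!out) return NULL;
    for (; *in; in++) {
        if (*in == '%') { memcpy(p, "%25", 3); p += 3; }
        else *p++ = *in;
    }
    *p = '\0';
    return out;
}

static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Decode one level of %XX; malformed escapes are copied through unchanged. */
char *decode_once(const char *in)
{
    const unsigned char *s = (const unsigned char *)in;
    char *out = malloc(strlen(in) + 1);
    char *p = out;
    if (!out) return NULL;
    while (*s) {
        if (s[0] == '%' && isxdigit(s[1]) && isxdigit(s[2])) {
            *p++ = (char)(hexval(s[1]) * 16 + hexval(s[2]));
            s += 3;
        } else {
            *p++ = (char)*s++;
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* One of the URLs quoted in the bug description. */
    const char *url = "https://salsa.debian.org/debian/softhsm2/-/tree/master/src%2Fbin";
    char *sent = escape_percent(url);
    char *seen = sent ? decode_once(sent) : NULL;
    if (!seen) return 1;
    printf("clicked : %s\nsent    : %s\nresolved: %s\n", url, sent, seen);
    free(sent); free(seen);
    return 0;
}
```

After one decode the receiver sees a literal `%2F` in the path rather than the separator the original link carried, so it looks up a different resource; a URL without '%' passes through unchanged, which is the regression case in the test plan.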

Revision history for this message
Alistair Buxton (a-j-buxton) wrote :

This is already reported upstream. The cause is the URL encoded part "%2F".

https://github.com/hexchat/hexchat/issues/2687

Changed in hexchat-irc:
status: Unknown → New
Changed in hexchat-irc:
status: New → Fix Released
Revision history for this message
Sudip Mukherjee (sudipmuk) wrote :

I have now tested and confirmed that it can be reproduced on Noble, Mantic and Jammy. I have also tested and confirmed Focal is not affected.

Changed in hexchat (Ubuntu):
status: New → Confirmed
Changed in hexchat (Ubuntu Jammy):
status: New → Confirmed
Changed in hexchat (Ubuntu Mantic):
status: New → Confirmed
Changed in hexchat (Ubuntu Jammy):
status: Confirmed → In Progress
Changed in hexchat (Ubuntu Mantic):
status: Confirmed → In Progress
Changed in hexchat (Ubuntu Noble):
status: Confirmed → In Progress
Changed in hexchat (Ubuntu Jammy):
assignee: nobody → Sudip Mukherjee (sudipmuk)
Changed in hexchat (Ubuntu Mantic):
assignee: nobody → Sudip Mukherjee (sudipmuk)
Changed in hexchat (Ubuntu Noble):
assignee: nobody → Sudip Mukherjee (sudipmuk)
Revision history for this message
Sudip Mukherjee (sudipmuk) wrote :

Debdiff attached for Noble, Mantic and Jammy.

summary: - Hexchat crashes whenever I click on a specific link in a channel
+ [SRU] Hexchat crashes whenever I click on a specific link in a channel
description: updated
Revision history for this message
Sudip Mukherjee (sudipmuk) wrote :
Changed in hexchat (Ubuntu Jammy):
status: In Progress → Confirmed
Changed in hexchat (Ubuntu Mantic):
status: In Progress → Confirmed
Changed in hexchat (Ubuntu Noble):
status: In Progress → Confirmed
Changed in hexchat (Ubuntu Jammy):
assignee: Sudip Mukherjee (sudipmuk) → nobody
Changed in hexchat (Ubuntu Mantic):
assignee: Sudip Mukherjee (sudipmuk) → nobody
Changed in hexchat (Ubuntu Noble):
assignee: Sudip Mukherjee (sudipmuk) → nobody
Revision history for this message
Vladimir Petko (vpa1977) wrote :

Thank you very much!!!

I will test the patch and upload it for noble.

Revision history for this message
Vladimir Petko (vpa1977) wrote :

Thank you very much for the updated package, I have uploaded it for noble[1].

[1] https://launchpad.net/ubuntu/+source/hexchat/2.16.1-1ubuntu1

Steve Langasek (vorlon)
Changed in hexchat (Ubuntu Noble):
status: Confirmed → Fix Committed
Revision history for this message
Lukas Märdian (slyon) wrote :

The SRUs look mostly good to me. I just fixed the version strings as per (please keep that in mind for your next SRU): https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging
-> 2.16.1-1ubuntu0.1
-> 2.16.0-4ubuntu0.1

It matches the upstream fix and builds fine.

I'm unsubscribing ~ubuntu-sponsors. The fix is already in noble-proposed and now sponsored for Mantic and Jammy:
https://launchpad.net/ubuntu/mantic/+queue?queue_state=1&queue_text=hexchat
https://launchpad.net/ubuntu/jammy/+queue?queue_state=1&queue_text=hexchat

Changed in hexchat (Ubuntu Jammy):
status: Confirmed → In Progress
Changed in hexchat (Ubuntu Mantic):
status: Confirmed → In Progress
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Alistair, or anyone else affected,

Accepted hexchat into mantic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/hexchat/2.16.1-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-mantic to verification-done-mantic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-mantic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in hexchat (Ubuntu Mantic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-mantic
Changed in hexchat (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed-jammy
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Hello Alistair, or anyone else affected,

Accepted hexchat into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/hexchat/2.16.0-4ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package hexchat - 2.16.2-1build1

---------------
hexchat (2.16.2-1build1) noble; urgency=medium

  * No-change rebuild against libcanberra t64.

 -- Matthias Klose <email address hidden> Sun, 24 Mar 2024 14:46:22 +0100

Changed in hexchat (Ubuntu Noble):
status: Fix Committed → Fix Released