CVE-2017-8073 weechat remote crash

Bug #1686478 reported by Jeremy Bicha
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
weechat (Debian)
Fix Released
Unknown
weechat (Ubuntu)
Undecided
Unassigned

Bug Description

WeeChat before 1.7.1 allows a remote crash by sending a filename via DCC tot he IRC plugin. This occurs in the irc_ctcp_dcc_filename_without_quotes function during quote removal, with a buffer overflow.

Fixed in Debian
---------------
weechat (1.7-3) unstable; urgency=medium
 .
  * Add a patch to fix CVE-2017-8073 which allows a remote crash by
    sending a filename via DCC to the IRC plugin (Closes: #861121)

That version was synced to Ubuntu 17.10 Alpha "artful"

References
----------
https://security-tracker.debian.org/tracker/CVE-2017-8073
https://weechat.org/download/security/ (all other listed security bugs already fixed in 14.04 LTS and newer)

https://github.com/weechat/weechat/commit/2fb346f25f79

Testing Done
------------
None

CVE References

Jeremy Bicha (jbicha)
description: updated
information type: Public → Public Security
Revision history for this message
Jeremy Bicha (jbicha) wrote :

I used simple version numbers after checking the Ubuntu publishing history. I hope that's not a problem.

Changed in weechat (Ubuntu):
status: New → Confirmed
Revision history for this message
Jeremy Bicha (jbicha) wrote :
Revision history for this message
Jeremy Bicha (jbicha) wrote :
Revision history for this message
Jeremy Bicha (jbicha) wrote :
tags: added: patch
Changed in weechat (Debian):
status: Unknown → Fix Released
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hi Jeremy, thanks for the debdiffs. I changed the ...ubuntu1 to ...ubuntu0.1 version numbers, but if the builds succeed and pass sanity checks, I'll publish them tomorrow.

Thanks!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package weechat - 1.7-2ubuntu0.1

---------------
weechat (1.7-2ubuntu0.1) zesty-security; urgency=medium

  * SECURITY UPDATE: remote buffer overflow crash by sending a filename
    via DCC to the IRC plugin (LP: #1686478)
    - debian/patches/03_fix_CVE-2017-8073.patch: Fix quote removal in
      irc_ctcp_dcc_filename_without_quotes function in
      src/plugins/irc/irc-ctcp.c. Patch from 1.7.1 via Debian.
    - CVE-2017-8073

 -- Jeremy Bicha <email address hidden> Wed, 26 Apr 2017 14:10:49 -0400

Changed in weechat (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package weechat - 1.5-1ubuntu0.1

---------------
weechat (1.5-1ubuntu0.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: remote buffer overflow crash by sending a filename
    via DCC to the IRC plugin (LP: #1686478)
    - debian/patches/03_fix_CVE-2017-8073.patch: Fix quote removal in
      irc_ctcp_dcc_filename_without_quotes function in
      src/plugins/irc/irc-ctcp.c. Patch from 1.7.1 via Debian.
    - CVE-2017-8073

 -- Jeremy Bicha <email address hidden> Wed, 26 Apr 2017 14:10:49 -0400

Changed in weechat (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package weechat - 0.4.2-3ubuntu0.1

---------------
weechat (0.4.2-3ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: remote buffer overflow crash by sending a filename
    via DCC to the IRC plugin (LP: #1686478)
    - debian/patches/03_fix_CVE-2017-8073.patch: Fix quote removal in
      irc_ctcp_dcc_filename_without_quotes function in
      src/plugins/irc/irc-ctcp.c. Patch from 1.7.1 via Debian.
    - CVE-2017-8073

 -- Jeremy Bicha <email address hidden> Wed, 26 Apr 2017 14:10:49 -0400

Changed in weechat (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I'm not sure where the launchpad comment went for the xenial upload but that appears to have published as expected https://launchpad.net/ubuntu/+source/weechat/1.4-2ubuntu0.1

Thanks Jeremy

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.