Hello community, here is the log from the commit of package kvirc for openSUSE:Factory checked in at Tue Aug 3 01:58:48 CEST 2010.
--------
--- KDE/kvirc/kvirc.changes 2010-07-20 21:51:17.000000000 +0200
+++ /mounts/work_src_done/STABLE/kvirc/kvirc.changes 2010-07-30 12:23:17.000000000 +0200
@@ -1,0 +2,7 @@
+Fri Jul 30 12:22:54 CEST 2010 - ro@suse.de
+
+- add kvirc-ctcp_vul.diff:
+ fix issue with remote CTCP commands execution
+ CVE-2010-2785 (bnc#626942)
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
New:
----
kvirc-ctcp_vul.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ kvirc.spec ++++++
--- /var/tmp/diff_new_pack.Ix6yDq/_old 2010-08-03 01:58:04.000000000 +0200
+++ /var/tmp/diff_new_pack.Ix6yDq/_new 2010-08-03 01:58:04.000000000 +0200
@@ -28,8 +28,9 @@
 Group: Productivity/Networking/IRC
 Summary: Graphical Front-End for IRC
 Version: 4.0.0
-Release: 1
+Release: 2
 Source: ftp://ftp.kvirc.de/pub/kvirc/%{version}/source/kvirc-%{version}.tar.bz2
+Patch0: kvirc-ctcp_vul.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %requires_eq perl
@@ -64,6 +65,7 @@
 
 %prep
 %setup -q -n kvirc-%{version}
+%patch0
 
 %build
 mkdir -p build
++++++ kvirc-ctcp_vul.diff ++++++
Index: src/modules/dcc/requests.cpp
===================================================================
--- src/modules/dcc/requests.cpp (revision 4692)
+++ src/modules/dcc/requests.cpp (revision 4693)
@@ -86,7 +86,8 @@
 if(KVI_OPTION_BOOL(KviOption_boolNotifyFailedDccHandshakes))
 {
 QString szError = QString("Sorry, your DCC %1 request can't be satisfied: %2").arg(dcc->szType.ptr(), errText);
- dcc_module_reply_errmsg(dcc,szError);
+ //since szError contains an user-suppplied string, we simplify it to avoid any kind of injection (bug #858)
+ dcc_module_reply_errmsg(dcc,szError.simplified());
 }
 }
Index: src/kvirc/sparser/kvi_sp_ctcp.cpp
===================================================================
--- src/kvirc/sparser/kvi_sp_ctcp.cpp (revision 4692)
+++ src/kvirc/sparser/kvi_sp_ctcp.cpp (revision 4693)
@@ -626,7 +626,7 @@
 }
-const char * KviServerParser::extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks)
+const char * KviServerParser::extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks, bool bSafeOnly)
 {
 //
 // This one extracts the "next" ctcp parameter in msg_ptr
@@ -658,17 +658,20 @@
 {
 case '\\': // backslash : escape sequence
- if(msg_ptr != begin)buffer.append(begin,msg_ptr - begin);
- msg_ptr++;
- if(*msg_ptr)
- {
- // decode the escape
- msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
- begin = msg_ptr;
+ if(bSafeOnly)msg_ptr++;
+ else {
+ if(msg_ptr != begin)buffer.append(begin,msg_ptr - begin);
+ msg_ptr++;
+ if(*msg_ptr)
+ {
+ // decode the escape
+ msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
+ begin = msg_ptr;
+ }
+ // else it is a senseless trailing backslash.
+ // Just ignore and let the function
+ // return spontaneously.
 }
- // else it is a senseless trailing backslash.
- // Just ignore and let the function
- // return spontaneously.
 break;
 case ' ': // space : separate tokens if not in string
@@ -683,7 +686,7 @@
 }
 break;
 case '"':
- if(bInString)
+ if(bInString && !bSafeOnly)
 {
 // A string terminator. We don't return
 // immediately since if !bSpaceBreaks
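Review bot: `szError.simplified()` protects only this one reply; the line terminator that turned CVE-2010-2785 into an IRC command injection is best refused where the raw line is written, so `dcc_module_reply_errmsg` (or the socket writer behind it) should itself reject or strip CR and LF, with this call kept as defence in depth. `QString::simplified()` folds whitespace only, so other control bytes in the text survive; if the writer wraps the reply in CTCP 0x01 delimiters, an embedded 0x01 would still cut the reply short, which is worth a test. `errText` is interpolated next to the peer-supplied type and its origin is not visible in this hunk. The added comment also misspells its key word: `//since szError contains a user-supplied string, we simplify it to avoid any kind of injection (bug #858)`. The enclosing function starts and ends outside the hunk.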
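Review bot: The `bSafeOnly` branch appears to behave differently in the two overloads: here it advances past the backslash but leaves `begin` untouched, so the backslash stays in the pending span that `buffer.append(begin,msg_ptr - begin)` later copies, whereas the QString overload in the `@@ -743,15 +746,18 @@` hunk advances past the backslash without appending anything, so unless a pending-span mechanism outside that hunk retains it, the backslash is dropped there. The same input then yields a different szType depending on which overload the caller picks; if the safe behaviour is meant to be "keep the text verbatim" the QString version should append the backslash too, and if it is meant to be "strip the escape" this version should advance `begin` as well. The new parameter is also absent from the function header comment just above; a sentence such as `// bSafeOnly: leave backslash escapes undecoded and never close a quoted string, so the result can be echoed back to the peer without introducing line terminators` would state the contract. Both switch statements start and end outside their hunks.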
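Review bot: With `bInString && !bSafeOnly` the closing-quote branch is skipped in safe mode, but the opening side is presumably the `else` branch outside the hunk, so a `"` in a safe-only extraction would open a string that never closes; if `case ' '` honours `bInString`, the rest of the message is swallowed into this parameter and the following parameters come back empty. A guard that is symmetric in both directions, `if(bSafeOnly) { /* quote is literal */ } else if(bInString)`, or the matching check on the `else` branch, keeps the quote inert; the same applies to the `@@ -769,7 +775,7 @@` hunk of the QString overload. This does not weaken the injection fix, since no escape decoding happens in safe mode, but it deserves a test with a DCC type that begins with `"`.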
@@ -711,7 +714,7 @@
 return msg_ptr;
 }
-const char * KviServerParser::extractCtcpParameter(const char * p_msg_ptr,QString &resultBuffer,bool bSpaceBreaks)
+const char * KviServerParser::extractCtcpParameter(const char * p_msg_ptr,QString &resultBuffer,bool bSpaceBreaks, bool bSafeOnly)
 {
 //
 // This one extracts the "next" ctcp parameter in p_msg_ptr
@@ -743,15 +746,18 @@
 {
 case '\\': // backslash : escape sequence
- msg_ptr++;
- if(*msg_ptr)
- {
- // decode the escape
- msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
+ if(bSafeOnly)msg_ptr++;
+ else {
+ msg_ptr++;
+ if(*msg_ptr)
+ {
+ // decode the escape
+ msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
+ }
+ // else it is a senseless trailing backslash.
+ // Just ignore and let the function
+ // return spontaneously.
 }
- // else it is a senseless trailing backslash.
- // Just ignore and let the function
- // return spontaneously.
 break;
 case ' ': // space : separate tokens if not in string
@@ -769,7 +775,7 @@
 }
 break;
 case '"':
- if(bInString)
+ if(bInString && !bSafeOnly)
 {
 // A string terminator. We don't return
 // immediately since if !bSpaceBreaks
@@ -1707,7 +1713,7 @@
 {
 KviDccRequest p;
 KviStr aux = msg->pData;
- msg->pData = extractCtcpParameter(msg->pData,p.szType);
+ msg->pData = extractCtcpParameter(msg->pData,p.szType, true, true);
 msg->pData = extractCtcpParameter(msg->pData,p.szParam1);
 msg->pData = extractCtcpParameter(msg->pData,p.szParam2);
 msg->pData = extractCtcpParameter(msg->pData,p.szParam3);
Index: src/kvirc/sparser/kvi_sparser.h
===================================================================
--- src/kvirc/sparser/kvi_sparser.h (revision 4692)
+++ src/kvirc/sparser/kvi_sparser.h (revision 4693)
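Review bot: `extractCtcpParameter(msg->pData,p.szType, true, true)` passes two anonymous booleans, and the first merely restates its default; `/* bSpaceBreaks */ true, /* bSafeOnly */ true` (or a named constant) makes it visible that this is the one call that suppresses escape decoding. The three calls that follow still decode escapes into szParam1..szParam3; whether any of those values is echoed back to the peer the way `dcc->szType` is in requests.cpp is not visible here, and if one is, it needs the same safe-only extraction. The enclosing function starts and ends outside the hunk.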
@@ -260,8 +260,8 @@
 static void encodeCtcpParameter(const char * param,QString &buffer,bool bSpaceBreaks = true);
 static const char * decodeCtcpEscape(const char * msg_ptr,KviStr &buffer);
 static const char * decodeCtcpEscape(const char * msg_ptr,QByteArray &buffer);
- static const char * extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks = true);
- static const char * extractCtcpParameter(const char * msg_ptr,QString &buffer,bool bSpaceBreaks = true);
+ static const char * extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks = true, bool bSafeOnly=false);
+ static const char * extractCtcpParameter(const char * msg_ptr,QString &buffer,bool bSpaceBreaks = true, bool bSafeOnly=false);
 };
 
 #ifndef _KVI_SPARSER_CPP_
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
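Review bot: The two declarations gain `bSafeOnly` with no comment, and the name alone does not say what it disables; a comment above them such as `// bSafeOnly: skip CTCP escape decoding and never close a quoted string, for values that are echoed back to the sender` matches what the kvi_sp_ctcp.cpp hunks implement. The spacing `bSafeOnly=false` also differs from `bSpaceBreaks = true` on the same line; `bool bSafeOnly = false` keeps the style consistent. Defaulting the new flag to `false` keeps every existing caller decoding escapes, which is the right compatibility choice, but it means each future echo site has to opt in explicitly rather than being safe by default.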