diffstat for kvirc_3.4.0-5 kvirc_3.4.0-6 debian/patches/33_upstream_security_#858.patch | 157 ++++++++++ kvirc-3.4.0/debian/changelog | 7 kvirc-3.4.0/debian/patches/01_am_maintainer_mode.patch | 10 kvirc-3.4.0/debian/patches/02_rpath.patch | 15 kvirc-3.4.0/debian/patches/05_xpmicon.patch | 48 +-- kvirc-3.4.0/debian/patches/09_plugin_dir.patch | 27 - kvirc-3.4.0/debian/patches/10_gcc4.3_fix.patch | 9 kvirc-3.4.0/debian/patches/13_eula.patch | 19 - kvirc-3.4.0/debian/patches/17_awaybackaction.patch | 10 kvirc-3.4.0/debian/patches/20_fixman.patch | 12 kvirc-3.4.0/debian/patches/30_security-cipherlist-bad-order_r1990.patch | 12 kvirc-3.4.0/debian/patches/31_r1997-irchandler-exploit-bug503401.patch | 95 ++---- kvirc-3.4.0/debian/patches/32_DCC_fix_r4335.diff | 141 ++++---- kvirc-3.4.0/debian/patches/series | 1 14 files changed, 382 insertions(+), 181 deletions(-) diff -u kvirc-3.4.0/debian/changelog kvirc-3.4.0/debian/changelog --- kvirc-3.4.0/debian/changelog +++ kvirc-3.4.0/debian/changelog @@ -1,3 +1,10 @@ +kvirc (2:3.4.0-6) stable-security; urgency=high + + * Added debian/patches/33_upstream_security_#858.patch to address a severe + bug in the DCC module. + + -- Kai Wasserbäch Tue, 27 Jul 2010 15:10:24 +0200 + kvirc (2:3.4.0-5) stable-security; urgency=high * Reupload with Raul's name stripped of special characters, for diff -u kvirc-3.4.0/debian/patches/32_DCC_fix_r4335.diff kvirc-3.4.0/debian/patches/32_DCC_fix_r4335.diff --- kvirc-3.4.0/debian/patches/32_DCC_fix_r4335.diff +++ kvirc-3.4.0/debian/patches/32_DCC_fix_r4335.diff @@ -1,60 +1,13 @@ ---- a/src/modules/dcc/chat.cpp -+++ b/src/modules/dcc/chat.cpp -@@ -221,7 +221,7 @@ - struct in_addr a; - if(kvi_stringIpToBinaryIp(ip.ptr(),&a))ip.setNum(htonl(a.s_addr)); - -- QString szReq = QString("PRIVMSG %1 :%2DCC %3 chat %4 %5").arg(m_pDescriptor->szNick).arg((char)0x01).arg(m_pDescriptor->szType).arg(ip.ptr()).arg(port); -+ QString szReq = QString("PRIVMSG %1 :%2DCC %3 chat %4 %5").arg(m_pDescriptor->szNick, QChar(0x01), m_pDescriptor->szType, ip.ptr()).arg(port); - - if(m_pDescriptor->isZeroPortRequest()) - { -@@ -270,11 +270,11 @@ - { - QString tmp = QString("DCC %1 %2@%3:%4").arg( - #ifdef COMPILE_SSL_SUPPORT -- m_pDescriptor->bIsSSL ? "SChat" : "Chat").arg( -+ m_pDescriptor->bIsSSL ? "SChat" : "Chat", - #else -- "Chat").arg( -+ "Chat", - #endif -- m_pDescriptor->szNick).arg(m_pDescriptor->szIp).arg(m_pDescriptor->szPort); -+ m_pDescriptor->szNick, m_pDescriptor->szIp, m_pDescriptor->szPort); - - m_szPlainTextCaption = tmp; - ---- a/src/modules/dcc/requests.cpp -+++ b/src/modules/dcc/requests.cpp -@@ -80,7 +80,7 @@ - - if(KVI_OPTION_BOOL(KviOption_boolNotifyFailedDccHandshakes)) - { -- QString szError = QString("Sorry, your DCC %1 request can't be satisfied: %2").arg(dcc->szType.ptr()).arg(errText); -+ QString szError = QString("Sorry, your DCC %1 request can't be satisfied: %2").arg(dcc->szType.ptr(), errText); - dcc_module_reply_errmsg(dcc,szError); - } - } -@@ -454,6 +454,16 @@ - dcc->szParam1.cutToLast('/'); - } - -+ if(dcc->szParam1.contains("%2F")) -+ { -+ if(!dcc->ctcpMsg->msg->haltOutput()) -+ { -+ dcc->ctcpMsg->msg->console()->output(KVI_OUT_DCCMSG, -+ __tr2qs_ctx("The above request is broken: The filename contains path components, stripping the leading path and trying to continue","dcc"),dcc->szParam1.ptr()); -+ } -+ dcc->szParam1.cutToLast("%2F"); -+ } -+ - KviStr szExtensions = dcc->szType; - szExtensions.cutRight(4); // cut off SEND - +--- + src/modules/dcc/broker.cpp | 20 ++++++++++---------- + src/modules/dcc/chat.cpp | 8 ++++---- + src/modules/dcc/requests.cpp | 12 +++++++++++- + src/modules/dcc/send.cpp | 16 ++++++++-------- + 4 files changed, 33 insertions(+), 23 deletions(-) + --- a/src/modules/dcc/broker.cpp +++ b/src/modules/dcc/broker.cpp -@@ -268,7 +268,7 @@ +@@ -268,7 +268,7 @@ void KviDccBroker::handleChatRequest(Kvi QString tmp = __tr2qs_ctx( \ "%1 [%2@%3] requests a " \ "Direct Client Connection in %4 mode.
", \ @@ -63,7 +16,7 @@ #ifdef COMPILE_SSL_SUPPORT if(dcc->bIsSSL)tmp += __tr2qs_ctx("The connection will be secured using SSL.
","dcc"); -@@ -282,7 +282,7 @@ +@@ -282,7 +282,7 @@ void KviDccBroker::handleChatRequest(Kvi } else { tmp += __tr2qs_ctx( \ "The connection target will be host %1 on port %2
" \ @@ -72,7 +25,7 @@ } -@@ -315,7 +315,7 @@ +@@ -315,7 +315,7 @@ void KviDccBroker::executeChat(KviDccBox KviStr szSubProto = dcc->szType; szSubProto.toLower(); @@ -81,7 +34,7 @@ KviDccChat * chat = new KviDccChat(dcc->console()->frame(),dcc,tmp.utf8().data()); bool bMinimized = dcc->bOverrideMinimize ? dcc->bShowMinimized : \ -@@ -341,7 +341,7 @@ +@@ -341,7 +341,7 @@ void KviDccBroker::activeVoiceManage(Kvi "Direct Client Connection in VOICE mode.
" \ "The connection target will be host %4 on port %5
" \ ,"dcc" \ @@ -90,7 +43,7 @@ KviDccAcceptBox * box = new KviDccAcceptBox(this,dcc,tmp,__tr2qs_ctx("DCC VOICE request","dcc")); m_pBoxList->append(box); -@@ -412,7 +412,7 @@ +@@ -412,7 +412,7 @@ void KviDccBroker::activeCanvasManage(Kv "Direct Client Connection in CANVAS mode.
" \ "The connection target will be host %4 on port %5
" \ ,"dcc" \ @@ -99,7 +52,7 @@ KviDccAcceptBox * box = new KviDccAcceptBox(this,dcc,tmp,__tr2qs_ctx("DCC CANVAS request","dcc")); m_pBoxList->append(box); -@@ -505,9 +505,9 @@ +@@ -505,9 +505,9 @@ void KviDccBroker::recvFileManage(KviDcc "%5 large.
" \ "The connection target will be host %6 on port %7
" \ ,"dcc" \ @@ -112,7 +65,7 @@ } else { // passive: we will be listening! -@@ -518,7 +518,7 @@ +@@ -518,7 +518,7 @@ void KviDccBroker::recvFileManage(KviDcc "%5 large.
" \ "You will be the passive side of the connection.
" \ ,"dcc" \ @@ -121,7 +74,7 @@ dcc->szFileName).arg(KviQString::makeSizeReadable(dcc->szFileSize.toInt())); } -@@ -669,7 +669,7 @@ +@@ -669,7 +669,7 @@ void KviDccBroker::renameOverwriteResume "auto-rename the new file, or
" \ "resume an incomplete download?" \ ,"dcc" \ @@ -130,9 +83,63 @@ } else { bDisableResume = true; // the file on disk is larger or equal to the remote one +--- a/src/modules/dcc/chat.cpp ++++ b/src/modules/dcc/chat.cpp +@@ -221,7 +221,7 @@ void KviDccChat::connectionInProgress() + struct in_addr a; + if(kvi_stringIpToBinaryIp(ip.ptr(),&a))ip.setNum(htonl(a.s_addr)); + +- QString szReq = QString("PRIVMSG %1 :%2DCC %3 chat %4 %5").arg(m_pDescriptor->szNick).arg((char)0x01).arg(m_pDescriptor->szType).arg(ip.ptr()).arg(port); ++ QString szReq = QString("PRIVMSG %1 :%2DCC %3 chat %4 %5").arg(m_pDescriptor->szNick, QChar(0x01), m_pDescriptor->szType, ip.ptr()).arg(port); + + if(m_pDescriptor->isZeroPortRequest()) + { +@@ -270,11 +270,11 @@ void KviDccChat::fillCaptionBuffers() + { + QString tmp = QString("DCC %1 %2@%3:%4").arg( + #ifdef COMPILE_SSL_SUPPORT +- m_pDescriptor->bIsSSL ? "SChat" : "Chat").arg( ++ m_pDescriptor->bIsSSL ? "SChat" : "Chat", + #else +- "Chat").arg( ++ "Chat", + #endif +- m_pDescriptor->szNick).arg(m_pDescriptor->szIp).arg(m_pDescriptor->szPort); ++ m_pDescriptor->szNick, m_pDescriptor->szIp, m_pDescriptor->szPort); + + m_szPlainTextCaption = tmp; + +--- a/src/modules/dcc/requests.cpp ++++ b/src/modules/dcc/requests.cpp +@@ -80,7 +80,7 @@ static void dcc_module_request_error(Kvi + + if(KVI_OPTION_BOOL(KviOption_boolNotifyFailedDccHandshakes)) + { +- QString szError = QString("Sorry, your DCC %1 request can't be satisfied: %2").arg(dcc->szType.ptr()).arg(errText); ++ QString szError = QString("Sorry, your DCC %1 request can't be satisfied: %2").arg(dcc->szType.ptr(), errText); + dcc_module_reply_errmsg(dcc,szError); + } + } +@@ -454,6 +454,16 @@ static void dccModuleParseDccSend(KviDcc + dcc->szParam1.cutToLast('/'); + } + ++ if(dcc->szParam1.contains("%2F")) ++ { ++ if(!dcc->ctcpMsg->msg->haltOutput()) ++ { ++ dcc->ctcpMsg->msg->console()->output(KVI_OUT_DCCMSG, ++ __tr2qs_ctx("The above request is broken: The filename contains path components, stripping the leading path and trying to continue","dcc"),dcc->szParam1.ptr()); ++ } ++ dcc->szParam1.cutToLast("%2F"); ++ } ++ + KviStr szExtensions = dcc->szType; + szExtensions.cutRight(4); // cut off SEND + --- a/src/modules/dcc/send.cpp +++ b/src/modules/dcc/send.cpp -@@ -1236,14 +1236,14 @@ +@@ -1236,14 +1236,14 @@ void KviDccFileTransfer::displayPaint(QP if(iW2 > 0)p->fillRect(5 + iL2,5,iW2,10,bIsTerminated ? QColor(150,130,110) : QColor(220,170,100)); p->fillRect(5,5,iL2,10,bIsTerminated ? QColor(140,110,110) : QColor(200,100,100)); @@ -149,7 +156,7 @@ } } else { -@@ -1477,14 +1477,14 @@ +@@ -1477,14 +1477,14 @@ void KviDccFileTransfer::connectionInPro // if(TRIGGER_EVENT_5PARAM_RETVALUE(KviEvent_OnDCCSendConnected,this,m_pDescriptor->szPort.ptr(),m_pDescriptor->szFileName.ptr(),m_pDescriptor->szNick.ptr(),m_pDescriptor->szUser.ptr(),m_pDescriptor->szHost.ptr())); // } // @@ -166,7 +173,7 @@ outputAndLog(m_szStatusString); if(m_pDescriptor->bSendRequest) -@@ -1558,7 +1558,7 @@ +@@ -1558,7 +1558,7 @@ void KviDccFileTransfer::connectionInPro ip.utf8().data(),port.ptr(), &(m_pDescriptor->szLocalFileSize),0x01); } @@ -175,7 +182,7 @@ } else { outputAndLog(__tr2qs_ctx("DCC %1 request not sent, awaiting manual connection","dcc").arg(m_szDccType.ptr())); } -@@ -1687,8 +1687,8 @@ +@@ -1687,8 +1687,8 @@ void KviDccFileTransfer::handleMarshalEr void KviDccFileTransfer::connected() { @@ -186,7 +193,7 @@ m_tTransferStartTime = kvi_unixTime(); -@@ -1768,7 +1768,7 @@ +@@ -1768,7 +1768,7 @@ bool KviDccFileTransfer::resumeAccepted( if(ret != KviError_success)handleMarshalError(ret); else { diff -u kvirc-3.4.0/debian/patches/20_fixman.patch kvirc-3.4.0/debian/patches/20_fixman.patch --- kvirc-3.4.0/debian/patches/20_fixman.patch +++ kvirc-3.4.0/debian/patches/20_fixman.patch @@ -1,11 +1,15 @@ ---- kvirc/data/man/kvirc.1~ 2007-07-01 05:29:03.000000000 +0200 -+++ kvirc/data/man/kvirc.1 2008-04-18 00:28:16.000000000 +0200 -@@ -11,7 +11,7 @@ +--- + data/man/kvirc.1 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/data/man/kvirc.1 ++++ b/data/man/kvirc.1 +@@ -11,7 +11,7 @@ KVIrc is a Visual Internet Relay Chat cl It is intended to be an "user friendly" interface to the IRC protocol (see \fIRFC1459\fP) and its extensions. .SH OPTIONS -.l -+.I ++.I \fIKVIrc\fP accepts the following options: .TP 8 .B \-h, \-\-help diff -u kvirc-3.4.0/debian/patches/05_xpmicon.patch kvirc-3.4.0/debian/patches/05_xpmicon.patch --- kvirc-3.4.0/debian/patches/05_xpmicon.patch +++ kvirc-3.4.0/debian/patches/05_xpmicon.patch @@ -1,6 +1,21 @@ -diff -Nur kvirc/data/icons/32x32/kvirc.xpm kvirc.new/data/icons/32x32/kvirc.xpm ---- kvirc/data/icons/32x32/kvirc.xpm 1970-01-01 01:00:00.000000000 +0100 -+++ kvirc.new/data/icons/32x32/kvirc.xpm 2005-02-09 12:31:44.000000000 +0100 +--- + data/icons/32x32/Makefile.am | 3 + data/icons/32x32/kvirc.xpm | 295 ++++++++++++++++++++++++++++++++++++++++ + data/icons/48x48/Makefile.am | 2 + data/icons/48x48/kvirc.xpm | 311 +++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 609 insertions(+), 2 deletions(-) + +--- a/data/icons/32x32/Makefile.am ++++ b/data/icons/32x32/Makefile.am +@@ -1,4 +1,5 @@ +-iconapps32data_DATA = kvirc.png ++iconapps32data_DATA = kvirc.png \ ++ kvirc.xpm + + iconmime32data_DATA = kvs.png kvc.png kvt.png kva.png + +--- /dev/null ++++ b/data/icons/32x32/kvirc.xpm @@ -0,0 +1,295 @@ +/* XPM */ +static char *kvirc3[] = { @@ -297,19 +312,16 @@ +"YXYXYXYXYXYXYXYXYXYXYXYX % t t t u & YXYXYXYXYXYXYXYXYXYXYXYX", +"YXYXYXYXYXYXYXYXYXYXYXYX o o o o YXYXYXYXYXYXYXYXYXYXYXYX" +}; -diff -Nur kvirc/data/icons/32x32/Makefile.am kvirc.new/data/icons/32x32/Makefile.am ---- kvirc/data/icons/32x32/Makefile.am 2003-02-25 09:46:27.000000000 +0100 -+++ kvirc.new/data/icons/32x32/Makefile.am 2005-02-09 17:13:00.000000000 +0100 -@@ -1,4 +1,5 @@ --iconapps32data_DATA = kvirc.png -+iconapps32data_DATA = kvirc.png \ -+ kvirc.xpm +--- a/data/icons/48x48/Makefile.am ++++ b/data/icons/48x48/Makefile.am +@@ -1,4 +1,4 @@ +-iconapps48data_DATA = kvirc.png ++iconapps48data_DATA = kvirc.png kvirc.xpm - iconmime32data_DATA = kvs.png + iconmime48data_DATA = kvs.png kvc.png kvt.png kva.png -diff -Nur kvirc/data/icons/48x48/kvirc.xpm kvirc.new/data/icons/48x48/kvirc.xpm ---- kvirc/data/icons/48x48/kvirc.xpm 1970-01-01 01:00:00.000000000 +0100 -+++ kvirc.new/data/icons/48x48/kvirc.xpm 2005-02-09 12:32:20.000000000 +0100 +--- /dev/null ++++ b/data/icons/48x48/kvirc.xpm @@ -0,0 +1,311 @@ +/* XPM */ +static char *kvirc3[] = { @@ -625,8 +636,0 @@ -diff -Nur kvirc/data/icons/48x48/Makefile.am kvirc.new/data/icons/48x48/Makefile.am ---- kvirc/data/icons/48x48/Makefile.am 2003-02-25 09:46:27.000000000 +0100 -+++ kvirc.new/data/icons/48x48/Makefile.am 2005-02-09 17:13:29.000000000 +0100 -@@ -1,4 +1,4 @@ --iconapps48data_DATA = kvirc.png -+iconapps48data_DATA = kvirc.png kvirc.xpm - - iconmime48data_DATA = kvs.png diff -u kvirc-3.4.0/debian/patches/02_rpath.patch kvirc-3.4.0/debian/patches/02_rpath.patch --- kvirc-3.4.0/debian/patches/02_rpath.patch +++ kvirc-3.4.0/debian/patches/02_rpath.patch @@ -1,7 +1,10 @@ -diff -u kvirc/admin/acinclude.m4.in.2 kvirc/admin/acinclude.m4.in ---- kvirc/admin/acinclude.m4.in.2 2008-03-30 18:39:06.000000000 +0200 -+++ kvirc/admin/acinclude.m4.in 2008-04-15 09:48:33.000000000 +0200 -@@ -1105,7 +1105,7 @@ +--- + admin/acinclude.m4.in | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/admin/acinclude.m4.in ++++ b/admin/acinclude.m4.in +@@ -1105,7 +1105,7 @@ AC_DEFUN([AC_SS_CHECK_ARTS], ss_save_LIBS="$LIBS" CPPFLAGS="-I$SS_X_INCDIR -I$SS_QT3_INCDIR -I$SS_KDE_INCDIR $CPPFLAGS $X_CFLAGS" CXXFLAGS="-O2 -Wall $CXXFLAGS" @@ -10,7 +13,7 @@ if test "$SS_LINK_TO_LIBDL" = "yes"; then LIBS="$LIBS -ldl"; fi -@@ -2252,7 +2252,7 @@ +@@ -2252,7 +2252,7 @@ AC_DEFUN([AC_SS_ENSURE_CAN_COMPILE_X_QT3 if test -n "$SS_X_LIBLINK"; then LIBS="$LIBS $SS_X_LIBLINK" fi @@ -19,7 +22,7 @@ if test "$SS_LINK_TO_LIBDL" = "yes"; then LIBS="$LIBS -ldl"; fi -@@ -2505,6 +2505,7 @@ +@@ -2505,6 +2505,7 @@ AC_DEFUN([AC_SS_FINAL_CONFIG], AC_SUBST(SS_CPPFLAGS) AC_SUBST(SS_INCDIRS) AC_SUBST(SS_LDFLAGS) diff -u kvirc-3.4.0/debian/patches/09_plugin_dir.patch kvirc-3.4.0/debian/patches/09_plugin_dir.patch --- kvirc-3.4.0/debian/patches/09_plugin_dir.patch +++ kvirc-3.4.0/debian/patches/09_plugin_dir.patch @@ -1,7 +1,12 @@ -diff -Nru kvirc/admin/acinclude.m4.in.org kvirc/admin/acinclude.m4.in ---- kvirc/admin/acinclude.m4.in.org 2008-04-17 00:52:30.000000000 +0200 -+++ kvirc/admin/acinclude.m4.in 2008-04-17 00:56:45.000000000 +0200 -@@ -2562,10 +2563,10 @@ +--- + admin/acinclude.m4.in | 4 ++-- + src/kvirc/kernel/kvi_app_fs.cpp | 5 ++++- + src/kvirc/kernel/kvi_app_setup.cpp | 2 +- + 3 files changed, 7 insertions(+), 4 deletions(-) + +--- a/admin/acinclude.m4.in ++++ b/admin/acinclude.m4.in +@@ -2563,10 +2563,10 @@ AC_DEFUN([AC_SS_FINAL_CONFIG], helpdir="\${globalkvircdir}/help/en" AC_SUBST(helpdir) @@ -14,10 +19,9 @@ AC_SUBST(modulelibdir) defscriptdir="\${globalkvircdir}/defscript" -diff -Nru kvirc/src/kvirc/kernel/kvi_app_fs.cpp kvirc/src/kvirc/kernel/kvi_app_fs.cpp.2 ---- kvirc/src/kvirc/kernel/kvi_app_fs.cpp 2008-03-30 22:02:35.000000000 +0200 -+++ kvirc/src/kvirc/kernel/kvi_app_fs.cpp.2 2008-03-30 22:05:15.000000000 +0200 -@@ -52,8 +52,11 @@ +--- a/src/kvirc/kernel/kvi_app_fs.cpp ++++ b/src/kvirc/kernel/kvi_app_fs.cpp +@@ -52,8 +52,11 @@ void KviApp::getGlobalKvircDirectory(QSt { case None : break; case Pics : szData.append("pics"); break; @@ -30,10 +34,9 @@ case EasyPlugins : szData.append("easyplugins"); break; case ConfigPlugins : KviQString::appendFormatted(szData,"config%smodules",KVI_PATH_SEPARATOR); break; case ConfigScripts : KviQString::appendFormatted(szData,"config%sscripts",KVI_PATH_SEPARATOR); break; -diff -Nru kvirc/src/kvirc/kernel/kvi_app_setup.cpp kvirc/src/kvirc/kernel/kvi_app_setup.cpp ---- kvirc/src/kvirc/kernel/kvi_app_setup.cpp 2006-07-28 14:51:38.000000000 +0200 -+++ kvirc/src/kvirc/kernel/kvi_app_setup.cpp 2006-11-02 02:35:01.000000000 +0100 -@@ -79,7 +79,7 @@ +--- a/src/kvirc/kernel/kvi_app_setup.cpp ++++ b/src/kvirc/kernel/kvi_app_setup.cpp +@@ -80,7 +80,7 @@ bool KviApp::checkGlobalKvircDirectory(c { //First check if the help subdir exists QString szDir2 = dir; diff -u kvirc-3.4.0/debian/patches/17_awaybackaction.patch kvirc-3.4.0/debian/patches/17_awaybackaction.patch --- kvirc-3.4.0/debian/patches/17_awaybackaction.patch +++ kvirc-3.4.0/debian/patches/17_awaybackaction.patch @@ -1,6 +1,10 @@ ---- kvirc/src/kvirc/kernel/kvi_coreactions.cpp.orig 2006-07-25 13:10:28.000000000 +0000 -+++ kvirc/src/kvirc/kernel/kvi_coreactions.cpp 2006-07-25 13:11:20.000000000 +0000 -@@ -1011,12 +1011,14 @@ +--- + src/kvirc/kernel/kvi_coreactions.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/src/kvirc/kernel/kvi_coreactions.cpp ++++ b/src/kvirc/kernel/kvi_coreactions.cpp +@@ -1050,12 +1050,14 @@ void KviGoAwayAction::activeContextState b->setTextLabel(txt); } m_uInternalFlags |= KVI_ACTION_FLAG_ENABLED; diff -u kvirc-3.4.0/debian/patches/series kvirc-3.4.0/debian/patches/series --- kvirc-3.4.0/debian/patches/series +++ kvirc-3.4.0/debian/patches/series @@ -9,6 +9,7 @@ 30_security-cipherlist-bad-order_r1990.patch 31_r1997-irchandler-exploit-bug503401.patch 32_DCC_fix_r4335.diff +33_upstream_security_#858.patch 51_PERL_SYS_INIT3_r2271-bug495064.patch 52_windowmenu-crashes_r1991.patch 98_buildprep.diff -p0 diff -u kvirc-3.4.0/debian/patches/01_am_maintainer_mode.patch kvirc-3.4.0/debian/patches/01_am_maintainer_mode.patch --- kvirc-3.4.0/debian/patches/01_am_maintainer_mode.patch +++ kvirc-3.4.0/debian/patches/01_am_maintainer_mode.patch @@ -1,6 +1,10 @@ ---- kvirc-3.4.0.org/configure.in 2008-04-10 00:44:34.000000000 +0200 -+++ kvirc-3.4.0/configure.in 2008-04-10 00:51:48.000000000 +0200 -@@ -17,6 +17,8 @@ +--- + configure.in | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/configure.in ++++ b/configure.in +@@ -17,6 +17,8 @@ AC_PREREQ(2.52) AM_INIT_AUTOMAKE(kvirc,3.4.0) diff -u kvirc-3.4.0/debian/patches/13_eula.patch kvirc-3.4.0/debian/patches/13_eula.patch --- kvirc-3.4.0/debian/patches/13_eula.patch +++ kvirc-3.4.0/debian/patches/13_eula.patch @@ -1,7 +1,12 @@ unchanged: ---- kvirc/src/modules/about/aboutdialog.cpp 2008-03-30 18:49:51.000000000 +0200 -+++ kvirc/src/modules/about/aboutdialog.cpp.2 2008-03-30 18:49:46.000000000 +0200 -@@ -130,7 +130,7 @@ +--- + src/modules/about/aboutdialog.cpp | 2 +- + src/modules/setup/setupwizard.cpp | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/src/modules/about/aboutdialog.cpp ++++ b/src/modules/about/aboutdialog.cpp +@@ -130,7 +130,7 @@ KviAboutDialog::KviAboutDialog() QString szLicense; QString szLicensePath; @@ -10,11 +15,9 @@ if(!KviFileUtils::loadFile(szLicensePath,szLicense)) { -only in patch2: -unchanged: ---- kvirc/src/modules/setup/setupwizard.cpp 2008-03-30 18:49:51.000000000 +0200 -+++ kvirc/src/modules/setup/setupwizard.cpp.2 2008-03-30 18:47:49.000000000 +0200 -@@ -197,7 +197,7 @@ +--- a/src/modules/setup/setupwizard.cpp ++++ b/src/modules/setup/setupwizard.cpp +@@ -197,7 +197,7 @@ KviSetupWizard::KviSetupWizard() ed->setWordWrap(KviTalTextEdit::NoWrap); QString szLicense; QString szLicensePath; diff -u kvirc-3.4.0/debian/patches/30_security-cipherlist-bad-order_r1990.patch kvirc-3.4.0/debian/patches/30_security-cipherlist-bad-order_r1990.patch --- kvirc-3.4.0/debian/patches/30_security-cipherlist-bad-order_r1990.patch +++ kvirc-3.4.0/debian/patches/30_security-cipherlist-bad-order_r1990.patch @@ -1,8 +1,10 @@ -Index: kvirc/src/kvilib/net/kvi_ssl.cpp -=================================================================== ---- kvirc/src/kvilib/net/kvi_ssl.cpp (revisión: 1989) -+++ kvirc/src/kvilib/net/kvi_ssl.cpp (revisión: 1990) -@@ -305,7 +305,8 @@ +--- + src/kvilib/net/kvi_ssl.cpp | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/src/kvilib/net/kvi_ssl.cpp ++++ b/src/kvilib/net/kvi_ssl.cpp +@@ -305,7 +305,8 @@ bool KviSSL::initContext(Method m) m_pSSLCtx = SSL_CTX_new(m == Client ? SSLv23_client_method() : SSLv23_server_method()); if(!m_pSSLCtx)return false; // FIXME: this should be configurable ? diff -u kvirc-3.4.0/debian/patches/10_gcc4.3_fix.patch kvirc-3.4.0/debian/patches/10_gcc4.3_fix.patch --- kvirc-3.4.0/debian/patches/10_gcc4.3_fix.patch +++ kvirc-3.4.0/debian/patches/10_gcc4.3_fix.patch @@ -1,6 +1,9 @@ -diff -Nru kvirc/src/kvirc/kvs/kvi_kvs_coresimplecommands_sz.cpp kvirc/src/kvirc/kvs/kvi_kvs_coresimplecommands_sz.cpp ---- kvirc/src/kvirc/kvs/kvi_kvs_coresimplecommands_sz.cpp 2006-07-28 14:51:38.000000000 +0200 -+++ kvirc/src/kvirc/kvs/kvi_kvs_coresimplecommands_sz.cpp 2008-01-28 09:43:06.293187308 +0100 +--- + src/kvirc/kvs/kvi_kvs_coresimplecommands_sz.cpp | 1 + + 1 file changed, 1 insertion(+) + +--- a/src/kvirc/kvs/kvi_kvs_coresimplecommands_sz.cpp ++++ b/src/kvirc/kvs/kvi_kvs_coresimplecommands_sz.cpp @@ -38,6 +38,7 @@ #include "kvi_netutils.h" #include "kvi_menubar.h" diff -u kvirc-3.4.0/debian/patches/31_r1997-irchandler-exploit-bug503401.patch kvirc-3.4.0/debian/patches/31_r1997-irchandler-exploit-bug503401.patch --- kvirc-3.4.0/debian/patches/31_r1997-irchandler-exploit-bug503401.patch +++ kvirc-3.4.0/debian/patches/31_r1997-irchandler-exploit-bug503401.patch @@ -1,7 +1,40 @@ -Index: 3.4.0/src/kvirc/sparser/kvi_sp_ctcp.cpp -=================================================================== ---- 3.4.0/src/kvirc/sparser/kvi_sp_ctcp.cpp (revisión: 1996) -+++ 3.4.0/src/kvirc/sparser/kvi_sp_ctcp.cpp (revisión: 1997) +--- + src/kvirc/kernel/kvi_app.cpp | 12 ++++++++++- + src/kvirc/sparser/kvi_sp_ctcp.cpp | 11 +++++++++- + src/kvirc/sparser/kvi_sp_literal.cpp | 36 +++++++++++++++++------------------ + src/kvirc/ui/kvi_console.cpp | 11 +++++++++- + 4 files changed, 49 insertions(+), 21 deletions(-) + +--- a/src/kvirc/kernel/kvi_app.cpp ++++ b/src/kvirc/kernel/kvi_app.cpp +@@ -109,6 +109,12 @@ + #endif + #endif + ++#ifdef COMPILE_USE_QT4 ++ #include ++#else ++ #include ++#endif ++ + KVIRC_API KviApp * g_pApp = 0; // global application pointer + + KviConfig * g_pWinPropertiesConfig = 0; +@@ -1048,7 +1054,11 @@ void KviApp::fileDownloadTerminated(bool + szMsg += szLocalFileName; + szMsg += ")"; + } +- notifierMessage(0,iIconId,szMsg,30); ++#ifdef COMPILE_USE_QT4 ++ notifierMessage(0,iIconId,Qt::escape(szMsg),30); ++#else ++ notifierMessage(0,iIconId,QStyleSheet::escape(szMsg),30); ++#endif + } + return; + } +--- a/src/kvirc/sparser/kvi_sp_ctcp.cpp ++++ b/src/kvirc/sparser/kvi_sp_ctcp.cpp @@ -60,6 +60,11 @@ #include @@ -14,7 +47,7 @@ -@@ -1445,7 +1450,11 @@ +@@ -1442,7 +1447,11 @@ void KviServerParser::parseCtcpRequestAc QString szMsg = ""; szMsg += msg->pSource->nick(); szMsg += " "; @@ -27,10 +60,8 @@ //debug("kvi_sp_ctcp.cpp:975 debug: %s",szMsg.data()); g_pApp->notifierMessage(pOut,KVI_OPTION_MSGTYPE(KVI_OUT_ACTION).pixId(),szMsg,90); } -Index: 3.4.0/src/kvirc/sparser/kvi_sp_literal.cpp -=================================================================== ---- 3.4.0/src/kvirc/sparser/kvi_sp_literal.cpp (revisión: 1996) -+++ 3.4.0/src/kvirc/sparser/kvi_sp_literal.cpp (revisión: 1997) +--- a/src/kvirc/sparser/kvi_sp_literal.cpp ++++ b/src/kvirc/sparser/kvi_sp_literal.cpp @@ -72,6 +72,12 @@ //#include "kvi_iconmanager.h" #include @@ -44,7 +75,7 @@ extern KviNickServRuleSet * g_pNickServRuleSet; /////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -@@ -910,15 +916,12 @@ +@@ -910,15 +916,12 @@ void KviServerParser::parseLiteralPrivms { // don't send the message to the notifier twice iFlags |= KviConsole::NoNotifier; @@ -58,7 +89,7 @@ - szMsg += szHtml; - //debug("kvi_sp_literal.cpp:908 debug: %s",szHtml.data()); + #ifdef COMPILE_USE_QT4 -+ QString szMsg = Qt::escape(szMsgText); ++ QString szMsg = Qt::escape(szMsgText); + #else + QString szMsg = QStyleSheet::escape(szMsgText); + #endif @@ -66,7 +97,7 @@ g_pApp->notifierMessage(query,KVI_SMALLICON_QUERYPRIVMSG,szMsg,1800); } } -@@ -1271,15 +1274,12 @@ +@@ -1271,15 +1274,12 @@ void KviServerParser::parseLiteralNotice { // don't send the message twice to the notifier iFlags |= KviConsole::NoNotifier; @@ -80,7 +111,7 @@ - szMsg += szHtml; - //debug("kvi_sp_literal.cpp:1262 debug: %s",szHtml.data()); + #ifdef COMPILE_USE_QT4 -+ QString szMsg = Qt::escape(szMsgText); ++ QString szMsg = Qt::escape(szMsgText); + #else + QString szMsg = QStyleSheet::escape(szMsgText); + #endif @@ -88,40 +119,8 @@ g_pApp->notifierMessage(query,KVI_SMALLICON_QUERYNOTICE,szMsg,1800); } } -Index: 3.4.0/src/kvirc/kernel/kvi_app.cpp -=================================================================== ---- 3.4.0/src/kvirc/kernel/kvi_app.cpp (revisión: 1996) -+++ 3.4.0/src/kvirc/kernel/kvi_app.cpp (revisión: 1997) -@@ -109,6 +109,12 @@ - #endif - #endif - -+#ifdef COMPILE_USE_QT4 -+ #include -+#else -+ #include -+#endif -+ - KVIRC_API KviApp * g_pApp = 0; // global application pointer - - KviConfig * g_pWinPropertiesConfig = 0; -@@ -1048,7 +1054,11 @@ - szMsg += szLocalFileName; - szMsg += ")"; - } -- notifierMessage(0,iIconId,szMsg,30); -+#ifdef COMPILE_USE_QT4 -+ notifierMessage(0,iIconId,Qt::escape(szMsg),30); -+#else -+ notifierMessage(0,iIconId,QStyleSheet::escape(szMsg),30); -+#endif - } - return; - } -Index: 3.4.0/src/kvirc/ui/kvi_console.cpp -=================================================================== ---- 3.4.0/src/kvirc/ui/kvi_console.cpp (revisión: 1996) -+++ 3.4.0/src/kvirc/ui/kvi_console.cpp (revisión: 1997) +--- a/src/kvirc/ui/kvi_console.cpp ++++ b/src/kvirc/ui/kvi_console.cpp @@ -97,6 +97,11 @@ #define __KVI_DEBUG__ #include "kvi_debug.h" @@ -134,7 +133,7 @@ extern KVIRC_API KviIrcServerDataBase * g_pIrcServerDataBase; extern KVIRC_API KviProxyDataBase * g_pProxyDataBase; -@@ -762,7 +767,11 @@ +@@ -762,7 +767,11 @@ void KviConsole::outputPrivmsg(KviWindow QString szMsg = "<"; szMsg += nick; szMsg += "> "; only in patch2: unchanged: --- kvirc-3.4.0.orig/debian/patches/33_upstream_security_#858.patch +++ kvirc-3.4.0/debian/patches/33_upstream_security_#858.patch @@ -0,0 +1,157 @@ +Subject: Security fix for upstream's #858 (DCC module). +Origin: upstream, https://svn.kvirc.de/kvirc/changeset/4695 +Last-Update: 2010-07-27 + +--- + ChangeLog | 10 ++++++- + src/kvirc/sparser/kvi_sp_ctcp.cpp | 52 +++++++++++++++++++++----------------- + src/kvirc/sparser/kvi_sparser.h | 4 +- + src/modules/dcc/requests.cpp | 3 +- + 4 files changed, 42 insertions(+), 27 deletions(-) + +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,4 +1,12 @@ +-02 May 2007 - 12 March 2008 ++Jul 2010 ++ [CtrlAltCa] ++ - backported fix for #858 ++ ++Jun 2010 ++ [KVIrc Development Team] ++ - Since KVIrc 4 is out now, development on the 3.x branch is deprecated. Only fixes for big security issues are going to be backported. ++ ++May 2007 - Jun 2010 + [KVIrc Development Team] + - A lot of changes documented in the svn log. See http://svn.kvirc.de/kvirc/ for the timeline. + +--- a/src/kvirc/sparser/kvi_sp_ctcp.cpp ++++ b/src/kvirc/sparser/kvi_sp_ctcp.cpp +@@ -636,7 +636,7 @@ const char * KviServerParser::decodeCtcp + } + + +-const char * KviServerParser::extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks) ++const char * KviServerParser::extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks, bool bSafeOnly) + { + // + // This one extracts the "next" ctcp parameter in msg_ptr +@@ -668,17 +668,20 @@ const char * KviServerParser::extractCtc + { + case '\\': + // backslash : escape sequence +- if(msg_ptr != begin)buffer.append(begin,msg_ptr - begin); +- msg_ptr++; +- if(*msg_ptr) +- { +- // decode the escape +- msg_ptr = decodeCtcpEscape(msg_ptr,buffer); +- begin = msg_ptr; ++ if(bSafeOnly)msg_ptr++; ++ else { ++ if(msg_ptr != begin)buffer.append(begin,msg_ptr - begin); ++ msg_ptr++; ++ if(*msg_ptr) ++ { ++ // decode the escape ++ msg_ptr = decodeCtcpEscape(msg_ptr,buffer); ++ begin = msg_ptr; ++ } ++ // else it is a senseless trailing backslash. ++ // Just ignore and let the function ++ // return spontaneously. + } +- // else it is a senseless trailing backslash. +- // Just ignore and let the function +- // return spontaneously. + break; + case ' ': + // space : separate tokens if not in string +@@ -693,7 +696,7 @@ const char * KviServerParser::extractCtc + } + break; + case '"': +- if(bInString) ++ if(bInString && !bSafeOnly) + { + // A string terminator. We don't return + // immediately since if !bSpaceBreaks +@@ -721,7 +724,7 @@ const char * KviServerParser::extractCtc + return msg_ptr; + } + +-const char * KviServerParser::extractCtcpParameter(const char * p_msg_ptr,QString &resultBuffer,bool bSpaceBreaks) ++const char * KviServerParser::extractCtcpParameter(const char * p_msg_ptr,QString &resultBuffer,bool bSpaceBreaks, bool bSafeOnly) + { + // + // This one extracts the "next" ctcp parameter in p_msg_ptr +@@ -753,15 +756,18 @@ const char * KviServerParser::extractCtc + { + case '\\': + // backslash : escape sequence +- msg_ptr++; +- if(*msg_ptr) +- { +- // decode the escape +- msg_ptr = decodeCtcpEscape(msg_ptr,buffer); ++ if(bSafeOnly)msg_ptr++; ++ else { ++ msg_ptr++; ++ if(*msg_ptr) ++ { ++ // decode the escape ++ msg_ptr = decodeCtcpEscape(msg_ptr,buffer); ++ } ++ // else it is a senseless trailing backslash. ++ // Just ignore and let the function ++ // return spontaneously. + } +- // else it is a senseless trailing backslash. +- // Just ignore and let the function +- // return spontaneously. + break; + case ' ': + // space : separate tokens if not in string +@@ -779,7 +785,7 @@ const char * KviServerParser::extractCtc + } + break; + case '"': +- if(bInString) ++ if(bInString && !bSafeOnly) + { + // A string terminator. We don't return + // immediately since if !bSpaceBreaks +@@ -1704,7 +1710,7 @@ void KviServerParser::parseCtcpRequestDc + { + KviDccRequest p; + KviStr aux = msg->pData; +- msg->pData = extractCtcpParameter(msg->pData,p.szType); ++ msg->pData = extractCtcpParameter(msg->pData,p.szType, true, true); + msg->pData = extractCtcpParameter(msg->pData,p.szParam1); + msg->pData = extractCtcpParameter(msg->pData,p.szParam2); + msg->pData = extractCtcpParameter(msg->pData,p.szParam3); +--- a/src/kvirc/sparser/kvi_sparser.h ++++ b/src/kvirc/sparser/kvi_sparser.h +@@ -256,8 +256,8 @@ public: + static void encodeCtcpParameter(const char * param,QString &buffer,bool bSpaceBreaks = true); + static const char * decodeCtcpEscape(const char * msg_ptr,KviStr &buffer); + static const char * decodeCtcpEscape(const char * msg_ptr,KviQCString &buffer); +- static const char * extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks = true); +- static const char * extractCtcpParameter(const char * msg_ptr,QString &buffer,bool bSpaceBreaks = true); ++ static const char * extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks = true, bool bSafeOnly=false); ++ static const char * extractCtcpParameter(const char * msg_ptr,QString &buffer,bool bSpaceBreaks = true, bool bSafeOnly=false); + }; + + #ifndef _KVI_SPARSER_CPP_ +--- a/src/modules/dcc/requests.cpp ++++ b/src/modules/dcc/requests.cpp +@@ -81,7 +81,8 @@ static void dcc_module_request_error(Kvi + if(KVI_OPTION_BOOL(KviOption_boolNotifyFailedDccHandshakes)) + { + QString szError = QString("Sorry, your DCC %1 request can't be satisfied: %2").arg(dcc->szType.ptr(), errText); +- dcc_module_reply_errmsg(dcc,szError); ++ //since szError contains an user-suppplied string, we simplify it to avoid any kind of injection (bug #858) ++ dcc_module_reply_errmsg(dcc,szError.simplifyWhiteSpace()); + } + } +