rpms/kvirc/devel kvirc-fix-remote-execution.patch, NONE, 1.1 kvirc.spec, 1.26, 1.27
nucleo
nucleo at fedoraproject.org
Tue Jul 27 22:43:03 UTC 2010
Author: nucleo
Update of /cvs/pkgs/rpms/kvirc/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv24478
Modified Files:
kvirc.spec
Added Files:
kvirc-fix-remote-execution.patch
Log Message:
fix for kvirc#858
kvirc-fix-remote-execution.patch:
kvirc/sparser/kvi_sp_ctcp.cpp | 52 +++++++++++++++++++++++-------------------
kvirc/sparser/kvi_sparser.h | 4 +--
modules/dcc/requests.cpp | 3 +-
3 files changed, 33 insertions(+), 26 deletions(-)
--- NEW FILE kvirc-fix-remote-execution.patch ---
Index: src/modules/dcc/requests.cpp
===================================================================
--- src/modules/dcc/requests.cpp (revision 4692)
+++ src/modules/dcc/requests.cpp (revision 4693)
@@ -86,7 +86,8 @@
if(KVI_OPTION_BOOL(KviOption_boolNotifyFailedDccHandshakes))
{
QString szError = QString("Sorry, your DCC %1 request can't be satisfied: %2").arg(dcc->szType.ptr(), errText);
- dcc_module_reply_errmsg(dcc,szError);
+ //since szError contains an user-suppplied string, we simplify it to avoid any kind of injection (bug #858)
+ dcc_module_reply_errmsg(dcc,szError.simplified());
}
}
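Review bot: `szError.simplified()` on the new line only normalizes whitespace (QChar::isSpace, which covers CR and LF, so a second IRC command can no longer be smuggled into the reply); it leaves non-whitespace control characters such as the CTCP 0x01 delimiter untouched, so unless `dcc_module_reply_errmsg` encodes those itself, `dcc->szType` and `errText` should also be filtered before the message is built. Filtering the two arguments before `arg()` rather than the composed message would also leave the fixed template text alone and make it visible which values are untrusted, e.g. `.arg(QString(dcc->szType.ptr()).simplified(), errText.simplified())`. The new comment has a typo, `suppplied`. The enclosing function starts outside the hunk.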
Index: src/kvirc/sparser/kvi_sp_ctcp.cpp
===================================================================
--- src/kvirc/sparser/kvi_sp_ctcp.cpp (revision 4692)
+++ src/kvirc/sparser/kvi_sp_ctcp.cpp (revision 4693)
@@ -626,7 +626,7 @@
}
-const char * KviServerParser::extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks)
+const char * KviServerParser::extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks, bool bSafeOnly)
{
//
// This one extracts the "next" ctcp parameter in msg_ptr
@@ -658,17 +658,20 @@
{
case '\\':
// backslash : escape sequence
- if(msg_ptr != begin)buffer.append(begin,msg_ptr - begin);
- msg_ptr++;
- if(*msg_ptr)
- {
- // decode the escape
- msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
- begin = msg_ptr;
+ if(bSafeOnly)msg_ptr++;
+ else {
+ if(msg_ptr != begin)buffer.append(begin,msg_ptr - begin);
+ msg_ptr++;
+ if(*msg_ptr)
+ {
+ // decode the escape
+ msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
+ begin = msg_ptr;
+ }
+ // else it is a senseless trailing backslash.
+ // Just ignore and let the function
+ // return spontaneously.
}
- // else it is a senseless trailing backslash.
- // Just ignore and let the function
- // return spontaneously.
break;
case ' ':
// space : separate tokens if not in string
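Review bot: In safe mode the new `if(bSafeOnly)msg_ptr++;` steps past the backslash without touching `begin`, so the backslash stays inside the pending `begin..msg_ptr` span and is copied into `buffer` verbatim by whichever later `buffer.append(begin,msg_ptr - begin)` flushes it; the QString overload's matching hunk (`@@ -743,15 +746,18 @@`) has no `begin` pointer, so if that version emits characters individually the same `msg_ptr++` drops the backslash instead. The two overloads would then return different text for the same input when `bSafeOnly` is set; a comment stating the intended result, e.g. `// bSafeOnly: keep the backslash as plain text, never decode the escape`, plus a unit test on both overloads would pin it down. The character after the backslash is presumably re-examined by the next loop iteration, which is fine as long as that is what the comment promises. The enclosing function starts before and ends after the hunk.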
@@ -683,7 +686,7 @@
}
break;
case '"':
- if(bInString)
+ if(bInString && !bSafeOnly)
{
// A string terminator. We don't return
// immediately since if !bSpaceBreaks
@@ -711,7 +714,7 @@
return msg_ptr;
}
-const char * KviServerParser::extractCtcpParameter(const char * p_msg_ptr,QString &resultBuffer,bool bSpaceBreaks)
+const char * KviServerParser::extractCtcpParameter(const char * p_msg_ptr,QString &resultBuffer,bool bSpaceBreaks, bool bSafeOnly)
{
//
// This one extracts the "next" ctcp parameter in p_msg_ptr
@@ -743,15 +746,18 @@
{
case '\\':
// backslash : escape sequence
- msg_ptr++;
- if(*msg_ptr)
- {
- // decode the escape
- msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
+ if(bSafeOnly)msg_ptr++;
+ else {
+ msg_ptr++;
+ if(*msg_ptr)
+ {
+ // decode the escape
+ msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
+ }
+ // else it is a senseless trailing backslash.
+ // Just ignore and let the function
+ // return spontaneously.
}
- // else it is a senseless trailing backslash.
- // Just ignore and let the function
- // return spontaneously.
break;
case ' ':
// space : separate tokens if not in string
@@ -769,7 +775,7 @@
}
break;
case '"':
- if(bInString)
+ if(bInString && !bSafeOnly)
{
// A string terminator. We don't return
// immediately since if !bSpaceBreaks
@@ -1707,7 +1713,7 @@
{
KviDccRequest p;
KviStr aux = msg->pData;
- msg->pData = extractCtcpParameter(msg->pData,p.szType);
+ msg->pData = extractCtcpParameter(msg->pData,p.szType, true, true);
msg->pData = extractCtcpParameter(msg->pData,p.szParam1);
msg->pData = extractCtcpParameter(msg->pData,p.szParam2);
msg->pData = extractCtcpParameter(msg->pData,p.szParam3);
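Review bot: `extractCtcpParameter(msg->pData,p.szType, true, true)` passes two positional booleans, so a reader has to open the header to learn that the second `true` disables escape and quote processing; a trailing comment such as `// bSafeOnly: szType is echoed back in DCC error replies, keep it undecoded` records the reason at the call site. Only `szType` receives the safe treatment while `szParam1..3` on the following lines are still fully decoded, so if any of those is also formatted into a reply or a path, the `simplified()` call in requests.cpp is the only remaining filter. The enclosing function starts outside the hunk.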
Index: src/kvirc/sparser/kvi_sparser.h
===================================================================
--- src/kvirc/sparser/kvi_sparser.h (revision 4692)
+++ src/kvirc/sparser/kvi_sparser.h (revision 4693)
@@ -260,8 +260,8 @@
static void encodeCtcpParameter(const char * param,QString &buffer,bool bSpaceBreaks = true);
static const char * decodeCtcpEscape(const char * msg_ptr,KviStr &buffer);
static const char * decodeCtcpEscape(const char * msg_ptr,QByteArray &buffer);
- static const char * extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks = true);
- static const char * extractCtcpParameter(const char * msg_ptr,QString &buffer,bool bSpaceBreaks = true);
+ static const char * extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks = true, bool bSafeOnly=false);
+ static const char * extractCtcpParameter(const char * msg_ptr,QString &buffer,bool bSpaceBreaks = true, bool bSafeOnly=false);
};
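Review bot: The new `bSafeOnly` parameter is undocumented, and the header is where callers will look for its meaning; add a comment above the two declarations along the lines of `// bSafeOnly: do not decode backslash escapes and do not treat '"' as a string terminator; the characters are left in the output as-is`. It is also worth stating that the `false` default preserves the pre-existing behaviour for all other callers, so nobody later "normalizes" the default to `true`.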
#ifndef _KVI_SPARSER_CPP_
Index: kvirc.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kvirc/devel/kvirc.spec,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -p -r1.26 -r1.27
--- kvirc.spec 27 Jul 2010 20:06:14 -0000 1.26
+++ kvirc.spec 27 Jul 2010 22:43:01 -0000 1.27
@@ -6,6 +6,10 @@ Group: Applications/Internet
License: GPLv2+ with exceptions
URL: http://kvirc.net/
Source0: ftp://ftp.kvirc.de/pub/kvirc/4.0.0/source/%{name}-%{version}.tar.bz2
+# Fix for remote command execution vulnerability
+# https://svn.kvirc.de/kvirc/ticket/858
+# https://svn.kvirc.de/kvirc/changeset/4693
+Patch0: kvirc-fix-remote-execution.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: kdelibs4-devel audiofile-devel esound-devel glib2-devel
BuildRequires: python-devel perl-ExtUtils-Embed dbus-devel
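Review bot: The changelog entry added further down declares `4.0.0-3`, but no hunk in this diff touches the `Release:` tag; this first hunk begins at line 6 with three lines of context, so the lines above it, where `Release:` normally sits, are unchanged and the package would presumably still build as release 2 with a changelog that disagrees. Bump the tag to `Release: 3%{?dist}` in the same change so the changelog, NVR and the security fix travel together.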
@@ -24,7 +28,7 @@ many IRC addicted developers around the
%prep
%setup -q
-
+%patch0
%build
%{cmake} \
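Review bot: `%patch0` is applied without a strip level, so `patch` falls back to its default path matching; the patch's paths (`src/modules/dcc/requests.cpp`, `src/kvirc/sparser/...`) are relative to the extracted tree, so `%patch0 -p0 -b .remote-execution` makes the intent explicit and keeps the backup copies Fedora packaging convention expects.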
@@ -130,6 +134,9 @@ gtk-update-icon-cache %{_datadir}/icons/
%exclude %{_datadir}/%{name}/4.0/doc/README
%changelog
+* Tue Jul 27 2010 Alexey Kurov <nucleo at fedoraproject.org> - 4.0.0-3
+- fix for kvirc#858
+
* Tue Jul 27 2010 Rex Dieter <rdieter at fedoraproject.org> - 4.0.0-2
- rebuild (python27)