core: add CVE ids in ChangeLog

Version 2.7.1
irc: fix crash when receiving a malformed message 352 (who)
2020-03-02 20:43:10 +01:00 · 2020-02-20 20:45:08 +01:00 · 2020-02-14 08:14:31 +01:00 · 2020-02-14 08:11:02 +01:00 · 2020-02-14 08:08:23 +01:00 · 2020-02-14 08:05:19 +01:00
9 changed files with 94 additions and 15 deletions
--- a/ChangeLog.adoc
+++ b/ChangeLog.adoc
@ -15,6 +15,15 @@ https://weechat.org/files/releasenotes/ReleaseNotes-devel.html[release notes]
 (file _ReleaseNotes.adoc_ in sources).


+[[v2.7.1]]
+== Version 2.7.1 (2020-02-20)
+
+Bug fixes::
+
+  * irc: fix crash when a new message 005 is received with longer nick prefixes (CVE-2020-9760)
+  * irc: fix crash when receiving a malformed message 352 (who) (CVE-2020-9759)
+  * irc: fix crash when receiving a malformed message 324 (channel mode) (CVE-2020-8955)
+
 [[v2.7]]
 == Version 2.7 (2019-12-08)

--- a/ReleaseNotes.adoc
+++ b/ReleaseNotes.adoc
@ -17,6 +17,11 @@ https://weechat.org/files/changelog/ChangeLog-devel.html[ChangeLog]
 (file _ChangeLog.adoc_ in sources).


+[[v2.7.1]]
+== Version 2.7.1 (2020-02-20)
+
+Bug fix and maintenance release.
+
 [[v2.7]]
 == Version 2.7 (2019-12-08)

--- a/src/plugins/irc/irc-mode.c
+++ b/src/plugins/irc/irc-mode.c
@ -224,17 +224,20 @@ irc_mode_channel_update (struct t_irc_server *server,
                    current_arg++;
                if (pos[0] == chanmode)
                {
-                    chanmode_found = 1;
-                    if (set_flag == '+')
+                    if (!chanmode_found)
                    {
-                        str_mode[0] = pos[0];
-                        str_mode[1] = '\0';
-                        strcat (new_modes, str_mode);
-                        if (argument)
+                        chanmode_found = 1;
+                        if (set_flag == '+')
                        {
-                            if (new_args[0])
-                                strcat (new_args, " ");
-                            strcat (new_args, argument);
+                            str_mode[0] = pos[0];
+                            str_mode[1] = '\0';
+                            strcat (new_modes, str_mode);
+                            if (argument)
+                            {
+                                if (new_args[0])
+                                    strcat (new_args, " ");
+                                strcat (new_args, argument);
+                            }
                        }
                    }
                }
--- a/src/plugins/irc/irc-nick.c
+++ b/src/plugins/irc/irc-nick.c
@ -643,6 +643,53 @@ irc_nick_set_mode (struct t_irc_server *server, struct t_irc_channel *channel,
    }
 }

+/*
+ * Reallocates the "prefixes" string in all nicks of all channels on the server
+ * (after 005 has been received).
+ */
+
+void
+irc_nick_realloc_prefixes (struct t_irc_server *server,
+                           int old_length, int new_length)
+{
+    struct t_irc_channel *ptr_channel;
+    struct t_irc_nick *ptr_nick;
+    char *new_prefixes;
+
+    for (ptr_channel = server->channels; ptr_channel;
+         ptr_channel = ptr_channel->next_channel)
+    {
+        for (ptr_nick = ptr_channel->nicks; ptr_nick;
+             ptr_nick = ptr_nick->next_nick)
+        {
+            if (ptr_nick->prefixes)
+            {
+                new_prefixes = realloc (ptr_nick->prefixes, new_length + 1);
+                if (new_prefixes)
+                {
+                    ptr_nick->prefixes = new_prefixes;
+                    if (new_length > old_length)
+                    {
+                        memset (ptr_nick->prefixes + old_length,
+                                ' ',
+                                new_length - old_length);
+                    }
+                    ptr_nick->prefixes[new_length] = '\0';
+                }
+            }
+            else
+            {
+                ptr_nick->prefixes = malloc (new_length + 1);
+                if (ptr_nick->prefixes)
+                {
+                    memset (ptr_nick->prefixes, ' ', new_length);
+                    ptr_nick->prefixes[new_length] = '\0';
+                }
+            }
+        }
+    }
+}
+
 /*
 * Removes a nick from a channel.
 */
--- a/src/plugins/irc/irc-nick.h
+++ b/src/plugins/irc/irc-nick.h
@ -74,6 +74,8 @@ extern void irc_nick_change (struct t_irc_server *server,
 extern void irc_nick_set_mode (struct t_irc_server *server,
                               struct t_irc_channel *channel,
                               struct t_irc_nick *nick, int set, char mode);
+extern void irc_nick_realloc_prefixes (struct t_irc_server *server,
+                                       int old_length, int new_length);
 extern void irc_nick_free (struct t_irc_server *server,
                           struct t_irc_channel *channel,
                           struct t_irc_nick *nick);
--- a/src/plugins/irc/irc-protocol.c
+++ b/src/plugins/irc/irc-protocol.c
@ -4689,7 +4689,7 @@ IRC_PROTOCOL_CALLBACK(352)

    if (argc > 8)
    {
-        arg_start = (strcmp (argv[8], "*") == 0) ? 9 : 8;
+        arg_start = ((argc > 9) && (strcmp (argv[8], "*") == 0)) ? 9 : 8;
        if (argv[arg_start][0] == ':')
        {
            pos_attr = NULL;
--- a/src/plugins/irc/irc-server.c
+++ b/src/plugins/irc/irc-server.c
@ -988,11 +988,15 @@ irc_server_set_prefix_modes_chars (struct t_irc_server *server,
                                   const char *prefix)
 {
    char *pos;
-    int i, length_modes, length_chars;
+    int i, old_length_chars, length_modes, length_chars;

    if (!server || !prefix)
        return;

+    old_length_chars = (server->prefix_chars) ?
+        strlen (server->prefix_chars) :
+        strlen (irc_server_prefix_chars_default);
+
    /* free previous values */
    if (server->prefix_modes)
    {
@ -1032,6 +1036,13 @@ irc_server_set_prefix_modes_chars (struct t_irc_server *server,
            }
        }
    }
+
+    length_chars = (server->prefix_chars) ?
+        strlen (server->prefix_chars) :
+        strlen (irc_server_prefix_chars_default);
+
+    if (length_chars != old_length_chars)
+        irc_nick_realloc_prefixes (server, old_length_chars, length_chars);
 }

 /*
--- a/version.sh
+++ b/version.sh
@ -32,9 +32,9 @@
 #     devel-patch  the patch version of devel (e.g. 2 for version 1.4.2)
 #

-WEECHAT_STABLE=2.7
-WEECHAT_DEVEL=2.7
-WEECHAT_DEVEL_FULL=2.7
+WEECHAT_STABLE=2.7.1
+WEECHAT_DEVEL=2.7.1
+WEECHAT_DEVEL_FULL=2.7.1

 if [ $# -lt 1 ]; then
    echo >&2 "Syntax: $0 stable|devel|devel-full|devel-major|devel-minor|devel-patch"
--- a/weechat.spec
+++ b/weechat.spec
@ -23,7 +23,7 @@
 #

 %define name weechat
-%define version 2.7
+%define version 2.7.1
 %define release 1

 Name:      %{name}
@ -82,6 +82,8 @@ rm -rf $RPM_BUILD_ROOT
 %{_prefix}/share/icons/hicolor/512x512/apps/weechat.png

 %changelog
+* Thu Feb 20 2020 Sébastien Helleu <flashcode@flashtux.org> 2.7.1-1
+- Released version 2.7.1
 * Sun Dec 08 2019 Sébastien Helleu <flashcode@flashtux.org> 2.7-1
 - Released version 2.7
 * Sun Sep 08 2019 Sébastien Helleu <flashcode@flashtux.org> 2.6-1
Author	SHA1	Message	Date
Sébastien Helleu	d50d32629f	core: add CVE ids in ChangeLog	2020-03-02 20:43:10 +01:00
Sébastien Helleu	5c0aa1aae7	Version 2.7.1	2020-02-20 20:45:08 +01:00
Sébastien Helleu	c827d6fa86	irc: fix crash when receiving a malformed message 352 (who) Thanks to Stuart Nevans Locke for reporting the issue.	2020-02-14 08:14:31 +01:00
Sébastien Helleu	694b5c9f87	irc: fix crash when a new message 005 is received with longer nick prefixes Thanks to Stuart Nevans Locke for reporting the issue.	2020-02-14 08:11:02 +01:00
Sébastien Helleu	51a739df61	irc: fix crash when receiving a malformed message 324 (channel mode) (CVE-2020-8955) Thanks to Stuart Nevans Locke for reporting the issue.	2020-02-14 08:08:23 +01:00
Sébastien Helleu	410a12b2ae	Version 2.7.1-dev	2020-02-14 08:05:19 +01:00