* [Buildroot] [PATCH] irssi: security bump to version 1.0.2
@ 2017-03-14 15:00 Peter Korsgaard
From: Peter Korsgaard @ 2017-03-14 15:00 UTC (permalink / raw)
To: buildroot
Fixes CWE-416 (use after free condition during netjoin processing). No CVE
assigned yet:
https://irssi.org/security/irssi_sa_2017_03.txt
Notice that the 0.8.x series is not believed to be vulnerable to this
specific issue. From the advisory:
Affected versions
-----------------
Irssi up to and including 1.0.1
We believe Irssi 0.8.21 and prior are not affected since a different
code path causes the netjoins to be flushed prior to reaching the use
after free condition.
Openssl is no longer optional, so select it and drop the enable/disable
handling.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
| 1 +
| 2 +-
| 11 ++---------
3 files changed, 4 insertions(+), 10 deletions(-)
--git a/package/irssi/Config.in b/package/irssi/Config.in
index 7d2920178..2cdd06c87 100644
--- a/package/irssi/Config.in
+++ b/package/irssi/Config.in
@@ -2,6 +2,7 @@ config BR2_PACKAGE_IRSSI
bool "irssi"
select BR2_PACKAGE_LIBGLIB2
select BR2_PACKAGE_NCURSES
+ select BR2_PACKAGE_OPENSSL
depends on BR2_USE_WCHAR # libglib2
depends on BR2_TOOLCHAIN_HAS_THREADS # libglib2
depends on BR2_USE_MMU # fork()
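Review bot: the new `select BR2_PACKAGE_OPENSSL` makes the dependency unconditional, which matches the commit message, but two follow-ups belong with it: the package help text further down in Config.in (outside this hunk) should no longer describe SSL/TLS support as depending on whether openssl is enabled, and if BR2_PACKAGE_OPENSSL carries any `depends on` of its own, those need to be mirrored here, since a bare select does not propagate them.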
--git a/package/irssi/irssi.hash b/package/irssi/irssi.hash
index b1048bf8f..f1472e04b 100644
--- a/package/irssi/irssi.hash
+++ b/package/irssi/irssi.hash
@@ -1,2 +1,2 @@
# Locally calculated after checking pgp signature
-sha256 e433063b8714dcf17438126902c9a9d5c97944b3185ecd0fc5ae25c4959bf35a irssi-0.8.21.tar.xz
+sha256 5c1c3cc2caf103aad073fadeb000e0f8cb3b416833a7f43ceb8bd9fcf275fbe9 irssi-1.0.2.tar.xz
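Review bot: the sha256 line is the only integrity check Buildroot applies to a tarball fetched from the GitHub releases URL used in irssi.mk, so the "after checking pgp signature" comment carries the real provenance claim; for a security-motivated bump it would help to record which upstream signing key or fingerprint was verified, so that the next bump can confirm the release is signed by the same key rather than re-establishing trust from scratch.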
--git a/package/irssi/irssi.mk b/package/irssi/irssi.mk
index e467f8989..7df7bbc44 100644
--- a/package/irssi/irssi.mk
+++ b/package/irssi/irssi.mk
@@ -4,27 +4,20 @@
#
################################################################################
-IRSSI_VERSION = 0.8.21
+IRSSI_VERSION = 1.0.2
IRSSI_SOURCE = irssi-$(IRSSI_VERSION).tar.xz
# Do not use the github helper here. The generated tarball is *NOT* the
# same as the one uploaded by upstream for the release.
IRSSI_SITE = https://github.com/irssi/irssi/releases/download/$(IRSSI_VERSION)
IRSSI_LICENSE = GPLv2+
IRSSI_LICENSE_FILES = COPYING
-IRSSI_DEPENDENCIES = host-pkgconf libglib2 ncurses
+IRSSI_DEPENDENCIES = host-pkgconf libglib2 ncurses openssl
IRSSI_CONF_OPTS = \
--disable-glibtest \
--with-ncurses=$(STAGING_DIR)/usr \
--without-perl
-ifeq ($(BR2_PACKAGE_OPENSSL),y)
-IRSSI_CONF_OPTS += --enable-ssl
-IRSSI_DEPENDENCIES += openssl
-else
-IRSSI_CONF_OPTS += --disable-ssl
-endif
-
ifeq ($(BR2_PACKAGE_IRSSI_PROXY),y)
IRSSI_CONF_OPTS += --with-proxy
# If shared libs are disabled, 'proxy' has to go in the list of built-in
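Review bot: dropping the `--enable-ssl`/`--disable-ssl` branch is consistent with the commit message, but this hunk also jumps a major version (0.8.21 to 1.0.2) while leaving `--disable-glibtest`, `--with-ncurses=$(STAGING_DIR)/usr`, `--without-perl` and the `--with-proxy` handling untouched; confirm against the 1.0.2 configure script that these options still exist and that SSL can indeed no longer be disabled, since autoconf silently ignores unknown `--enable`/`--with` options and a stale one would mask a build-configuration change.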
--
2.11.0
* [Buildroot] [PATCH] irssi: security bump to version 1.0.2
From: Thomas Petazzoni @ 2017-03-14 21:01 UTC (permalink / raw)
To: buildroot
Hello,
On Tue, 14 Mar 2017 16:00:39 +0100, Peter Korsgaard wrote:
> Fixes CWE-416 (use after free condition during netjoin processing). No CVE
> assigned yet:
>
> https://irssi.org/security/irssi_sa_2017_03.txt
>
> Notice that the 0.8.x series is not believed to be vulnerable to this
> specific issue. From the advisory:
>
> Affected versions
> -----------------
>
> Irssi up to and including 1.0.1
>
> We believe Irssi 0.8.21 and prior are not affected since a different
> code path causes the netjoins to be flushed prior to reaching the use
> after free condition.
So why do you have "security bump" in the commit title? We're using
0.8.21, which is not affected by the issue, so this is not a security
bump IMO, unless I missed something.
Thanks,
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
* [Buildroot] [PATCH] irssi: security bump to version 1.0.2
From: Peter Korsgaard @ 2017-03-14 21:21 UTC (permalink / raw)
To: buildroot
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@free-electrons.com> writes:
> Hello,
> On Tue, 14 Mar 2017 16:00:39 +0100, Peter Korsgaard wrote:
>> Fixes CWE-416 (use after free condition during netjoin processing). No CVE
>> assigned yet:
>>
>> https://irssi.org/security/irssi_sa_2017_03.txt
>>
>> Notice that the 0.8.x series is not believed to be vulnerable to this
>> specific issue. From the advisory:
>>
>> Affected versions
>> -----------------
>>
>> Irssi up to and including 1.0.1
>>
>> We believe Irssi 0.8.21 and prior are not affected since a different
>> code path causes the netjoins to be flushed prior to reaching the use
>> after free condition.
> So why do you have "security bump" in the commit title ? We're using
> 0.8.21, which is not affected by the issue, so this is not a security
> bump IMO, unless I missed something.
Well, it is both. 1.0.2 is a security fix for 1.0.1, but as we hadn't
moved to the 1.0.x series yet it isn't a pure security bump.
I saw the alert so I started working on the update, and only at the end
noticed that the issue didn't actually affect the 0.8.x series. I could
have structured it as 2 separate patches, a bump from 0.8.21 -> 1.0.1 +
a security bump to 1.0.2, but that seemed a bit silly to me.
I can reword the commit text if you have a good idea about how to
explain it?
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH] irssi: security bump to version 1.0.2
From: Thomas Petazzoni @ 2017-03-14 21:33 UTC (permalink / raw)
To: buildroot
Hello,
On Tue, 14 Mar 2017 22:21:56 +0100, Peter Korsgaard wrote:
> Well, it is both. 1.0.2 is a security fix for 1.0.1, but as we hadn't
> moved to the 1.0.x series yet it isn't a pure security bump.
It isn't at all :)
> I saw the alert so I started working on the update, and only at the end
> noticed that the issue didn't actually affect the 0.8.x series. I could
> have structured it as 2 separate patches, a bump from 0.8.21 -> 1.0.1 +
> a security bump to 1.0.2, but that seemed a bit silly to me.
Agreed, 2 patches seem silly.
> I can reword the commit text if you have a good idea about how to
> explain it?
I would simply not indicate in the title that it is a security bump. If
it were a security bump, we would have to apply it to the LTS branch,
while considering what you explained, we do not need to apply this
patch to the LTS branch, because the old 0.8.21 is unaffected. Unless
of course, 0.8.21 is affected by other security issues.
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
* [Buildroot] [PATCH] irssi: security bump to version 1.0.2
From: Peter Korsgaard @ 2017-03-15 10:52 UTC (permalink / raw)
To: buildroot
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@free-electrons.com> writes:
> Hello,
> On Tue, 14 Mar 2017 22:21:56 +0100, Peter Korsgaard wrote:
>> Well, it is both. 1.0.2 is a security fix for 1.0.1, but as we hadn't
>> moved to the 1.0.x series yet it isn't a pure security bump.
> It isn't at all :)
>> I saw the alert so I started working on the update, and only at the end
>> noticed that the issue didn't actually affect the 0.8.x series. I could
>> have structured it as 2 separate patches, a bump from 0.8.21 -> 1.0.1 +
>> a security bump to 1.0.2, but that seemed a bit silly to me.
> Agreed, 2 patches seem silly.
>> I can reword the commit text if you have a good idea about how to
>> explain it?
> I would simply not indicate in the title that it is a security bump. If
> it were a security bump, we would have to apply it to the LTS branch,
> while considering what you explained, we do not need to apply this
> patch to the LTS branch, because the old 0.8.21 is unaffected. Unless
> of course, 0.8.21 is affected by other security issues.
Ok, thanks. Committed after rewording the commit description.
--
Bye, Peter Korsgaard