http://www.mattandreko.com/2013/04/buffer-overflow-in-hexchat-294.html buffer overflow in 2.9.4 looks pretty legit, maybe stabilize 2.9.5?
shouldn't this be a security bug?
Let's see what security@ decides on this, I recommend two options:
1. Apply patch https://github.com/hexchat/hexchat/commit/8996baa35ee12556a7bf402e3568193dbafec5f1 to the 2.9.4 ebuild(s) which should be trivial.
(and/or)
2. (optional) Stabilize 2.9.5.
(In reply to comment #1)
> shouldn't this be a security bug?
From what I understand it's a self-dos security bug. You overflow yourself by typing "/server <2000 characters>" so it's not exactly a critical security issue and certainly not worth the glsa imho. Since 2.9.5 fixed a few other issues for my users (something about sound not working in 2.9.4, didn't even look into it at all) I suggested a bump.
(In reply to comment #3)
> (In reply to comment #1)
> > shouldn't this be a security bug?
>
> [..] so it's not exactly a critical security issue
My understanding is that all security issues (either minimal or critical) should go through the security@ team. If I was wrong I apologize for it.
> I suggested a bump.
I agree with either applying the patch to the 2.9.4 ebuilds or stabilizing 2.9.5 and removing the <2.9.5 versions from the tree (as 2.9.3 seems to be vulnerable as well?). If we remove them from the tree users won't be able to use tcl plugins anymore (as there is tcl support only until 2.9.4). This is not a big deal anyways, as tcl support has been deprecated from hexchat's upstream, I just felt noticing it here. As I said, I agree with both ideas, although I think applying the patches to 2.9.4 (and keeping it in the tree) is the best solution here.
@hasufell - what do you think?
(In reply to comment #4)
> If we remove them from the tree users won't be able to use tcl plugins
> anymore (as there is tcl support only until 2.9.4). This is not a big deal
> anyways, as tcl support has been deprecated from hexchat's upstream, I just
> felt noticing it here.
Edit: I wanted to say that tcl support is available in 2.9.3 only. There is tcl support in 2.9.4 but we forcefully disable it in the ebuild as per upstream's fault, tcl should have been removed from the 2.9.4 release but it wasn't (so they recommended disabling it anyways).
@Zero_Chaos - do we know if this affects 2.9.3 as well? Your link only notices 2.9.4 but the text.c code hasn't been changed since 2.9.3 so I think it affects it as well.
(In reply to comment #4)
> My understanding is that all security issues (either minimal or critical)
> should go through the security@ team. If I was wrong I apologize for it.
you did nothing wrong. involving security on security issues is always an acceptable choice. since it was so minor I didn't care, but that likely makes me more wrong than you ;-)
(In reply to comment #5)
> @Zero_Chaos - do we know if this affects 2.9.3 as well? Your link only
> notices 2.9.4 but the text.c code hasn't been changed since 2.9.3 so I think
> it affects it as well.
it's not officially listed but pretty sure it affects it yeah. this vuln report is not very official looking but it is valid so here we are :-)
(In reply to comment #3)
> (In reply to comment #1)
> > shouldn't this be a security bug?
>
> From what I understand it's a self-dos security bug. You overflow yourself
> by typing "/server <2000 characters>" so it's not exactly a critical
> security issue and certainly not worth the glsa imho. Since 2.9.5 fixed a
> few other issues for my users (something about sound not working in 2.9.4,
> didn't even look into it at all) I suggested a bump.
Agreed, but I guess we will take it ;) Is 2.9.5 ready for stabilization?
The latest changes to hexchat ebuilds were non-trivial, so I'd like to wait another week or two if possible.
*** Bug 469092 has been marked as a duplicate of this bug. ***
Arch teams, please test and mark stable:
=net-irc/hexchat-2.9.5
Stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
(Stable for HPPA.)
This, for me, is simply a crash and not a security issue... could someone explain why this is considered a security issue and how an attacker could do something?
amd64: pass
amd64 stable
x86 stable
alpha stable
arm stable
ia64 stable
ppc64 stable
ppc stable
sparc stable
GLSA vote: no
NO too, thanks everyone.