Bug 465006 - <net-irc/hexchat-2.9.5 - buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Keywords: STABLEREQ
Duplicates: 469092
Reported: 2013-04-07 20:01 UTC by Rick Farina (Zero_Chaos)
Modified: 2013-09-03 16:38 UTC
Description Rick Farina (Zero_Chaos) gentoo-dev 2013-04-07 20:01:37 UTC
http://www.mattandreko.com/2013/04/buffer-overflow-in-hexchat-294.html

buffer overflow in 2.9.4 looks pretty legit, maybe stabilize 2.9.5?
Comment 1 Julian Ospald 2013-04-08 11:34:34 UTC
shouldn't this be a security bug?
Comment 2 Denis M. (Phr33d0m) 2013-04-08 12:25:37 UTC
Let's see what security@ decides on this, I recommend two options:
1. Apply patch https://github.com/hexchat/hexchat/commit/8996baa35ee12556a7bf402e3568193dbafec5f1 to the 2.9.4 ebuild(s) which should be trivial.
(and/or)
2. (optional) Stabilize 2.9.5.
Comment 3 Rick Farina (Zero_Chaos) gentoo-dev 2013-04-08 13:16:56 UTC
(In reply to comment #1)
> shouldn't this be a security bug?

From what I understand it's a self-dos security bug.  You overflow yourself by typing "/server <2000 characters>" so it's not exactly a critical security issue and certainly not worth the glsa imho.  Since 2.9.5 fixed a few other issues for my users (something about sound not working in 2.9.4, didn't even look into it at all) I suggested a bump.
Comment 4 Denis M. (Phr33d0m) 2013-04-08 13:28:29 UTC
(In reply to comment #3)
> (In reply to comment #1)
> > shouldn't this be a security bug?
> 
> [..] so it's not exactly a critical security issue
My understanding is that all security issues (either minimal or critical) should go through the security@ team. If I was wrong I apologize for it.

> I suggested a bump.
I agree with either applying the patch to the 2.9.4 ebuilds or stabilizing 2.9.5 and removing the <2.9.5 versions from the tree (as 2.9.3 seems to be vulnerable as well?).
If we remove them from the tree users won't be able to use tcl plugins anymore (as there is tcl support only until 2.9.4). This is not a big deal anyways, as tcl support has been deprecated from hexchat's upstream, I just felt like noting it here.
As I said, I agree with both ideas, although I think applying the patches to 2.9.4 (and keeping it in the tree) is the best solution here.
@hasufell - what do you think?
Comment 5 Denis M. (Phr33d0m) 2013-04-08 13:32:19 UTC
(In reply to comment #4)
> If we remove them from the tree users won't be able to use tcl plugins
> anymore (as there is tcl support only until 2.9.4). This is not a big deal
> anyways, as tcl support has been deprecated from hexchat's upstream, I just
> felt like noting it here.

Edit: I wanted to say that tcl support is available in 2.9.3 only. There is tcl support in 2.9.4 but we forcefully disable it in the ebuild as per upstream's fault, tcl should have been removed from the 2.9.4 release but it wasn't (so they recommended disabling it anyways).

@Zero_Chaos - do we know if this affects 2.9.3 as well? Your link only mentions 2.9.4 but the text.c code hasn't been changed since 2.9.3 so I think it affects it as well.
Comment 6 Rick Farina (Zero_Chaos) gentoo-dev 2013-04-08 13:32:38 UTC
(In reply to comment #4)
> My understanding is that all security issues (either minimal or critical)
> should go through the security@ team. If I was wrong I apologize for it.

you did nothing wrong. involving security on security issues is always an acceptable choice.  since it was so minor I didn't care, but that likely makes me more wrong than you ;-)
Comment 7 Rick Farina (Zero_Chaos) gentoo-dev 2013-04-08 13:33:33 UTC
(In reply to comment #5)

> @Zero_Chaos - do we know if this affects 2.9.3 as well? Your link only
> mentions 2.9.4 but the text.c code hasn't been changed since 2.9.3 so I think
> it affects it as well.

it's not officially listed but pretty sure it affects it, yeah.  this vuln report is not very official looking but it is valid so here we are :-)
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-08 21:16:36 UTC
(In reply to comment #3)
> (In reply to comment #1)
> > shouldn't this be a security bug?
> 
> From what I understand it's a self-dos security bug.  You overflow yourself
> by typing "/server <2000 characters>" so it's not exactly a critical
> security issue and certainly not worth the glsa imho.  Since 2.9.5 fixed a
> few other issues for my users (something about sound not working in 2.9.4,
> didn't even look into it at all) I suggested a bump.

Agreed, but I guess we will take it ;) 

Is 2.9.5 ready for stabilization?
Comment 9 Julian Ospald 2013-04-08 21:52:58 UTC
The latest changes to hexchat ebuilds were non-trivial, so I'd like to wait another week or two if possible.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2013-05-09 13:25:41 UTC
*** Bug 469092 has been marked as a duplicate of this bug. ***
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2013-05-09 13:26:29 UTC
Arch teams, please test and mark stable:
=net-irc/hexchat-2.9.5
Stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2013-05-09 13:26:52 UTC
(Stable for HPPA.)
Comment 13 Agostino Sarubbo gentoo-dev 2013-05-09 14:41:19 UTC
This, for me, is simply a crash and not a security issue... could someone explain why this is considered a security issue and how an attacker could do something?
Comment 14 Elijah "Armageddon" El Lazkani (amd64 AT) 2013-05-10 10:36:31 UTC
amd64: pass
Comment 15 Agostino Sarubbo gentoo-dev 2013-05-11 10:39:19 UTC
amd64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-05-11 11:03:33 UTC
x86 stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-05-11 11:08:04 UTC
alpha stable
Comment 18 Agostino Sarubbo gentoo-dev 2013-05-11 11:09:21 UTC
arm stable
Comment 19 Agostino Sarubbo gentoo-dev 2013-05-11 11:10:24 UTC
ia64 stable
Comment 20 Agostino Sarubbo gentoo-dev 2013-05-11 11:11:20 UTC
ppc64 stable
Comment 21 Agostino Sarubbo gentoo-dev 2013-05-11 11:12:06 UTC
ppc stable
Comment 22 Agostino Sarubbo gentoo-dev 2013-05-11 11:13:35 UTC
sparc stable
Comment 23 Sergey Popov gentoo-dev 2013-09-03 16:03:15 UTC
GLSA vote: no
Comment 24 Tobias Heinlein (RETIRED) gentoo-dev 2013-09-03 16:38:08 UTC
NO too, thanks everyone.