Debian Bug report logs - #852275
hexchat: CVE-2016-2087

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 23 Jan 2017 05:33:02 UTC

Severity: important

Tags: security

Found in version hexchat/2.10.1-1

Fixed in version hexchat/2.12.4-4

Done: Mattia Rizzolo <mattia@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#852275; Package src:hexchat. (Mon, 23 Jan 2017 05:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mattia Rizzolo <mattia@debian.org>. (Mon, 23 Jan 2017 05:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: hexchat: CVE-2016-2087
Date: Mon, 23 Jan 2017 06:31:18 +0100
Source: hexchat
Version: 2.10.1-1
Severity: important
Tags: security

Hi,

the following vulnerability was published for hexchat. Opening a bug
to have a BTS reference.

CVE-2016-2087[0]:
| Directory traversal vulnerability in the client in HexChat 2.11.0
| allows remote IRC servers to read or modify arbitrary files via a ..
| (dot dot) in the server name.

As noted by Mattia Rizzolo already, the fixing commit is reverted in
the Debian packaging due to regression for some use cases, and waiting
for a better fix.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-2087
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2087

Regards,
Salvatore
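To show the shape of the flaw described in the CVE text above, here is an added example (constructed for this page; it is not HexChat's code and not upstream commit 15600f405f2d5bda6ccf0dd73957395716e0d4d3): a scrollback path built straight from the server name, beside a version that first collapses the name to a single path component, and a lexical containment check to run before the file is opened. The directory layout, file naming and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Vulnerable form (constructed, not HexChat's code): the server name is
   spliced into the scrollback path unchanged, so ".." and "/" in it
   become path components of their own. */
void naive_scrollback_path(char *out, size_t n, const char *base,
                           const char *server, const char *chan)
{
    snprintf(out, n, "%s/%s/%s.txt", base, server, chan);
}

/* Reduce an untrusted name to exactly one path component: '/', '\\' and
   control bytes become '_'; a result of "", "." or ".." becomes "_".
   Returns 1 if anything changed, a signal worth logging. */
int sanitize_component(char *dst, size_t n, const char *src)
{
    size_t i = 0; int changed = 0;
    if (n < 3) { if (n) dst[0] = '\0'; return 0; }
    for (; src[i] && i + 1 < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) { dst[i] = '_'; changed = 1; }
        else dst[i] = (char)c;
    }
    dst[i] = '\0';
    if (i == 0 || !strcmp(dst, ".") || !strcmp(dst, "..")) { strcpy(dst, "_"); changed = 1; }
    return changed;
}

/* Hardened form: both names pass through the sanitizer first. */
void safe_scrollback_path(char *out, size_t n, const char *base,
                          const char *server, const char *chan)
{
    char s[256], c[256];
    sanitize_component(s, sizeof s, server);
    sanitize_component(c, sizeof c, chan);
    snprintf(out, n, "%s/%s/%s.txt", base, s, c);
}

/* Defence in depth before open(): path must start with "base/" and no
   later component may be "..". */
int path_under_dir(const char *path, const char *base)
{
    size_t bl = strlen(base), rl; const char *rest;
    if (strncmp(path, base, bl) != 0 || path[bl] != '/') return 0;
    rest = path + bl + 1;
    rl = strlen(rest);
    if (!strcmp(rest, "..") || !strncmp(rest, "../", 3) || strstr(rest, "/../") ||
        (rl >= 3 && !strcmp(rest + rl - 3, "/.."))) return 0;
    return 1;
}
```

Rewriting the server component also changes the directory name existing scrollback lives under, which illustrates why a fix of this shape can cost users their old scrollback, the trade-off the 2.12.4-4 changelog accepts.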



Information forwarded to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#852275; Package src:hexchat. (Sat, 03 Jun 2017 20:57:13 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>. (Sat, 03 Jun 2017 20:57:13 GMT)


Message #10 received at 852275@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 852275@bugs.debian.org
Subject: Re: hexchat: CVE-2016-2087
Date: Sat, 3 Jun 2017 22:56:30 +0200

On Mon, Jan 23, 2017 at 06:31:18AM +0100, Salvatore Bonaccorso wrote:
> Source: hexchat
> Version: 2.10.1-1
> Severity: important
> Tags: security
> 
> Hi,
> 
> the following vulnerability was published for hexchat. Opening a bug
> to have a BTS reference.
> 
> CVE-2016-2087[0]:
> | Directory traversal vulnerability in the client in HexChat 2.11.0
> | allows remote IRC servers to read or modify arbitrary files via a ..
> | (dot dot) in the server name.
> 
> As noted by Mattia Rizzolo already, the fixing commit is reverted in
> the Debian packaging due to regression for some use cases, and waiting
> for a better fix.

What's the status? Is there now a proper fix?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#852275; Package src:hexchat. (Sat, 01 Jul 2017 14:30:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>. (Sat, 01 Jul 2017 14:30:02 GMT)


Message #15 received at 852275@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Mattia Rizzolo <mattia@mapreri.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 852275@bugs.debian.org
Subject: Re: Bug#852275: hexchat: CVE-2016-2087
Date: Sat, 1 Jul 2017 16:26:54 +0200

Hi Mattia,

On Sat, Jun 03, 2017 at 10:56:30PM +0200, Moritz Muehlenhoff wrote:
> On Mon, Jan 23, 2017 at 06:31:18AM +0100, Salvatore Bonaccorso wrote:
> > Source: hexchat
> > Version: 2.10.1-1
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > 
> > the following vulnerability was published for hexchat. Opening a bug
> > to have a BTS reference.
> > 
> > CVE-2016-2087[0]:
> > | Directory traversal vulnerability in the client in HexChat 2.11.0
> > | allows remote IRC servers to read or modify arbitrary files via a ..
> > | (dot dot) in the server name.
> > 
> > As noted by Mattia Rizzolo already, the fixing commit is reverted in
> > the Debian packaging due to regression for some use cases, and waiting
> > for a better fix.
> 
> What's the status? Is there now a proper fix?

Do you have news on the above query from Moritz?

Regards,
Salvatore



Reply sent to Mattia Rizzolo <mattia@debian.org>:
You have taken responsibility. (Fri, 14 Jul 2017 15:21:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 14 Jul 2017 15:21:11 GMT)


Message #20 received at 852275-close@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: 852275-close@bugs.debian.org
Subject: Bug#852275: fixed in hexchat 2.12.4-4
Date: Fri, 14 Jul 2017 15:18:29 +0000
Source: hexchat
Source-Version: 2.12.4-4

We believe that the bug you reported is fixed in the latest version of
hexchat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 852275@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated hexchat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 14 Jul 2017 16:12:32 +0200
Source: hexchat
Binary: hexchat hexchat-common hexchat-perl hexchat-python hexchat-python2 hexchat-python3 hexchat-lua hexchat-plugins hexchat-dev
Architecture: source
Version: 2.12.4-4
Distribution: unstable
Urgency: medium
Maintainer: Mattia Rizzolo <mattia@debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Description:
 hexchat    - IRC client for X based on X-Chat 2
 hexchat-common - Common files for HexChat
 hexchat-dev - Development files for HexChat
 hexchat-lua - Lua plugin for HexChat
 hexchat-perl - Perl plugin for HexChat
 hexchat-plugins - Common plugins for HexChat
 hexchat-python - transitional dummy package
 hexchat-python2 - Python 2 plugin for HexChat
 hexchat-python3 - Python 3 plugin for HexChat
Closes: 852275
Changes:
 hexchat (2.12.4-4) unstable; urgency=medium
 .
   * Stop reverting upstream commit 15600f405f2d5bda6ccf0dd73957395716e0d4d3.
     This means users will lose their scrollback right after updating, but
     that's what upstream did and we have no real reasons to indefinitely
     diverge from them just to wait for a nicer fix.
     Closes: #852275; CVE-2016-2087
   * d/control: Bump Standards-Version to 4.0.0, no changes needed
   * d/copyright: bump my copyright year for debian/ to cover 2017
Checksums-Sha1:
 ba22f000c9362dd4e53e55570ccfef974f556f4d 2740 hexchat_2.12.4-4.dsc
 f5a7c8c40c8ca9a0e224751b10dbe687e3c4172d 32020 hexchat_2.12.4-4.debian.tar.xz
 48139f8883a7d195a1ee512b1f91b98748505a16 16107 hexchat_2.12.4-4_amd64.buildinfo
Checksums-Sha256:
 3a57e1af62a6eea241d9b6efcd8cb5feebe89b16f39eefa5ef59da6fa2918818 2740 hexchat_2.12.4-4.dsc
 f5a5ad81575e9928798ec1f78dc8ea545db7b369fb802e1b02f426e961776e21 32020 hexchat_2.12.4-4.debian.tar.xz
 7afc65117b527d8f20a2c62cc0a27001e68f73246378fcb12eca8d0aefd3f5ca 16107 hexchat_2.12.4-4_amd64.buildinfo
Files:
 c8a4280e23fe822ae716a3356ca4f773 2740 net optional hexchat_2.12.4-4.dsc
 1e1873b25119caad4f0ee30fe79f9fc6 32020 net optional hexchat_2.12.4-4.debian.tar.xz
 ab8a3e92604b5a8844c8a1e578c4aed2 16107 net optional hexchat_2.12.4-4_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 19 Aug 2017 07:31:53 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:20:20 2019; Machine Name: buxtehude
