openSUSE has issued an advisory on September 30:
https://lists.opensuse.org/opensuse-updates/2017-09/msg00123.html

The issue was fixed upstream in 1.9.1 and in a commit linked from the SUSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=1060140

Mageia 5 and Mageia 6 are also affected.
CC: (none) => jani.valimaa
Whiteboard: (none) => MGA6TOO, MGA5TOO
Upgraded cauldron to 1.9.1. Added upstream patch to mga6 to fix the CVE. Working on modifying the patch for mga5 (or finding another distro who has already done so).
CC: (none) => mrambo
Assignee: pkg-bugs => mrambo
Updated package uploaded for cauldron. Patched package uploaded for Mageia 6 and 5.

Advisory:
========================

Patched weechat package fixes security vulnerabilities:

It was discovered that logger.c in the logger plugin in WeeChat before 1.9.1 allows a crash via strftime date/time specifiers, because a buffer is not initialized (CVE-2017-14727).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14727
https://security-tracker.debian.org/tracker/CVE-2017-14727
========================

Updated packages in core/updates_testing:
========================
weechat-1.7.1-1.1.mga6
weechat-aspell-1.7.1-1.1.mga6
weechat-charset-1.7.1-1.1.mga6
weechat-devel-1.7.1-1.1.mga6
weechat-guile-1.7.1-1.1.mga6
weechat-lua-1.7.1-1.1.mga6
weechat-perl-1.7.1-1.1.mga6
weechat-python-1.7.1-1.1.mga6
weechat-ruby-1.7.1-1.1.mga6
weechat-tcl-1.7.1-1.1.mga6
weechat-0.4.1-7.2.mga5
weechat-aspell-0.4.1-7.2.mga5
weechat-charset-0.4.1-7.2.mga5
weechat-devel-0.4.1-7.2.mga5
weechat-guile-0.4.1-7.2.mga5
weechat-lua-0.4.1-7.2.mga5
weechat-perl-0.4.1-7.2.mga5
weechat-python-0.4.1-7.2.mga5
weechat-ruby-0.4.1-7.2.mga5
weechat-tcl-0.4.1-7.2.mga5

from:
weechat-1.7.1-1.1.mga6.src.rpm
weechat-0.4.1-7.2.mga5.src.rpm

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=20756#c7
Keywords: (none) => has_procedure
Assignee: mrambo => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
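A defensive pattern for the bug class the advisory names (strftime output read from a buffer that was never initialized), as an added example that is not WeeChat's code or the upstream patch. The names `expand_time_mask` and `sample_tm` are hypothetical and the date is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper, not WeeChat code: expand strftime specifiers from
 * `mask` into `out`. Returns 1 on success, 0 otherwise. On every return
 * path with a usable buffer, `out` holds a NUL-terminated string. */
int expand_time_mask(char *out, size_t out_size,
                     const char *mask, const struct tm *tm)
{
    if (out == NULL || out_size == 0)
        return 0;
    out[0] = '\0';               /* never hand back uninitialized bytes */
    if (mask == NULL || tm == NULL)
        return 0;
    /* strftime returns 0 when the result does not fit or is empty; the
     * array contents are then indeterminate, so reset them explicitly. */
    if (strftime(out, out_size, mask, tm) == 0) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

/* Constructed sample date: 2017-09-30 (only the fields %Y-%m-%d reads). */
struct tm sample_tm(void)
{
    struct tm tm;
    memset(&tm, 0, sizeof tm);
    tm.tm_year = 2017 - 1900;
    tm.tm_mon = 8;               /* months are 0-based */
    tm.tm_mday = 30;
    return tm;
}

int main(void)
{
    struct tm tm = sample_tm();
    char ok[32], tiny[4];
    memset(tiny, 'A', sizeof tiny);   /* stand-in for stale stack data */

    int r1 = expand_time_mask(ok, sizeof ok, "%Y-%m-%d", &tm);
    int r2 = expand_time_mask(tiny, sizeof tiny, "%Y-%m-%d", &tm);
    printf("%d \"%s\"\n%d \"%s\"\n", r1, ok, r2, tiny);
    return 0;
}
```

A caller that ignores the return value still gets an empty string rather than stale memory, which is the property the unpatched code path lacked according to the CVE description.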
Installed and tested without issues. Tests included connecting to a server, joining a chat room, reading and posting messages, and transferring files. I don't usually use weechat, so can't say if all is working as expected, but all I tried seemed to work correctly.

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.89-desktop-1.mga5 #1 SMP Wed Sep 27 16:25:14 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q weechat
weechat-0.4.1-7.2.mga5
CC: (none) => mageia
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Testing on mga6 for x86_64. Needed a refresher on this one. Installed everything in the list and familiarized myself with the interface and as before joined the Mageia QA channel without a password. Nobody talking, waited a while and left. Installed the updates and invoked weechat again. Modified some of the default irc settings after consulting /help and /set irc.*. Set an alias for chat.freenode.net and connected to freenode then /join #mageia-qa. Posted a couple of messages and left the chatroom. We should really check out the scripting facilities but I suspect that might require too much involvement. It all looks perfectly OK.
CC: (none) => tarazed25
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
Advisory from comments 2 + 0. Validating as it has a good test for each of Mageia 5 & 6.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
Closing as Mageia robot failed to do so due to lack of permissions, which has now been fixed.
CC: (none) => davidwhodgins
Resolution: (none) => FIXED
Status: NEW => RESOLVED
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0369.html