From c471969e48ea3cc9ce9ea4ac9cf03b5e3b4d069b Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Fri, 5 Feb 2021 15:08:02 +0800
Subject: [PATCH] fix CVE-2019-13045
(cherry picked from commit a5b4f0d904e134dfeff61763b7cc65be3cb55e07)
---
 CVE-2019-13045-pre.patch | 132 +++++++++++++++++++++++++++++++++++++++
 CVE-2019-13045.patch | 54 ++++++++++++++++
 irssi.spec | 8 ++-
 3 files changed, 193 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-13045-pre.patch
 create mode 100644 CVE-2019-13045.patch
diff --git a/CVE-2019-13045-pre.patch b/CVE-2019-13045-pre.patch
new file mode 100644
index 0000000..788f9f5
--- /dev/null
+++ b/CVE-2019-13045-pre.patch
@@ -0,0 +1,132 @@
+From 0a77b366d33bc5e3d7251235defa68650586af4c Mon Sep 17 00:00:00 2001
+From: ailin-nemui
+Date: Thu, 4 Feb 2021 15:44:21 +0800
+Subject: [PATCH] Disconnect SASL properly in case the sasl module got unloaded
+ from server
+
+stops from getting on the network when sasl is unavailable
+
+fixes #629
+---
+ src/fe-common/irc/fe-sasl.c | 22 -------------------
+ src/irc/core/irc-servers-setup.c | 2 +-
+ src/irc/core/sasl.c | 36 ++++++++++++++++++++++++++++++++
+ 3 files changed, 37 insertions(+), 23 deletions(-)
+
+diff --git a/src/fe-common/irc/fe-sasl.c b/src/fe-common/irc/fe-sasl.c
+index fc8105f..ed11f04 100644
+--- a/src/fe-common/irc/fe-sasl.c
++++ b/src/fe-common/irc/fe-sasl.c
+@@ -40,36 +40,14 @@ static void sig_sasl_failure(IRC_SERVER_REC *server, const char *reason)
+ printformat(server, NULL, MSGLEVEL_CRAP, IRCTXT_SASL_ERROR, reason);
+ }
+
+-static void sig_cap_end(IRC_SERVER_REC *server)
+-{
+- /* The negotiation has now been terminated, if we didn't manage to
+- * authenticate successfully with the server just disconnect. */
+- if (!server->sasl_success &&
+- server->connrec->sasl_mechanism != SASL_MECHANISM_NONE &&
+- settings_get_bool("sasl_disconnect_on_failure")) {
+- /* We can't use server_disconnect() here because we'd end up
+- * freeing the 'server' object and be guilty of a slew of UaF. */
+- server->connection_lost = TRUE;
+- /* By setting connection_lost we make sure the communication is
+- * halted and when the control goes back to irc_parse_incoming
+- * the server object is safely destroyed.
*/
+- signal_stop();
+- }
+-
+-}
+-
+ void fe_sasl_init(void)
+ {
+- settings_add_bool("server", "sasl_disconnect_on_failure", TRUE);
+-
+ signal_add("server sasl success", (SIGNAL_FUNC) sig_sasl_success);
+ signal_add("server sasl failure", (SIGNAL_FUNC) sig_sasl_failure);
+- signal_add_first("server cap end", (SIGNAL_FUNC) sig_cap_end);
+ }
+
+ void fe_sasl_deinit(void)
+ {
+ signal_remove("server sasl success", (SIGNAL_FUNC) sig_sasl_success);
+ signal_remove("server sasl failure", (SIGNAL_FUNC) sig_sasl_failure);
+- signal_remove("server cap end", (SIGNAL_FUNC) sig_cap_end);
+ }
+diff --git a/src/irc/core/irc-servers-setup.c b/src/irc/core/irc-servers-setup.c
+index e79557a..0af9390 100644
+--- a/src/irc/core/irc-servers-setup.c
++++ b/src/irc/core/irc-servers-setup.c
+@@ -98,9 +98,9 @@ static void sig_server_setup_fill_chatnet(IRC_SERVER_CONNECT_REC *conn,
+ if (ircnet->sasl_mechanism != NULL) {
+ if (!g_ascii_strcasecmp(ircnet->sasl_mechanism, "plain")) {
+ /* The PLAIN method needs both the username and the password */
++ conn->sasl_mechanism = SASL_MECHANISM_PLAIN;
+ if (ircnet->sasl_username != NULL && *ircnet->sasl_username &&
+ ircnet->sasl_password != NULL && *ircnet->sasl_password) {
+- conn->sasl_mechanism = SASL_MECHANISM_PLAIN;
+ conn->sasl_username = ircnet->sasl_username;
+ conn->sasl_password = ircnet->sasl_password;
+ } else
+diff --git a/src/irc/core/sasl.c b/src/irc/core/sasl.c
+index c5aa2ca..b7abe74 100644
+--- a/src/irc/core/sasl.c
++++ b/src/irc/core/sasl.c
+@@ -301,9 +301,42 @@ static void sasl_disconnected(IRC_SERVER_REC *server)
+ sasl_timeout_stop(server);
+ }
+
++static void sig_sasl_over(IRC_SERVER_REC *server)
++{
++ if (!IS_IRC_SERVER(server))
++ return;
++
++ /* The negotiation has now been terminated, if we didn't manage to
++ * authenticate successfully with the server just disconnect.
*/
++ if (!server->sasl_success &&
++ server->connrec->sasl_mechanism != SASL_MECHANISM_NONE) {
++ if (server->cap_supported == NULL ||
++ !g_hash_table_lookup_extended(server->cap_supported, "sasl", NULL, NULL)) {
++ signal_emit("server sasl failure", 2, server, "The server did not offer SASL");
++ }
++
++ if (settings_get_bool("sasl_disconnect_on_failure")) {
++ /* We can't use server_disconnect() here because we'd end up
++ * freeing the 'server' object and be guilty of a slew of UaF. */
++ server->connection_lost = TRUE;
++ /* By setting connection_lost we make sure the communication is
++ * halted and when the control goes back to irc_parse_incoming
++ * the server object is safely destroyed. */
++ signal_stop();
++ }
++ }
++
++}
++
+ void sasl_init(void)
+ {
++ settings_add_bool("server", "sasl_disconnect_on_failure", TRUE);
++
++ signal_add_first("event 001", (SIGNAL_FUNC) sig_sasl_over);
++ /* this event can get us connected on broken ircds, see irc-servers.c */
++ signal_add_first("event 375", (SIGNAL_FUNC) sig_sasl_over);
+ signal_add_first("server cap ack sasl", (SIGNAL_FUNC) sasl_start);
++ signal_add_first("server cap end", (SIGNAL_FUNC) sig_sasl_over);
+ signal_add_first("event authenticate", (SIGNAL_FUNC) sasl_step);
+ signal_add_first("event 903", (SIGNAL_FUNC) sasl_success);
+ signal_add_first("event 902", (SIGNAL_FUNC) sasl_fail);
+@@ -316,7 +349,10 @@ void sasl_init(void)
+
+ void sasl_deinit(void)
+ {
++ signal_remove("event 001", (SIGNAL_FUNC) sig_sasl_over);
++ signal_remove("event 375", (SIGNAL_FUNC) sig_sasl_over);
+ signal_remove("server cap ack sasl", (SIGNAL_FUNC) sasl_start);
++ signal_remove("server cap end", (SIGNAL_FUNC) sig_sasl_over);
+ signal_remove("event authenticate", (SIGNAL_FUNC) sasl_step);
+ signal_remove("event 903", (SIGNAL_FUNC) sasl_success);
+ signal_remove("event 902", (SIGNAL_FUNC) sasl_fail);
+--
+2.23.0
+
diff --git a/CVE-2019-13045.patch b/CVE-2019-13045.patch
new file mode 100644
index 0000000..35ab8c0
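Review bot: In the irc-servers-setup.c hunk, hoisting `conn->sasl_mechanism = SASL_MECHANISM_PLAIN;` above the credential check means the mechanism is now set even when the else branch only warns about missing fields, so `conn->sasl_username` and `conn->sasl_password` can be NULL while PLAIN is selected. That is what lets sig_sasl_over refuse an unauthenticated session, but it deserves a comment at the assignment, e.g. `/* set unconditionally: a misconfigured PLAIN entry must fail SASL, not silently connect without it */`, and whatever builds the PLAIN response outside this patch presumably needs to tolerate NULL credentials. In sasl.c, sig_sasl_over is hooked on "event 001", "event 375" and "server cap end", so with sasl_disconnect_on_failure turned off the "server sasl failure" signal looks like it can be emitted several times for one connection; a once-per-connection guard would avoid the repeated error. sig_server_setup_fill_chatnet starts and ends outside its hunk.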
--- /dev/null
+++ b/CVE-2019-13045.patch
@@ -0,0 +1,54 @@
+From 5a67b983dc97caeb5df1139aabd0bc4f260a47d8 Mon Sep 17 00:00:00 2001
+From: ailin-nemui
+Date: Mon, 17 Jun 2019 15:22:27 +0200
+Subject: [PATCH] copy sasl username and password values
+
+---
+ src/irc/core/irc-core.c | 2 ++
+ src/irc/core/irc-servers-reconnect.c | 4 ++--
+ src/irc/core/irc-servers-setup.c | 4 ++--
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/irc/core/irc-core.c b/src/irc/core/irc-core.c
+index e65abe255..b5e80f2a0 100644
+--- a/src/irc/core/irc-core.c
++++ b/src/irc/core/irc-core.c
+@@ -75,6 +75,8 @@ static void destroy_server_connect(SERVER_CONNECT_REC *conn)
+
+ g_free_not_null(ircconn->usermode);
+ g_free_not_null(ircconn->alternate_nick);
++ g_free_not_null(ircconn->sasl_username);
++ g_free_not_null(ircconn->sasl_password);
+ }
+
+ void irc_core_init(void)
+diff --git a/src/irc/core/irc-servers-reconnect.c b/src/irc/core/irc-servers-reconnect.c
+index 3d2933f4e..cfe28a1a0 100644
+--- a/src/irc/core/irc-servers-reconnect.c
++++ b/src/irc/core/irc-servers-reconnect.c
+@@ -49,8 +49,8 @@ static void sig_server_connect_copy(SERVER_CONNECT_REC **dest,
+ rec->usermode = g_strdup(src->usermode);
+ rec->alternate_nick = g_strdup(src->alternate_nick);
+ rec->sasl_mechanism = src->sasl_mechanism;
+- rec->sasl_username = src->sasl_username;
+- rec->sasl_password = src->sasl_password;
++ rec->sasl_username = g_strdup(src->sasl_username);
++ rec->sasl_password = g_strdup(src->sasl_password);
+ *dest = (SERVER_CONNECT_REC *) rec;
+ }
+
+diff --git a/src/irc/core/irc-servers-setup.c b/src/irc/core/irc-servers-setup.c
+index 56e52edd0..5f1290a2f 100644
+--- a/src/irc/core/irc-servers-setup.c
++++ b/src/irc/core/irc-servers-setup.c
+@@ -101,8 +101,8 @@ static void sig_server_setup_fill_chatnet(IRC_SERVER_CONNECT_REC *conn,
+ conn->sasl_mechanism = SASL_MECHANISM_PLAIN;
+ if (ircnet->sasl_username != NULL && *ircnet->sasl_username &&
+ ircnet->sasl_password != NULL && *ircnet->sasl_password) {
+- conn->sasl_username
= ircnet->sasl_username;
+- conn->sasl_password = ircnet->sasl_password;
++ conn->sasl_username = g_strdup(ircnet->sasl_username);
++ conn->sasl_password = g_strdup(ircnet->sasl_password);
+ } else
+ g_warning("The fields sasl_username and sasl_password are either missing or empty");
+ }
diff --git a/irssi.spec b/irssi.spec
index 389fd5c..586487a 100644
--- a/irssi.spec
+++ b/irssi.spec
@@ -2,12 +2,15 @@
 Name: irssi
 Version: 1.1.2
-Release: 2
+Release: 3
 Summary: A modular char client.
 License: GPLv2+
 URL: http://irssi.org/
 Source0: https://github.com/irssi/irssi/releases/download/%{version}/irssi-%{version}.tar.xz
 Source1: irssi-config.h
+Patch0000: CVE-2019-13045-pre.patch
+Patch0001: CVE-2019-13045.patch
+
 BuildRequires: ncurses-devel openssl-devel zlib-devel autoconf automake libtool
 BuildRequires: pkgconfig glib2-devel perl-devel perl-generators perl(ExtUtils::Embed)
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
@@ -59,5 +62,8 @@ chmod -R u+w $RPM_BUILD_ROOT%{perl_vendorarch}
 %{_includedir}/irssi/
 %changelog
+* Thu Feb 04 2021 wangyue - 1.1.2-3
+- fix CVE-2019-13045
+
 * Wed Apr 22 2020 chengzihan - 1.1.2-2
 - Package init
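Review bot: In the irc-servers-setup.c hunk of CVE-2019-13045.patch, the new `g_strdup()` assignments overwrite `conn->sasl_username` and `conn->sasl_password` without releasing what the fields held before, so if sig_server_setup_fill_chatnet can run on a record that already carries copies (not visible here) the old strings leak; `g_free(conn->sasl_username); conn->sasl_username = g_strdup(ircnet->sasl_username);` and the same for the password would close that. Because destroy_server_connect now frees both fields, every other writer of them must also store an owned copy, which is worth a one-line comment at the two `g_free_not_null` calls such as `/* owned copies, see sig_server_connect_copy and sig_server_setup_fill_chatnet */`. As a hardening step, the password could be overwritten before `g_free_not_null(ircconn->sasl_password)` so the SASL secret does not linger in freed heap memory, using a wipe the compiler cannot optimise away. All three functions start or end outside their hunks.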