- Apply patch for bnc#958928 CVE-2015-8547:

* CVE-2015-8547.patch OBS-URL: https://build.opensuse.org/package/show/KDE:Extra/quassel?expand=0&rev=39
2016-02-07 09:52:09 +00:00 · 2016-02-07 09:52:09 +00:00 · b3730a8132
commit b3730a8132
parent 45881f9633
3 changed files with 32 additions and 1 deletions
--- a/CVE-2015-8547.patch
+++ b/CVE-2015-8547.patch
@ -0,0 +1,22 @@
+From 476aaa050f26d6a31494631d172724409e4c569b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Konstantin=20Bl=C3=A4si?= <kblaesi@gmail.com>
+Date: Wed, 21 Oct 2015 03:26:02 +0200
+Subject: [PATCH] Fixes a crash of the core when executing "/op *" in a query.
+
+---
+ src/core/coreuserinputhandler.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/coreuserinputhandler.cpp b/src/core/coreuserinputhandler.cpp
+index 7887a92..73aac48 100644
+--- a/src/core/coreuserinputhandler.cpp
+++ b/src/core/coreuserinputhandler.cpp
+@@ -228,7 +228,7 @@ void CoreUserInputHandler::doMode(const BufferInfo &bufferInfo, const QChar& add
+     if (!isNumber || maxModes == 0) maxModes = 1;
+ 
+     QStringList nickList;
+-    if (nicks == "*") { // All users in channel
+    if (nicks == "*" && bufferInfo.type() == BufferInfo::ChannelBuffer) { // All users in channel
+         const QList<IrcUser*> users = network()->ircChannel(bufferInfo.bufferName())->ircUsers();
+         foreach(IrcUser *user, users) {
+             if ((addOrRemove == '+' && !network()->ircChannel(bufferInfo.bufferName())->userModes(user).contains(mode))
--- a/quassel.changes
+++ b/quassel.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Dec 14 12:14:48 UTC 2015 - tchvatal@suse.com
+
+- Apply patch for bnc#958928 CVE-2015-8547:
+  * CVE-2015-8547.patch
+
 -------------------------------------------------------------------
 Sun Nov 15 12:16:24 UTC 2015 - vbabka@suse.com

--- a/quassel.spec
+++ b/quassel.spec
@ -1,7 +1,7 @@
 #
 # spec file for package quassel
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -35,6 +35,8 @@ Patch0:         quassel-set-required-libs-and-flags.patch
 Patch1:         Fix-build-with-Qt-5.5.patch
 # PATCH-FIX-UPSTREAM Fix-rejoining-parted-channels.patch
 Patch2:         Fix-rejoining-parted-channels.patch
+# PATCH-FIX-UPSTREAM: fix CVE-2015-8547
+Patch3:         CVE-2015-8547.patch
 BuildRequires:  cmake >= 2.8.10
 BuildRequires:  extra-cmake-modules
 BuildRequires:  fdupes
@ -163,6 +165,7 @@ This contains common parts shared by %{name} and %{name}-client
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1

 %build
 FAKE_BUILDDATE=$(LC_ALL=C date -r %{_sourcedir}/%{name}.changes '+%%b %%e %%Y')