Search Results: "kolter"

24 June 2021

Louis-Philippe V ronneau: Hardening Weechat Relays Against RCE on Bullseye

I've been using weechat to connect to IRC since late 2016 and one of its killer feature is relays. They let use other frontends like the Weechat Android app or the amazing Glowing Bear (packaged in Debian Bullseye by yours truly). Sadly, relays also used to be somewhat of a security risk: anyone with access to a relay¹ could run scripts on the machine running weechat by using commands such as /exec or /script. Not great. Since version 2.5 (Buster had version 2.3), you can mitigate this risk by setting a command allowlist for relays. Later versions implemented a sane default by blocking the following commands:

/exec
/fset
/set
/unset
/plugin
/script
/python
/perl
/ruby
/lua
/tcl
/guile
/javascript
/php
/secure
/upgrade
/quit

Sadly, this default didn't make in into Bullseye. If you are running weechat and are using the relays feature, after upgrading to Bullseye, I would recommend you run the following commands in the weechat TUI:

/set relay.weechat.commands *,!exec,!fset,!set,!unset,!plugin,!script,!python,!perl,!ruby,!lua,!tcl,!guile,!javascript,!php,!secure,!upgrade,!quit
/save

For example, someone steals your phone and connects to IRC via the Weechat app...

7 September 2011

Emmanuel Bouthenot: Sympa in Squeeze Backports

For those interested in Sympa, version 6.1.4 has been uploaded to squeeze-backports. This version fixes around two dozen bugs since the version present in squeeze (6.0.1). I strongly recommend to use this version with squeeze as it fixes some very annoying bugs. How to install it: For squeeze users Be sure to have squeeze-backports repository enabled in your sources.list as explained on Debian Backports website then:

apt-get -t squeeze-backports install sympa

For lenny users For lenny users with a running sympa installation who plan to upgrade to squeeze and use sympa from squeeze-backports, it is recommended to upgrade directly from the version 5.3.4 (lenny's version) to 6.1.4. To do so, you just need to add some apt pinning in /etc/apt/preferences (see below) and then dist-ugprade normally.

Package: sympa
Pin: version 6.1.4*
Pin-Priority: 500

Sympa 6.1.6 is already out and should be uploaded in unstable soon, it should also be backported to squeeze-backports if all goes fine. Special thanks to Gerfried (rhonda) and Alexander (formorer) for their work on Debian Backports.

31 December 2009

Debian News: New Debian Developers (December 2009)

The following developers got their Debian accounts in the last month:

Ludovico Cavedon (cavedon)
Gilles Filippini (pini)
Christopher Taylor (ctaylor)
Oliver Korff (okoli)
Franck Joncourt (franck)
Antonio Radici (antonio)
Emmanuel Bouthenot (kolter)
Tim Retout (diocles)
Dario Minnucci (midget)
Hector Oron (zumbi)
Albin Tonnerre (lutin)
Modestas Vainius (modax)
Christoph Egger (christoph)
Andrea Veri (and)

Congratulations!

3 November 2006

Julien Danjou: DeFuBu contest #4

Welcome to this 4th issue of the DeFuBu contest, the monthly championship of the funniest bug reported to the Debian BTS. The challengers

Pierre Habouzit with #316531 (apt-listchanges: closes regex too strict), #390794 (apache2-mpm-prefork: /usr/sbin/apache2 not executable) and #393149 (uae: cannot open display)
kolter with #390263 (uswsusp: "Linux" not capitalized in package description)
Julien Louis with #31581 (project: Time between releases is too long) and #393083 (Hijacked website)''
David Pashley with #393511 (irssi should notice when you are typing something in the wrong channel)

How the vote has been done Four Debian related people voted for these bugs, Philipp Kern, Florent Bayle, Cyril Brulebois and Gregory Colpart.
Mohammed Adn ne Trojette should vote quicker next time. Full ranking Bugs

#393511 (irssi should notice when you are typing something in the wrong channel) (21 points)
#393083 (Hijacked website)'' (19 points)
#31581 (project: Time between releases is too long) (13 points)
#390794 (apache2-mpm-prefork: /usr/sbin/apache2 not executable) (13 points)
#316531 (apt-listchanges: closes regex too strict) (9 points)
#390263 (uswsusp: "Linux" not capitalized in package description) (5 points)
#393149 (uae: cannot open display) (4 points)

Challengers

Julien Louis (32 points with 2 bugs)
Pierre Habouzit (26 points with 3 bugs)
David Pashley (21 points with 1 bug)
kolter (5 points with 1 bug)

The winners

Bug: #393511 (irssi should notice when you are typing something in the wrong channel) (21 points)
Challenger: Julien Louis
Bug reporter: Jason Spiro
Voter: Florent Bayle with the nearest non-ordered quart : #393083, #393511, #390794, #31581

Notes To participate, simply drop me an email with a bug number. About DeFuBu

25 August 2006

Julien Danjou: DeFuBu contest #2

Welcome to this 2nd issue of the DeFuBu contest, the monthly championship of the funniest bug reported to the Debian BTS. The challengers

Julien Danjou with #360285 (ITP: libjoey -- forks itself and does several things at the same time), #102434 (gpm: reverse marking) and #178290 (grave problems when badly mixed with irda)
Pierre Habouzit with #379912 (kodo: Incorrectly described as useless)
Julien Goodwin with #318229 (XOrg package is controlled by a woman disrespectful of men (which make up the vast majority of debian developers))
Frans Pop with #258723 (vim: replace $ shlibs:Depends] in debian/control)
Daniel Burrows with #331210 (aptitude maintainer should do bug DB clean-up and/or bug merging)
Andres Salomon with #236874 (xscreensaver: pacman screensaver plays game incorrectly)
Loic Minier with #382014 (can't fly to girlfriend) and #375789 (gnome-osd: information leakage when screensaver is active)
Florent Bayle with #381978 (debian-installer: etch d-i installs an antique mouse cursor)
Julien Louis with #382181 (nmap is a clairvoyant)
Cyril Lacoux with #373142 (apt-get install spamc on testing removes sarge kernel image)

How the vote has been done Five Debian related people voted for these bugs: Roland Mas, Alexis Sukrieh, Cl ment Stenac, kolter and Yves-Alexis Perez. Full ranking Bugs

#360285 (ITP: libjoey -- forks itself and does several things at the same time) (52 points)
#102434 (gpm: reverse marking) (44 points)
#236874 (xscreensaver: pacman screensaver plays game incorrectly) (43 points)
#258723 (vim: replace $ shlibs:Depends] in debian/control) (37 points)
#331210 (aptitude maintainer should do bug DB clean-up and/or bug merging) (33 points)
#382014 (can't fly to girlfriend) (31 points)
#373142 (apt-get install spamc on testing removes sarge kernel image) (29 points)
#379912 (kodo: Incorrectly described as useless) and #382181 (nmap is a clairvoyant) (26 points)
#381978 (debian-installer: etch d-i installs an antique mouse cursor) (15 points)
#318229 (XOrg package is controlled by a woman disrespectful of men (which make up the vast majority of debian developers)) (22 points)
#178290 (grave problems when badly mixed with irda) and #375789 (gnome-osd: information leakage when screensaver is active) (13 points)

Challengers

Julien Danjou (109 points)
Loic Minier (44 points)
Andres Salomon (43 points)
Frans Pop (37 points)
Daniel Burrows (33 points)
Cyril Lacoux (29 points)
Julien Louis and Pierre Habouzit (26 points)
Julien Goodwin (22 points)
Florent Bayle (15 points)

The winners

Bug: #360285 (ITP: libjoey -- forks itself and does several things at the same time)
Challenger: Julien Danjou
Bug reporter: Alexander Wirt
Voter: Roland Mas with the correct reverse ordered tierc : [1] #236874, [2] #102434 and [3] #360285.

Notes To participate, simply drop me an email with a bug number. About DeFuBu