tech-pkg archive


Updating chat/hexchat for security



Hi tech-pkg@,

chat/hexchat is currently vulnerable to CVE-2016-2233. It is at version 2.12.1nb3 in pkgsrc at the moment, while the official fix needs a patch for 2.12.4; there is no release with the fix yet:
https://github.com/hexchat/hexchat/issues/1934
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2233

I have only been able to package 2.12.3 so far, as 2.12.4 depends on some files in /usr/share/aclocal, /usr/share/intltool etc. to be present and I haven't figured all the nits to get it to build yet - even after getting inspiration from e.g. audio/gimmix which has the same issue apparently.

Is it fine to commit it anyway? I think it brings us closer to 2.12.4, and it is a leaf package. The corresponding patch is attached.

If I find the time (or someone beats me to it) it is possible to study the individual commit that fixes the issue, and import it into pkgsrc if it really is appropriate for 2.12.1 or 2.12.3:
https://github.com/hexchat/hexchat/commit/4e061a43b3453a9856d34250c3913175c45afe9d

Note that the vulnerability was present since 2.11.0 or earlier, so this update does not introduce it either:
https://www.exploit-db.com/exploits/39657/

HTH,
--
khorben
Update chat/hexchat to version 2.12.3
    
2.12.3 (2016-10-22)
    
  * fix crash with bad translations
  * fix crash and leaks in mpcinfo plugin
  * add mhop command
  * change ping timeout to 60 by default
  * update translations


2.12.2 (2016-10-08)

  * fix input box theme with Adwaita 3.20
  * fix return value of hexchat_pluginpref_get_int()
  * fix tab color changing when print events are eaten
  * fix network name not being sanitized for scrollback files
  * fix building sysinfo on OS X <= 10.9
  * fix resume with DCC GET
  * fix possible assertion when decoding incoming text
  * fix possible crashes when plugins modify the UI during context close
  * add "chanmodes" to channel list in plugin api
  * lua:
      o add automatic return and = handling in console
      o fix pluginpref usage
  * fishlim:
      o fix saving nicks containing [ or ]
      o add commands: /topic+, /msg+, and /notice+
      o add support for /me
      o add /keyx command to do DH1080 key exchanges
  * improve efficiency of various timers
  * reduce updates of user count in titlebar/userlist
  * download extra redist for perl on Windows
  * update appdata file
  * update translations
  * update dependencies on Windows

Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/chat/hexchat/Makefile,v
retrieving revision 1.13
diff -p -u -r1.13 Makefile
--- Makefile	12 Feb 2017 06:25:08 -0000	1.13
+++ Makefile	27 Mar 2017 19:38:15 -0000
@@ -1,7 +1,6 @@
 # $NetBSD: Makefile,v 1.13 2017/02/12 06:25:08 ryoon Exp $
 
-DISTNAME=	hexchat-2.12.1
-PKGREVISION=	3
+DISTNAME=	hexchat-2.12.3
 CATEGORIES=	chat
 MASTER_SITES=	http://dl.hexchat.net/hexchat/
 EXTRACT_SUFX=	.tar.xz
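Review bot: the unchanged MASTER_SITES context line still fetches over plain http://, so the distinfo checksums are the only integrity check on the new distfile; if dl.hexchat.net serves the same path over https, switch the URL in this commit. Dropping PKGREVISION together with the DISTNAME bump is correct. Since the accompanying mail says the fix for CVE-2016-2233 is not in any release, the commit message should also state that 2.12.3 does not address it, so the update is not read as the security fix.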
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/chat/hexchat/distinfo,v
retrieving revision 1.3
diff -p -u -r1.3 distinfo
--- distinfo	16 Aug 2016 08:30:14 -0000	1.3
+++ distinfo	27 Mar 2017 19:38:15 -0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.3 2016/08/16 08:30:14 tnn Exp $
+$NetBSD$
 
-SHA1 (hexchat-2.12.1.tar.xz) = 45281165322bf4c331cdb5047f9907fdc6526a09
-RMD160 (hexchat-2.12.1.tar.xz) = 877b00c61a2a32a9297babbaf7e0e8536f5d301f
-SHA512 (hexchat-2.12.1.tar.xz) = ef21029108f0c7de527186137a849540665878dab3dbd97993ba48977c81c3e5dc7e7a677e2aa11dcdf324f881659f7c2dcefa1bd092c83d9acad3b536d5a0af
-Size (hexchat-2.12.1.tar.xz) = 1585532 bytes
+SHA1 (hexchat-2.12.3.tar.xz) = 69c91e374eed4b869941d55a7d50362c667119bb
+RMD160 (hexchat-2.12.3.tar.xz) = b9340b949012f4f86e6d14b7b8c6e7794967bb0b
+SHA512 (hexchat-2.12.3.tar.xz) = 1ee8348b70ed27786874aebb136e78b9d3b24bc55b7cebb5c6a730970f6aa3ec690f8c7422003d7ace56987ca84c993694c8ab6b830ef39b620e544fc7353b04
+Size (hexchat-2.12.3.tar.xz) = 1577736 bytes
 SHA1 (patch-configure) = 4b62af9f771c743c979dc1ad98d48ddaa5f3e50d
 SHA1 (patch-osx_launcher.sh) = 7493430921809182898aca2ebb8fd1f493dbd9d3
 SHA1 (patch-plugins_sysinfo_Makefile.in) = cd1d3b70a59ecd18b895a1633f59e6ab745c2e42
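Review bot: the three patch checksums in the trailing context (patch-configure, patch-osx_launcher.sh, patch-plugins_sysinfo_Makefile.in) are unchanged while the distfile moves from 2.12.1 to 2.12.3, and options.mk in this same patch changes the configure flags, so confirm that each patch still applies cleanly to the 2.12.3 sources, patch-configure in particular. The four distfile lines should be the regenerated output of "make distinfo" rather than hand edits, and are worth comparing against an independently fetched copy of hexchat-2.12.3.tar.xz before commit.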
Index: options.mk
===================================================================
RCS file: /cvsroot/pkgsrc/chat/hexchat/options.mk,v
retrieving revision 1.4
diff -p -u -r1.4 options.mk
--- options.mk	16 Aug 2016 08:30:14 -0000	1.4
+++ options.mk	27 Mar 2017 19:38:15 -0000
@@ -24,7 +24,7 @@ CONFIGURE_ARGS+=	--disable-dbus
 .include "../../x11/gtk2/buildlink3.mk"
 PLIST.gtk2=		yes
 .else
-CONFIGURE_ARGS+=	--disable-gtkfe --disable-gtktest
+CONFIGURE_ARGS+=	--disable-gtkfe
 .endif
 
 .if empty(PKG_OPTIONS:Minet6)
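Review bot: --disable-gtktest is dropped from the non-gtk2 branch without a reason in the commit message. If the 2.12.3 configure script no longer accepts the option, say so in the log; if it still does, keep the flag so the behaviour of the non-gtk2 build does not change silently with this update.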
@@ -101,11 +101,8 @@ CONFIGURE_ARGS+=	--enable-python=no
 
 .if !empty(PKG_OPTIONS:Mtests)
 CONFIGURE_ARGS+=	--enable-glibtest
-.if !empty(PKG_OPTIONS:Mgtk2)
-CONFIGURE_ARGS+=	--enable-gtktest
-.endif
 .else
-CONFIGURE_ARGS+=	--disable-glibtest --disable-gtktest
+CONFIGURE_ARGS+=	--disable-glibtest
 .endif
 
 .if !empty(PKG_OPTIONS:Mthemes)
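Review bot: with the nested gtk2 block removed, the tests option now only switches between --enable-glibtest and --disable-glibtest, so check that the description of the tests option (not visible in this hunk) still matches what it does. The .if/.else/.endif nesting stays balanced after the removal.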

