Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 05 Jan 2017 15:45:20 +0100
From: Ailin Nemui <ailin.nemui@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Irssi Multiple Vulnerabilities (2017/01)

Dear oss-security List,

Please provide some CVEs for the following issues.

Thanks,


Multiple vulnerabilities in Irssi [1]
=====================================


Description
-----------

Four vulnerabilities have been located in Irssi.

(a) A NULL pointer dereference in the nickcmp function found by Joseph
    Bisch. (CWE-690)

(b) Use after free when receiving invalid nick message (Issue #466, CWE-146)

(c) Out of bounds read in certain incomplete control codes found by
    Joseph Bisch. (CWE-126)

(d) Out of bounds read in certain incomplete character sequences found
    by Hanno Böck and independently by J. Bisch. (CWE-126)


Impact
------

These issues may result in denial of service (remote crash).


Affected versions
-----------------

(a) All Irssi versions that we observed
(b) All Irssi versions that we observed
(c) Irssi 0.8.17 and later
(d) Irssi 0.8.18 and later


Fixed in
--------

Irssi 0.8.21, Irssi 1.0.0


Recommended action
------------------

Upgrade to Irssi 0.8.21. Irssi 0.8.21 is a maintenance release
without any new features.

After installing the updated packages, one can issue the /upgrade
command to load the new binary. TLS connections will require
/reconnect.


A Note to Distributors
----------------------

First of all, thanks to every maintainer for their awesome job in
packaging Irssi and backporting security fixes.

When we had to release a security advisory last year with Irssi
0.8.20, we noticed there was a huge confusion amongst Ubuntu users
about whether their Irssi version was safe to use.

Since all our releases 0.8.19, 0.8.20 and 0.8.21 have been bug
fix only, we think distributions should just ship the release.

But if the security fixes only are backported on top of an old
version, we would like to urge distributions to consider indicating
this in a way that is visible inside Irssi. One way to do this would
be to manually overwrite the PACKAGE_VERSION and marking your package
as patched. This can be done for example like this:

  ./configure PACKAGE_VERSION=0.8.17-sa201701


You can then check the version from inside Irssi with /eval echo $J

As an added benefit over relying on dpkg, this will also correctly
report whether you had /upgrade done or not. We are looking for a ways
to make this easier to handle for both packagers and us, so if you
have a good idea on this matter please speak forth.


Mitigating facts
----------------

(a) requires control over the ircd

(b), (d) require control over the ircd or otherwise can be triggered /
    avoided by the user themselves


Patch
-----

https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d


References
----------

[1] https://irssi.org/security/irssi_sa_2017_01.txt

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ