Date: Thu, 12 Jan 2017 13:24:54 +0100
From: Ailin Nemui <ailin.nemui@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Irssi out of bounds read in format string

Hi,

Can you please check whether the following Irssi issue needs a CVE?

- Printing the value %[ leads to oob read

This has been reported to the Irssi project by Hanno Böck and is
already fixed as part of the last CVE request, however I failed to
include this issue in the initial report. Hanno has blogged about this
at [1] and linked it to the other issue which we credited him for (but
it is in fact a separate issue).

Thanks,

[1] https://blog.fuzzing-project.org/55-Fuzzing-Irssi-with-Perl-Scripts.html


On Thu, 2017-01-05 at 15:45 +0100, Ailin Nemui wrote:
> Dear oss-security List,
> 
> Please provide some CVEs for the following issues.
> 
> Thanks,
> 
> 
> Multiple vulnerabilities in Irssi [1]
> =====================================
> 
> 
> Description
> -----------
> 
> Four vulnerabilities have been located in Irssi.
> 
> (a) A NULL pointer dereference in the nickcmp function found by Joseph
>     Bisch. (CWE-690)
> 
> (b) Use after free when receiving invalid nick message (Issue #466, CWE-146)
> 
> (c) Out of bounds read in certain incomplete control codes found by
>     Joseph Bisch. (CWE-126)
> 
> (d) Out of bounds read in certain incomplete character sequences found
>     by Hanno Böck and independently by J. Bisch. (CWE-126)
> 
> 
> Impact
> ------
> 
> These issues may result in denial of service (remote crash).
> 
> 
> Affected versions
> -----------------
> 
> (a) All Irssi versions that we observed
> (b) All Irssi versions that we observed
> (c) Irssi 0.8.17 and later
> (d) Irssi 0.8.18 and later
> 
> 
> Fixed in
> --------
> 
> Irssi 0.8.21, Irssi 1.0.0
> 
> 
> Recommended action
> ------------------
> 
> Upgrade to Irssi 0.8.21. Irssi 0.8.21 is a maintenance release
> without any new features.
> 
> After installing the updated packages, one can issue the /upgrade
> command to load the new binary. TLS connections will require
> /reconnect.
> 
> 
> A Note to Distributors
> ----------------------
> 
> First of all, thanks to every maintainer for their awesome job in
> packaging Irssi and backporting security fixes.
> 
> When we had to release a security advisory last year with Irssi
> 0.8.20, we noticed there was a huge confusion amongst Ubuntu users
> about whether their Irssi version was safe to use.
> 
> Since all our releases 0.8.19, 0.8.20 and 0.8.21 have been bug
> fix only, we think distributions should just ship the release.
> 
> But if the security fixes only are backported on top of an old
> version, we would like to urge distributions to consider indicating
> this in a way that is visible inside Irssi. One way to do this would
> be to manually overwrite the PACKAGE_VERSION and mark your package
> as patched. This can be done for example like this:
> 
>   ./configure PACKAGE_VERSION=0.8.17-sa201701
> 
> 
> You can then check the version from inside Irssi with /eval echo $J
> 
> As an added benefit over relying on dpkg, this will also correctly
> report whether you had /upgrade done or not. We are looking for ways
> to make this easier to handle for both packagers and us, so if you
> have a good idea on this matter please speak forth.
> 
> 
> Mitigating facts
> ----------------
> 
> (a) requires control over the ircd
> 
> (b), (d) require control over the ircd or otherwise can be triggered /
>     avoided by the user themselves
> 
> 
> Patch
> -----
> 
> https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d
> 
> 
> References
> ----------
> 
> [1] https://irssi.org/security/irssi_sa_2017_01.txt
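Added example, not the advisory's or Irssi's code: a constructed format-code scanner that models the end-of-input check the "%[" out-of-bounds read above is missing, so a truncated sequence is reported instead of read past. The bracketed "%[...]" syntax and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a theme/format-code scanner (not Irssi's code).
 * Every lookahead stops at the terminating NUL, so an incomplete sequence
 * such as "%[" at the end of the input is reported rather than read past.
 *
 * Returns the length in bytes of the format code starting at fmt[0] == '%',
 * or -1 if the code is truncated before its closing character. */
int format_code_len(const char *fmt)
{
    if (fmt == NULL || fmt[0] != '%')
        return -1;
    if (fmt[1] == '\0')              /* lone '%' at end of input */
        return -1;
    if (fmt[1] == '%')               /* "%%": literal percent sign */
        return 2;
    if (fmt[1] == '[') {             /* assumed "%[...]" bracketed code */
        const char *p = fmt + 2;
        while (*p != ']') {
            if (*p == '\0')          /* truncated: no ']' before the NUL */
                return -1;           /* an unchecked loop would keep reading */
            p++;
        }
        return (int)(p - fmt) + 1;   /* include the closing ']' */
    }
    return 2;                        /* "%x": single-letter code */
}

/* Walk a whole format string. Returns the index of the first malformed
 * code, or -1 if every '%' sequence is complete. */
int first_bad_code(const char *fmt)
{
    size_t i = 0, n = strlen(fmt);
    while (i < n) {
        if (fmt[i] != '%') {
            i++;
            continue;
        }
        int len = format_code_len(fmt + i);
        if (len < 0)
            return (int)i;
        i += (size_t)len;
    }
    return -1;
}
```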
