Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 12 Jan 2017 13:24:54 +0100
From: Ailin Nemui <ailin.nemui@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Irssi out of bounds read in format string

Hi,

can you please check whether the following Irssi issue needs a CVE

- Printing the value %[ leads to oob read

This has been reported to the Irssi project by Hanno Böck and is
already fixed as part of the last CVE request, however I failed to
include this issue in the initial report. Hanno has blogged about this
at [1] and linked it to the other issue which we credited him for (but
it is in fact a separate issue).

Thanks,

[1] https://blog.fuzzing-project.org/55-Fuzzing-Irssi-with-Perl-Scripts.html


On Thu, 2017-01-05 at 15:45 +0100, Ailin Nemui wrote:
> Dear oss-security List,
> 
> Please provide some CVEs for the following issues.
> 
> Thanks,
> 
> 
> Multiple vulnerabilities in Irssi [1]
> =====================================
> 
> 
> Description
> -----------
> 
> Four vulnerabilities have been located in Irssi.
> 
> (a) A NULL pointer dereference in the nickcmp function found by Joseph
>     Bisch. (CWE-690)
> 
> (b) Use after free when receiving invalid nick message (Issue #466, CWE-146)
> 
> (c) Out of bounds read in certain incomplete control codes found by
>     Joseph Bisch. (CWE-126)
> 
> (d) Out of bounds read in certain incomplete character sequences found
>     by Hanno Böck and independently by J. Bisch. (CWE-126)
> 
> 
> Impact
> ------
> 
> These issues may result in denial of service (remote crash).
> 
> 
> Affected versions
> -----------------
> 
> (a) All Irssi versions that we observed
> (b) All Irssi versions that we observed
> (c) Irssi 0.8.17 and later
> (d) Irssi 0.8.18 and later
> 
> 
> Fixed in
> --------
> 
> Irssi 0.8.21, Irssi 1.0.0
> 
> 
> Recommended action
> ------------------
> 
> Upgrade to Irssi 0.8.21. Irssi 0.8.21 is a maintenance release
> without any new features.
> 
> After installing the updated packages, one can issue the /upgrade
> command to load the new binary. TLS connections will require
> /reconnect.
> 
> 
> A Note to Distributors
> ----------------------
> 
> First of all, thanks to every maintainer for their awesome job in
> packaging Irssi and backporting security fixes.
> 
> When we had to release a security advisory last year with Irssi
> 0.8.20, we noticed there was a huge confusion amongst Ubuntu users
> about whether their Irssi version was safe to use.
> 
> Since all our releases 0.8.19, 0.8.20 and 0.8.21 have been bug
> fix only, we think distributions should just ship the release.
> 
> But if the security fixes only are backported on top of an old
> version, we would like to urge distributions to consider indicating
> this in a way that is visible inside Irssi. One way to do this would
> be to manually overwrite the PACKAGE_VERSION and marking your package
> as patched. This can be done for example like this:
> 
>   ./configure PACKAGE_VERSION=0.8.17-sa201701
> 
> 
> You can then check the version from inside Irssi with /eval echo $J
> 
> As an added benefit over relying on dpkg, this will also correctly
> report whether you had /upgrade done or not. We are looking for a ways
> to make this easier to handle for both packagers and us, so if you
> have a good idea on this matter please speak forth.
> 
> 
> Mitigating facts
> ----------------
> 
> (a) requires control over the ircd
> 
> (b), (d) require control over the ircd or otherwise can be triggered /
>     avoided by the user themselves
> 
> 
> Patch
> -----
> 
> https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d
> 
> 
> References
> ----------
> 
> [1] https://irssi.org/security/irssi_sa_2017_01.txt

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.