author    Ailin Nemui <ailin@z30a.localdomain>  2018-02-14 00:54:53 +0100
committer Ailin Nemui <ailin@z30a.localdomain>  2018-02-14 23:06:37 +0100
commit    813c12822a68983ab42905f5af364dcc9c7ffcdd (patch)
tree      b8e8986b0f1bfad0e20809b78b0e9a1a3235ce16 /_security/irssi_sa_2017_01.txt
parent    21f070359fe8174573deea8fea19ccd95dc3e51d (diff)
enable security collections
Diffstat (limited to '_security/irssi_sa_2017_01.txt')
-rw-r--r--  _security/irssi_sa_2017_01.txt  187
1 files changed, 187 insertions, 0 deletions
diff --git a/_security/irssi_sa_2017_01.txt b/_security/irssi_sa_2017_01.txt
new file mode 100644
index 0000000..df9adbb
--- /dev/null
+++ b/_security/irssi_sa_2017_01.txt
@@ -0,0 +1,187 @@
+Multiple vulnerabilities in Irssi [1]
+=====================================
+CVE-2017-5193, CVE-2017-5194, CVE-2017-5356, CVE-2017-5195, CVE-2017-5196
+
+Description
+-----------
+
+Five vulnerabilities have been located in Irssi.
+
+(a) A NULL pointer dereference in the nickcmp function found by Joseph
+ Bisch. (CWE-690)
+
+ CVE-2017-5193 [2] was assigned to this bug
+
+(b) Use after free when receiving invalid nick message (Issue #466, CWE-416)
+
+ CVE-2017-5194 [3] was assigned to this bug
+
+(c) Out of bounds read when Printing the value %[
+ Found by Hanno Böck. (CWE-126)
+
+ CVE-2017-5356 [4] was assigned to this bug
+
+(d) Out of bounds read in certain incomplete control codes found by
+ Joseph Bisch. (CWE-126)
+
+ CVE-2017-5195 [5] was assigned to this bug
+
+(e) Out of bounds read in certain incomplete character sequences found
+ by Hanno Böck and independently by J. Bisch. (CWE-126)
+
+ CVE-2017-5196 [6] was assigned to this bug
+
+
+
+Impact
+------
+
+These issues may result in denial of service (remote crash).
+
+
+Affected versions
+-----------------
+
+(a) All Irssi versions that we observed
+(b) All Irssi versions that we observed
+(c) All Irssi versions that we observed
+(d) Irssi 0.8.17 and later
+(e) Irssi 0.8.18 and later
+
+
+Fixed in
+--------
+
+Irssi 0.8.21, Irssi 1.0.0
+
+
+Recommended action
+------------------
+
+Upgrade to Irssi 0.8.21. Irssi 0.8.21 is a maintenance release
+without any new features.
+
+After installing the updated packages, one can issue the /upgrade
+command to load the new binary. TLS connections will require
+/reconnect.
+
+
+A Note to Distributors
+----------------------
+
+First of all, thanks to every maintainer for their awesome job in
+packaging Irssi and backporting security fixes.
+
+When we had to release a security advisory last year with Irssi
+0.8.20, we noticed there was a huge confusion amongst Ubuntu users
+about whether their Irssi version was safe to use.
+
+Since all our releases 0.8.18, 0.8.19, 0.8.20 and 0.8.21 have been bug
+fix only, we think distributions should just ship the release.
+
+But if the security fixes only are backported on top of an old
+version, we would like to urge distributions to consider indicating
+this in a way that is visible inside Irssi. One way to do this would
+be to manually overwrite the PACKAGE_VERSION and marking your package
+as patched. This can be done for example like this:
+
+ ./configure PACKAGE_VERSION=0.8.17-sa201701
+
+
+You can then check the version from inside Irssi with /eval echo $J
+
+As an added benefit over relying on dpkg, this will also correctly
+report whether you had /upgrade done or not. We are looking for a ways
+to make this easier to handle for both packagers and us, so if you
+have a good idea on this matter please speak forth.
+
+
+Mitigating facts
+----------------
+
+(a) requires control over the ircd
+
+(b) and (e) require control over the ircd or otherwise can be
+ triggered / avoided by the user themselves
+
+(c) can be triggered / avoided by the user themselves
+
+
+Patch
+-----
+
+https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d
+
+
+Discussion
+----------
+
+(a) CVE-2017-5193: A NULL pointer dereference in the nickcmp function
+ found by Joseph Bisch.
+
+ The irc_query_find function will call nick_comp_func in order to
+ retrieve an associated existing query.
+
+ However, the precondition whether nick was not NULL was not
+ verified, leading to incorrect API usage of the nick_comp_func and
+ ultimately NULL pointer dereference resulting in a crash whenever
+ the server produced such a message without nick.
+
+(b) CVE-2017-5194: Use after free when receiving invalid nick message.
+
+ Irssi is programmed to cancel the connection when the server
+ indicates an invalid nick during the registration phase (in the
+ event_nick_invalid function), because Irssi cannot recover from
+ this.
+
+ A complex (and still not properly fixed) chain of signal
+ dependencies emitted by the server_disconnect function, combined
+ with the lack of reference counting, leads to multiple use after
+ free issues when the server object has already been destroyed, but
+ there is currently no way to inform the surrounding code of this
+ fact.
+
+ As a mitigation, the server_disconnect function is no longer used
+ in this case and instead the clean-up is pushed to some upper
+ layer. Fixing this properly will still be a lot of work.
+
+(c) CVE-2017-5356: Out of bounds read when Printing the value %[
+ Found by Hanno Böck.
+
+ The formatting sequence %[...] can be used to execute the
+ timestamp and "line_start" commands on each printed line.
+
+ The scanner in format_expand_styles will expect it to read unto
+ the closing ], but in case the end of string has already been
+ reached while searching for the closing bracket, calling code is
+ not prepared to deal with this and may advance the char* beyond
+ end of string.
+
+(d) CVE-2017-5195: Out of bounds read in certain incomplete control
+ codes found by Joseph Bisch.
+
+ While parsing the ANSI x8 colour codes, Irssi in many cases failed
+ to check whether the end of string had already been reached,
+ resulting in this vulnerability.
+
+(e) CVE-2017-5196: Out of bounds read in certain incomplete character
+ sequences found by Hanno Böck and independently by J. Bisch.
+
+ When copying characters to the terminal screen in the term_addstr
+ function, the g_utf8_get_char function was used unconditionally
+ without verifying that the input string is proper utf8. As the
+ behaviour of that function is undefined for invalid input, it
+ would result in this invalid memory access. The correction is to
+ use the g_utf8_get_char_validated function instead.
+
+
+
+References
+----------
+
+[1] https://irssi.org/security/irssi_sa_2017_01.txt
+[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193
+[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194
+[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5356
+[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195
+[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196
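Review bot: the "Mitigating facts" section covers (a), (b), (c) and (e) but says nothing about (d) CVE-2017-5195, so a reader cannot tell whether (d) has no mitigating fact or the line was dropped; add an entry for (d) (for example "(d) requires control over the ircd or otherwise can be triggered / avoided by the user themselves", if that is accurate) or state explicitly that none applies. Related: the "Patch" section links a single commit for all five CVEs while the discussion of (b) says the issue is "still not properly fixed", so either name the commit as the one that addresses all five or note in "Fixed in" that (b) is mitigated rather than fully fixed. Minor wording in (c): "read unto the closing ]" should be "read up to the closing ]", and "Printing" in both headings should be lower-case.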