author | Ailin Nemui <ailin@z30a.localdomain> | 2018-02-14 00:54:53 +0100 |
---|---|---|
committer | Ailin Nemui <ailin@z30a.localdomain> | 2018-02-14 23:06:37 +0100 |
commit | 813c12822a68983ab42905f5af364dcc9c7ffcdd (patch) | |
tree | b8e8986b0f1bfad0e20809b78b0e9a1a3235ce16 /security/irssi_sa_2016.txt | |
parent | 21f070359fe8174573deea8fea19ccd95dc3e51d (diff) | |
download | irssi.github.io-813c12822a68983ab42905f5af364dcc9c7ffcdd.zip |
enable security collections
Diffstat (limited to 'security/irssi_sa_2016.txt')
-rw-r--r-- | security/irssi_sa_2016.txt | 101 |
1 files changed, 0 insertions, 101 deletions
diff --git a/security/irssi_sa_2016.txt b/security/irssi_sa_2016.txt deleted file mode 100644 index 4b60040..0000000 --- a/security/irssi_sa_2016.txt +++ /dev/null 
@@ -1,101 +0,0 @@ -heap corruption and missing boundary checks -=========================================== -CWE Classification: CWE-20, CWE-823, CWE-126, CWE-122 - -CVE-2016-7044 [1] was assigned to bug 1 -CVE-2016-7045 [2] was assigned to bug 2 - - -Description ------------ - -Gabriel Campana and Adrien Guinet from Quarkslab reported two remote -crash and heap corruption vulnerabilites in Irssi's format parsing -code. - -They also provided us with proof of concept exploit code and patches -to fix those issues. - - -Impact ------- - -Remote crash and heap corruption. Remote code execution seems -difficult since only Nuls are written. - - -Detailed analysis ------------------ - -Based on analysis Provided by Gabriel Campana and Adrien Guinet from -Quarkslab: - -Bug 1 - -The unformat_24bit_color() function is called by format_send_to_gui() -to decode 24bit color codes into their components. The pointer is -advanced unconditionally without checking if a complete code was -supplied. - -Thus, after the return of unformat_24bit_color(), ptr might be invalid -and point out of the buffer. - -Bug 2 - -The format_send_to_gui() function does not validate the length of the -string before incrementing the `ptr' pointer in all cases. - -If that happens, the pointer `ptr' can be incremented twice and thus -end past the boundaries of the original `dup' buffer. - - -Affected versions ------------------ - -Irssi 0.8.17-beta up to and including 0.8.19 up to 0.8.19-219-g52fedea - -Bug 1 affects only Irssis compiled with true-color enabled. -Bug 2 affects all Irssis regardless of compilation flags. - - -Fixed in --------- - -Irssi 0.8.20 - - -Recommended action ------------------- - -Upgrade to Irssi 0.8.20. Irssi 0.8.20 is a maintenance release -without any new features. - -After installing the updated packages, one can issue the /upgrade -command to load the new binary. TLS connections will require -/reconnect. 
- - -Fallback action ---------------- - -Distributions which need to remain on Irssi 0.8.17 are strongly urged -to apply the patch and provide updated packages. - -Those who cannot upgrade right now, but with Perl support enabled in -their Irssi, can load the following script and add it to -~/.irssi/scripts/autorun as a first aid to mitigating these issues: - -https://irssi.org/security/sa_patch.pl - - -Patch ------ - -https://github.com/irssi/irssi/commit/295a4b77f07f14602eeaa371f00ddbf09910c82b - - -References ----------- - -[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7044 -[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7045 |
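Review bot: The whole of security/irssi_sa_2016.txt is removed (@@ -1,101 +0,0 @@), and the commit message "enable security collections" does not say where the advisory for CVE-2016-7044 and CVE-2016-7045 lives afterwards. This view is limited to the one file, so the replacement is not visible here. Please confirm that the collection publishes the same text at the same path, or add a redirect, because this file carries the affected versions, the "Fixed in" release (Irssi 0.8.20), the patch commit link and the sa_patch.pl fallback that users of unpatched builds rely on. If the text is being carried over, this is a good moment to fix "vulnerabilites" in the Description and to untangle the range "0.8.17-beta up to and including 0.8.19 up to 0.8.19-219-g52fedea" under Affected versions, which currently reads as two different upper bounds.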