author | Ailin Nemui <ailin@z30a.localdomain> | 2017-10-22 15:30:40 +0200 |
---|---|---|
committer | Ailin Nemui <ailin@z30a.localdomain> | 2017-10-22 15:30:40 +0200 |
commit | 6d139d40a31a7bdb40ac659b9834d816405cdeec (patch) | |
tree | 8e459a55e4c2e92e7db9de19afa39b4583326f50 /security/irssi_sa_2017_10.txt | |
parent | 9ab87ea27dd4af0e5f26b09d6bb008889098fc16 (diff) | |
download | irssi.github.io-6d139d40a31a7bdb40ac659b9834d816405cdeec.zip |
Release Irssi 1.0.5
Diffstat (limited to 'security/irssi_sa_2017_10.txt')
-rw-r--r-- | security/irssi_sa_2017_10.txt | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/security/irssi_sa_2017_10.txt b/security/irssi_sa_2017_10.txt new file mode 100644 index 0000000..11d382a --- /dev/null +++ b/security/irssi_sa_2017_10.txt 
@@ -0,0 +1,94 @@ +IRSSI-SA-2017-10 Irssi Security Advisory [1] +============================================ +CVE-2017-15228, CVE-2017-15227, CVE-2017-15721, CVE-2017-15722, +CVE-2017-15723 + +Description +----------- + +Multiple vulnerabilities have been located in Irssi. + +(a) When installing themes with unterminated colour formatting + sequences, Irssi may access data beyond the end of the + string. (CWE-126) Found by Hanno Böck. + + CVE-2017-15228 was assigned to this issue. + +(b) While waiting for the channel synchronisation, Irssi may + incorrectly fail to remove destroyed channels from the query list, + resulting in use after free conditions when updating the state + later on. Found by Joseph Bisch. (CWE-416 caused by CWE-672) + + CVE-2017-15227 was assigned to this issue. + +(c) Certain incorrectly formatted DCC CTCP messages could cause NULL + pointer dereference. Found by Joseph Bisch. This is a separate, + but similar issue to CVE-2017-9468. (CWE-690) + + CVE-2017-15721 was assigned to this issue. + +(d) Overlong nicks or targets may result in a NULL pointer dereference + while splitting the message. Found by Joseph Bisch. (CWE-690) + + CVE-2017-15722 was assigned to this issue. + +(e) In certain cases Irssi may fail to verify that a Safe channel ID + is long enough, causing reads beyond the end of the string. Found + by Joseph Bisch. (CWE-126) + + CVE-2017-15723 was assigned to this issue. + + +Impact +------ + +(a,b,c,d) May result in denial of service (remote crash). + +(e) May affect the stability of Irssi. + + +Affected versions +----------------- + +(a,b,c,e) All Irssi versions that we observed. + +(d) Starting from 0.8.17. + + +Fixed in +-------- + +Irssi 1.0.5 + + +Recommended action +------------------ + +Upgrade to Irssi 1.0.5. Irssi 1.0.5 is a maintenance release in the +1.0 series, without any new features. + +After installing the updated packages, one can issue the /upgrade +command to load the new binary. 
TLS connections will require +/reconnect. + + +Mitigating facts +---------------- + +(a) requires user to install malicious or broken theme file + +(b,c,e) requires a broken ircd or control over the ircd + +(d) irc servers typically have length limits in place + + +Patch +----- + +https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 + + +References +---------- + +[1] https://irssi.org/security/irssi_sa_2017_10.txt |
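Review bot: The Impact entry for (e) says only "May affect the stability of Irssi", while (a) carries the same CWE-126 classification and is listed under "denial of service (remote crash)". Please state whether (e) can also crash the client, or say why it cannot, so readers can prioritise the upgrade. In the same section, (a) is grouped under "remote crash" although Mitigating facts says it requires the user to install a malicious or broken theme file; a separate impact line for (a) would avoid that mismatch. The Patch section gives one commit URL for five CVEs. A note that this commit covers all five, or a per-issue mapping, would help anyone backporting, particularly since (d) only applies from 0.8.17 while the others are listed as affecting all observed versions.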