| author | Ailin Nemui <ailin@z30a.localdomain> | 2016-09-21 17:00:44 +0200 |
|---|---|---|
| committer | Ailin Nemui <ailin@z30a.localdomain> | 2016-09-21 19:33:06 +0200 |
| commit | 5f2158187281d13a47b9061f1ecc496674ad12db (patch) | |
| tree | c32aecbb56325f6f9e03ae1aa7b11de24f1e8c3e /security | |
| parent | 9c2ebf64cbf02753f4843d778fae4e700265bbc1 (diff) | |
Add security info and script
Diffstat (limited to 'security')

| -rw-r--r-- | security/irssi_sa_2016.txt | 96 |
|---|---|---|
| -rw-r--r-- | security/sa_patch.pl | 2 |

2 files changed, 98 insertions, 0 deletions
diff --git a/security/irssi_sa_2016.txt b/security/irssi_sa_2016.txt new file mode 100644 index 0000000..5ef4142 --- /dev/null +++ b/security/irssi_sa_2016.txt 
@@ -0,0 +1,96 @@ +heap corruption and missing boundary checks +=========================================== +CWE Classification: CWE-20, CWE-823, CWE-126, CWE-122 + +CVE-2016-7044 [1] was assigned to bug 1 +CVE-2016-7045 [2] was assigned to bug 2 + + +Description +----------- + +Gabriel Campana and Adrien Guinet from Quarkslab reported two remote +crash and heap corruption vulnerabilites in Irssi's format parsing +code. + +They also provided us with proof of concept exploit code and patches +to fix those issues. + + +Impact +------ + +Remote crash and heap corruption. Remote code execution seems +difficult since only Nuls are written. + + +Detailed analysis +----------------- + +Based on analysis Provided by Gabriel Campana and Adrien Guinet from +Quarkslab: + +Bug 1 + +The unformat_24bit_color() function is called by format_send_to_gui() +to decode 24bit color codes into their components. The pointer is +advanced unconditionally without checking if a complete code was +supplied. + +Thus, after the return of unformat_24bit_color(), ptr might be invalid +and point out of the buffer. + +Bug 2 + +The format_send_to_gui() function does not validate the length of the +string before incrementing the `ptr' pointer in all cases. + +If that happens, the pointer `ptr' can be incremented twice and thus +end past the boundaries of the original `dup' buffer. + + +Affected versions +----------------- + +Irssi 0.8.17-beta up to and including 0.8.19 up to 0.8.19-219-g52fedea + +Bug 1 affects only Irssis compiled with true-color enabled. +Bug 2 affects all Irssis regardless of compilation flags. + + +Fixed in +-------- + +Irssi 0.8.20 + + +Recommended action +------------------ + +Upgrade to Irssi 0.8.20. Irssi 0.8.20 is a maintenance release +without any new features. + +After installing the updated packages, one can issue the /upgrade +command to load the new binary. TLS connections will require +/reconnect. 
If the buf.pl script is loaded and symlinked into +~/.irssi/scripts/autorun, text buffer content will be saved and +restored. + + +Fallback action +--------------- + +Distributions which need to remain on Irssi 0.8.17 are strongly urged +to apply the patch and provide updated packages. + + +Patch +----- + +https://github.com/irssi/irssi/commit/295a4b77f07f14602eeaa371f00ddbf09910c82b + + +References +---------- +[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7044 +[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7045 diff --git a/security/sa_patch.pl b/security/sa_patch.pl new file mode 100644 index 0000000..2194dc7 --- /dev/null +++ b/security/sa_patch.pl @@ -0,0 +1,2 @@ +Irssi::signal_add_first("print text", sub { + for ($_[1]) { $_ .= ' ' if /\cD(?!.....)/ } &Irssi::signal_continue }) |
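Review bot: the Fallback action section of irssi_sa_2016.txt urges distributions staying on 0.8.17 to apply the patch but never mentions the sa_patch.pl script added by this same commit, so advisory readers get no pointer to the workaround or to its limits; add a sentence there naming security/sa_patch.pl and stating that it only pads `print text` strings and is a stopgap until the linked commit 295a4b77 is applied. Also fix `vulnerabilites` in the Description and the stray capital in `Based on analysis Provided by`, and the Affected versions line `Irssi 0.8.17-beta up to and including 0.8.19 up to 0.8.19-219-g52fedea` reads as two overlapping ranges; state it as a single range ending at the named git snapshot.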
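Review bot: sa_patch.pl has no header comment, so nothing says which advisory it belongs to, which of the two bugs it mitigates, or that it does not replace the real fix; add a comment block at the top naming irssi_sa_2016.txt and describing the padding. On the logic, the handler appends exactly one space per string (`$_ .= ' ' if /\cD(?!.....)/`), while the look-ahead tests for five characters after `\cD`; a `\cD` followed by fewer than four characters is therefore still short after the append. If the intent is to guarantee five characters after the final `\cD`, pad by the shortfall instead, for example `$_ .= ' ' x (6 - length $1) if /(\cD[^\cD]{0,4})\z/`, and say in the comment that the five-character requirement is what the look-ahead assumes.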