author | Ailin Nemui <ailin@z30a.localdomain> | 2018-02-14 00:54:53 +0100 |
---|---|---|
committer | Ailin Nemui <ailin@z30a.localdomain> | 2018-02-14 23:06:37 +0100 |
commit | 813c12822a68983ab42905f5af364dcc9c7ffcdd (patch) | |
tree | b8e8986b0f1bfad0e20809b78b0e9a1a3235ce16 /security | |
parent | 21f070359fe8174573deea8fea19ccd95dc3e51d (diff) | |
download | irssi.github.io-813c12822a68983ab42905f5af364dcc9c7ffcdd.zip |
enable security collections
Diffstat (limited to 'security')
-rw-r--r-- | security/buf_pl_sa_2016.txt | 73 |
-rw-r--r-- | security/index.html | 105 |
-rw-r--r-- | security/irssi_sa_2016.txt | 101 |
-rw-r--r-- | security/irssi_sa_2017_01.txt | 187 |
-rw-r--r-- | security/irssi_sa_2017_03.txt | 57 |
-rw-r--r-- | security/irssi_sa_2017_06.txt | 73 |
-rw-r--r-- | security/irssi_sa_2017_07.txt | 75 |
-rw-r--r-- | security/irssi_sa_2017_10.txt | 94 |
-rw-r--r-- | security/irssi_sa_2018_01.txt | 78 |
-rw-r--r-- | security/sa_patch.pl | 2 |
10 files changed, 0 insertions, 845 deletions
diff --git a/security/buf_pl_sa_2016.txt b/security/buf_pl_sa_2016.txt deleted file mode 100644 index 7257538..0000000 --- a/security/buf_pl_sa_2016.txt +++ /dev/null @@ -1,73 +0,0 @@ -information disclosure vulnerability in buf.pl -============================================== -CWE Classification: CWE-732, CWE-538 - -CVE-2016-7553 [1] was assigned to this bug. - - -Description ------------ - -An information disclosure vulnerability was found, reported and fixed -in the buf.pl script by its author. - - -Impact ------- - -Other users on the same machine may be able to retrieve the whole -window contents after /UPGRADE when the buf.pl script is -loaded. Furthermore, this dump of the windows contents is never -removed afterwards. - -Since buf.pl is also an Irssi core script and we recommended its use -to retain your window content, many people could potentially be -affected by this. - -Remote users may be able to retrieve these contents when combined with -other path traversal vulnerabilities in public facing services on that -machine. - - -Detailed analysis ------------------ - -buf.pl restores the scrollbuffer between "/upgrade"s by writing the -contents to a file, and reading that after the new process was spawned. -Through that file, the contents of (private) chat conversations may leak to -other users. - - -Mitigating facts ----------------- - -Careful users with a limited umask (e.g. 077) are not affected by this bug. -However, most Linux systems default to a umask of 022, meaning that files -written without further restricting the permissions, are readable by any -user. - - -Affected versions ------------------ - -All up to 2.13 - - -Fixed versions --------------- - -buf.pl 2.20 [2] - - -Resolution ----------- - -Update the buf.pl script with the latest version from -https://scripts.irssi.org - - -References ----------- - -[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7553 -[2] https://scripts.irssi.org/scripts/buf.pl 
diff --git a/security/index.html b/security/index.html deleted file mode 100644 index af51403..0000000 --- a/security/index.html +++ /dev/null 
@@ -1,105 +0,0 @@ ---- -layout: page -title: Security -permalink: security/ ---- - -Please report security issues to staff@irssi.org. Thanks! - -<h2>Past issues overview</h2> -<table class="table"> - <thead> - <tr class="text-nowrap"> - <th colspan="2">Links</th> - <th>Exploitable</th> - <th colspan="3">Versions affected</th> - <th>Fixed</th> - <th>Credit</th> - <th colspan="2">Description</th> - </tr> - </thead> -{% assign advisories = site.data.security %} -{% for advisory in advisories reversed %} - <tbody> - <tr> - <th colspan="3">{% if advisory.link %}<a href="{{ advisory.link }}">{{ advisory.name }}</a>{% elsif advisory.name contains "-SA-" %}<a href="{{ site.baseurl }}/security/{{ advisory.name | slugify | replace: '-', '_' }}.txt">{{ advisory.name }}</a>{% else %}{{ advisory.name }}{% endif %}</th> - <th colspan="3">{% if advisory.affected_note %}{{ advisory.affected_note }}{% endif %}</th> - <th>{% if advisory.git_commit %}<a href="https://github.com/irssi/{% if advisory.repo %}{{ advisory.repo }}{% else %}irssi{% endif %}/commit/{{ advisory.git_commit }}">{{ advisory.release_date }}</a>{% else %}{{ advisory.release_date }}{% endif %}</th> - <th colspan="3"></th> - </tr> - </tbody> - <tbody> - {% for bug in advisory.bugs %} - <tr> - <td rowspan="3"></td> - <td rowspan="3" class="text-nowrap"> - {% if bug.name %} - <div>{% if bug.link %}<a href="{{ bug.link }}">{{ bug.name }}</a>{% else %}{{ bug.name }}{% endif %}</div> - {% endif %} - {% if bug.cve %} - <div><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name={{ bug.cve }}">{{ bug.cve }}</a></div> - {% endif %} - {% for link in bug.external_links %} - <div><a href="{{ link.url }}">{{ link.id }}</a></div> - {% endfor %} - </td> - <td rowspan="3">{{ bug.exploitable_by }}</td> - {% if bug.affected_note_top %}<td class="has-next-row" colspan="4">{{ bug.affected_note_top }}</td>{% else %} - <td class="has-next-row">{% if bug.affected_versions.from %}{{ bug.affected_versions.from }}{% else %}*{% endif 
%}</td> - <td class="has-next-row">{% if bug.affected_versions.to %}–{% endif %}</td> - <td class="has-next-row">{{ bug.affected_versions.to }}</td> - <td class="has-next-row"> - {% if bug.git_commit %}<a href="https://github.com/irssi/{% if bug.repo %}{{ bug.repo }}{% else %}irssi{% endif %}/commit/{{ bug.git_commit }}">{{ bug.fixed_version }}</a>{% else %}{{ bug.fixed_version }}{% endif %} - </td> - {% endif %} - <td rowspan="3">{{ bug.credit }}</td> - <td rowspan="3">{{ bug.description }}</td> - <td rowspan="3"></td> - </tr> - <tr> - {% if bug.affected_note_top %} - <td class="has-next-row has-previous-row">{% if bug.affected_versions.from %}{{ bug.affected_versions.from }}{% else %}*{% endif %}</td> - <td class="has-next-row has-previous-row">{% if bug.affected_versions.to %}–{% endif %}</td> - <td class="has-next-row has-previous-row">{{ bug.affected_versions.to }}</td> - <td class="has-next-row has-previous-row"> - {% if bug.git_commit %}<a href="https://github.com/irssi/{% if bug.repo %}{{ bug.repo }}{% else %}irssi{% endif %}/commit/{{ bug.git_commit }}">{{ bug.fixed_version }}</a>{% else %}{{ bug.fixed_version }}{% endif %} - </td> - {% else %} - <td class="has-previous-row" colspan="3" rowspan="2">{% if bug.affected_note_bottom %}{{ bug.affected_note_bottom }}{% endif %}</td> - <td class="has-previous-row" rowspan="2"></td> - {% endif %} - </tr> - <tr> - {% if bug.affected_note_top %} - <td class="has-previous-row" colspan="3">{% if bug.affected_note_bottom %}{{ bug.affected_note_bottom }}{% endif %}</td> - <td class="has-previous-row"></td> - {% endif %} - </tr> - {% endfor %} - </tbody> -{% endfor %} - </tbody> -</table> - -<h2>Reference</h2> - -<p>"Exploitable by" column:</p> - -<ul> - <li> - <b>Server</b>: Triggered by malicious inputs sent by a server with complete control over the connection<br /> - Example: malformed raw IRC commands - </li> - <li> - <b>Client</b>: Triggered by malicious inputs sent by remote clients with no privileges over the 
network<br /> - Example: malformed color codes inside a message - </li> - <li> - <b>Local</b>: Exploitable by unprivileged system users with access to the same filesystem<br /> - Example: CVE-2016-7553 (buf.pl information disclosure) - </li> - <li> - <b>Formats</b>: Exploitable through internal format codes used in themes and configs. These are not normally processed from the network but may be in combination with buggy scripts.<br /> - Example: CVE-2017-5356 (Crash on <code>%[</code>) - </li> -</ul> diff --git a/security/irssi_sa_2016.txt b/security/irssi_sa_2016.txt deleted file mode 100644 index 4b60040..0000000 --- a/security/irssi_sa_2016.txt +++ /dev/null 
@@ -1,101 +0,0 @@ -heap corruption and missing boundary checks -=========================================== -CWE Classification: CWE-20, CWE-823, CWE-126, CWE-122 - -CVE-2016-7044 [1] was assigned to bug 1 -CVE-2016-7045 [2] was assigned to bug 2 - - -Description ------------ - -Gabriel Campana and Adrien Guinet from Quarkslab reported two remote -crash and heap corruption vulnerabilites in Irssi's format parsing -code. - -They also provided us with proof of concept exploit code and patches -to fix those issues. - - -Impact ------- - -Remote crash and heap corruption. Remote code execution seems -difficult since only Nuls are written. - - -Detailed analysis ------------------ - -Based on analysis Provided by Gabriel Campana and Adrien Guinet from -Quarkslab: - -Bug 1 - -The unformat_24bit_color() function is called by format_send_to_gui() -to decode 24bit color codes into their components. The pointer is -advanced unconditionally without checking if a complete code was -supplied. - -Thus, after the return of unformat_24bit_color(), ptr might be invalid -and point out of the buffer. - -Bug 2 - -The format_send_to_gui() function does not validate the length of the -string before incrementing the `ptr' pointer in all cases. - -If that happens, the pointer `ptr' can be incremented twice and thus -end past the boundaries of the original `dup' buffer. - - -Affected versions ------------------ - -Irssi 0.8.17-beta up to and including 0.8.19 up to 0.8.19-219-g52fedea - -Bug 1 affects only Irssis compiled with true-color enabled. -Bug 2 affects all Irssis regardless of compilation flags. - - -Fixed in --------- - -Irssi 0.8.20 - - -Recommended action ------------------- - -Upgrade to Irssi 0.8.20. Irssi 0.8.20 is a maintenance release -without any new features. - -After installing the updated packages, one can issue the /upgrade -command to load the new binary. TLS connections will require -/reconnect. 
- - -Fallback action ---------------- - -Distributions which need to remain on Irssi 0.8.17 are strongly urged -to apply the patch and provide updated packages. - -Those who cannot upgrade right now, but with Perl support enabled in -their Irssi, can load the following script and add it to -~/.irssi/scripts/autorun as a first aid to mitigating these issues: - -https://irssi.org/security/sa_patch.pl - - -Patch ------ - -https://github.com/irssi/irssi/commit/295a4b77f07f14602eeaa371f00ddbf09910c82b - - -References ----------- - -[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7044 -[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7045 diff --git a/security/irssi_sa_2017_01.txt b/security/irssi_sa_2017_01.txt deleted file mode 100644 index df9adbb..0000000 --- a/security/irssi_sa_2017_01.txt +++ /dev/null 
@@ -1,187 +0,0 @@ -Multiple vulnerabilities in Irssi [1] -===================================== -CVE-2017-5193, CVE-2017-5194, CVE-2017-5356, CVE-2017-5195, CVE-2017-5196 - -Description ------------ - -Five vulnerabilities have been located in Irssi. - -(a) A NULL pointer dereference in the nickcmp function found by Joseph - Bisch. (CWE-690) - - CVE-2017-5193 [2] was assigned to this bug - -(b) Use after free when receiving invalid nick message (Issue #466, CWE-416) - - CVE-2017-5194 [3] was assigned to this bug - -(c) Out of bounds read when Printing the value %[ - Found by Hanno Böck. (CWE-126) - - CVE-2017-5356 [4] was assigned to this bug - -(d) Out of bounds read in certain incomplete control codes found by - Joseph Bisch. (CWE-126) - - CVE-2017-5195 [5] was assigned to this bug - -(e) Out of bounds read in certain incomplete character sequences found - by Hanno Böck and independently by J. Bisch. (CWE-126) - - CVE-2017-5196 [6] was assigned to this bug - - - -Impact ------- - -These issues may result in denial of service (remote crash). - - -Affected versions ------------------ - -(a) All Irssi versions that we observed -(b) All Irssi versions that we observed -(c) All Irssi versions that we observed -(d) Irssi 0.8.17 and later -(e) Irssi 0.8.18 and later - - -Fixed in --------- - -Irssi 0.8.21, Irssi 1.0.0 - - -Recommended action ------------------- - -Upgrade to Irssi 0.8.21. Irssi 0.8.21 is a maintenance release -without any new features. - -After installing the updated packages, one can issue the /upgrade -command to load the new binary. TLS connections will require -/reconnect. - - -A Note to Distributors ----------------------- - -First of all, thanks to every maintainer for their awesome job in -packaging Irssi and backporting security fixes. - -When we had to release a security advisory last year with Irssi -0.8.20, we noticed there was a huge confusion amongst Ubuntu users -about whether their Irssi version was safe to use. 
- -Since all our releases 0.8.18, 0.8.19, 0.8.20 and 0.8.21 have been bug -fix only, we think distributions should just ship the release. - -But if the security fixes only are backported on top of an old -version, we would like to urge distributions to consider indicating -this in a way that is visible inside Irssi. One way to do this would -be to manually overwrite the PACKAGE_VERSION and marking your package -as patched. This can be done for example like this: - - ./configure PACKAGE_VERSION=0.8.17-sa201701 - - -You can then check the version from inside Irssi with /eval echo $J - -As an added benefit over relying on dpkg, this will also correctly -report whether you had /upgrade done or not. We are looking for a ways -to make this easier to handle for both packagers and us, so if you -have a good idea on this matter please speak forth. - - -Mitigating facts ----------------- - -(a) requires control over the ircd - -(b) and (e) require control over the ircd or otherwise can be - triggered / avoided by the user themselves - -(c) can be triggered / avoided by the user themselves - - -Patch ------ - -https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d - - -Discussion ----------- - -(a) CVE-2017-5193: A NULL pointer dereference in the nickcmp function - found by Joseph Bisch. - - The irc_query_find function will call nick_comp_func in order to - retrieve an associated existing query. - - However, the precondition whether nick was not NULL was not - verified, leading to incorrect API usage of the nick_comp_func and - ultimately NULL pointer dereference resulting in a crash whenever - the server produced such a message without nick. - -(b) CVE-2017-5194: Use after free when receiving invalid nick message. - - Irssi is programmed to cancel the connection when the server - indicates an invalid nick during the registration phase (in the - event_nick_invalid function), because Irssi cannot recover from - this. 
- - A complex (and still not properly fixed) chain of signal - dependencies emitted by the server_disconnect function, combined - with the lack of reference counting, leads to multiple use after - free issues when the server object has already been destroyed, but - there is currently no way to inform the surrounding code of this - fact. - - As a mitigation, the server_disconnect function is no longer used - in this case and instead the clean-up is pushed to some upper - layer. Fixing this properly will still be a lot of work. - -(c) CVE-2017-5356: Out of bounds read when Printing the value %[ - Found by Hanno Böck. - - The formatting sequence %[...] can be used to execute the - timestamp and "line_start" commands on each printed line. - - The scanner in format_expand_styles will expect it to read unto - the closing ], but in case the end of string has already been - reached while searching for the closing bracket, calling code is - not prepared to deal with this and may advance the char* beyond - end of string. - -(d) CVE-2017-5195: Out of bounds read in certain incomplete control - codes found by Joseph Bisch. - - While parsing the ANSI x8 colour codes, Irssi in many cases failed - to check whether the end of string had already been reached, - resulting in this vulnerability. - -(e) CVE-2017-5196: Out of bounds read in certain incomplete character - sequences found by Hanno Böck and independently by J. Bisch. - - When copying characters to the terminal screen in the term_addstr - function, the g_utf8_get_char function was used unconditionally - without verifying that the input string is proper utf8. As the - behaviour of that function is undefined for invalid input, it - would result in this invalid memory access. The correction is to - use the g_utf8_get_char_validated function instead. 
- - - -References ----------- - -[1] https://irssi.org/security/irssi_sa_2017_01.txt -[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193 -[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194 -[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5356 -[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195 -[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196 diff --git a/security/irssi_sa_2017_03.txt b/security/irssi_sa_2017_03.txt deleted file mode 100644 index d155884..0000000 --- a/security/irssi_sa_2017_03.txt +++ /dev/null @@ -1,57 +0,0 @@ -use after free condition during netjoin processing [1] -====================================================== -CWE Classification: CWE-416 - - -CVE-2017-7191 [2] was assigned to this bug - - -Description ------------ - -Use after free while producing list of netjoins (CWE-416) - -This issue was found and reported to us by APic. - - -Impact ------- - -This issue usually leads to segmentation faults. Targeted code -execution should be difficult. - - -Affected versions ------------------ - -Irssi up to and including 1.0.1 - -We believe Irssi 0.8.21 and prior are not affected since a different -code path causes the netjoins to be flushed prior to reaching the use -after free condition. - - -Fixed in --------- - -Irssi 1.0.2 - - -Recommended action ------------------- - -Upgrade to Irssi 1.0.2. Irssi 1.0.2 is a maintenance release -without any new features. - - -Patch ------ - -https://github.com/irssi/irssi/commit/77b2631c78461965bc9a7414aae206b5c514e1b3 - - -References ----------- - -[1] https://irssi.org/security/irssi_sa_2017_03.txt -[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7191 diff --git a/security/irssi_sa_2017_06.txt b/security/irssi_sa_2017_06.txt deleted file mode 100644 index 0d01f92..0000000 --- a/security/irssi_sa_2017_06.txt +++ /dev/null 
@@ -1,73 +0,0 @@ -IRSSI-SA-2017-06 Irssi Security Advisory [1] -============================================ -CVE-2017-9468, CVE-2017-9469 - -Description ------------ - -Two vulnerabilities have been located in Irssi. - -(a) When receiving a DCC message without source nick/host, Irssi would - attempt to dereference a NULL pointer. Found by Joseph - Bisch. (CWE-690) - - CVE-2017-9468 [2] was assigned to this bug - -(b) When receiving certain incorrectly quoted DCC files, Irssi would - try to find the terminating quote one byte before the allocated - memory. Found by Joseph Bisch. (CWE-129, CWE-127) - - CVE-2017-9469 [3] was assigned to this bug - - -Impact ------- - -(a) May result in denial of service (remote crash). - -(b) May result in denial of service (remote crash), but in practice - this seems to be very unlikely unless address sanitizer is - enabled. - - -Affected versions ------------------ - -All Irssi versions that we observed. - - -Fixed in --------- - -Irssi 1.0.3 - - -Recommended action ------------------- - -Upgrade to Irssi 1.0.3. Irssi 1.0.3 is a maintenance release in the -1.0 series, without any new features. - -After installing the updated packages, one can issue the /upgrade -command to load the new binary. TLS connections will require -/reconnect. - - -Mitigating facts ----------------- - -(a) requires control over the ircd - - -Patch ------ - -https://github.com/irssi/irssi/commit/fb08fc7f1aa6b2e616413d003bf021612301ad55 - - -References ----------- - -[1] https://irssi.org/security/irssi_sa_2017_06.txt -[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9468 -[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9469 diff --git a/security/irssi_sa_2017_07.txt b/security/irssi_sa_2017_07.txt deleted file mode 100644 index 90229ac..0000000 --- a/security/irssi_sa_2017_07.txt +++ /dev/null 
@@ -1,75 +0,0 @@ -IRSSI-SA-2017-07 Irssi Security Advisory [1] -============================================ -CVE-2017-10965, CVE-2017-10966. - -Description ------------ - -Two vulnerabilities have been located in Irssi. - -(a) When receiving messages with invalid time stamps, Irssi would try - to dereference a NULL pointer. Found by Brian 'geeknik' Carpenter - of Geeknik Labs. (CWE-690) - - CVE-2017-10965 [2] was assigned to this bug - -(b) While updating the internal nick list, Irssi may incorrectly use - the GHashTable interface and free the nick while updating it. This - will then result in use-after-free conditions on each access of - the hash table. Found by Brian 'geeknik' Carpenter of Geeknik - Labs. (CWE-416 caused by CWE-227) - - CVE-2017-10966 [3] was assigned to this bug - - -Impact ------- - -(a) May result in denial of service (remote crash). - -(b) Undefined behaviour. - - -Affected versions ------------------ - -All Irssi versions that we observed. - - -Fixed in --------- - -Irssi 1.0.4 - - -Recommended action ------------------- - -Upgrade to Irssi 1.0.4. Irssi 1.0.4 is a maintenance release in the -1.0 series, without any new features. - -After installing the updated packages, one can issue the /upgrade -command to load the new binary. TLS connections will require -/reconnect. - - -Mitigating facts ----------------- - -(a) requires control over the ircd - -(b) should not happen with a conforming ircd - - -Patch ------ - -https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206384d291 - - -References ----------- - -[1] https://irssi.org/security/irssi_sa_2017_07.txt -[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10965 -[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10966 diff --git a/security/irssi_sa_2017_10.txt b/security/irssi_sa_2017_10.txt deleted file mode 100644 index ffca83c..0000000 --- a/security/irssi_sa_2017_10.txt +++ /dev/null 
@@ -1,94 +0,0 @@ -IRSSI-SA-2017-10 Irssi Security Advisory [1] -============================================ -CVE-2017-15228, CVE-2017-15227, CVE-2017-15721, CVE-2017-15723, -CVE-2017-15722 - -Description ------------ - -Multiple vulnerabilities have been located in Irssi. - -(a) When installing themes with unterminated colour formatting - sequences, Irssi may access data beyond the end of the - string. (CWE-126) Found by Hanno Böck. - - CVE-2017-15228 was assigned to this issue. - -(b) While waiting for the channel synchronisation, Irssi may - incorrectly fail to remove destroyed channels from the query list, - resulting in use after free conditions when updating the state - later on. Found by Joseph Bisch. (CWE-416 caused by CWE-672) - - CVE-2017-15227 was assigned to this issue. - -(c) Certain incorrectly formatted DCC CTCP messages could cause NULL - pointer dereference. Found by Joseph Bisch. This is a separate, - but similar issue to CVE-2017-9468. (CWE-690) - - CVE-2017-15721 was assigned to this issue. - -(d) Overlong nicks or targets may result in a NULL pointer dereference - while splitting the message. Found by Joseph Bisch. (CWE-690) - - CVE-2017-15723 was assigned to this issue. - -(e) In certain cases Irssi may fail to verify that a Safe channel ID - is long enough, causing reads beyond the end of the string. Found - by Joseph Bisch. (CWE-126) - - CVE-2017-15722 was assigned to this issue. - - -Impact ------- - -(a,b,c,d) May result in denial of service (remote crash). - -(e) May affect the stability of Irssi. - - -Affected versions ------------------ - -(a,b,c,e) All Irssi versions that we observed. - -(d) Starting from 0.8.17. - - -Fixed in --------- - -Irssi 1.0.5 - - -Recommended action ------------------- - -Upgrade to Irssi 1.0.5. Irssi 1.0.5 is a maintenance release in the -1.0 series, without any new features. - -After installing the updated packages, one can issue the /upgrade -command to load the new binary. 
TLS connections will require -/reconnect. - - -Mitigating facts ----------------- - -(a) requires user to install malicious or broken theme file - -(b,c,e) requires a broken ircd or control over the ircd - -(d) irc servers typically have length limits in place - - -Patch ------ - -https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 - - -References ----------- - -[1] https://irssi.org/security/irssi_sa_2017_10.txt diff --git a/security/irssi_sa_2018_01.txt b/security/irssi_sa_2018_01.txt deleted file mode 100644 index a9a3686..0000000 --- a/security/irssi_sa_2018_01.txt +++ /dev/null 
@@ -1,78 +0,0 @@ -IRSSI-SA-2018-01 Irssi Security Advisory [1] -============================================ -CVE-2018-5206, CVE-2018-5205, CVE-2018-5208, CVE-2018-5207 - -Description ------------ - -Multiple vulnerabilities have been located in Irssi. - -(a) When the channel topic is set without specifying a sender, Irssi - may dereference NULL pointer. Found by Joseph Bisch. (CWE-476) - - CVE-2018-5206 was assigned to this issue. - -(b) When using incomplete escape codes, Irssi may access data beyond - the end of the string. (CWE-126) Found by Joseph Bisch. - - CVE-2018-5205 was assigned to this issue. - -(c) A calculation error in the completion code could cause a heap - buffer overflow when completing certain strings. (CWE-126) Found - by Joseph Bisch. - - CVE-2018-5208 was assigned to this issue. - -(d) When using an incomplete variable argument, Irssi may access data - beyond the end of the string. (CWE-126) Found by Joseph Bisch. - - CVE-2018-5207 was assigned to this issue. - - -Impact ------- - -May affect the stability of Irssi. - - -Affected versions ------------------ - -(a,b,c,d) All Irssi versions that we observed. - - -Fixed in --------- - -Irssi 1.0.6 - - -Recommended action ------------------- - -Upgrade to Irssi 1.0.6. Irssi 1.0.6 is a maintenance release in the -1.0 series, without any new features. - -After installing the updated packages, one can issue the /upgrade -command to load the new binary. TLS connections will require -/reconnect. - - -Mitigating facts ----------------- - -(a) requires a broken ircd or control over the ircd - -(b,d) requires user to install malicious or broken files or enter - affected commands - - -Patch ------ -https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff - - -References ----------- - -[1] https://irssi.org/security/irssi_sa_2018_01.txt diff --git a/security/sa_patch.pl b/security/sa_patch.pl deleted file mode 100644 index 95c80b4..0000000 --- a/security/sa_patch.pl +++ /dev/null 
@@ -1,2 +0,0 @@ -Irssi::signal_add_first("print text", sub { - for ($_[1]) { $_ .= ' ' if /\cD(?!.....)/s } &Irssi::signal_continue }) |
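
Review bot: in security/buf_pl_sa_2016.txt the version information does not line up. "Affected versions" says "All up to 2.13" while "Fixed versions" says "buf.pl 2.20", so the text leaves the releases between 2.13 and 2.20 unaccounted for. If this advisory text is carried over to a new location, state whether the intermediate versions are affected or were never released.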
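
Review bot: security/index.html has an unbalanced `</tbody>`: the outer `{% endfor %}` is followed by one more `</tbody>` directly before `</table>`, although each loop iteration already closes both of the `<tbody>` elements it opens. Drop the extra tag if this template is reused. The advisory link is also built as `{{ site.baseurl }}/security/{{ advisory.name | slugify | replace: '-', '_' }}.txt`, and the advisories cite the same paths as their own reference [1] (for example https://irssi.org/security/irssi_sa_2017_01.txt); since the files at those paths are removed here, confirm that whatever replaces them is published at the same URLs.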
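
Review bot: the "Affected versions" line in security/irssi_sa_2016.txt reads "Irssi 0.8.17-beta up to and including 0.8.19 up to 0.8.19-219-g52fedea", which chains two upper bounds and is hard to parse. State separately which releases and which git snapshots are affected. Minor: "vulnerabilites" in the Description should be "vulnerabilities", and "Based on analysis Provided by" has a stray capital.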
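
Review bot: item (c) in security/irssi_sa_2018_01.txt describes a "heap buffer overflow" in the completion code but classifies it as CWE-126, the over-read class that the same advisory uses for the reads beyond the end of the string in (b) and (d). Check which is meant and make the description and the CWE agree. "Mitigating facts" also covers only (a) and (b,d); if nothing mitigates (c), say so explicitly rather than leaving it out.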
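
Review bot: security/sa_patch.pl is the script that the "Fallback action" section of irssi_sa_2016.txt tells users to fetch from https://irssi.org/security/sa_patch.pl and add to ~/.irssi/scripts/autorun, so removing it from this path needs a replacement served at the same URL. The script also carries no comment: a short header saying that it appends a space to printed text when a `\cD` is not followed by five more characters, and naming the advisory it belongs to, would let users see what they are autoloading.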