-rw-r--r--  _config.yml                                        2
-rw-r--r--  _data/sb_whatsnew.yml                              2
-rw-r--r--  _data/security.yml                                46
-rw-r--r--  _includes/header.html                              1
-rw-r--r--  _posts/2017-07-23-irssi-1.0.5-released.markdown   31
-rw-r--r--  download/index.markdown                            4
-rw-r--r--  security/index.html                                5
-rw-r--r--  security/irssi_sa_2017_10.txt                     94
8 files changed, 181 insertions, 4 deletions
diff --git a/_config.yml b/_config.yml index 7adf66e..f169ef5 100644 --- a/_config.yml +++ b/_config.yml @@ -13,7 +13,7 @@ description: The Client of the Future name: Irssi Core Team email: staff@irssi.org -gems: +plugins: - jekyll-paginate - jekyll-redirect-from - jekyll-sitemap diff --git a/_data/sb_whatsnew.yml b/_data/sb_whatsnew.yml index cf1fc32..37e04f7 100644 --- a/_data/sb_whatsnew.yml +++ b/_data/sb_whatsnew.yml @@ -1,5 +1,5 @@ - - key: irssi-1.0.4-released + key: irssi-1.0.5-released tag: Security - key: fuzzing-irssi diff --git a/_data/security.yml b/_data/security.yml index a7a1177..e16eb67 100644 --- a/_data/security.yml +++ b/_data/security.yml 
@@ -275,3 +275,49 @@ fixed_version: 1.0.4 credit: Brian 'geeknik' Carpenter of Geeknik Labs description: 'Use after free after nicklist structure has been corrupted while updating a nick group' +- + name: IRSSI-SA-2017-10 + release_date: 2017-10-23 + git_commit: 43e44d553d44e313003cee87e6ea5e24d68b84a1 + bugs: + - + cve: CVE-2017-15228 + exploitable_by: formats + affected_versions: + to: 1.0.4 + fixed_version: 1.0.5 + credit: 'Hanno Böck' + description: 'Unterminated colour formatting sequences may cause data access beyond the end of the buffer' + - + cve: CVE-2017-15227 + exploitable_by: server + affected_versions: + to: 1.0.4 + fixed_version: 1.0.5 + credit: 'Joseph Bisch' + description: 'Failure to remove destroyed channels from the query list while waiting for the channel synchronisation may result in use after free conditions when updating the state later on' + - + cve: CVE-2017-15721 + exploitable_by: server + affected_versions: + to: 1.0.4 + fixed_version: 1.0.5 + credit: 'Joseph Bisch' + description: 'Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference' + - + cve: CVE-2017-15723 + exploitable_by: server + affected_versions: + from: 0.8.17 + to: 1.0.4 + fixed_version: 1.0.5 + credit: 'Joseph Bisch' + description: 'Overlong nicks or targets may result in a NULL pointer dereference while splitting the message' + - + cve: CVE-2017-15722 + exploitable_by: server + affected_versions: + to: 1.0.4 + fixed_version: 1.0.5 + credit: 'Joseph Bisch' + description: 'Read beyond end of buffer may occur if a Safe channel ID is not long enough' diff --git a/_includes/header.html b/_includes/header.html index e826db4..57299f1 100644 --- a/_includes/header.html +++ b/_includes/header.html 
@@ -32,6 +32,7 @@ {% endcomment %}{% endif %}{% comment %} {% endcomment %}{% endif %}{% comment %} {% endcomment %}{% endfor %} + <li><a href="https://github.com/irssi/irssi">Source Code</a></li> <li><a href="//irssi-import.github.io/themes/">Themes</a></li> <li><a href="http://scripts.irssi.org/">Scripts</a></li> <li><a href="https://github.com/irssi/irssi/issues">Bugs</a></li> diff --git a/_posts/2017-07-23-irssi-1.0.5-released.markdown b/_posts/2017-07-23-irssi-1.0.5-released.markdown new file mode 100644 index 0000000..23d59c8 --- /dev/null +++ b/_posts/2017-07-23-irssi-1.0.5-released.markdown @@ -0,0 +1,31 @@ +--- +layout: post +title: "Irssi 1.0.5 Released" +--- + +Irssi 1.0.5 has been released. This release fixes a few security +issues in Irssi as well as a few bugs. There are no new +features. **All Irssi users should upgrade to this version**. See the +[NEWS](//raw.githubusercontent.com/irssi/irssi/1.0.5/NEWS) for +details. + +Most issues have been identified using fuzzing, thanks to Hanno Böck +and Joseph Bisch. We expect @jbisch will be able to tell you more +about his newest fuzzer at http://freenode.live on the weekend! + +For more information refer to the [security advisory](/security/irssi_sa_2017_10.txt). + +This release can be downloaded from [our releases +page](https://github.com/irssi/irssi/releases). Binary test packages +for various Linux distributions are automatically generated by the +[openSUSE Build Service](https://build.opensuse.org/) and are +available for download in the +[irssi-test](https://software.opensuse.org/download.html?project=home:ailin_nemui:irssi-test;package=irssi) +repository. + +Please check with your distro whether they provide officially updated +packages. + +We currently do not have any alternate advice. + +The Irssi Team. diff --git a/download/index.markdown b/download/index.markdown index 869af7d..b702ebf 100644 --- a/download/index.markdown +++ b/download/index.markdown 
@@ -3,7 +3,7 @@ layout: page title: Getting Irssi permalink: /download/ categories: [ _nav, _6 ] -version: 1.0.4 +version: 1.0.5 --- There are several ways you can get Irssi<span class="hidden-md hidden-lg">:</span> @@ -15,6 +15,8 @@ There are several ways you can get Irssi<span class="hidden-md hidden-lg">:</spa </div> +[Security information](/security) + <div class="col-lg-6 col-md-7" markdown="1"> ## Binary Packages diff --git a/security/index.html b/security/index.html index 44391f2..af51403 100644 --- a/security/index.html +++ b/security/index.html @@ -2,8 +2,11 @@ layout: page title: Security permalink: security/ -categories: [ _nav ] --- + +Please report security issues to staff@irssi.org. Thanks! + +<h2>Past issues overview</h2> <table class="table"> <thead> <tr class="text-nowrap"> diff --git a/security/irssi_sa_2017_10.txt b/security/irssi_sa_2017_10.txt new file mode 100644 index 0000000..11d382a --- /dev/null +++ b/security/irssi_sa_2017_10.txt 
@@ -0,0 +1,94 @@ +IRSSI-SA-2017-10 Irssi Security Advisory [1] +============================================ +CVE-2017-15228, CVE-2017-15227, CVE-2017-15721, CVE-2017-15722, +CVE-2017-15723 + +Description +----------- + +Multiple vulnerabilities have been located in Irssi. + +(a) When installing themes with unterminated colour formatting + sequences, Irssi may access data beyond the end of the + string. (CWE-126) Found by Hanno Böck. + + CVE-2017-15228 was assigned to this issue. + +(b) While waiting for the channel synchronisation, Irssi may + incorrectly fail to remove destroyed channels from the query list, + resulting in use after free conditions when updating the state + later on. Found by Joseph Bisch. (CWE-416 caused by CWE-672) + + CVE-2017-15227 was assigned to this issue. + +(c) Certain incorrectly formatted DCC CTCP messages could cause NULL + pointer dereference. Found by Joseph Bisch. This is a separate, + but similar issue to CVE-2017-9468. (CWE-690) + + CVE-2017-15721 was assigned to this issue. + +(d) Overlong nicks or targets may result in a NULL pointer dereference + while splitting the message. Found by Joseph Bisch. (CWE-690) + + CVE-2017-15722 was assigned to this issue. + +(e) In certain cases Irssi may fail to verify that a Safe channel ID + is long enough, causing reads beyond the end of the string. Found + by Joseph Bisch. (CWE-126) + + CVE-2017-15723 was assigned to this issue. + + +Impact +------ + +(a,b,c,d) May result in denial of service (remote crash). + +(e) May affect the stability of Irssi. + + +Affected versions +----------------- + +(a,b,c,e) All Irssi versions that we observed. + +(d) Starting from 0.8.17. + + +Fixed in +-------- + +Irssi 1.0.5 + + +Recommended action +------------------ + +Upgrade to Irssi 1.0.5. Irssi 1.0.5 is a maintenance release in the +1.0 series, without any new features. + +After installing the updated packages, one can issue the /upgrade +command to load the new binary. 
TLS connections will require +/reconnect. + + +Mitigating facts +---------------- + +(a) requires user to install malicious or broken theme file + +(b,c,e) requires a broken ircd or control over the ircd + +(d) irc servers typically have length limits in place + + +Patch +----- + +https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 + + +References +---------- + +[1] https://irssi.org/security/irssi_sa_2017_10.txt |
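Review bot: the `gems:` to `plugins:` rename in `_config.yml` only works on Jekyll 3.5 or later, which is the version that started reading the gem list from `plugins:`; on an older Jekyll the three entries (jekyll-paginate, jekyll-redirect-from, jekyll-sitemap) are no longer picked up and pagination, the redirects and the sitemap silently disappear from the build. Pin or bump the Jekyll version used to build the site in the same change so the rename cannot land on its own.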
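Review bot: the new post is named `_posts/2017-07-23-irssi-1.0.5-released.markdown`, but the advisory in the same patch carries `release_date: 2017-10-23` and the advisory ID is IRSSI-SA-2017-10. Jekyll takes a post's date (and its default URL) from the filename, so as written the 1.0.5 announcement is dated July and will sort with or below the 1.0.4 release post instead of at the top. Rename the file to `_posts/2017-10-23-irssi-1.0.5-released.markdown`; the `irssi-1.0.5-released` key in `_data/sb_whatsnew.yml` uses only the slug, so it is unaffected. The sentence "We currently do not have any alternate advice." also reads like a leftover; if it is meant to say there is no workaround short of upgrading, say that.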
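Review bot: in `security/index.html` the added line `Please report security issues to staff@irssi.org. Thanks!` is bare text in an HTML file whose body is raw `<table>` markup, and Jekyll does not run Markdown over `.html` pages, so it renders as an unwrapped text node directly above the `<h2>`. Wrap it, e.g. `<p>Please report security issues to <a href="mailto:staff@irssi.org">staff@irssi.org</a>. Thanks!</p>`. Also note that dropping `categories: [ _nav ]` removes the Security page from the navigation, so after this change it is reachable only through the new `[Security information](/security)` link on the download page; if that is intended, fine, but it is worth stating in the commit message.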
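Review bot: the CVE numbers for the last two issues disagree between the two files in this patch. In `_data/security.yml`, CVE-2017-15723 is the overlong nick/target NULL dereference (affected from 0.8.17) and CVE-2017-15722 is the Safe channel ID read past the end of the string, while `security/irssi_sa_2017_10.txt` assigns CVE-2017-15722 to (d) overlong nicks and CVE-2017-15723 to (e) Safe channel ID. The MITRE descriptions for these IDs match the yml assignment, so swap the `CVE-2017-15722 was assigned to this issue.` and `CVE-2017-15723 was assigned to this issue.` lines under (d) and (e) in the advisory; the Affected versions and Mitigating facts sections key on the letters and need no change. Separately, the Impact section puts (a) under "denial of service (remote crash)" although Mitigating facts says (a) requires the user to install a theme file locally, and gives (e), an out-of-bounds read of the same class (CWE-126) as (a), only "may affect the stability". State the two consistently, e.g. "(a,e) May result in a crash (out-of-bounds read)" and "(b,c,d) May result in denial of service (remote crash)".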