Diffstat (limited to '_security')
-rw-r--r-- | _security/buf_pl_sa_2016.txt | 73 | ||||
-rw-r--r-- | _security/index.html | 105 | ||||
-rw-r--r-- | _security/irssi_sa_2016.txt | 101 | ||||
-rw-r--r-- | _security/irssi_sa_2017_01.txt | 187 | ||||
-rw-r--r-- | _security/irssi_sa_2017_03.txt | 57 | ||||
-rw-r--r-- | _security/irssi_sa_2017_06.txt | 73 | ||||
-rw-r--r-- | _security/irssi_sa_2017_07.txt | 75 | ||||
-rw-r--r-- | _security/irssi_sa_2017_10.txt | 94 | ||||
-rw-r--r-- | _security/irssi_sa_2018_01.txt | 78 | ||||
-rw-r--r-- | _security/sa_patch.pl | 2 |
10 files changed, 845 insertions, 0 deletions
diff --git a/_security/buf_pl_sa_2016.txt b/_security/buf_pl_sa_2016.txt new file mode 100644 index 0000000..7257538 --- /dev/null +++ b/_security/buf_pl_sa_2016.txt @@ -0,0 +1,73 @@ +information disclosure vulnerability in buf.pl +============================================== +CWE Classification: CWE-732, CWE-538 + +CVE-2016-7553 [1] was assigned to this bug. + + +Description +----------- + +An information disclosure vulnerability was found, reported and fixed +in the buf.pl script by its author. + + +Impact +------ + +Other users on the same machine may be able to retrieve the whole +window contents after /UPGRADE when the buf.pl script is +loaded. Furthermore, this dump of the windows contents is never +removed afterwards. + +Since buf.pl is also an Irssi core script and we recommended its use +to retain your window content, many people could potentially be +affected by this. + +Remote users may be able to retrieve these contents when combined with +other path traversal vulnerabilities in public facing services on that +machine. + + +Detailed analysis +----------------- + +buf.pl restores the scrollbuffer between "/upgrade"s by writing the +contents to a file, and reading that after the new process was spawned. +Through that file, the contents of (private) chat conversations may leak to +other users. + + +Mitigating facts +---------------- + +Careful users with a limited umask (e.g. 077) are not affected by this bug. +However, most Linux systems default to a umask of 022, meaning that files +written without further restricting the permissions, are readable by any +user. + + +Affected versions +----------------- + +All up to 2.13 + + +Fixed versions +-------------- + +buf.pl 2.20 [2] + + +Resolution +---------- + +Update the buf.pl script with the latest version from +https://scripts.irssi.org + + +References +---------- + +[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7553 +[2] https://scripts.irssi.org/scripts/buf.pl 
diff --git a/_security/index.html b/_security/index.html new file mode 100644 index 0000000..af51403 --- /dev/null +++ b/_security/index.html 
@@ -0,0 +1,105 @@ +--- +layout: page +title: Security +permalink: security/ +--- + +Please report security issues to staff@irssi.org. Thanks! + +<h2>Past issues overview</h2> +<table class="table"> + <thead> + <tr class="text-nowrap"> + <th colspan="2">Links</th> + <th>Exploitable</th> + <th colspan="3">Versions affected</th> + <th>Fixed</th> + <th>Credit</th> + <th colspan="2">Description</th> + </tr> + </thead> +{% assign advisories = site.data.security %} +{% for advisory in advisories reversed %} + <tbody> + <tr> + <th colspan="3">{% if advisory.link %}<a href="{{ advisory.link }}">{{ advisory.name }}</a>{% elsif advisory.name contains "-SA-" %}<a href="{{ site.baseurl }}/security/{{ advisory.name | slugify | replace: '-', '_' }}.txt">{{ advisory.name }}</a>{% else %}{{ advisory.name }}{% endif %}</th> + <th colspan="3">{% if advisory.affected_note %}{{ advisory.affected_note }}{% endif %}</th> + <th>{% if advisory.git_commit %}<a href="https://github.com/irssi/{% if advisory.repo %}{{ advisory.repo }}{% else %}irssi{% endif %}/commit/{{ advisory.git_commit }}">{{ advisory.release_date }}</a>{% else %}{{ advisory.release_date }}{% endif %}</th> + <th colspan="3"></th> + </tr> + </tbody> + <tbody> + {% for bug in advisory.bugs %} + <tr> + <td rowspan="3"></td> + <td rowspan="3" class="text-nowrap"> + {% if bug.name %} + <div>{% if bug.link %}<a href="{{ bug.link }}">{{ bug.name }}</a>{% else %}{{ bug.name }}{% endif %}</div> + {% endif %} + {% if bug.cve %} + <div><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name={{ bug.cve }}">{{ bug.cve }}</a></div> + {% endif %} + {% for link in bug.external_links %} + <div><a href="{{ link.url }}">{{ link.id }}</a></div> + {% endfor %} + </td> + <td rowspan="3">{{ bug.exploitable_by }}</td> + {% if bug.affected_note_top %}<td class="has-next-row" colspan="4">{{ bug.affected_note_top }}</td>{% else %} + <td class="has-next-row">{% if bug.affected_versions.from %}{{ bug.affected_versions.from }}{% else %}*{% endif 
%}</td> + <td class="has-next-row">{% if bug.affected_versions.to %}–{% endif %}</td> + <td class="has-next-row">{{ bug.affected_versions.to }}</td> + <td class="has-next-row"> + {% if bug.git_commit %}<a href="https://github.com/irssi/{% if bug.repo %}{{ bug.repo }}{% else %}irssi{% endif %}/commit/{{ bug.git_commit }}">{{ bug.fixed_version }}</a>{% else %}{{ bug.fixed_version }}{% endif %} + </td> + {% endif %} + <td rowspan="3">{{ bug.credit }}</td> + <td rowspan="3">{{ bug.description }}</td> + <td rowspan="3"></td> + </tr> + <tr> + {% if bug.affected_note_top %} + <td class="has-next-row has-previous-row">{% if bug.affected_versions.from %}{{ bug.affected_versions.from }}{% else %}*{% endif %}</td> + <td class="has-next-row has-previous-row">{% if bug.affected_versions.to %}–{% endif %}</td> + <td class="has-next-row has-previous-row">{{ bug.affected_versions.to }}</td> + <td class="has-next-row has-previous-row"> + {% if bug.git_commit %}<a href="https://github.com/irssi/{% if bug.repo %}{{ bug.repo }}{% else %}irssi{% endif %}/commit/{{ bug.git_commit }}">{{ bug.fixed_version }}</a>{% else %}{{ bug.fixed_version }}{% endif %} + </td> + {% else %} + <td class="has-previous-row" colspan="3" rowspan="2">{% if bug.affected_note_bottom %}{{ bug.affected_note_bottom }}{% endif %}</td> + <td class="has-previous-row" rowspan="2"></td> + {% endif %} + </tr> + <tr> + {% if bug.affected_note_top %} + <td class="has-previous-row" colspan="3">{% if bug.affected_note_bottom %}{{ bug.affected_note_bottom }}{% endif %}</td> + <td class="has-previous-row"></td> + {% endif %} + </tr> + {% endfor %} + </tbody> +{% endfor %} + </tbody> +</table> + +<h2>Reference</h2> + +<p>"Exploitable by" column:</p> + +<ul> + <li> + <b>Server</b>: Triggered by malicious inputs sent by a server with complete control over the connection<br /> + Example: malformed raw IRC commands + </li> + <li> + <b>Client</b>: Triggered by malicious inputs sent by remote clients with no privileges over the 
network<br /> + Example: malformed color codes inside a message + </li> + <li> + <b>Local</b>: Exploitable by unprivileged system users with access to the same filesystem<br /> + Example: CVE-2016-7553 (buf.pl information disclosure) + </li> + <li> + <b>Formats</b>: Exploitable through internal format codes used in themes and configs. These are not normally processed from the network but may be in combination with buggy scripts.<br /> + Example: CVE-2017-5356 (Crash on <code>%[</code>) + </li> +</ul> diff --git a/_security/irssi_sa_2016.txt b/_security/irssi_sa_2016.txt new file mode 100644 index 0000000..4b60040 --- /dev/null +++ b/_security/irssi_sa_2016.txt 
@@ -0,0 +1,101 @@ +heap corruption and missing boundary checks +=========================================== +CWE Classification: CWE-20, CWE-823, CWE-126, CWE-122 + +CVE-2016-7044 [1] was assigned to bug 1 +CVE-2016-7045 [2] was assigned to bug 2 + + +Description +----------- + +Gabriel Campana and Adrien Guinet from Quarkslab reported two remote +crash and heap corruption vulnerabilites in Irssi's format parsing +code. + +They also provided us with proof of concept exploit code and patches +to fix those issues. + + +Impact +------ + +Remote crash and heap corruption. Remote code execution seems +difficult since only Nuls are written. + + +Detailed analysis +----------------- + +Based on analysis Provided by Gabriel Campana and Adrien Guinet from +Quarkslab: + +Bug 1 + +The unformat_24bit_color() function is called by format_send_to_gui() +to decode 24bit color codes into their components. The pointer is +advanced unconditionally without checking if a complete code was +supplied. + +Thus, after the return of unformat_24bit_color(), ptr might be invalid +and point out of the buffer. + +Bug 2 + +The format_send_to_gui() function does not validate the length of the +string before incrementing the `ptr' pointer in all cases. + +If that happens, the pointer `ptr' can be incremented twice and thus +end past the boundaries of the original `dup' buffer. + + +Affected versions +----------------- + +Irssi 0.8.17-beta up to and including 0.8.19 up to 0.8.19-219-g52fedea + +Bug 1 affects only Irssis compiled with true-color enabled. +Bug 2 affects all Irssis regardless of compilation flags. + + +Fixed in +-------- + +Irssi 0.8.20 + + +Recommended action +------------------ + +Upgrade to Irssi 0.8.20. Irssi 0.8.20 is a maintenance release +without any new features. + +After installing the updated packages, one can issue the /upgrade +command to load the new binary. TLS connections will require +/reconnect. 
+ + +Fallback action +--------------- + +Distributions which need to remain on Irssi 0.8.17 are strongly urged +to apply the patch and provide updated packages. + +Those who cannot upgrade right now, but with Perl support enabled in +their Irssi, can load the following script and add it to +~/.irssi/scripts/autorun as a first aid to mitigating these issues: + +https://irssi.org/security/sa_patch.pl + + +Patch +----- + +https://github.com/irssi/irssi/commit/295a4b77f07f14602eeaa371f00ddbf09910c82b + + +References +---------- + +[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7044 +[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7045 diff --git a/_security/irssi_sa_2017_01.txt b/_security/irssi_sa_2017_01.txt new file mode 100644 index 0000000..df9adbb --- /dev/null +++ b/_security/irssi_sa_2017_01.txt 
@@ -0,0 +1,187 @@ +Multiple vulnerabilities in Irssi [1] +===================================== +CVE-2017-5193, CVE-2017-5194, CVE-2017-5356, CVE-2017-5195, CVE-2017-5196 + +Description +----------- + +Five vulnerabilities have been located in Irssi. + +(a) A NULL pointer dereference in the nickcmp function found by Joseph + Bisch. (CWE-690) + + CVE-2017-5193 [2] was assigned to this bug + +(b) Use after free when receiving invalid nick message (Issue #466, CWE-416) + + CVE-2017-5194 [3] was assigned to this bug + +(c) Out of bounds read when Printing the value %[ + Found by Hanno Böck. (CWE-126) + + CVE-2017-5356 [4] was assigned to this bug + +(d) Out of bounds read in certain incomplete control codes found by + Joseph Bisch. (CWE-126) + + CVE-2017-5195 [5] was assigned to this bug + +(e) Out of bounds read in certain incomplete character sequences found + by Hanno Böck and independently by J. Bisch. (CWE-126) + + CVE-2017-5196 [6] was assigned to this bug + + + +Impact +------ + +These issues may result in denial of service (remote crash). + + +Affected versions +----------------- + +(a) All Irssi versions that we observed +(b) All Irssi versions that we observed +(c) All Irssi versions that we observed +(d) Irssi 0.8.17 and later +(e) Irssi 0.8.18 and later + + +Fixed in +-------- + +Irssi 0.8.21, Irssi 1.0.0 + + +Recommended action +------------------ + +Upgrade to Irssi 0.8.21. Irssi 0.8.21 is a maintenance release +without any new features. + +After installing the updated packages, one can issue the /upgrade +command to load the new binary. TLS connections will require +/reconnect. + + +A Note to Distributors +---------------------- + +First of all, thanks to every maintainer for their awesome job in +packaging Irssi and backporting security fixes. + +When we had to release a security advisory last year with Irssi +0.8.20, we noticed there was a huge confusion amongst Ubuntu users +about whether their Irssi version was safe to use. 
+ +Since all our releases 0.8.18, 0.8.19, 0.8.20 and 0.8.21 have been bug +fix only, we think distributions should just ship the release. + +But if the security fixes only are backported on top of an old +version, we would like to urge distributions to consider indicating +this in a way that is visible inside Irssi. One way to do this would +be to manually overwrite the PACKAGE_VERSION and marking your package +as patched. This can be done for example like this: + + ./configure PACKAGE_VERSION=0.8.17-sa201701 + + +You can then check the version from inside Irssi with /eval echo $J + +As an added benefit over relying on dpkg, this will also correctly +report whether you had /upgrade done or not. We are looking for a ways +to make this easier to handle for both packagers and us, so if you +have a good idea on this matter please speak forth. + + +Mitigating facts +---------------- + +(a) requires control over the ircd + +(b) and (e) require control over the ircd or otherwise can be + triggered / avoided by the user themselves + +(c) can be triggered / avoided by the user themselves + + +Patch +----- + +https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d + + +Discussion +---------- + +(a) CVE-2017-5193: A NULL pointer dereference in the nickcmp function + found by Joseph Bisch. + + The irc_query_find function will call nick_comp_func in order to + retrieve an associated existing query. + + However, the precondition whether nick was not NULL was not + verified, leading to incorrect API usage of the nick_comp_func and + ultimately NULL pointer dereference resulting in a crash whenever + the server produced such a message without nick. + +(b) CVE-2017-5194: Use after free when receiving invalid nick message. + + Irssi is programmed to cancel the connection when the server + indicates an invalid nick during the registration phase (in the + event_nick_invalid function), because Irssi cannot recover from + this. 
+ + A complex (and still not properly fixed) chain of signal + dependencies emitted by the server_disconnect function, combined + with the lack of reference counting, leads to multiple use after + free issues when the server object has already been destroyed, but + there is currently no way to inform the surrounding code of this + fact. + + As a mitigation, the server_disconnect function is no longer used + in this case and instead the clean-up is pushed to some upper + layer. Fixing this properly will still be a lot of work. + +(c) CVE-2017-5356: Out of bounds read when Printing the value %[ + Found by Hanno Böck. + + The formatting sequence %[...] can be used to execute the + timestamp and "line_start" commands on each printed line. + + The scanner in format_expand_styles will expect it to read unto + the closing ], but in case the end of string has already been + reached while searching for the closing bracket, calling code is + not prepared to deal with this and may advance the char* beyond + end of string. + +(d) CVE-2017-5195: Out of bounds read in certain incomplete control + codes found by Joseph Bisch. + + While parsing the ANSI x8 colour codes, Irssi in many cases failed + to check whether the end of string had already been reached, + resulting in this vulnerability. + +(e) CVE-2017-5196: Out of bounds read in certain incomplete character + sequences found by Hanno Böck and independently by J. Bisch. + + When copying characters to the terminal screen in the term_addstr + function, the g_utf8_get_char function was used unconditionally + without verifying that the input string is proper utf8. As the + behaviour of that function is undefined for invalid input, it + would result in this invalid memory access. The correction is to + use the g_utf8_get_char_validated function instead. 
+ + + +References +---------- + +[1] https://irssi.org/security/irssi_sa_2017_01.txt +[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193 +[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194 +[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5356 +[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195 +[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196 diff --git a/_security/irssi_sa_2017_03.txt b/_security/irssi_sa_2017_03.txt new file mode 100644 index 0000000..d155884 --- /dev/null +++ b/_security/irssi_sa_2017_03.txt @@ -0,0 +1,57 @@ +use after free condition during netjoin processing [1] +====================================================== +CWE Classification: CWE-416 + + +CVE-2017-7191 [2] was assigned to this bug + + +Description +----------- + +Use after free while producing list of netjoins (CWE-416) + +This issue was found and reported to us by APic. + + +Impact +------ + +This issue usually leads to segmentation faults. Targeted code +execution should be difficult. + + +Affected versions +----------------- + +Irssi up to and including 1.0.1 + +We believe Irssi 0.8.21 and prior are not affected since a different +code path causes the netjoins to be flushed prior to reaching the use +after free condition. + + +Fixed in +-------- + +Irssi 1.0.2 + + +Recommended action +------------------ + +Upgrade to Irssi 1.0.2. Irssi 1.0.2 is a maintenance release +without any new features. + + +Patch +----- + +https://github.com/irssi/irssi/commit/77b2631c78461965bc9a7414aae206b5c514e1b3 + + +References +---------- + +[1] https://irssi.org/security/irssi_sa_2017_03.txt +[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7191 diff --git a/_security/irssi_sa_2017_06.txt b/_security/irssi_sa_2017_06.txt new file mode 100644 index 0000000..0d01f92 --- /dev/null +++ b/_security/irssi_sa_2017_06.txt 
@@ -0,0 +1,73 @@ +IRSSI-SA-2017-06 Irssi Security Advisory [1] +============================================ +CVE-2017-9468, CVE-2017-9469 + +Description +----------- + +Two vulnerabilities have been located in Irssi. + +(a) When receiving a DCC message without source nick/host, Irssi would + attempt to dereference a NULL pointer. Found by Joseph + Bisch. (CWE-690) + + CVE-2017-9468 [2] was assigned to this bug + +(b) When receiving certain incorrectly quoted DCC files, Irssi would + try to find the terminating quote one byte before the allocated + memory. Found by Joseph Bisch. (CWE-129, CWE-127) + + CVE-2017-9469 [3] was assigned to this bug + + +Impact +------ + +(a) May result in denial of service (remote crash). + +(b) May result in denial of service (remote crash), but in practice + this seems to be very unlikely unless address sanitizer is + enabled. + + +Affected versions +----------------- + +All Irssi versions that we observed. + + +Fixed in +-------- + +Irssi 1.0.3 + + +Recommended action +------------------ + +Upgrade to Irssi 1.0.3. Irssi 1.0.3 is a maintenance release in the +1.0 series, without any new features. + +After installing the updated packages, one can issue the /upgrade +command to load the new binary. TLS connections will require +/reconnect. + + +Mitigating facts +---------------- + +(a) requires control over the ircd + + +Patch +----- + +https://github.com/irssi/irssi/commit/fb08fc7f1aa6b2e616413d003bf021612301ad55 + + +References +---------- + +[1] https://irssi.org/security/irssi_sa_2017_06.txt +[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9468 +[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9469 diff --git a/_security/irssi_sa_2017_07.txt b/_security/irssi_sa_2017_07.txt new file mode 100644 index 0000000..90229ac --- /dev/null +++ b/_security/irssi_sa_2017_07.txt 
@@ -0,0 +1,75 @@ +IRSSI-SA-2017-07 Irssi Security Advisory [1] +============================================ +CVE-2017-10965, CVE-2017-10966. + +Description +----------- + +Two vulnerabilities have been located in Irssi. + +(a) When receiving messages with invalid time stamps, Irssi would try + to dereference a NULL pointer. Found by Brian 'geeknik' Carpenter + of Geeknik Labs. (CWE-690) + + CVE-2017-10965 [2] was assigned to this bug + +(b) While updating the internal nick list, Irssi may incorrectly use + the GHashTable interface and free the nick while updating it. This + will then result in use-after-free conditions on each access of + the hash table. Found by Brian 'geeknik' Carpenter of Geeknik + Labs. (CWE-416 caused by CWE-227) + + CVE-2017-10966 [3] was assigned to this bug + + +Impact +------ + +(a) May result in denial of service (remote crash). + +(b) Undefined behaviour. + + +Affected versions +----------------- + +All Irssi versions that we observed. + + +Fixed in +-------- + +Irssi 1.0.4 + + +Recommended action +------------------ + +Upgrade to Irssi 1.0.4. Irssi 1.0.4 is a maintenance release in the +1.0 series, without any new features. + +After installing the updated packages, one can issue the /upgrade +command to load the new binary. TLS connections will require +/reconnect. + + +Mitigating facts +---------------- + +(a) requires control over the ircd + +(b) should not happen with a conforming ircd + + +Patch +----- + +https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206384d291 + + +References +---------- + +[1] https://irssi.org/security/irssi_sa_2017_07.txt +[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10965 +[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10966 diff --git a/_security/irssi_sa_2017_10.txt b/_security/irssi_sa_2017_10.txt new file mode 100644 index 0000000..ffca83c --- /dev/null +++ b/_security/irssi_sa_2017_10.txt 
@@ -0,0 +1,94 @@ +IRSSI-SA-2017-10 Irssi Security Advisory [1] +============================================ +CVE-2017-15228, CVE-2017-15227, CVE-2017-15721, CVE-2017-15723, +CVE-2017-15722 + +Description +----------- + +Multiple vulnerabilities have been located in Irssi. + +(a) When installing themes with unterminated colour formatting + sequences, Irssi may access data beyond the end of the + string. (CWE-126) Found by Hanno Böck. + + CVE-2017-15228 was assigned to this issue. + +(b) While waiting for the channel synchronisation, Irssi may + incorrectly fail to remove destroyed channels from the query list, + resulting in use after free conditions when updating the state + later on. Found by Joseph Bisch. (CWE-416 caused by CWE-672) + + CVE-2017-15227 was assigned to this issue. + +(c) Certain incorrectly formatted DCC CTCP messages could cause NULL + pointer dereference. Found by Joseph Bisch. This is a separate, + but similar issue to CVE-2017-9468. (CWE-690) + + CVE-2017-15721 was assigned to this issue. + +(d) Overlong nicks or targets may result in a NULL pointer dereference + while splitting the message. Found by Joseph Bisch. (CWE-690) + + CVE-2017-15723 was assigned to this issue. + +(e) In certain cases Irssi may fail to verify that a Safe channel ID + is long enough, causing reads beyond the end of the string. Found + by Joseph Bisch. (CWE-126) + + CVE-2017-15722 was assigned to this issue. + + +Impact +------ + +(a,b,c,d) May result in denial of service (remote crash). + +(e) May affect the stability of Irssi. + + +Affected versions +----------------- + +(a,b,c,e) All Irssi versions that we observed. + +(d) Starting from 0.8.17. + + +Fixed in +-------- + +Irssi 1.0.5 + + +Recommended action +------------------ + +Upgrade to Irssi 1.0.5. Irssi 1.0.5 is a maintenance release in the +1.0 series, without any new features. + +After installing the updated packages, one can issue the /upgrade +command to load the new binary. 
TLS connections will require +/reconnect. + + +Mitigating facts +---------------- + +(a) requires user to install malicious or broken theme file + +(b,c,e) requires a broken ircd or control over the ircd + +(d) irc servers typically have length limits in place + + +Patch +----- + +https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 + + +References +---------- + +[1] https://irssi.org/security/irssi_sa_2017_10.txt diff --git a/_security/irssi_sa_2018_01.txt b/_security/irssi_sa_2018_01.txt new file mode 100644 index 0000000..a9a3686 --- /dev/null +++ b/_security/irssi_sa_2018_01.txt 
@@ -0,0 +1,78 @@ +IRSSI-SA-2018-01 Irssi Security Advisory [1] +============================================ +CVE-2018-5206, CVE-2018-5205, CVE-2018-5208, CVE-2018-5207 + +Description +----------- + +Multiple vulnerabilities have been located in Irssi. + +(a) When the channel topic is set without specifying a sender, Irssi + may dereference NULL pointer. Found by Joseph Bisch. (CWE-476) + + CVE-2018-5206 was assigned to this issue. + +(b) When using incomplete escape codes, Irssi may access data beyond + the end of the string. (CWE-126) Found by Joseph Bisch. + + CVE-2018-5205 was assigned to this issue. + +(c) A calculation error in the completion code could cause a heap + buffer overflow when completing certain strings. (CWE-126) Found + by Joseph Bisch. + + CVE-2018-5208 was assigned to this issue. + +(d) When using an incomplete variable argument, Irssi may access data + beyond the end of the string. (CWE-126) Found by Joseph Bisch. + + CVE-2018-5207 was assigned to this issue. + + +Impact +------ + +May affect the stability of Irssi. + + +Affected versions +----------------- + +(a,b,c,d) All Irssi versions that we observed. + + +Fixed in +-------- + +Irssi 1.0.6 + + +Recommended action +------------------ + +Upgrade to Irssi 1.0.6. Irssi 1.0.6 is a maintenance release in the +1.0 series, without any new features. + +After installing the updated packages, one can issue the /upgrade +command to load the new binary. TLS connections will require +/reconnect. + + +Mitigating facts +---------------- + +(a) requires a broken ircd or control over the ircd + +(b,d) requires user to install malicious or broken files or enter + affected commands + + +Patch +----- +https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff + + +References +---------- + +[1] https://irssi.org/security/irssi_sa_2018_01.txt diff --git a/_security/sa_patch.pl b/_security/sa_patch.pl new file mode 100644 index 0000000..95c80b4 --- /dev/null +++ b/_security/sa_patch.pl 
@@ -0,0 +1,2 @@ +Irssi::signal_add_first("print text", sub { + for ($_[1]) { $_ .= ' ' if /\cD(?!.....)/s } &Irssi::signal_continue }) |
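Review bot: In _security/buf_pl_sa_2016.txt the advisory never states what the fix in buf.pl 2.20 actually does, which packagers and auditors need in order to verify a backport: "Detailed analysis" describes the world-readable dump file and "Impact" notes it is never removed, but "Fixed versions" only names the version. Add a sentence under "Resolution" or "Detailed analysis" saying whether 2.20 restricts the file permissions, removes the file after the restore, or both. Two wording points in the same hunk: "this dump of the windows contents" should read "window contents", and "we recommended its use" reads better in the present tense ("we recommend its use") since the recommendation still stands.

Review bot: In _security/index.html the closing `</tbody>` placed right after the outer `{% endfor %}` has no matching opening tag: both `<tbody>` elements opened inside the advisory loop are already closed before `{% endfor %}`, so the rendered table ends with an extra `</tbody>` before `</table>`. Either drop that stray line or move the per-advisory `<tbody>` open outside the loop, but not both. Also consider adding `rel="noopener"` on the external `<a href="{{ bug.link }}">` and `<a href="{{ link.url }}">` anchors, since `bug.link` and `external_links` come from data files and point off-site.

Review bot: In _security/irssi_sa_2016.txt the "Affected versions" line "Irssi 0.8.17-beta up to and including 0.8.19 up to 0.8.19-219-g52fedea" is ambiguous about whether git snapshots after 0.8.19 are affected; suggest "Irssi 0.8.17-beta up to and including 0.8.19, plus git snapshots up to 0.8.19-219-g52fedea". Spelling in the same hunk: "vulnerabilites" should be "vulnerabilities" and "Based on analysis Provided by" should use a lowercase "provided".

Review bot: In _security/irssi_sa_2017_01.txt the "Mitigating facts" section lists (a), (b), (c) and (e) but says nothing about (d) (CVE-2017-5195, incomplete ANSI control codes); since the "Exploitable" column on index.html is filled from exactly this kind of statement, add a line for (d) stating whether it needs ircd control or can be triggered by any remote client. Wording points in the same hunk: "Printing" should be lowercase in both the (c) heading and the "Discussion" entry, "read unto the closing ]" should be "read up to the closing ]", "We are looking for a ways" should be "a way", and "please speak forth" reads more naturally as "please speak up".

Review bot: In _security/irssi_sa_2017_06.txt the "Mitigating facts" section covers only (a); for (b) (CVE-2017-9469, incorrectly quoted DCC files) it is unclear from the advisory whether a remote client offering a DCC transfer can trigger it or whether ircd control is needed, so add a line for (b) so that the index.html "Exploitable" classification is derivable from the advisory text.

Review bot: In _security/irssi_sa_2018_01.txt the "Mitigating facts" section covers (a), (b) and (d) but omits (c) (CVE-2018-5208, heap buffer overflow in the completion code), which is the most serious of the four by CWE type; add a line stating how (c) is reached (user-entered completion input versus network data). Style in the same hunk: the "Patch" heading is the only one on the page not followed by a blank line before its URL, and this advisory alone links a release diff instead of a commit, so it would help to say the diff covers 1.0.5 to 1.0.6 only.

Review bot: In _security/sa_patch.pl the padding and the guard do not agree: the lookahead `/\cD(?!.....)/s` fires when a `\cD` format byte is followed by fewer than five characters, yet the body appends exactly one space and the statement runs once per line, so a `\cD` at the very end of the text still has only one trailing byte afterwards. If five bytes is the intended minimum (the 24-bit colour code handled by unformat_24bit_color() consumes several bytes after `\cD`), pad until the lookahead no longer matches; if a single extra byte is what the `ptr` arithmetic needs, tighten the lookahead to `(?!.)` so the script documents the actual requirement. A one-line comment naming IRSSI-SA-2016 / CVE-2016-7044/7045 and the fixed version 0.8.20 would also tell users when they can remove the script from autorun.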