summaryrefslogtreecommitdiff
path: root/security/irssi_sa_2016.txt
diff options
context:
space:
mode:
Diffstat (limited to 'security/irssi_sa_2016.txt')
-rw-r--r--security/irssi_sa_2016.txt96
1 files changed, 96 insertions, 0 deletions
diff --git a/security/irssi_sa_2016.txt b/security/irssi_sa_2016.txt
new file mode 100644
index 0000000..5ef4142
--- /dev/null
+++ b/security/irssi_sa_2016.txt
@@ -0,0 +1,96 @@
+heap corruption and missing boundary checks
+===========================================
+CWE Classification: CWE-20, CWE-823, CWE-126, CWE-122
+
+CVE-2016-7044 [1] was assigned to bug 1
+CVE-2016-7045 [2] was assigned to bug 2
+
+
+Description
+-----------
+
+Gabriel Campana and Adrien Guinet from Quarkslab reported two remote
+crash and heap corruption vulnerabilites in Irssi's format parsing
+code.
+
+They also provided us with proof of concept exploit code and patches
+to fix those issues.
+
+
+Impact
+------
+
+Remote crash and heap corruption. Remote code execution seems
+difficult since only Nuls are written.
+
+
+Detailed analysis
+-----------------
+
+Based on analysis Provided by Gabriel Campana and Adrien Guinet from
+Quarkslab:
+
+Bug 1
+
+The unformat_24bit_color() function is called by format_send_to_gui()
+to decode 24bit color codes into their components. The pointer is
+advanced unconditionally without checking if a complete code was
+supplied.
+
+Thus, after the return of unformat_24bit_color(), ptr might be invalid
+and point out of the buffer.
+
+Bug 2
+
+The format_send_to_gui() function does not validate the length of the
+string before incrementing the `ptr' pointer in all cases.
+
+If that happens, the pointer `ptr' can be incremented twice and thus
+end past the boundaries of the original `dup' buffer.
+
+
+Affected versions
+-----------------
+
+Irssi 0.8.17-beta up to and including 0.8.19 up to 0.8.19-219-g52fedea
+
+Bug 1 affects only Irssis compiled with true-color enabled.
+Bug 2 affects all Irssis regardless of compilation flags.
+
+
+Fixed in
+--------
+
+Irssi 0.8.20
+
+
+Recommended action
+------------------
+
+Upgrade to Irssi 0.8.20. Irssi 0.8.20 is a maintenance release
+without any new features.
+
+After installing the updated packages, one can issue the /upgrade
+command to load the new binary. TLS connections will require
+/reconnect. If the buf.pl script is loaded and symlinked into
+~/.irssi/scripts/autorun, text buffer content will be saved and
+restored.
+
+
+Fallback action
+---------------
+
+Distributions which need to remain on Irssi 0.8.17 are strongly urged
+to apply the patch and provide updated packages.
+
+
+Patch
+-----
+
+https://github.com/irssi/irssi/commit/295a4b77f07f14602eeaa371f00ddbf09910c82b
+
+
+References
+----------
+[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7044
+[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7045