From aa3679cf00f9a46c1c2584f35dc955787d25c8ea Mon Sep 17 00:00:00 2001 From: Ailin Nemui Date: Sat, 6 Jan 2018 15:06:19 +0100 Subject: Release Irssi 1.0.6 --- _data/sb_whatsnew.yml | 2 +- _data/security.yml | 36 ++++++++++++ _posts/2018-01-07-irssi-1.0.6-released.markdown | 31 ++++++++++ download/index.markdown | 2 +- security/irssi_sa_2018_01.txt | 78 +++++++++++++++++++++++++ 5 files changed, 147 insertions(+), 2 deletions(-) create mode 100644 _posts/2018-01-07-irssi-1.0.6-released.markdown create mode 100644 security/irssi_sa_2018_01.txt diff --git a/_data/sb_whatsnew.yml b/_data/sb_whatsnew.yml index 37e04f7..41ec6dc 100644 --- a/_data/sb_whatsnew.yml +++ b/_data/sb_whatsnew.yml @@ -1,5 +1,5 @@ - - key: irssi-1.0.5-released + key: irssi-1.0.6-released tag: Security - key: fuzzing-irssi diff --git a/_data/security.yml b/_data/security.yml index e16eb67..49671b0 100644 --- a/_data/security.yml +++ b/_data/security.yml 
@@ -321,3 +321,39 @@ fixed_version: 1.0.5 credit: 'Joseph Bisch' description: 'Read beyond end of buffer may occur if a Safe channel ID is not long enough' +- + name: IRSSI-SA-2018-01 + release_date: 2018-01-07 + bugs: + - + cve: CVE-2018-5206 + exploitable_by: server + affected_versions: + to: 1.0.5 + fixed_version: 1.0.6 + credit: 'Joseph Bisch' + description: 'When the channel topic is set without specifying a sender, Irssi may dereference NULL pointer.' + - + cve: CVE-2018-5205 + exploitable_by: formats + affected_versions: + to: 1.0.5 + fixed_version: 1.0.6 + credit: 'Joseph Bisch' + description: 'When using incomplete escape codes, Irssi may access data beyond the end of the string.' + - + cve: CVE-2018-5208 + exploitable_by: server + affected_versions: + to: 1.0.5 + fixed_version: 1.0.6 + credit: 'Joseph Bisch' + description: 'A calculation error in the completion code could cause a heap buffer overflow when completing certain strings.' + - + cve: CVE-2018-5207 + exploitable_by: formats + affected_versions: + to: 1.0.5 + fixed_version: 1.0.6 + credit: 'Joseph Bisch' + description: 'When using an incomplete variable argument, Irssi may access data beyond the end of the string.' diff --git a/_posts/2018-01-07-irssi-1.0.6-released.markdown b/_posts/2018-01-07-irssi-1.0.6-released.markdown new file mode 100644 index 0000000..7f903ec --- /dev/null +++ b/_posts/2018-01-07-irssi-1.0.6-released.markdown 
@@ -0,0 +1,31 @@ +--- +layout: post +title: "Irssi 1.0.6 Released" +--- + +Happy new year from the Irssi Team! + +Irssi 1.0.6 has been released. This release fixes a few security +issues in Irssi as well as a few bugs. There are no new +features. **All Irssi users should upgrade to this version**. See the +[NEWS](//raw.githubusercontent.com/irssi/irssi/1.0.6/NEWS) for +details. + +Most issues have been identified using fuzzing, thanks to Joseph Bisch. + +For more information refer to the [security advisory](/security/irssi_sa_2018_01.txt). + +This release can be downloaded from [our releases +page](https://github.com/irssi/irssi/releases). Binary test packages +for various Linux distributions are automatically generated by the +[openSUSE Build Service](https://build.opensuse.org/) and are +available for download in the +[irssi-test](https://software.opensuse.org/download.html?project=home:ailin_nemui:irssi-test;package=irssi) +repository. + +Please check with your distro whether they provide officially updated +packages. + +We currently do not have any alternate advice. + +The Irssi Team. diff --git a/download/index.markdown b/download/index.markdown index b702ebf..482ec5e 100644 --- a/download/index.markdown +++ b/download/index.markdown @@ -3,7 +3,7 @@ layout: page title: Getting Irssi permalink: /download/ categories: [ _nav, _6 ] -version: 1.0.5 +version: 1.0.6 --- There are several ways you can get Irssi diff --git a/security/irssi_sa_2018_01.txt b/security/irssi_sa_2018_01.txt new file mode 100644 index 0000000..a9a3686 --- /dev/null +++ b/security/irssi_sa_2018_01.txt 
@@ -0,0 +1,78 @@ +IRSSI-SA-2018-01 Irssi Security Advisory [1] +============================================ +CVE-2018-5206, CVE-2018-5205, CVE-2018-5208, CVE-2018-5207 + +Description +----------- + +Multiple vulnerabilities have been located in Irssi. + +(a) When the channel topic is set without specifying a sender, Irssi + may dereference NULL pointer. Found by Joseph Bisch. (CWE-476) + + CVE-2018-5206 was assigned to this issue. + +(b) When using incomplete escape codes, Irssi may access data beyond + the end of the string. (CWE-126) Found by Joseph Bisch. + + CVE-2018-5205 was assigned to this issue. + +(c) A calculation error in the completion code could cause a heap + buffer overflow when completing certain strings. (CWE-126) Found + by Joseph Bisch. + + CVE-2018-5208 was assigned to this issue. + +(d) When using an incomplete variable argument, Irssi may access data + beyond the end of the string. (CWE-126) Found by Joseph Bisch. + + CVE-2018-5207 was assigned to this issue. + + +Impact +------ + +May affect the stability of Irssi. + + +Affected versions +----------------- + +(a,b,c,d) All Irssi versions that we observed. + + +Fixed in +-------- + +Irssi 1.0.6 + + +Recommended action +------------------ + +Upgrade to Irssi 1.0.6. Irssi 1.0.6 is a maintenance release in the +1.0 series, without any new features. + +After installing the updated packages, one can issue the /upgrade +command to load the new binary. TLS connections will require +/reconnect. + + +Mitigating facts +---------------- + +(a) requires a broken ircd or control over the ircd + +(b,d) requires user to install malicious or broken files or enter + affected commands + + +Patch +----- +https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff + + +References +---------- + +[1] https://irssi.org/security/irssi_sa_2018_01.txt -- cgit v1.2.3
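Review bot: In _data/security.yml, the CVE-2018-5208 entry sets `exploitable_by: server`, but its description ("when completing certain strings") does not say which part of the completed string comes from the server, and the advisory added in the same commit lists mitigating facts only for (a) and (b,d). Suggest extending the description to name the server-supplied input, or confirming the classification, so the two files tell the same story. Minor wording point in the CVE-2018-5206 description: "may dereference NULL pointer" should read "a NULL pointer".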
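Review bot: In _posts/2018-01-07-irssi-1.0.6-released.markdown, the NEWS link is protocol-relative (`//raw.githubusercontent.com/irssi/irssi/1.0.6/NEWS`) while every other external link in the post spells out `https://`. A reader who reaches the page over plain HTTP would then fetch the release notes of a security release over HTTP as well. Suggest writing the scheme explicitly, as the releases and openSUSE links already do. The post would also be easier to find if it named the four CVE ids that the linked advisory covers.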
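Review bot: In security/irssi_sa_2018_01.txt, item (c) describes a "heap buffer overflow" but is tagged CWE-126, the buffer over-read class also used for (b) and (d). If (c) can write past the buffer, the CWE tag and the Impact line ("May affect the stability of Irssi") understate it; if it only reads, saying so in the description would remove the ambiguity. The Mitigating facts section has no entry for (c), although (a) and (b,d) each get one. Style: item (a) puts its CWE after "Found by Joseph Bisch." while (b) to (d) put it before; pick one order.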