From 813c12822a68983ab42905f5af364dcc9c7ffcdd Mon Sep 17 00:00:00 2001 From: Ailin Nemui Date: Wed, 14 Feb 2018 00:54:53 +0100 Subject: enable security collections --- _security/irssi_sa_2017_01.txt | 187 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 187 insertions(+) create mode 100644 _security/irssi_sa_2017_01.txt (limited to '_security/irssi_sa_2017_01.txt') diff --git a/_security/irssi_sa_2017_01.txt b/_security/irssi_sa_2017_01.txt new file mode 100644 index 0000000..df9adbb --- /dev/null +++ b/_security/irssi_sa_2017_01.txt @@ -0,0 +1,187 @@ +Multiple vulnerabilities in Irssi [1] +===================================== +CVE-2017-5193, CVE-2017-5194, CVE-2017-5356, CVE-2017-5195, CVE-2017-5196 + +Description +----------- + +Five vulnerabilities have been located in Irssi. + +(a) A NULL pointer dereference in the nickcmp function found by Joseph + Bisch. (CWE-690) + + CVE-2017-5193 [2] was assigned to this bug + +(b) Use after free when receiving invalid nick message (Issue #466, CWE-416) + + CVE-2017-5194 [3] was assigned to this bug + +(c) Out of bounds read when Printing the value %[ + Found by Hanno Böck. (CWE-126) + + CVE-2017-5356 [4] was assigned to this bug + +(d) Out of bounds read in certain incomplete control codes found by + Joseph Bisch. (CWE-126) + + CVE-2017-5195 [5] was assigned to this bug + +(e) Out of bounds read in certain incomplete character sequences found + by Hanno Böck and independently by J. Bisch. (CWE-126) + + CVE-2017-5196 [6] was assigned to this bug + + + +Impact +------ + +These issues may result in denial of service (remote crash). + + +Affected versions +----------------- + +(a) All Irssi versions that we observed +(b) All Irssi versions that we observed +(c) All Irssi versions that we observed +(d) Irssi 0.8.17 and later +(e) Irssi 0.8.18 and later + + +Fixed in +-------- + +Irssi 0.8.21, Irssi 1.0.0 + + +Recommended action +------------------ + +Upgrade to Irssi 0.8.21. Irssi 0.8.21 is a maintenance release +without any new features. + +After installing the updated packages, one can issue the /upgrade +command to load the new binary. TLS connections will require +/reconnect. + + +A Note to Distributors +---------------------- + +First of all, thanks to every maintainer for their awesome job in +packaging Irssi and backporting security fixes. + +When we had to release a security advisory last year with Irssi +0.8.20, we noticed there was a huge confusion amongst Ubuntu users +about whether their Irssi version was safe to use. + +Since all our releases 0.8.18, 0.8.19, 0.8.20 and 0.8.21 have been bug +fix only, we think distributions should just ship the release. + +But if the security fixes only are backported on top of an old +version, we would like to urge distributions to consider indicating +this in a way that is visible inside Irssi. One way to do this would +be to manually overwrite the PACKAGE_VERSION and marking your package +as patched. This can be done for example like this: + + ./configure PACKAGE_VERSION=0.8.17-sa201701 + + +You can then check the version from inside Irssi with /eval echo $J + +As an added benefit over relying on dpkg, this will also correctly +report whether you had /upgrade done or not. We are looking for a ways +to make this easier to handle for both packagers and us, so if you +have a good idea on this matter please speak forth. + + +Mitigating facts +---------------- + +(a) requires control over the ircd + +(b) and (e) require control over the ircd or otherwise can be + triggered / avoided by the user themselves + +(c) can be triggered / avoided by the user themselves + + +Patch +----- + +https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d + + +Discussion +---------- + +(a) CVE-2017-5193: A NULL pointer dereference in the nickcmp function + found by Joseph Bisch. + + The irc_query_find function will call nick_comp_func in order to + retrieve an associated existing query. + + However, the precondition whether nick was not NULL was not + verified, leading to incorrect API usage of the nick_comp_func and + ultimately NULL pointer dereference resulting in a crash whenever + the server produced such a message without nick. + +(b) CVE-2017-5194: Use after free when receiving invalid nick message. + + Irssi is programmed to cancel the connection when the server + indicates an invalid nick during the registration phase (in the + event_nick_invalid function), because Irssi cannot recover from + this. + + A complex (and still not properly fixed) chain of signal + dependencies emitted by the server_disconnect function, combined + with the lack of reference counting, leads to multiple use after + free issues when the server object has already been destroyed, but + there is currently no way to inform the surrounding code of this + fact. + + As a mitigation, the server_disconnect function is no longer used + in this case and instead the clean-up is pushed to some upper + layer. Fixing this properly will still be a lot of work. + +(c) CVE-2017-5356: Out of bounds read when Printing the value %[ + Found by Hanno Böck. + + The formatting sequence %[...] can be used to execute the + timestamp and "line_start" commands on each printed line. + + The scanner in format_expand_styles will expect it to read unto + the closing ], but in case the end of string has already been + reached while searching for the closing bracket, calling code is + not prepared to deal with this and may advance the char* beyond + end of string. + +(d) CVE-2017-5195: Out of bounds read in certain incomplete control + codes found by Joseph Bisch. + + While parsing the ANSI x8 colour codes, Irssi in many cases failed + to check whether the end of string had already been reached, + resulting in this vulnerability. + +(e) CVE-2017-5196: Out of bounds read in certain incomplete character + sequences found by Hanno Böck and independently by J. Bisch. + + When copying characters to the terminal screen in the term_addstr + function, the g_utf8_get_char function was used unconditionally + without verifying that the input string is proper utf8. As the + behaviour of that function is undefined for invalid input, it + would result in this invalid memory access. The correction is to + use the g_utf8_get_char_validated function instead. + + + +References +---------- + +[1] https://irssi.org/security/irssi_sa_2017_01.txt +[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193 +[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194 +[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5356 +[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195 +[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196 -- cgit v1.2.3