From 5f2158187281d13a47b9061f1ecc496674ad12db Mon Sep 17 00:00:00 2001 From: Ailin Nemui Date: Wed, 21 Sep 2016 17:00:44 +0200 Subject: Add security info and script --- security/irssi_sa_2016.txt | 96 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 security/irssi_sa_2016.txt (limited to 'security/irssi_sa_2016.txt') diff --git a/security/irssi_sa_2016.txt b/security/irssi_sa_2016.txt new file mode 100644 index 0000000..5ef4142 --- /dev/null +++ b/security/irssi_sa_2016.txt @@ -0,0 +1,96 @@ +heap corruption and missing boundary checks +=========================================== +CWE Classification: CWE-20, CWE-823, CWE-126, CWE-122 + +CVE-2016-7044 [1] was assigned to bug 1 +CVE-2016-7045 [2] was assigned to bug 2 + + +Description +----------- + +Gabriel Campana and Adrien Guinet from Quarkslab reported two remote +crash and heap corruption vulnerabilites in Irssi's format parsing +code. + +They also provided us with proof of concept exploit code and patches +to fix those issues. + + +Impact +------ + +Remote crash and heap corruption. Remote code execution seems +difficult since only Nuls are written. + + +Detailed analysis +----------------- + +Based on analysis Provided by Gabriel Campana and Adrien Guinet from +Quarkslab: + +Bug 1 + +The unformat_24bit_color() function is called by format_send_to_gui() +to decode 24bit color codes into their components. The pointer is +advanced unconditionally without checking if a complete code was +supplied. + +Thus, after the return of unformat_24bit_color(), ptr might be invalid +and point out of the buffer. + +Bug 2 + +The format_send_to_gui() function does not validate the length of the +string before incrementing the `ptr' pointer in all cases. + +If that happens, the pointer `ptr' can be incremented twice and thus +end past the boundaries of the original `dup' buffer. + + +Affected versions +----------------- + +Irssi 0.8.17-beta up to and including 0.8.19 up to 0.8.19-219-g52fedea + +Bug 1 affects only Irssis compiled with true-color enabled. +Bug 2 affects all Irssis regardless of compilation flags. + + +Fixed in +-------- + +Irssi 0.8.20 + + +Recommended action +------------------ + +Upgrade to Irssi 0.8.20. Irssi 0.8.20 is a maintenance release +without any new features. + +After installing the updated packages, one can issue the /upgrade +command to load the new binary. TLS connections will require +/reconnect. If the buf.pl script is loaded and symlinked into +~/.irssi/scripts/autorun, text buffer content will be saved and +restored. + + +Fallback action +--------------- + +Distributions which need to remain on Irssi 0.8.17 are strongly urged +to apply the patch and provide updated packages. + + +Patch +----- + +https://github.com/irssi/irssi/commit/295a4b77f07f14602eeaa371f00ddbf09910c82b + + +References +---------- +[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7044 +[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7045 -- cgit v1.2.3