From e5bcf80e162eb9caa6952a77abcd556eb09adcfd Mon Sep 17 00:00:00 2001 From: Ailin Nemui Date: Thu, 5 Jan 2017 16:30:50 +0100 Subject: Release Irssi 1.0.0 --- security/irssi_sa_2017_01.txt | 101 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 security/irssi_sa_2017_01.txt (limited to 'security/irssi_sa_2017_01.txt') diff --git a/security/irssi_sa_2017_01.txt b/security/irssi_sa_2017_01.txt new file mode 100644 index 0000000..d8e6850 --- /dev/null +++ b/security/irssi_sa_2017_01.txt @@ -0,0 +1,101 @@ +Multiple vulnerabilities in Irssi [1] +===================================== + + +Description +----------- + +Four vulnerabilities have been located in Irssi. + +(a) A NULL pointer dereference in the nickcmp function found by Joseph + Bisch. (CWE-690) + +(b) Use after free when receiving invalid nick message (Issue #466, CWE-146) + +(c) Out of bounds read in certain incomplete control codes found by + Joseph Bisch. (CWE-126) + +(d) Out of bounds read in certain incomplete character sequences found + by Hanno Böck and independently by J. Bisch. (CWE-126) + + +Impact +------ + +These issues may result in denial of service (remote crash). + + +Affected versions +----------------- + +(a) All Irssi versions that we observed +(b) All Irssi versions that we observed +(c) Irssi 0.8.17 and later +(d) Irssi 0.8.18 and later + + +Fixed in +-------- + +Irssi 0.8.21, Irssi 1.0.0 + + +Recommended action +------------------ + +Upgrade to Irssi 0.8.21. Irssi 0.8.21 is a maintenance release +without any new features. + +After installing the updated packages, one can issue the /upgrade +command to load the new binary. TLS connections will require +/reconnect. + + +A Note to Distributors +---------------------- + +First of all, thanks to every maintainer for their awesome job in +packaging Irssi and backporting security fixes. + +When we had to release a security advisory last year with Irssi +0.8.20, we noticed there was a huge confusion amongst Ubuntu users +about whether their Irssi version was safe to use. + +Since all our releases 0.8.18, 0.8.19, 0.8.20 and 0.8.21 have been bug +fix only, we think distributions should just ship the release. + +But if the security fixes only are backported on top of an old +version, we would like to urge distributions to consider indicating +this in a way that is visible inside Irssi. One way to do this would +be to manually overwrite the PACKAGE_VERSION and marking your package +as patched. This can be done for example like this: + + ./configure PACKAGE_VERSION=0.8.17-sa201701 + + +You can then check the version from inside Irssi with /eval echo $J + +As an added benefit over relying on dpkg, this will also correctly +report whether you had /upgrade done or not. We are looking for a ways +to make this easier to handle for both packagers and us, so if you +have a good idea on this matter please speak forth. + +Mitigating facts +---------------- + +(a) requires control over the ircd + +(b), (d) require control over the ircd or otherwise can be triggered / + avoided by the user themselves + + +Patch +----- + +https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d + + +References +---------- + +[1] https://irssi.org/security/irssi_sa_2017_01.txt -- cgit v1.2.3