Multiple vulnerabilities in Irssi [1] ===================================== CVE-2017-5193, CVE-2017-5194, CVE-2017-5356, CVE-2017-5195, CVE-2017-5196 Description ----------- Five vulnerabilities have been located in Irssi. (a) A NULL pointer dereference in the nickcmp function found by Joseph Bisch. (CWE-690) CVE-2017-5193 [2] was assigned to this bug (b) Use after free when receiving invalid nick message (Issue #466, CWE-416) CVE-2017-5194 [3] was assigned to this bug (c) Out of bounds read when Printing the value %[ Found by Hanno Böck. (CWE-126) CVE-2017-5356 [4] was assigned to this bug (d) Out of bounds read in certain incomplete control codes found by Joseph Bisch. (CWE-126) CVE-2017-5195 [5] was assigned to this bug (e) Out of bounds read in certain incomplete character sequences found by Hanno Böck and independently by J. Bisch. (CWE-126) CVE-2017-5196 [6] was assigned to this bug Impact ------ These issues may result in denial of service (remote crash). Affected versions ----------------- (a) All Irssi versions that we observed (b) All Irssi versions that we observed (c) All Irssi versions that we observed (d) Irssi 0.8.17 and later (e) Irssi 0.8.18 and later Fixed in -------- Irssi 0.8.21, Irssi 1.0.0 Recommended action ------------------ Upgrade to Irssi 0.8.21. Irssi 0.8.21 is a maintenance release without any new features. After installing the updated packages, one can issue the /upgrade command to load the new binary. TLS connections will require /reconnect. A Note to Distributors ---------------------- First of all, thanks to every maintainer for their awesome job in packaging Irssi and backporting security fixes. When we had to release a security advisory last year with Irssi 0.8.20, we noticed there was a huge confusion amongst Ubuntu users about whether their Irssi version was safe to use. Since all our releases 0.8.18, 0.8.19, 0.8.20 and 0.8.21 have been bug fix only, we think distributions should just ship the release. But if the security fixes only are backported on top of an old version, we would like to urge distributions to consider indicating this in a way that is visible inside Irssi. One way to do this would be to manually overwrite the PACKAGE_VERSION and marking your package as patched. This can be done for example like this: ./configure PACKAGE_VERSION=0.8.17-sa201701 You can then check the version from inside Irssi with /eval echo $J As an added benefit over relying on dpkg, this will also correctly report whether you had /upgrade done or not. We are looking for a ways to make this easier to handle for both packagers and us, so if you have a good idea on this matter please speak forth. Mitigating facts ---------------- (a) requires control over the ircd (b) and (e) require control over the ircd or otherwise can be triggered / avoided by the user themselves (c) can be triggered / avoided by the user themselves Patch ----- https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d Discussion ---------- (a) CVE-2017-5193: A NULL pointer dereference in the nickcmp function found by Joseph Bisch. The irc_query_find function will call nick_comp_func in order to retrieve an associated existing query. However, the precondition whether nick was not NULL was not verified, leading to incorrect API usage of the nick_comp_func and ultimately NULL pointer dereference resulting in a crash whenever the server produced such a message without nick. (b) CVE-2017-5194: Use after free when receiving invalid nick message. Irssi is programmed to cancel the connection when the server indicates an invalid nick during the registration phase (in the event_nick_invalid function), because Irssi cannot recover from this. A complex (and still not properly fixed) chain of signal dependencies emitted by the server_disconnect function, combined with the lack of reference counting, leads to multiple use after free issues when the server object has already been destroyed, but there is currently no way to inform the surrounding code of this fact. As a mitigation, the server_disconnect function is no longer used in this case and instead the clean-up is pushed to some upper layer. Fixing this properly will still be a lot of work. (c) CVE-2017-5356: Out of bounds read when Printing the value %[ Found by Hanno Böck. The formatting sequence %[...] can be used to execute the timestamp and "line_start" commands on each printed line. The scanner in format_expand_styles will expect it to read unto the closing ], but in case the end of string has already been reached while searching for the closing bracket, calling code is not prepared to deal with this and may advance the char* beyond end of string. (d) CVE-2017-5195: Out of bounds read in certain incomplete control codes found by Joseph Bisch. While parsing the ANSI x8 colour codes, Irssi in many cases failed to check whether the end of string had already been reached, resulting in this vulnerability. (e) CVE-2017-5196: Out of bounds read in certain incomplete character sequences found by Hanno Böck and independently by J. Bisch. When copying characters to the terminal screen in the term_addstr function, the g_utf8_get_char function was used unconditionally without verifying that the input string is proper utf8. As the behaviour of that function is undefined for invalid input, it would result in this invalid memory access. The correction is to use the g_utf8_get_char_validated function instead. References ---------- [1] https://irssi.org/security/irssi_sa_2017_01.txt [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194 [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5356 [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195 [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196