blob: 842a7a31494aae9186f1b2032331965203a87ac1 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
---
name: IRSSI-SA-2017-06
release_date: 2017-06-06
git_commit: fb08fc7f1aa6b2e616413d003bf021612301ad55
bugs:
-
cve: CVE-2017-9468
exploitable_by: server
affected_versions:
to: 1.0.2
fixed_version: 1.0.3
credit: 'Joseph Bisch'
description: 'NULL pointer dereference when receiving a DCC message without source nick/host'
description_long: >
When receiving a DCC message without source nick/host, Irssi would
attempt to dereference a NULL pointer. Found by Joseph
Bisch. (CWE-690)
impact: >
May result in denial of service (remote crash).
mitigating_info: >
requires control over the ircd
-
cve: CVE-2017-9469
exploitable_by: client
affected_versions:
to: 1.0.2
fixed_version: 1.0.3
credit: 'Joseph Bisch'
description: 'Out of bounds read when parsing incorrectly quoted DCC files'
description_long: >
When receiving certain incorrectly quoted DCC files, Irssi would
try to find the terminating quote one byte before the allocated
memory. Found by Joseph Bisch. (CWE-129, CWE-127)
impact: >
May result in denial of service (remote crash), but in practice
this seems to be very unlikely unless address sanitizer is
enabled.
recommended_action: >
Upgrade to Irssi 1.0.3. Irssi 1.0.3 is a maintenance release in the
1.0 series, without any new features.
After installing the updated packages, one can issue the /upgrade
command to load the new binary. TLS connections will require
/reconnect.
---
|
