|
Message-ID: <1515248018.2869.2.camel@gmail.com> Date: Sat, 06 Jan 2018 15:13:38 +0100 From: Ailin Nemui <ailin.nemui@...il.com> To: oss-security@...ts.openwall.com Subject: Irssi 1.0.6: CVE-2018-5206, CVE-2018-5205, CVE-2018-5208, CVE-2018-5207 IRSSI-SA-2018-01 Irssi Security Advisory [1] ============================================ CVE-2018-5206, CVE-2018-5205, CVE-2018-5208, CVE-2018-5207 Description ----------- Multiple vulnerabilities have been located in Irssi. (a) When the channel topic is set without specifying a sender, Irssi may dereference NULL pointer. Found by Joseph Bisch. (CWE-476) CVE-2018-5206 was assigned to this issue. (b) When using incomplete escape codes, Irssi may access data beyond the end of the string. (CWE-126) Found by Joseph Bisch. CVE-2018-5205 was assigned to this issue. (c) A calculation error in the completion code could cause a heap buffer overflow when completing certain strings. (CWE-126) Found by Joseph Bisch. CVE-2018-5208 was assigned to this issue. (d) When using an incomplete variable argument, Irssi may access data beyond the end of the string. (CWE-126) Found by Joseph Bisch. CVE-2018-5207 was assigned to this issue. Impact ------ May affect the stability of Irssi. Affected versions ----------------- (a,b,c,d) All Irssi versions that we observed. Fixed in -------- Irssi 1.0.6 Recommended action ------------------ Upgrade to Irssi 1.0.6. Irssi 1.0.6 is a maintenance release in the 1.0 series, without any new features. After installing the updated packages, one can issue the /upgrade command to load the new binary. TLS connections will require /reconnect. Mitigating facts ---------------- (a) requires a broken ircd or control over the ircd (b,d) requires user to install malicious or broken files or enter affected commands Patch ----- https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0. 6.diff References ---------- [1] https://irssi.org/security/irssi_sa_2018_01.txt
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.