Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 621188 (CVE-2017-9468, CVE-2017-9469) - <net-irc/irssi-1.0.3: multiple vulnerabilities (CVE-2017-{9468,9469})
Summary: <net-irc/irssi-1.0.3: multiple vulnerabilities (CVE-2017-{9468,9469})
Status: RESOLVED FIXED
Alias: CVE-2017-9468, CVE-2017-9469
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2017-10965, CVE-2017-10966
Blocks:
  Show dependency tree
 
Reported: 2017-06-08 07:42 UTC by Agostino Sarubbo
Modified: 2017-10-20 01:49 UTC (History)
2 users (show)

See Also:
Package list:
net-irc/irssi-1.0.3
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-06-08 07:42:02 UTC
From ${URL} :

IRSSI-SA-2017-06 Irssi Security Advisory [1]
============================================

Description
-----------

Two vulnerabilities have been located in Irssi.

(a) When receiving a DCC message without source nick/host, Irssi would
    attempt to dereference a NULL pointer. Found by Joseph
    Bisch. (CWE-690)

(b) When receiving certain incorrectly quoted DCC files, Irssi would
    try to find the terminating quote one byte before the allocated
    memory. Found by Joseph Bisch. (CWE-129, CWE-127)


Impact
------

(a) May result in denial of service (remote crash).

(b) May result in denial of service (remote crash), but in practice
    this seems to be very unlikely unless address sanitizer is
    enabled.


Affected versions
-----------------

All Irssi versions that we observed.


Fixed in
--------

Irssi 1.0.3


Recommended action
------------------

Upgrade to Irssi 1.0.3. Irssi 1.0.3 is a maintenance release in the
1.0 series, without any new features.

After installing the updated packages, one can issue the /upgrade
command to load the new binary. TLS connections will require
/reconnect.


Mitigating facts
----------------

(a) requires control over the ircd


Patch
-----

https://github.com/irssi/irssi/commit/fb08fc7f1aa6b2e616413d003bf021612
301ad55


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Patrice Clement gentoo-dev 2017-06-08 08:22:35 UTC
Hi!

@Security: the package is indeed already in the tree and ready for stabilisation.

@Arch teams: please mark stable ASAP net-irc/irssi-1.0.3.

Thanks!
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-13 20:46:36 UTC
To make things happen faster i suggest to populate 'Package list' field.
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-13 21:07:31 UTC
ia64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-14 07:49:25 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-15 09:54:31 UTC
x86 stable
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-06-15 19:23:04 UTC
CVE-2017-9469 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9469):
  In Irssi before 1.0.3, when receiving certain incorrectly quoted DCC files,
  it tries to find the terminating quote one byte before the allocated memory.
  Thus, remote attackers might be able to cause a crash.

CVE-2017-9468 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9468):
  In Irssi before 1.0.3, when receiving a DCC message without source
  nick/host, it attempts to dereference a NULL pointer. Thus, remote IRC
  servers can cause a crash.
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-20 14:58:37 UTC
Stable on alpha.
Comment 8 Agostino Sarubbo gentoo-dev 2017-06-21 12:03:45 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-06-21 12:18:21 UTC
ppc64 stable
Comment 10 Markus Meier gentoo-dev 2017-06-23 04:39:38 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-07-07 09:08:54 UTC
sparc stable