| Summary: | <net-irc/irssi-0.8.20-r1: Information disclosure in buf.pl | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | monsieurp, swegener |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1379270 | ||
| Whiteboard: | B4 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
I've just added 0.8.20-r1 to the tree, including the fix. I have forward-ported all the keywords, as only architecture-independent perl code has been changed. - The shipped script is not in use by default - The script stores the world-readable scrollbuffer file in ~/.irssi - If it does not exist, irssi creates the ~/.irssi directory with mode 0700 (since at least commit c95034c6de1bf72536595e1e3431d8ec64b9880e from 2000-04-26) I consider this a low-risk issue. Fixed since https://gitweb.gentoo.org/repo/gentoo.git/commit/net-irc/irssi?id=c90ead2db6c8dfde6519ae6e3b5b99bf6c0ad6aa Cleanup via https://gitweb.gentoo.org/repo/gentoo.git/commit/net-irc/irssi?id=bd1a5b6ba37078f293db6c80e2ee9daf717affa3 @ Security: Please vote! GLSA Vote: No |
From ${URL} : An information disclosure vulnerability was found in the buf.pl core script for irssi. Other users on the same machine may be able to retrieve the whole window contents after /UPGRADE when the buf.pl script is loaded. Furthermore, this dump of the windows contents is never removed afterwards. External References: https://irssi.org/2016/09/22/buf.pl-update/ Upstream fix: https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a References: http://seclists.org/oss-sec/2016/q3/605 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.