Bug 624100 (CVE-2017-10965, CVE-2017-10966)

Summary:	<net-irc/irssi-1.0.4: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Kristian Fiskerstrand (RETIRED) <k_f>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	monsieurp, sudormrfhalt, swegener
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://irssi.org/security/irssi_sa_2017_07.txt
Whiteboard:	B3 [noglsa cve]
Package list:	=net-irc/irssi-1.0.4	Runtime testing required:	No
Bug Depends on:
Bug Blocks:	621188

Description Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-07-07 12:37:47 UTC

From $URL:
IRSSI-SA-2017-07 Irssi Security Advisory
============================================
CVE-2017-10965, CVE-2017-10966.

Description
-----------

Two vulnerabilities have been located in Irssi.

(a) When receiving messages with invalid time stamps, Irssi would try
    to dereference a NULL pointer. Found by Brian 'geeknik' Carpenter
    of Geeknik Labs. (CWE-690)

    CVE-2017-10965 [2] was assigned to this bug

(b) While updating the internal nick list, Irssi may incorrectly use
    the GHashTable interface and free the nick while updating it. This
    will then result in use-after-free conditions on each access of
    the hash table. Found by Brian 'geeknik' Carpenter of Geeknik
    Labs. (CWE-416 caused by CWE-227)

    CVE-2017-10966 [3] was assigned to this bug


Impact
------

(a) May result in denial of service (remote crash).

(b) Undefined behaviour.


Affected versions
-----------------

All Irssi versions that we observed.


Fixed in
--------

Irssi 1.0.4


Recommended action
------------------

Upgrade to Irssi 1.0.4. Irssi 1.0.4 is a maintenance release in the
1.0 series, without any new features.

After installing the updated packages, one can issue the /upgrade
command to load the new binary. TLS connections will require
/reconnect.


Mitigating facts
----------------

(a) requires control over the ircd

(b) should not happen with a conforming ircd


Patch
-----

https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206
384d291


References
----------

[1] https://irssi.org/security/irssi_sa_2017_07.txt
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10965
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10966

Comment 1 Patrice Clement (RETIRED) gentoo-dev

2017-07-07 13:16:19 UTC

commit d939b3f9445cd00df8426d136d035c650b466e12 (HEAD -> master, origin/master, origin/HEAD)
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: Fri Jul 7 15:13:57 2017 +0200
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Fri Jul 7 15:14:43 2017 +0200

net-irc/irssi: version bump.

Gentoo-Bug: https://bugs.gentoo.org/624100

Package-Manager: Portage-2.3.6, Repoman-2.3.1

net-irc/irssi/Manifest           |  1 +
net-irc/irssi/irssi-1.0.4.ebuild | 55 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 56 insertions(+)
create mode 100644 net-irc/irssi/irssi-1.0.4.ebuild

Comment 2 Patrice Clement (RETIRED) gentoo-dev

2017-07-07 13:17:34 UTC

This bug report renders bug 624100 obsolete now.

Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-07-07 13:19:06 UTC

(In reply to Patrice Clement from comment #1)
> net-irc/irssi: version bump.

Thank you for the version bump Patrice. Please call for stabilization once you feel it is sufficiently ready for it.

Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-07-07 13:19:41 UTC

(In reply to Patrice Clement from comment #2)
> This bug report renders bug 624100 obsolete now.

Recursive loop?

Comment 5 Patrice Clement (RETIRED) gentoo-dev

2017-07-07 13:25:52 UTC

(In reply to Kristian Fiskerstrand from comment #4)
> (In reply to Patrice Clement from comment #2)
> > This bug report renders bug 624100 obsolete now.
> 
> Recursive loop?

Uh.. my copy/paste skills are so bad :/ I meant to write bug 621188! :)

Comment 6 Andrey Ovcharov 2017-07-14 12:10:47 UTC

*** Bug 624982 has been marked as a duplicate of this bug. ***

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2017-08-08 14:04:53 UTC

ia64 stable

Comment 8 Markus Meier gentoo-dev

2017-08-08 20:40:27 UTC

arm stable

Comment 9 Agostino Sarubbo gentoo-dev

2017-08-10 07:01:30 UTC

amd64 stable

Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev

2017-08-18 20:11:47 UTC

x86 stable

Comment 11 Matt Turner gentoo-dev

2017-08-31 15:21:52 UTC

alpha stable

Comment 12 Aaron Bauman (RETIRED) gentoo-dev

2017-09-10 22:17:48 UTC

sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9

Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-23 14:03:29 UTC

hppa stable

Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-26 08:59:54 UTC

ppc64 stable

Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-26 22:28:43 UTC

ppc stable

Comment 16 Patrice Clement (RETIRED) gentoo-dev

2017-10-19 15:53:20 UTC

Security,

Please proceed.

Comment 17 Larry the Git Cow gentoo-dev

2017-10-19 16:27:35 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0556397f8153373c5a1b8b4716b6142fcb91e7e0

commit 0556397f8153373c5a1b8b4716b6142fcb91e7e0
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2017-10-19 16:27:08 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-19 16:27:29 +0000

    net-irc/irssi: remove vulnerable versions.
    
    Bug: https://bugs.gentoo.org/624100
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 net-irc/irssi/Manifest                       |  3 --
 net-irc/irssi/files/irssi-0.8.20-tinfo.patch | 21 --------
 net-irc/irssi/irssi-0.8.21.ebuild            | 72 ----------------------------
 net-irc/irssi/irssi-1.0.2.ebuild             | 60 -----------------------
 net-irc/irssi/irssi-1.0.3.ebuild             | 55 ---------------------
 5 files changed, 211 deletions(-)}

Comment 18 Aaron Bauman (RETIRED) gentoo-dev

2017-10-20 01:48:57 UTC

GLSA Vote: No