From ${URL}:
An information disclosure vulnerability was found in the buf.pl core script for irssi. Other users on the same machine may be able to retrieve the whole window contents after /UPGRADE when the buf.pl script is loaded. Furthermore, this dump of the window contents is never removed afterwards.

External References: https://irssi.org/2016/09/22/buf.pl-update/
Upstream fix: https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a
References: http://seclists.org/oss-sec/2016/q3/605

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
I've just added 0.8.20-r1 to the tree, including the fix. I have forward-ported all the keywords, as only architecture-independent perl code has been changed.

- The shipped script is not in use by default
- The script stores the world-readable scrollbuffer file in ~/.irssi
- If it does not exist, irssi creates the ~/.irssi directory with mode 0700 (since at least commit c95034c6de1bf72536595e1e3431d8ec64b9880e from 2000-04-26)

I consider this a low-risk issue.
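The risk argument in the comment above (a world-readable dump is only shielded by the 0700 mode of ~/.irssi, and the dump is never deleted) can be turned into a local audit. The following POSIX sh script is an added example, not code from irssi, buf.pl or the Gentoo package; it assumes the dump is named `scrollbuffer` inside the irssi config directory and lets `IRSSI_DIR` override `~/.irssi` for testing.

```shell
#!/bin/sh
# Added example: audit and clean up the scrollbuffer dump left by buf.pl.
# Assumption (not from the bug report): the dump file is "$IRSSI_DIR/scrollbuffer",
# with IRSSI_DIR defaulting to ~/.irssi.

irssi_dir() { printf '%s\n' "${IRSSI_DIR:-$HOME/.irssi}"; }

# Octal permission bits of a path ("700", "644", ...); GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 when the irssi config dir is owner-only (0700), as irssi creates it.
check_dir_private() {
    [ "$(mode_of "$(irssi_dir)")" = "700" ]
}

# Returns 0 when there is no dump, or the dump has no group/other permission bits.
# Returns 1 when other local users could read the dumped window contents
# (assuming the directory itself lets them traverse it).
check_dump() {
    f="$(irssi_dir)/scrollbuffer"
    [ -e "$f" ] || return 0
    m="$(mode_of "$f")"
    # mask out the owner bits; anything left in group/other is exposure
    [ "$(( 0$m & 077 ))" -eq 0 ]
}

# Tighten the directory and remove the dump, which the script never cleans up itself.
remediate() {
    d="$(irssi_dir)"
    chmod 0700 "$d"
    rm -f "$d/scrollbuffer"
}

# Run both checks and report; exit status is non-zero when something is exposed.
audit() {
    rc=0
    check_dir_private || { echo "irssi dir is not 0700"; rc=1; }
    check_dump || { echo "scrollbuffer dump is readable by group/other"; rc=1; }
    return $rc
}
```

Run `audit` to report, or `remediate` followed by `audit` to clean up and confirm.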
Fixed since https://gitweb.gentoo.org/repo/gentoo.git/commit/net-irc/irssi?id=c90ead2db6c8dfde6519ae6e3b5b99bf6c0ad6aa
Cleanup via https://gitweb.gentoo.org/repo/gentoo.git/commit/net-irc/irssi?id=bd1a5b6ba37078f293db6c80e2ee9daf717affa3

@ Security: Please vote!
GLSA Vote: No