Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 631926 (CVE-2017-14727) - <net-irc/weechat-1.9.1 crash caused by the use of an uninitialized buffer.
Summary: <net-irc/weechat-1.9.1 crash caused by the use of an uninitialized buffer.
Status: RESOLVED FIXED
Alias: CVE-2017-14727
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://weechat.org/download/security/
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-24 11:54 UTC by D'juan McDonald (domhnall)
Modified: 2017-10-08 20:44 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2017-09-24 11:54:04 UTC 
from ${URL}:

Date/time conversion specifiers are expanded after replacing buffer local variables in name of log files. In some cases, this can lead to an error in function strftime and a crash caused by the use of an uninitialized buffer.
> Workaround:
Unload the logger plugin: /plugin unload logger 

Reference:
https://weechat.org/news/98/20170923-Version-1.9.1-security-release/

Patch:
https://github.com/weechat/weechat/commit/f105c6f0b56fb5687b2d2aedf37cb1d1b434d556

@maintainer(s), after bump, please call for stabilization if needed, thank you

Daj Uan (jmbailey/mbailey_J)
Gentoo Security Padawan
Comment 1 D'juan McDonald (domhnall) 2017-09-24 12:11:13 UTC 
Adjusting the summary...
Comment 2 Tim Harder gentoo-dev 2017-09-29 23:01:31 UTC 
1.9.1 added to the tree and stabilized.
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-30 03:58:45 UTC 
(In reply to Tim Harder from comment #2)
> 1.9.1 added to the tree and stabilized.

Thank you.

@Security please vote.

Gentoo Security Padawan
ChrisADR
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-10-08 20:44:23 UTC 
GLSA Vote: No