Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 604772 (CVE-2017-5193, CVE-2017-5194, CVE-2017-5195, CVE-2017-5196) - <net-irc/irssi-0.8.21: multiple vulnerabilities (CVE-2017-{5193,5194,9195,9196})
Summary: <net-irc/irssi-0.8.21: multiple vulnerabilities (CVE-2017-{5193,5194,9195,9196})
Alias: CVE-2017-5193, CVE-2017-5194, CVE-2017-5195, CVE-2017-5196
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve cleanup]
Depends on:
Reported: 2017-01-05 17:40 UTC by Hanno Böck
Modified: 2017-01-19 19:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2017-01-05 17:40:54 UTC
See advisory:

"Four vulnerabilities have been located in Irssi.

(a) A NULL pointer dereference in the nickcmp function found by Joseph
    Bisch. (CWE-690)

(b) Use after free when receiving invalid nick message (Issue #466, CWE-146)

(c) Out of bounds read in certain incomplete control codes found by
    Joseph Bisch. (CWE-126)

(d) Out of bounds read in certain incomplete character sequences found
    by Hanno Böck and independently by J. Bisch. (CWE-126)"

There are versions 0.8.21 and 1.0.0 that fix them. Probably better to just switch to 1.0.0
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2017-01-05 17:44:42 UTC
<hat type="infra">
I have bumped the ebuild for irssi-0.8.21, to deploy it on infra.
I did not do the 1.0.0 major bump.

Had started on it before this bug was filed, because upstream had pinged infra about the bump.
Comment 2 tman 2017-01-06 00:45:12 UTC
ebuild irssi-0.8.21  is in portage, we can close this as "fixed"? or why not also add to version 1.0?
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-06 04:26:21 UTC
(In reply to tman from comment #2)
> ebuild irssi-0.8.21  is in portage, we can close this as "fixed"? or why not
> also add to version 1.0?

v0.8.21 is sufficient to address these vulnerabilities in Gentoo.

Please read to learn more about how Gentoo treats vulnerabilities and why this bug can't be closed as resolved yet.

@ Maintainer(s): Please test and mark stable: =net-irc/irssi-0.8.21
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-06 12:27:15 UTC
CVEs were assigned:
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2017-01-06 13:15:39 UTC
amd64 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-06 13:36:41 UTC
Stable on alpha
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-10 09:56:56 UTC
Stable for PPC64.
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-10 15:26:08 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-11 10:54:03 UTC
sparc stable
Comment 10 Markus Meier gentoo-dev 2017-01-13 16:59:00 UTC
arm stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-14 23:48:41 UTC
Stable for HPPA.
Comment 12 Agostino Sarubbo gentoo-dev 2017-01-15 16:06:52 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-17 14:41:42 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-01-18 08:22:06 UTC
GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:16:33 UTC
This issue was resolved and addressed in
 GLSA 201701-45 at
by GLSA coordinator Thomas Deutschmann (whissi).