Bug 604772 (CVE-2017-5193, CVE-2017-5194, CVE-2017-5195, CVE-2017-5196) - <net-irc/irssi-0.8.21: multiple vulnerabilities (CVE-2017-{5193,5194,9195,9196})
Summary: <net-irc/irssi-0.8.21: multiple vulnerabilities (CVE-2017-{5193,5194,9195,9196})
Status: RESOLVED FIXED
Alias: CVE-2017-5193, CVE-2017-5194, CVE-2017-5195, CVE-2017-5196
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://irssi.org/security/irssi_sa_2...
Whiteboard: B2 [glsa cve cleanup]
Reported: 2017-01-05 17:40 UTC by Hanno Böck
Modified: 2017-01-19 19:16 UTC

Package list:
=net-irc/irssi-0.8.21
Runtime testing required: ---
stable-bot: sanity-check+


Description Hanno Böck gentoo-dev 2017-01-05 17:40:54 UTC
See advisory:
https://irssi.org/security/irssi_sa_2017_01.txt

"Four vulnerabilities have been located in Irssi.

(a) A NULL pointer dereference in the nickcmp function found by Joseph
    Bisch. (CWE-690)

(b) Use after free when receiving invalid nick message (Issue #466, CWE-146)

(c) Out of bounds read in certain incomplete control codes found by
    Joseph Bisch. (CWE-126)

(d) Out of bounds read in certain incomplete character sequences found
    by Hanno Böck and independently by J. Bisch. (CWE-126)"

There are versions 0.8.21 and 1.0.0 that fix them. Probably better to just switch to 1.0.0.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2017-01-05 17:44:42 UTC
<hat type="infra">
I have bumped the ebuild for irssi-0.8.21, to deploy it on infra.
I did not do the 1.0.0 major bump.

Had started on it before this bug was filed, because upstream had pinged infra about the bump.
</hat>
Comment 2 tman 2017-01-06 00:45:12 UTC
ebuild irssi-0.8.21 is in portage, we can close this as "fixed"? Or why not also add to version 1.0?
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-01-06 04:26:21 UTC
(In reply to tman from comment #2)
> ebuild irssi-0.8.21  is in portage, we can close this as "fixed"? or why not
> also add to version 1.0?

v0.8.21 is sufficient to address these vulnerabilities in Gentoo.

Please read https://www.gentoo.org/support/security/vulnerability-treatment-policy.html to learn more about how Gentoo treats vulnerabilities and why this bug can't be closed as resolved yet.

@ Maintainer(s): Please test and mark stable: =net-irc/irssi-0.8.21
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-01-06 12:27:15 UTC
CVEs were assigned: http://www.openwall.com/lists/oss-security/2017/01/06/1
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-06 13:15:39 UTC
amd64 stable
Comment 6 Tobias Klausmann gentoo-dev 2017-01-06 13:36:41 UTC
Stable on alpha
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-10 09:56:56 UTC
Stable for PPC64.
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-10 15:26:08 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-11 10:54:03 UTC
sparc stable
Comment 10 Markus Meier gentoo-dev 2017-01-13 16:59:00 UTC
arm stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-14 23:48:41 UTC
Stable for HPPA.
Comment 12 Agostino Sarubbo gentoo-dev 2017-01-15 16:06:52 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-17 14:41:42 UTC
ia64 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-18 08:22:06 UTC
GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:16:33 UTC
This issue was resolved and addressed in
GLSA 201701-45 at https://security.gentoo.org/glsa/201701-45
by GLSA coordinator Thomas Deutschmann (whissi).