See advisory: https://irssi.org/security/irssi_sa_2017_01.txt
"Four vulnerabilities have been located in Irssi.
(a) A NULL pointer dereference in the nickcmp function found by Joseph Bisch. (CWE-690)
(b) Use after free when receiving invalid nick message (Issue #466, CWE-146)
(c) Out of bounds read in certain incomplete control codes found by Joseph Bisch. (CWE-126)
(d) Out of bounds read in certain incomplete character sequences found by Hanno Böck and independently by J. Bisch. (CWE-126)"
There are versions 0.8.21 and 1.0.0 that fix them. Probably better to just switch to 1.0.0.
<hat type="infra"> I have bumped the ebuild for irssi-0.8.21, to deploy it on infra. I did not do the 1.0.0 major bump. Had started on it before this bug was filed, because upstream had pinged infra about the bump. </hat>
ebuild irssi-0.8.21 is in portage, we can close this as "fixed"? or why not also add to version 1.0?
(In reply to tman from comment #2)
> ebuild irssi-0.8.21 is in portage, we can close this as "fixed"? or why not
> also add to version 1.0?
v0.8.21 is sufficient to address these vulnerabilities in Gentoo. Please read https://www.gentoo.org/support/security/vulnerability-treatment-policy.html to learn more about how Gentoo treats vulnerabilities and why this bug can't be closed as resolved yet.
@ Maintainer(s): Please test and mark stable: =net-irc/irssi-0.8.21
CVEs were assigned: http://www.openwall.com/lists/oss-security/2017/01/06/1
amd64 stable
Stable on alpha
Stable for PPC64.
x86 stable
sparc stable
arm stable
Stable for HPPA.
ppc stable
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
GLSA request filed.
This issue was resolved and addressed in GLSA 201701-45 at https://security.gentoo.org/glsa/201701-45 by GLSA coordinator Thomas Deutschmann (whissi).