"Four vulnerabilities have been located in Irssi.
(a) A NULL pointer dereference in the nickcmp function found by Joseph
(b) Use after free when receiving invalid nick message (Issue #466, CWE-146)
(c) Out of bounds read in certain incomplete control codes found by
Joseph Bisch. (CWE-126)
(d) Out of bounds read in certain incomplete character sequences found
by Hanno Böck and independently by J. Bisch. (CWE-126)"
There are versions 0.8.21 and 1.0.0 that fix them. Probably better to just switch to 1.0.0.
I have bumped the ebuild for irssi-0.8.21, to deploy it on infra.
I did not do the 1.0.0 major bump.
Had started on it before this bug was filed, because upstream had pinged infra about the bump.
ebuild irssi-0.8.21 is in portage, we can close this as "fixed"? or why not also add to version 1.0?
(In reply to tman from comment #2)
> ebuild irssi-0.8.21 is in portage, we can close this as "fixed"? or why not
> also add to version 1.0?
v0.8.21 is sufficient to address these vulnerabilities in Gentoo.
Please read https://www.gentoo.org/support/security/vulnerability-treatment-policy.html to learn more about how Gentoo treats vulnerabilities and why this bug can't be closed as resolved yet.
@ Maintainer(s): Please test and mark stable: =net-irc/irssi-0.8.21
CVEs were assigned: http://www.openwall.com/lists/oss-security/2017/01/06/1
Stable on alpha.
Stable for PPC64.
Stable for HPPA.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
GLSA request filed.
This issue was resolved and addressed in
GLSA 201701-45 at https://security.gentoo.org/glsa/201701-45
by GLSA coordinator Thomas Deutschmann (whissi).