Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 643704 (CVE-2018-5205, CVE-2018-5206, CVE-2018-5207, CVE-2018-5208) - <net-irc/irssi-1.0.6: Multiple Vulnerabilities
Summary: <net-irc/irssi-1.0.6: Multiple Vulnerabilities
Alias: CVE-2018-5205, CVE-2018-5206, CVE-2018-5207, CVE-2018-5208
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Blocks: CVE-2017-15227, CVE-2017-15228, CVE-2017-15721, CVE-2017-15722, CVE-2017-15723
  Show dependency tree
Reported: 2018-01-06 14:24 UTC by Agostino Sarubbo
Modified: 2018-04-22 21:12 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: No
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2018-01-06 14:24:22 UTC
From ${URL} :

IRSSI-SA-2018-01 Irssi Security Advisory [1]
CVE-2018-5206, CVE-2018-5205, CVE-2018-5208, CVE-2018-5207


Multiple vulnerabilities have been located in Irssi.

(a) When the channel topic is set without specifying a sender, Irssi
    may dereference NULL pointer. Found by Joseph Bisch. (CWE-476)

    CVE-2018-5206 was assigned to this issue.

(b) When using incomplete escape codes, Irssi may access data beyond
    the end of the string. (CWE-126) Found by Joseph Bisch.

    CVE-2018-5205 was assigned to this issue.

(c) A calculation error in the completion code could cause a heap
    buffer overflow when completing certain strings. (CWE-126) Found
    by Joseph Bisch.

    CVE-2018-5208 was assigned to this issue.

(d) When using an incomplete variable argument, Irssi may access data
    beyond the end of the string. (CWE-126) Found by Joseph Bisch.

    CVE-2018-5207 was assigned to this issue.


May affect the stability of Irssi.

Affected versions

(a,b,c,d) All Irssi versions that we observed.

Fixed in

Irssi 1.0.6

Recommended action

Upgrade to Irssi 1.0.6. Irssi 1.0.6 is a maintenance release in the
1.0 series, without any new features.

After installing the updated packages, one can issue the /upgrade
command to load the new binary. TLS connections will require

Mitigating facts

(a) requires a broken ircd or control over the ircd

(b,d) requires user to install malicious or broken files or enter
      affected commands


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Larry the Git Cow gentoo-dev 2018-01-06 17:59:16 UTC
The bug has been referenced in the following commit(s):

commit e03ef011d7411135e22c5b8ad163d3edeba52d47
Author:     Patrice Clement <>
AuthorDate: 2018-01-06 17:56:07 +0000
Commit:     Patrice Clement <>
CommitDate: 2018-01-06 17:59:09 +0000

    net-irc/irssi: version bump.
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 net-irc/irssi/Manifest           |  1 +
 net-irc/irssi/irssi-1.0.6.ebuild | 54 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)}
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-01-07 22:27:42 UTC
@maintainer, ready for stable?
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-01-07 22:32:21 UTC
@arches, please stabilize.  maintainer concurs via irc.
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-01-07 23:19:25 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-08 22:51:43 UTC
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-09 08:10:57 UTC
ppc/ppc64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-10 22:25:16 UTC
hppa stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-10 22:34:17 UTC
ia64 stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-01-17 20:00:48 UTC
GLSA vote: no
Comment 10 Markus Meier gentoo-dev 2018-02-05 21:23:17 UTC
arm stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-04 08:17:32 UTC
Stable on alpha.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2018-03-22 23:34:18 UTC
@maintainers, please clean the vulnerable versions.