Bug 643704 (CVE-2018-5205, CVE-2018-5206, CVE-2018-5207, CVE-2018-5208) - <net-irc/irssi-1.0.6: Multiple Vulnerabilities
Summary: <net-irc/irssi-1.0.6: Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-5205, CVE-2018-5206, CVE-2018-5207, CVE-2018-5208
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-15227, CVE-2017-15228, CVE-2017-15721, CVE-2017-15722, CVE-2017-15723
Reported: 2018-01-06 14:24 UTC by Agostino Sarubbo
Modified: 2018-04-22 21:12 UTC

See Also:
Package list:
=net-irc/irssi-1.0.6
Runtime testing required: No
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2018-01-06 14:24:22 UTC
From ${URL} :

IRSSI-SA-2018-01 Irssi Security Advisory [1]
============================================
CVE-2018-5206, CVE-2018-5205, CVE-2018-5208, CVE-2018-5207

Description
-----------

Multiple vulnerabilities have been located in Irssi.

(a) When the channel topic is set without specifying a sender, Irssi
    may dereference NULL pointer. Found by Joseph Bisch. (CWE-476)

    CVE-2018-5206 was assigned to this issue.

(b) When using incomplete escape codes, Irssi may access data beyond
    the end of the string. (CWE-126) Found by Joseph Bisch.

    CVE-2018-5205 was assigned to this issue.

(c) A calculation error in the completion code could cause a heap
    buffer overflow when completing certain strings. (CWE-126) Found
    by Joseph Bisch.

    CVE-2018-5208 was assigned to this issue.

(d) When using an incomplete variable argument, Irssi may access data
    beyond the end of the string. (CWE-126) Found by Joseph Bisch.

    CVE-2018-5207 was assigned to this issue.


Impact
------

May affect the stability of Irssi.


Affected versions
-----------------

(a,b,c,d) All Irssi versions that we observed.


Fixed in
--------

Irssi 1.0.6


Recommended action
------------------

Upgrade to Irssi 1.0.6. Irssi 1.0.6 is a maintenance release in the
1.0 series, without any new features.

After installing the updated packages, one can issue the /upgrade
command to load the new binary. TLS connections will require
/reconnect.


Mitigating facts
----------------

(a) requires a broken ircd or control over the ircd

(b,d) requires user to install malicious or broken files or enter
      affected commands


Patch
-----
https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Larry the Git Cow gentoo-dev 2018-01-06 17:59:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e03ef011d7411135e22c5b8ad163d3edeba52d47

commit e03ef011d7411135e22c5b8ad163d3edeba52d47
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2018-01-06 17:56:07 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2018-01-06 17:59:09 +0000

    net-irc/irssi: version bump.
    
    Bug: https://bugs.gentoo.org/643704
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 net-irc/irssi/Manifest           |  1 +
 net-irc/irssi/irssi-1.0.6.ebuild | 54 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-01-07 22:27:42 UTC
@maintainer, ready for stable?
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-01-07 22:32:21 UTC
@arches, please stabilize.  maintainer concurs via irc.
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-01-07 23:19:25 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-08 22:51:43 UTC
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-09 08:10:57 UTC
ppc/ppc64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-10 22:25:16 UTC
hppa stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-10 22:34:17 UTC
ia64 stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-01-17 20:00:48 UTC
GLSA vote: no
Comment 10 Markus Meier gentoo-dev 2018-02-05 21:23:17 UTC
arm stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-04 08:17:32 UTC
Stable on alpha.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2018-03-22 23:34:18 UTC
@maintainers, please clean the vulnerable versions.