Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 688944 (CVE-2019-13045) - <net-irc/irssi-1.2.1: Use after free when sending SASL login to the server
Summary: <net-irc/irssi-1.2.1: Use after free when sending SASL login to the server
Status: RESOLVED FIXED
Alias: CVE-2019-13045
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://irssi.org/security/irssi_sa_2...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-29 15:34 UTC by Jeroen Roovers (RETIRED)
Modified: 2019-07-25 17:45 UTC (History)
3 users (show)

See Also:
Package list:
net-irc/irssi-1.2.1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2019-06-29 15:34:51 UTC
IRSSI-SA-2019-06 Irssi Security Advisory [1]
============================================
CVE-2019-13045

Description
-----------

(a) Use after free when sending SASL login to the server found by
    ilbelkyr. (CWE-416, CWE-825)

    CVE-2019-13045 [2] was assigned to this issue.


Impact
------

May affect the stability of Irssi. SASL logins may fail, especially
during (manual and automated) reconnect.


Affected versions
-----------------

(a) Irssi 0.8.18 and later


Fixed in
--------

Irssi 1.0.8, 1.1.3, 1.2.1


Recommended action
------------------

Upgrade to the latest Irssi. We've published maintenance releases,
without any new features.

After installing the updated packages, one can issue the /upgrade
command to load the new binary. TLS connections will require
/reconnect.


Mitigating facts
----------------

Users who have not configured SASL, are not affected by this issue.



References
----------

[1] https://irssi.org/security/irssi_sa_2019_06.txt
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13045
Comment 1 Larry the Git Cow gentoo-dev 2019-06-30 04:06:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8abedfbc9aa8cb11907e5d6788d3870ba1455a92

commit 8abedfbc9aa8cb11907e5d6788d3870ba1455a92
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2019-06-30 03:55:48 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2019-06-30 04:06:15 +0000

    net-irc/irssi: Version bump, security bug #688944
    
    Bug: https://bugs.gentoo.org/688944
    Package-Manager: Portage-2.3.66, Repoman-2.3.11
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-irc/irssi/Manifest           |  1 +
 net-irc/irssi/irssi-1.2.1.ebuild | 65 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)
Comment 2 Matt Turner gentoo-dev 2019-07-07 20:34:13 UTC
cc arches?
Comment 3 Matt Turner gentoo-dev 2019-07-14 20:23:28 UTC
Not sure what happened to our three maintainers. Cc'ing arches.
Comment 4 Agostino Sarubbo gentoo-dev 2019-07-15 13:14:40 UTC
amd64 stable
Comment 5 Rolf Eike Beer archtester 2019-07-15 19:23:03 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-07-17 15:25:30 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-07-18 09:59:00 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-07-18 10:02:51 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-07-18 11:45:25 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-07-18 13:10:26 UTC
alpha stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2019-07-21 08:27:27 UTC
hppa stable
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-07-25 17:44:24 UTC
arm stable