[manjaro-security] [arch-security] [ASA-201710-30] irssi: multiple issues
Remi Gacogne
rgacogne at archlinux.org
Sun Oct 22 21:46:59 CEST 2017
Arch Linux Security Advisory ASA-201710-30
==========================================
Severity: High
Date : 2017-10-22
CVE-ID : CVE-2017-15227 CVE-2017-15228 CVE-2017-15721 CVE-2017-15722
         CVE-2017-15723
Package : irssi
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-461
Summary
=======
The package irssi before version 1.0.5-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.
Resolution
==========
Upgrade to 1.0.5-1.
# pacman -Syu "irssi>=1.0.5-1"
The problems have been fixed upstream in version 1.0.5.
Workaround
==========
None.
Description
===========
- CVE-2017-15227 (arbitrary code execution)
While waiting for the channel synchronization, Irssi < 1.0.5 may
incorrectly fail to remove destroyed channels from the query list,
resulting in use-after-free conditions when updating the state later
on. To be exploited, this issue requires a broken IRCd or control over
the IRCd.
- CVE-2017-15228 (denial of service)
When installing themes with unterminated colour formatting sequences,
Irssi < 1.0.5 may access data beyond the end of the string.
- CVE-2017-15721 (denial of service)
Certain incorrectly formatted DCC CTCP messages could cause NULL-
pointer dereference in Irssi < 1.0.5. This is a separate, but similar
issue to CVE-2017-9468. To be exploited, this issue requires a broken
IRCd or control over the IRCd.
- CVE-2017-15722 (denial of service)
In certain cases Irssi may fail to verify that a Safe channel ID is
long enough, causing reads beyond the end of the string. To be
exploited, this issue requires a broken IRCd or control over the IRCd.
- CVE-2017-15723 (denial of service)
Overlong nicks or targets may result in a NULL-pointer dereference in
Irssi >= 0.8.17 and < 1.0.5 while splitting the message. Most IRC
servers typically have length limits in place that would prevent this
issue.
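
Added example, not part of the advisory and not irssi's code: a bounds-checked parse of a Safe channel name ("!" followed by a 5-character ID and a short name), showing the length verification whose absence CVE-2017-15722 describes. The function name safe_channel_short_name and the sample inputs are hypothetical; the ID character set follows the RFC 2812 grammar.

```c
#include <stddef.h>
#include <stdio.h>

#define SAFE_ID_LEN 5 /* RFC 2812 grammar: channelid = 5( A-Z / 0-9 ) */

/* Hypothetical helper, not an irssi function. Returns the short name that
 * follows "!" + 5-character ID, or NULL when the name is not a well-formed
 * Safe channel name. Every byte is tested before the pointer advances, so
 * a truncated ID hits the '\0' check instead of being skipped over. */
const char *safe_channel_short_name(const char *chan)
{
    size_t i;

    if (chan == NULL || chan[0] != '!')
        return NULL;
    for (i = 1; i <= SAFE_ID_LEN; i++) {
        char c = chan[i];
        if (c == '\0')
            return NULL; /* ID shorter than 5 characters */
        if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')))
            return NULL; /* not a valid ID character */
    }
    if (chan[1 + SAFE_ID_LEN] == '\0')
        return NULL; /* ID present but no short name after it */
    /* The unchecked form, `chan + 1 + SAFE_ID_LEN` with no loop above,
     * points past the terminator for an input such as "!AB". */
    return chan + 1 + SAFE_ID_LEN;
}

int main(void)
{
    /* Constructed sample inputs */
    const char *samples[] = { "!ABCDEirssi", "!AB", "!ABCDE", "#irssi", "!" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *name = safe_channel_short_name(samples[i]);
        printf("%-12s -> %s\n", samples[i], name ? name : "(rejected)");
    }
    return 0;
}
```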
Impact
======
A remote attacker can cause a denial of service by sending crafted IRC
messages, or by tricking the user into installing a crafted theme. A
remote attacker in control of the IRCd to which the user is connected,
or in a man-in-the-middle position, might be able to execute arbitrary
code on the affected host.
References
==========
https://irssi.org/security/irssi_sa_2017_10.txt
https://github.com/irssi/irssi/commit/49ace3251b79a9e97c6e4d0bc640f9143dc71b90
https://github.com/irssi/irssi/commit/2edd816e7db13b4ac0b20df9bf7fe55ee7718215
https://github.com/irssi/irssi/commit/00c80cb6fcca40cfc421fe3fc181115ac4907191
https://github.com/irssi/irssi/commit/9f0dc4766c7aa80e34aa2cde94323fb49971abdf
https://github.com/irssi/irssi/commit/45dfe2ba3889c5dc23a9bea3214f158cc651a043
https://github.com/irssi/irssi/commit/0840eaec7bf56740029aae614e393f8cf76f6946
https://security.archlinux.org/CVE-2017-15227
https://security.archlinux.org/CVE-2017-15228
https://security.archlinux.org/CVE-2017-15721
https://security.archlinux.org/CVE-2017-15722
https://security.archlinux.org/CVE-2017-15723