[manjaro-security] [arch-security] [ASA-201710-30] irssi: multiple issues

Remi Gacogne rgacogne at archlinux.org
Sun Oct 22 21:46:59 CEST 2017


Arch Linux Security Advisory ASA-201710-30
==========================================

Severity: High
Date    : 2017-10-22
CVE-ID  : CVE-2017-15227 CVE-2017-15228 CVE-2017-15721 CVE-2017-15722
          CVE-2017-15723
Package : irssi
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-461

Summary
=======

The package irssi before version 1.0.5-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 1.0.5-1.

# pacman -Syu "irssi>=1.0.5-1"

The problems have been fixed upstream in version 1.0.5.

Workaround
==========

None.

Description
===========

- CVE-2017-15227 (arbitrary code execution)

While waiting for the channel synchronization, Irssi < 1.0.5 may
incorrectly fail to remove destroyed channels from the query list,
resulting in use-after-free conditions when updating the state later
on. To be exploited, this issue requires a broken IRCd or control over
the IRCd.

- CVE-2017-15228 (denial of service)

When installing themes with unterminated colour formatting sequences,
Irssi < 1.0.5 may access data beyond the end of the string.

- CVE-2017-15721 (denial of service)

Certain incorrectly formatted DCC CTCP messages could cause a
NULL-pointer dereference in Irssi < 1.0.5. This is a separate but
similar issue to CVE-2017-9468. To be exploited, this issue requires a
broken IRCd or control over the IRCd.

- CVE-2017-15722 (denial of service)

In certain cases Irssi may fail to verify that a Safe channel ID is
long enough, causing reads beyond the end of the string. To be
exploited, this issue requires a broken IRCd or control over the IRCd.

- CVE-2017-15723 (denial of service)

Overlong nicks or targets may result in a NULL-pointer dereference in
Irssi >= 0.8.17 and < 1.0.5 while splitting the message. Most IRC
servers typically have length limits in place that would prevent this
issue.
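
The missing length check described under CVE-2017-15722, as an added
illustration that is not irssi's code and not part of the advisory: RFC
2811 safe channel names are '!' followed by a 5-character ID and the
short name, so code that skips the ID must first confirm those bytes
exist. The function names and sample inputs are constructed for this
example.

```c
#include <stdio.h>
#include <string.h>

/* RFC 2811 safe channel: '!' + 5-character channel ID + short name. */
#define SAFE_ID_LEN 5

/* Unchecked pattern, shown for contrast: skips the ID without confirming
 * it is there. For a short input such as "!ab" the result points past
 * the terminating NUL, so any later read through it is out of bounds. */
const char *safe_short_name_unchecked(const char *channel)
{
    return channel + 1 + SAFE_ID_LEN;
}

/* Checked form: returns the short name, or NULL when the input is not a
 * safe channel or is too short to hold the full ID plus one name byte.
 * The scan stops at the first NUL, so it never reads past the string. */
const char *safe_short_name(const char *channel)
{
    size_t i;

    if (channel == NULL || channel[0] != '!')
        return NULL;
    for (i = 1; i <= SAFE_ID_LEN + 1; i++) {
        if (channel[i] == '\0')
            return NULL;
    }
    return channel + 1 + SAFE_ID_LEN;
}

int main(void)
{
    /* Constructed sample names, not taken from the advisory. */
    const char *samples[] = { "!ABCDEchan", "!ABCDE", "!ab", "!", "#chan" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *name = safe_short_name(samples[i]);
        printf("%-12s -> %s\n", samples[i], name ? name : "(rejected)");
    }
    return 0;
}
```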

Impact
======

A remote attacker can cause a denial of service by sending crafted IRC
messages, or by tricking the user into installing a crafted theme. A
remote attacker in control of the IRCd to which the user is connected,
or in a man-in-the-middle position, might be able to execute arbitrary
code on the affected host.

References
==========

https://irssi.org/security/irssi_sa_2017_10.txt
https://github.com/irssi/irssi/commit/49ace3251b79a9e97c6e4d0bc640f9143dc71b90
https://github.com/irssi/irssi/commit/2edd816e7db13b4ac0b20df9bf7fe55ee7718215
https://github.com/irssi/irssi/commit/00c80cb6fcca40cfc421fe3fc181115ac4907191
https://github.com/irssi/irssi/commit/9f0dc4766c7aa80e34aa2cde94323fb49971abdf
https://github.com/irssi/irssi/commit/45dfe2ba3889c5dc23a9bea3214f158cc651a043
https://github.com/irssi/irssi/commit/0840eaec7bf56740029aae614e393f8cf76f6946
https://security.archlinux.org/CVE-2017-15227
https://security.archlinux.org/CVE-2017-15228
https://security.archlinux.org/CVE-2017-15721
https://security.archlinux.org/CVE-2017-15722
https://security.archlinux.org/CVE-2017-15723
