Bugzilla – Bug 1074958
VUL-0: irssi: 1.0.6: CVE-2018-5206, CVE-2018-5205, CVE-2018-5208, CVE-2018-5207
Last modified: 2018-01-09 23:39:32 UTC
Irssi 1.0.6: CVE-2018-5206, CVE-2018-5205, CVE-2018-5208, CVE-2018-5207
From: Ailin Nemui <ailin.nemui () gmail com>
Date: Sat, 06 Jan 2018 15:13:38 +0100

IRSSI-SA-2018-01 Irssi Security Advisory [1]
============================================
CVE-2018-5206, CVE-2018-5205, CVE-2018-5208, CVE-2018-5207

Description
-----------
Multiple vulnerabilities have been located in Irssi.

(a) When the channel topic is set without specifying a sender, Irssi
    may dereference NULL pointer. Found by Joseph Bisch. (CWE-476)

    CVE-2018-5206 was assigned to this issue.

(b) When using incomplete escape codes, Irssi may access data beyond
    the end of the string. (CWE-126) Found by Joseph Bisch.

    CVE-2018-5205 was assigned to this issue.

(c) A calculation error in the completion code could cause a heap
    buffer overflow when completing certain strings. (CWE-126) Found
    by Joseph Bisch.

    CVE-2018-5208 was assigned to this issue.

(d) When using an incomplete variable argument, Irssi may access data
    beyond the end of the string. (CWE-126) Found by Joseph Bisch.

    CVE-2018-5207 was assigned to this issue.

Impact
------
May affect the stability of Irssi.

Affected versions
-----------------
(a,b,c,d) All Irssi versions that we observed.

Fixed in
--------
Irssi 1.0.6

Recommended action
------------------
Upgrade to Irssi 1.0.6. Irssi 1.0.6 is a maintenance release in the
1.0 series, without any new features.

After installing the updated packages, one can issue the /upgrade
command to load the new binary. TLS connections will require
/reconnect.

Mitigating facts
----------------
(a) requires a broken ircd or control over the ircd

(b,d) requires user to install malicious or broken files or enter
      affected commands

Patch
-----
https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff

References
----------
[1] https://irssi.org/security/irssi_sa_2018_01.txt
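Item (b) of the advisory, as an added example that is not Irssi's code or its patch: a hypothetical escape expander in C showing the bounds checks that keep an incomplete escape code from reading past the end of the string. The names `expand_escapes` and `hex_val` and the `\n`, `\t`, `\xHH` escape set are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Value of one hex digit, or -1 for anything else (the NUL terminator included). */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical expander for \n, \t, \\ and \xHH (not Irssi's code).
 * Writes at most outsz-1 bytes plus a NUL; returns the bytes written. */
size_t expand_escapes(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return 0;
    while (*in != '\0' && n + 1 < outsz) {
        char c = *in++;
        if (c == '\\') {
            /* Incomplete escape: the backslash is the last byte. Advancing
             * unconditionally here would step past the terminator. */
            if (*in == '\0') { out[n++] = '\\'; break; }
            c = *in++;
            if (c == 'n') c = '\n';
            else if (c == 't') c = '\t';
            else if (c == 'x') {
                /* Check each digit before consuming it; in[1] is read only when
                 * in[0] was a digit. An incomplete \x keeps a literal 'x'. */
                int hi = hex_val(in[0]);
                int lo = hi >= 0 ? hex_val(in[1]) : -1;
                if (lo >= 0) { c = (char)(hi * 16 + lo); in += 2; }
            }
        }
        out[n++] = c;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    const char *samples[] = { "\\x41\\n", "abc\\", "\\x", "\\x4" }; /* constructed */
    char buf[16];
    for (size_t i = 0; i < 4; i++)
        printf("%zu\n", expand_escapes(samples[i], buf, sizeof buf));
    return 0;
}
```

Building this with `-fsanitize=address` and feeding it strings that end mid-escape is a quick way to confirm that no read crosses the terminator.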
I opened https://build.opensuse.org/request/show/562176
done
openSUSE-SU-2018:0057-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1074958
CVE References: CVE-2018-5205,CVE-2018-5206,CVE-2018-5207,CVE-2018-5208
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): irssi-1.0.6-36.1

openSUSE-SU-2018:0058-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1074958
CVE References: CVE-2018-5205,CVE-2018-5206,CVE-2018-5207,CVE-2018-5208
Sources used:
openSUSE Leap 42.3 (src): irssi-1.0.6-21.1
openSUSE Leap 42.2 (src): irssi-1.0.6-14.18.1