Bug 999199 - (CVE-2016-7044) VUL-0: CVE-2016-7044, CVE-2016-7045: irssi: heap corruption and missing boundary checks
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware / OS: Other / openSUSE 13.2
Importance: P3 - Medium / Normal
Assigned To: Marcus Meissner
QA Contact: Security Team bot
Reported: 2016-09-16 07:03 UTC by Victor Pereira
Modified: 2016-10-13 14:11 UTC
Found By: Security Response Team
Description Victor Pereira 2016-09-16 07:03:26 UTC
heap corruption and missing boundary checks
===========================================

CVE-2016-7044 [1] was assigned to bug 1
CVE-2016-7045 [2] was assigned to bug 2


Description
-----------

Gabriel Campana and Adrien Guinet from Quarkslab reported two remote
crash and heap corruption vulnerabilities in Irssi's format parsing
code.

They also provided us with proof of concept exploit code and patches
to fix those issues.


Impact
------

Remote crash and heap corruption. Remote code execution seems
difficult since only Nuls are written.


Detailed analysis
-----------------

Based on analysis provided by Gabriel Campana and Adrien Guinet from
Quarkslab:

Bug 1

The unformat_24bit_color() function is called by format_send_to_gui()
to decode 24bit color codes into their components. The pointer is
advanced unconditionally without checking if a complete code was
supplied.

Thus, after the return of unformat_24bit_color(), ptr might be invalid
and point out of the buffer.

Bug 2

The format_send_to_gui function does not validate the length of the
string before incrementing the `ptr' pointer in all cases of a type
'4' color:

If that happens, the pointer `ptr' can be incremented twice and thus
end past the boundaries of the original `dup' buffer.


Affected versions
-----------------

Irssi 0.8.17-beta up to and including 0.8.19 up to 0.8.19-219-g52fedea

Bug 1 affects only Irssis compiled with true-color enabled.
Bug 2 affects all Irssis regardless of compilation flags.


Fixed in
--------

Irssi 0.8.20


Recommended action
------------------

Upgrade to Irssi 0.8.20. Irssi 0.8.20 is a maintenance release
without any new features.

After installing the updated packages, one can issue the /upgrade
command to load the new binary. TLS connections will require
/reconnect. If the buf.pl script is loaded and symlinked into
~/.irssi/scripts/autorun, text buffer content will be saved and
restored.


Fallback action
---------------

Distributions which need to remain on Irssi 0.8.17 are strongly urged
to apply the patch and provide updated packages.


Patch
-----
https://github.com/irssi/irssi/commit/dd4507db7e9968fc14bd6a165daa9da8d6e61286


As mitigation, we suggest that updates to Irssi 0.8.20 be pushed.
0.8.20 is a maintenance release with no new features.

For those distributions which need to remain on Irssi 0.8.17, the
minimal fix should be applied. We checked that currently at least
Ubuntu 15.10, Debian stable and openSUSE 42 are on Irssi 0.8.17.

There is no easy workaround known to us.

We are attaching the following documents
- preliminary security advisory
- minimal patch for Irssi 0.8.17
- patch from Irssi 0.8.19 -> 0.8.20

Thanks,
Ailin Nemui (Nei)
on behalf of the Irssi team




From f99de3edc2f98d42f4c473b194705078858b1d7c Mon Sep 17 00:00:00 2001
From: Ailin Nemui <ailin@devio.us>
Date: Wed, 14 Sep 2016 14:52:17 +0200
Subject: [PATCH] irssi 0.8.19 -> 0.8.20

---
 ChangeLog                           | 92 ++++++++++++++++++++++++++++++++++++-
 Makefile.in                         | 10 ++--
 NEWS                                | 14 ++++++
 aclocal.m4                          |  4 +-
 configure                           | 20 ++++----
 configure.ac                        |  2 +-
 docs/help/Makefile.am               |  2 +
 docs/help/Makefile.in               |  2 +
 docs/help/away                      |  4 +-
 docs/help/hilight                   |  2 +-
 docs/help/in/Makefile.am            |  2 +
 docs/help/in/Makefile.in            |  2 +
 docs/help/in/away.in                |  4 +-
 docs/help/in/hilight.in             |  2 +-
 docs/help/in/list.in                |  6 +--
 docs/help/in/servlist.in            | 23 ++++++++++
 docs/help/in/squery.in              | 16 +++++++
 docs/help/list                      |  6 +--
 docs/help/servlist                  | 23 ++++++++++
 docs/help/squery                    | 16 +++++++
 docs/signals.txt                    |  2 +-
 irssi-config.h                      |  4 +-
 irssi-version.h                     |  4 +-
 src/core/commands.c                 |  8 ++--
 src/core/network.c                  |  6 ++-
 src/fe-common/core/fe-messages.c    |  6 +--
 src/fe-common/core/formats.c        |  5 ++
 src/fe-common/irc/fe-irc-channels.c |  9 ++--
 src/irc/core/irc-commands.c         |  6 +++
 src/irc/core/irc-servers.c          |  6 ++-
 src/irc/core/sasl.c                 |  2 +-
 31 files changed, 258 insertions(+), 52 deletions(-)
 create mode 100644 docs/help/in/servlist.in
 create mode 100644 docs/help/in/squery.in
 create mode 100644 docs/help/servlist
 create mode 100644 docs/help/squery

diff --git a/ChangeLog b/ChangeLog
index cac3f65..064a42c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,93 @@
+commit 13f4026ae0f0d5422f3163576d4c2eff8754176a
+Author: ailin-nemui <ailin-nemui@users.noreply.github.com>
+Date:   Wed Sep 14 13:55:20 2016 +0200
+
+    tag as 0.8.20
+
+commit 9de7a9b3284b06631a47609a83e608cfe0541de1
+Author: ailin-nemui <ailin-nemui@users.noreply.github.com>
+Date:   Wed Sep 14 13:44:51 2016 +0200
+
+    Merge branch 'quarkslab'
+
+commit 52fedeaf0229e27f9d86b72b23f16120c92c1fea
+Author: ailin-nemui <ailin-nemui@users.noreply.github.com>
+Date:   Wed Sep 14 13:34:39 2016 +0200
+
+    Update NEWS for 0.8.20
+
+commit 7455ad51d43ad925a613ff90e3b6d3c866b2fe7b
+Author: ailin-nemui <ailin-nemui@users.noreply.github.com>
+Date:   Sat Apr 30 10:19:57 2016 +0200
+
+    Merge pull request #477 from dennisschagt/master
+    
+    Correct error/typo "You"->"Your" in help message
+
+commit 2c5856d832c9cc7f2a995e9017b4436d752c68c3
+Author: ailin-nemui <ailin-nemui@users.noreply.github.com>
+Date:   Thu Apr 7 12:33:03 2016 +0200
+
+    Merge pull request #467 from dequis/EAI_SYSTEM
+    
+    net_gethosterror: Handle EAI_SYSTEM ("System error") properly
+
+commit 8cbf5f28f2028fd6fc58232c76f67ab574ecab11
+Author: ailin-nemui <ailin-nemui@users.noreply.github.com>
+Date:   Tue Mar 29 22:45:47 2016 +0200
+
+    Merge pull request #461 from ailin-nemui/fix_squery
+    
+    Revert "Removed the obsolete SQUERY and SERVLIST commands"
+
+commit e68817f82bc9dde71bb28975cee7ed70cc98ff30
+Author: ailin-nemui <ailin-nemui@users.noreply.github.com>
+Date:   Tue Jul 12 16:11:04 2016 +0200
+
+    Merge pull request #515 from LemonBoy/signal-proto
+    
+    Correct the prototype for the 'message private' signal.
+
+commit 6b212be112e33a536d08f31abf186a699ee8da51
+Author: dx <dx@dxzone.com.ar>
+Date:   Sun Jul 17 12:37:57 2016 -0300
+
+    Merge pull request #518 from vague666/hilight_help
+    
+    Wrong order in the arguments in /hilight example, -mask doesn't take …
+
+commit 3c29b4440841e867fe804ec5351884d90d9d8bcf
+Author: ailin-nemui <ailin-nemui@users.noreply.github.com>
+Date:   Thu Aug 25 04:24:07 2016 +0200
+
+    Merge pull request #529 from ailin-nemui/issue500
+    
+    fix nick->host == NULL crash
+
+commit 31c0a9d7e8368e8cfa10356bd9dbc1f9024d9c70
+Author: LemonBoy <LemonBoy@users.noreply.github.com>
+Date:   Sun Sep 4 12:11:02 2016 +0200
+
+    Merge pull request #533 from dequis/statusmess
+    
+    Set the default STATUSMSG to @ instead of @+ if it's missing
+
+commit 750e3249038409607b0a57d21e21612e546539ed
+Author: ailin-nemui <ailin-nemui@users.noreply.github.com>
+Date:   Wed Jun 1 22:56:26 2016 +0200
+
+    Merge pull request #484 from LemonBoy/sasl-misc-adj
+    
+    Correct the name of the emitted signal.
+
+commit 97e9347ee704bdcd790002f2629cf6cea3e2bf40
+Author: ailin-nemui <ailin-nemui@users.noreply.github.com>
+Date:   Tue Jun 7 02:47:57 2016 +0200
+
+    Merge pull request #485 from ailin-nemui/bdo826525
+    
+    Do not crash on OPTCHAN when item has no server
+
 commit c43831574187cdb2323d123702aa687af24664d8
 Author: ailin-nemui <ailin-nemui@users.noreply.github.com>
 Date:   Wed Mar 23 00:08:24 2016 +0100
@@ -2130,7 +2220,7 @@ Date:   Sun Jun 14 10:42:41 2015 -0300
     Merge branch 'master' into irssiproxy
     
     Conflicts:
-    	src/irc/proxy/listen.c
+            src/irc/proxy/listen.c
 
 commit 6fcafc599350737d0d14f3c863af594efc391124
 Author: Geert Hauwaerts <geert@hauwaerts.be>
diff --git a/Makefile.in b/Makefile.in
index feea660..413e7f9 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -208,7 +208,7 @@ am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/irssi-config.h.in \
 	$(top_srcdir)/src/perl/textui/Makefile.PL.in \
 	$(top_srcdir)/src/perl/ui/Makefile.PL.in AUTHORS COPYING \
 	ChangeLog INSTALL NEWS TODO acconfig.h build-aux/compile \
-	build-aux/config.guess build-aux/config.sub \
+	build-aux/config.guess build-aux/config.sub build-aux/depcomp \
 	build-aux/install-sh build-aux/ltmain.sh build-aux/missing
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
@@ -730,7 +730,7 @@ distdir: $(DISTFILES)
 	  ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
 	|| chmod -R a+r "$(distdir)"
 dist-gzip: distdir
-	tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
+	tardir=$(distdir) && $(am__tar) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).tar.gz
 	$(am__post_remove_distdir)
 
 dist-bzip2: distdir
@@ -756,7 +756,7 @@ dist-shar: distdir
 	@echo WARNING: "Support for shar distribution archives is" \
 	               "deprecated." >&2
 	@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
-	shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
+	shar $(distdir) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).shar.gz
 	$(am__post_remove_distdir)
 
 dist-zip: distdir
@@ -774,7 +774,7 @@ dist dist-all:
 distcheck: dist
 	case '$(DIST_ARCHIVES)' in \
 	*.tar.gz*) \
-	  GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
+	  eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).tar.gz | $(am__untar) ;;\
 	*.tar.bz2*) \
 	  bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
 	*.tar.lz*) \
@@ -784,7 +784,7 @@ distcheck: dist
 	*.tar.Z*) \
 	  uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
 	*.shar.gz*) \
-	  GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\
+	  eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\
 	*.zip*) \
 	  unzip $(distdir).zip ;;\
 	esac
diff --git a/NEWS b/NEWS
index 65aab5e..265827b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,17 @@
+v0.8.20 2016-09-16  The Irssi team <staff@irssi.org>
+	- Correct the name of an emitted sasl signal (#484)
+	- Correct the prototype for the 'message private' signal (#515)
+	- Corrections in away and hilight help text (#477, #518)
+	- /squery and /servlist commands have been restored.
+	- Where Irssi would previously only report "System error" on connect,
+	  it will now try harder to retrieve the system error message.
+	- Fixed issue with +channels not working properly (#533)
+	- Fixed crash in optchan when item has no server (#485)
+	- Fixed random remote crash in the nicklist handling (#529)
+	- Fixed remote crash due to incorrect bounds checking on
+	  formats, reported by Gabriel Campana and Adrien Guinet from
+	  Quarkslab.
+
 v0.8.19 2016-03-23  The Irssi team <staff@irssi.org>
 	- Fixed regression when joining and parting channels on IRCnet (#435)
 	- Fixed SASL EXTERNAL (#432)
diff --git a/aclocal.m4 b/aclocal.m4
index c06c310..72637a2 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -21,7 +21,7 @@ If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically 'autoreconf'.])])
 
 dnl pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
-dnl serial 11 (pkg-config-0.29)
+dnl serial 11 (pkg-config-0.29.1)
 dnl
 dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
 dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
@@ -63,7 +63,7 @@ dnl
 dnl See the "Since" comment for each macro you use to see what version
 dnl of the macros you require.
 m4_defun([PKG_PREREQ],
-[m4_define([PKG_MACROS_VERSION], [0.29])
+[m4_define([PKG_MACROS_VERSION], [0.29.1])
 m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1,
     [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])])
 ])dnl PKG_PREREQ
diff --git a/configure b/configure
index db1ce74..cc498be 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for irssi 0.8.19.
+# Generated by GNU Autoconf 2.69 for irssi 0.8.20.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='irssi'
 PACKAGE_TARNAME='irssi'
-PACKAGE_VERSION='0.8.19'
-PACKAGE_STRING='irssi 0.8.19'
+PACKAGE_VERSION='0.8.20'
+PACKAGE_STRING='irssi 0.8.20'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1384,7 +1384,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures irssi 0.8.19 to adapt to many kinds of systems.
+\`configure' configures irssi 0.8.20 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1454,7 +1454,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of irssi 0.8.19:";;
+     short | recursive ) echo "Configuration of irssi 0.8.20:";;
    esac
   cat <<\_ACEOF
 
@@ -1598,7 +1598,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-irssi configure 0.8.19
+irssi configure 0.8.20
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2200,7 +2200,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by irssi $as_me 0.8.19, which was
+It was created by irssi $as_me 0.8.20, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3069,7 +3069,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='irssi'
- VERSION='0.8.19'
+ VERSION='0.8.20'
 
 
 # Some tools Automake needs.
@@ -15812,7 +15812,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by irssi $as_me 0.8.19, which was
+This file was extended by irssi $as_me 0.8.20, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -15878,7 +15878,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-irssi config.status 0.8.19
+irssi config.status 0.8.20
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index b25e728..458c8aa 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT(irssi, 0.8.19)
+AC_INIT(irssi, 0.8.20)
 AC_CONFIG_SRCDIR([src])
 AC_CONFIG_AUX_DIR(build-aux)
 AC_PREREQ(2.50)
diff --git a/docs/help/Makefile.am b/docs/help/Makefile.am
index 85f286e..e9a45c0 100644
--- a/docs/help/Makefile.am
+++ b/docs/help/Makefile.am
@@ -85,8 +85,10 @@ help_DATA = \
 	script \
 	scrollback \
 	server \
+	servlist \
 	set \
 	silence \
+	squery \
 	squit \
 	stats \
 	statusbar \
diff --git a/docs/help/Makefile.in b/docs/help/Makefile.in
index e25d881..2251e49 100644
--- a/docs/help/Makefile.in
+++ b/docs/help/Makefile.in
@@ -448,8 +448,10 @@ help_DATA = \
 	script \
 	scrollback \
 	server \
+	servlist \
 	set \
 	silence \
+	squery \
 	squit \
 	stats \
 	statusbar \
diff --git a/docs/help/away b/docs/help/away
index 9ee7ef2..cbf2e7f 100644
--- a/docs/help/away
+++ b/docs/help/away
@@ -8,8 +8,8 @@ AWAY %|[-one | -all] [<reason>]
    -one:    Marks yourself as away on the active server.
    -all:    Marks yourself as away on all the servers you are connected to.
 
-   You away message; if no argument is given, your away status will be removed.
-   
+   Your away message; if no argument is given, your away status will be removed.
+
 %9Description:%9
 
     Marks yourself as 'away'; this method is used to inform people that you
diff --git a/docs/help/hilight b/docs/help/hilight
index cd7cd9e..8dc104f 100644
--- a/docs/help/hilight
+++ b/docs/help/hilight
@@ -31,7 +31,7 @@ HILIGHT %|[-nick | -word | -line] [-mask | -full | -regexp] [-color <color>] [-a
     /HILIGHT
     /HILIGHT mike
     /HILIGHT -regexp mi+ke+
-    /HILIGHT -mask bob!*@*.irssi.org -color %%G
+    /HILIGHT -mask -color %%G bob!*@*.irssi.org
     /HILIGHT -full -color %%G -actcolor %%Y redbull
 
 %9References:%9
diff --git a/docs/help/in/Makefile.am b/docs/help/in/Makefile.am
index 8604f53..e1f7759 100644
--- a/docs/help/in/Makefile.am
+++ b/docs/help/in/Makefile.am
@@ -84,8 +84,10 @@ EXTRA_DIST = \
 	script.in \
 	scrollback.in \
 	server.in \
+	servlist.in \
 	set.in \
 	silence.in \
+	squery.in \
 	squit.in \
 	stats.in \
 	statusbar.in \
diff --git a/docs/help/in/Makefile.in b/docs/help/in/Makefile.in
index 4b58f19..418ce1a 100644
--- a/docs/help/in/Makefile.in
+++ b/docs/help/in/Makefile.in
@@ -358,8 +358,10 @@ EXTRA_DIST = \
 	script.in \
 	scrollback.in \
 	server.in \
+	servlist.in \
 	set.in \
 	silence.in \
+	squery.in \
 	squit.in \
 	stats.in \
 	statusbar.in \
diff --git a/docs/help/in/away.in b/docs/help/in/away.in
index e0cf368..75bc46c 100644
--- a/docs/help/in/away.in
+++ b/docs/help/in/away.in
@@ -8,8 +8,8 @@
    -one:    Marks yourself as away on the active server.
    -all:    Marks yourself as away on all the servers you are connected to.
 
-   You away message; if no argument is given, your away status will be removed.
-   
+   Your away message; if no argument is given, your away status will be removed.
+
 %9Description:%9
 
     Marks yourself as 'away'; this method is used to inform people that you
diff --git a/docs/help/in/hilight.in b/docs/help/in/hilight.in
index fabbc2e..cd91560 100644
--- a/docs/help/in/hilight.in
+++ b/docs/help/in/hilight.in
@@ -31,7 +31,7 @@
     /HILIGHT
     /HILIGHT mike
     /HILIGHT -regexp mi+ke+
-    /HILIGHT -mask bob!*@*.irssi.org -color %%G
+    /HILIGHT -mask -color %%G bob!*@*.irssi.org
     /HILIGHT -full -color %%G -actcolor %%Y redbull
 
 %9References:%9
diff --git a/docs/help/in/list.in b/docs/help/in/list.in
index 33f05e8..b796eed 100644
--- a/docs/help/in/list.in
+++ b/docs/help/in/list.in
@@ -25,10 +25,10 @@
 %9Remarks:%9
 
     Not all networks support server-side filtering and may provide a network
-    service instead; on IRCnet, you may use the ALIS service:
+    service or service bot instead; on IRCnet, you may use the List service:
 
-    /QUOTE SQUERY ALIS :HELP
+    /SQUERY List HELP
     /MSG ALIS HELP
 
-%9See also:%9 QUOTE, STATS, WHOIS
+%9See also:%9 STATS, SQUERY, WHOIS
 
diff --git a/docs/help/in/servlist.in b/docs/help/in/servlist.in
new file mode 100644
index 0000000..0a0d025
--- /dev/null
+++ b/docs/help/in/servlist.in
@@ -0,0 +1,23 @@
+
+%9Syntax:%9
+
+@SYNTAX:servlist@
+
+%9Parameters:%9
+
+    <mask> limits the output to the services which names matches
+           the mask.
+    <type> limits the output to the services of the specified type.
+
+%9Description:%9
+
+    List the network services currently present on the
+    IRC network.
+
+%9Examples:%9
+
+    /SERVLIST *@javairc.*
+    /SERVLIST * 0xD000
+
+%9See also:%9 SQUERY
+
diff --git a/docs/help/in/squery.in b/docs/help/in/squery.in
new file mode 100644
index 0000000..59ee800
--- /dev/null
+++ b/docs/help/in/squery.in
@@ -0,0 +1,16 @@
+
+%9Syntax:%9
+
+@SYNTAX:squery@
+
+%9Parameters:%9
+
+    <service> - Service nickname or full hostmask of service to query.
+    <message> - Message to send to the service.
+
+%9Description:%9
+
+    /SQUERY sends a query to the specified service.
+
+%9See also:%9 SERVLIST, LIST, MSG
+
diff --git a/docs/help/list b/docs/help/list
index 4c5edd4..09e70d2 100644
--- a/docs/help/list
+++ b/docs/help/list
@@ -25,10 +25,10 @@ LIST %|[-yes] [<channel>]
 %9Remarks:%9
 
     Not all networks support server-side filtering and may provide a network
-    service instead; on IRCnet, you may use the ALIS service:
+    service or service bot instead; on IRCnet, you may use the List service:
 
-    /QUOTE SQUERY ALIS :HELP
+    /SQUERY List HELP
     /MSG ALIS HELP
 
-%9See also:%9 QUOTE, STATS, WHOIS
+%9See also:%9 STATS, SQUERY, WHOIS
 
diff --git a/docs/help/servlist b/docs/help/servlist
new file mode 100644
index 0000000..a02d229
--- /dev/null
+++ b/docs/help/servlist
@@ -0,0 +1,23 @@
+
+%9Syntax:%9
+
+SERVLIST %|[<mask> [<type>]]
+
+%9Parameters:%9
+
+    <mask> limits the output to the services which names matches
+           the mask.
+    <type> limits the output to the services of the specified type.
+
+%9Description:%9
+
+    List the network services currently present on the
+    IRC network.
+
+%9Examples:%9
+
+    /SERVLIST *@javairc.*
+    /SERVLIST * 0xD000
+
+%9See also:%9 SQUERY
+
diff --git a/docs/help/squery b/docs/help/squery
new file mode 100644
index 0000000..bb5498e
--- /dev/null
+++ b/docs/help/squery
@@ -0,0 +1,16 @@
+
+%9Syntax:%9
+
+SQUERY %|<service> [<message>]
+
+%9Parameters:%9
+
+    <service> - Service nickname or full hostmask of service to query.
+    <message> - Message to send to the service.
+
+%9Description:%9
+
+    /SQUERY sends a query to the specified service.
+
+%9See also:%9 SERVLIST, LIST, MSG
+
diff --git a/docs/signals.txt b/docs/signals.txt
index 8b71fd9..5e03d90 100644
--- a/docs/signals.txt
+++ b/docs/signals.txt
@@ -260,7 +260,7 @@ fe-exec.c:
 
 fe-messages.c:
  "message public", SERVER_REC, char *msg, char *nick, char *address, char *target
- "message private", SERVER_REC, char *msg, char *nick, char *address
+ "message private", SERVER_REC, char *msg, char *nick, char *address, char *target
  "message own_public", SERVER_REC, char *msg, char *target
  "message own_private", SERVER_REC, char *msg, char *target, char *orig_target
  "message join", SERVER_REC, char *channel, char *nick, char *address
diff --git a/irssi-config.h b/irssi-config.h
index bdba123..adcf9d2 100644
--- a/irssi-config.h
+++ b/irssi-config.h
@@ -108,7 +108,7 @@
 #define PACKAGE_NAME "irssi"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "irssi 0.8.19"
+#define PACKAGE_STRING "irssi 0.8.20"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "irssi"
@@ -117,7 +117,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "0.8.19"
+#define PACKAGE_VERSION "0.8.20"
 
 /* The size of `int', as computed by sizeof. */
 #define SIZEOF_INT 4
diff --git a/irssi-version.h b/irssi-version.h
index 334d67c..bc8a38c 100644
--- a/irssi-version.h
+++ b/irssi-version.h
@@ -1,2 +1,2 @@
-#define IRSSI_VERSION_DATE 20160323
-#define IRSSI_VERSION_TIME 8
+#define IRSSI_VERSION_DATE 20160914
+#define IRSSI_VERSION_TIME 1355
diff --git a/src/core/commands.c b/src/core/commands.c
index 88d1208..607baf7 100644
--- a/src/core/commands.c
+++ b/src/core/commands.c
@@ -666,7 +666,7 @@ get_optional_channel(WI_ITEM_REC *active_item, char **data, int require_name)
 	const char *ret;
 	char *tmp, *origtmp, *channel;
 
-	if (active_item == NULL) {
+	if (active_item == NULL || active_item->server == NULL) {
                 /* no active channel in window, channel required */
 		return cmd_get_param(data);
 	}
@@ -674,11 +674,13 @@ get_optional_channel(WI_ITEM_REC *active_item, char **data, int require_name)
 	origtmp = tmp = g_strdup(*data);
 	channel = cmd_get_param(&tmp);
 
-	if (g_strcmp0(channel, "*") == 0 && !require_name) {
+	if (g_strcmp0(channel, "*") == 0 && IS_CHANNEL(active_item) &&
+	    !require_name) {
                 /* "*" means active channel */
 		cmd_get_param(data);
 		ret = window_item_get_target(active_item);
-	} else if (!server_ischannel(active_item->server, channel)) {
+	} else if (IS_CHANNEL(active_item) &&
+		   !server_ischannel(active_item->server, channel)) {
                 /* we don't have channel parameter - use active channel */
 		ret = window_item_get_target(active_item);
 	} else {
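Review bot: with `IS_CHANNEL(active_item)` added to both conditions, a query window (a non-channel item) that passes `*` or a name that is not a channel now falls through to the final `else` and takes the parameter literally, where it previously resolved to the active item; that is the intended fix for the OPTCHAN crash on items without a server (#485), but the behaviour change deserves a note next to `/* "*" means active channel */`, which now only holds for channel items. `server_ischannel(active_item->server, channel)` is reached only when `IS_CHANNEL(active_item)` is true, so the `active_item->server == NULL` guard in the previous hunk is what protects the query-window path.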
diff --git a/src/core/network.c b/src/core/network.c
index 0751aa9..c3ad4e2 100644
--- a/src/core/network.c
+++ b/src/core/network.c
@@ -585,7 +585,11 @@ const char *net_gethosterror(int error)
 #ifdef HAVE_IPV6
 	g_return_val_if_fail(error != 0, NULL);
 
-	return gai_strerror(error);
+	if (error == EAI_SYSTEM) {
+		return strerror(errno);
+	} else {
+		return gai_strerror(error);
+	}
 #else
 	switch (error) {
 	case HOST_NOT_FOUND:
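Review bot: `strerror(errno)` relies on `errno` still holding the value set when the resolver call failed, but this function receives only the `error` code and may run later, so any intervening library call can have overwritten it; capture `errno` at the failure site and pass it in, or document that callers must invoke `net_gethosterror()` immediately after the failing call. `strerror()` also returns a static buffer, so `strerror_r()` is the safer choice if resolution runs in a helper thread or process, and the file needs `<errno.h>` and `<string.h>` for `errno`, `EAI_SYSTEM` handling and `strerror()` to be portable.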
diff --git a/src/fe-common/core/fe-messages.c b/src/fe-common/core/fe-messages.c
index 3240fd1..8ad8375 100644
--- a/src/fe-common/core/fe-messages.c
+++ b/src/fe-common/core/fe-messages.c
@@ -602,9 +602,6 @@ static void sig_nicklist_new(CHANNEL_REC *channel, NICK_REC *nick)
 	char *nickhost, *p;
 	int n;
 
-	if (nick->host == NULL)
-                return;
-
 	firstnick = g_hash_table_lookup(channel->nicks, nick->nick);
 	if (firstnick->next == NULL)
 		return;
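Review bot: moving the `nick->host == NULL` check below the lookup means `g_hash_table_lookup()` and the duplicate scan now run for nicks without a host, which is the point of the fix (#529), but the visible context still dereferences `firstnick->next` without checking that `firstnick` is non-NULL; if this signal is only emitted after the nick has been inserted into `channel->nicks` that is safe, and a `g_return_if_fail(firstnick != NULL);` would make the assumption explicit.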
@@ -617,6 +614,9 @@ static void sig_nicklist_new(CHANNEL_REC *channel, NICK_REC *nick)
                         return; /* nope, we have it */
 	}
 
+	if (nick->host == NULL)
+                return;
+
 	/* identical nick already exists, have to change it somehow.. */
 	p = strchr(nick->host, '@');
 	if (p == NULL) p = nick->host; else p++;
diff --git a/src/fe-common/core/formats.c b/src/fe-common/core/formats.c
index ccf4839..d9a5120 100644
--- a/src/fe-common/core/formats.c
+++ b/src/fe-common/core/formats.c
@@ -131,6 +131,8 @@ void unformat_24bit_color(char **ptr, int off, int *fgcolor, int *bgcolor, int *
 	unsigned char rgbx[4];
 	unsigned int i;
 	for (i = 0; i < 4; ++i) {
+		if ((*ptr)[i + off] == '\0')
+			return;
 		rgbx[i] = (*ptr)[i + off];
 	}
 	rgbx[3] -= 0x20;
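Review bot: the early `return` on a NUL inside the 4-byte window leaves `*fgcolor`, `*bgcolor` and the flags untouched and gives the caller no indication that the code was incomplete; since the advisory states that format_send_to_gui() advances the pointer unconditionally after this call, consider returning a success flag (or performing the advance inside this function only once all four bytes have been read) so the caller cannot step past the terminator on the strength of an unchecked result. The per-byte check before the copy is the right shape: the scan stops at the first NUL and never reads beyond it.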
@@ -1357,6 +1359,9 @@ void format_send_to_gui(TEXT_DEST_REC *dest, const char *text)
 					bgcolor = *ptr==(char)0xff ? -1 : *ptr-'0';
 				}
 			}
+			if (*ptr == '\0')
+				break;
+
 			ptr++;
 			break;
 		case 6:
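Review bot: `if (*ptr == '\0') break;` before the `ptr++` is what prevents the double increment described as bug 2, but the hunk does not show what the enclosing loop does after this `break`; confirm that the loop's own advance is also guarded, otherwise `ptr` still ends one past the terminator of `dup`. A one-line comment naming the truncated-colour-code case (and CVE-2016-7045) above the check would help future readers, because an unexplained `break` directly before a `ptr++` reads like dead code.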
diff --git a/src/fe-common/irc/fe-irc-channels.c b/src/fe-common/irc/fe-irc-channels.c
index a2737fc..0ec3000 100644
--- a/src/fe-common/irc/fe-irc-channels.c
+++ b/src/fe-common/irc/fe-irc-channels.c
@@ -41,7 +41,7 @@ int fe_channel_is_opchannel(IRC_SERVER_REC *server, const char *target)
 
 	statusmsg = g_hash_table_lookup(server->isupport, "statusmsg");
 	if (statusmsg == NULL)
-		statusmsg = "@+";
+		statusmsg = "@";
 
 	return strchr(statusmsg, *target) != NULL;
 }
@@ -61,12 +61,9 @@ const char *fe_channel_skip_prefix(IRC_SERVER_REC *server, const char *target)
 	statusmsg = g_hash_table_lookup(server->isupport, "statusmsg");
 
 	/* Hack: for bahamut 1.4 which sends neither STATUSMSG nor
-	 * WALLCHOPS in 005, accept @#chan and @+#chan (but not +#chan) */
-	if (statusmsg == NULL && *target != '@')
-		return target;
-
+	 * WALLCHOPS in 005 */
 	if (statusmsg == NULL)
-		statusmsg = "@+";
+		statusmsg = "@";
 
 	/* Strip the leading statusmsg prefixes */
 	while (strchr(statusmsg, *target) != NULL) {
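Review bot: the rewritten comment drops the explanation of why a default is needed at all; keep a sentence saying that servers such as bahamut 1.4 send neither STATUSMSG nor WALLCHOPS in 005 and that the default is now `@` only so that `+#chan` is treated as a modeless channel name rather than a voice-prefixed target (the `+channels` issue in NEWS, #533). The same literal `"@"` now appears in fe_channel_is_opchannel() in the previous hunk and in ischannel_func() in irc-servers.c; a single shared define would keep the three in sync.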
diff --git a/src/irc/core/irc-commands.c b/src/irc/core/irc-commands.c
index 6baf2f6..32ee884 100644
--- a/src/irc/core/irc-commands.c
+++ b/src/irc/core/irc-commands.c
@@ -1018,11 +1018,15 @@ void irc_commands_init(void)
 	command_bind_irc("trace", NULL, (SIGNAL_FUNC) command_self);
 	/* SYNTAX: VERSION [<server>|<nick>] */
 	command_bind_irc("version", NULL, (SIGNAL_FUNC) command_self);
+	/* SYNTAX: SERVLIST [<mask> [<type>]] */
+	command_bind_irc("servlist", NULL, (SIGNAL_FUNC) command_self);
 	/* SYNTAX: SILENCE [[+|-]<nick!user@host>]
 	           SILENCE [<nick>] */
 	command_bind_irc("silence", NULL, (SIGNAL_FUNC) command_self);
 	command_bind_irc("unsilence", NULL, (SIGNAL_FUNC) cmd_unsilence);
 	command_bind_irc("sconnect", NULL, (SIGNAL_FUNC) cmd_sconnect);
+	/* SYNTAX: SQUERY <service> [<message>] */
+	command_bind_irc("squery", NULL, (SIGNAL_FUNC) command_2self);
 	/* SYNTAX: DIE */
 	command_bind_irc("die", NULL, (SIGNAL_FUNC) command_self);
 	/* SYNTAX: HASH */
@@ -1091,9 +1095,11 @@ void irc_commands_deinit(void)
 	command_unbind("time", (SIGNAL_FUNC) command_self);
 	command_unbind("trace", (SIGNAL_FUNC) command_self);
 	command_unbind("version", (SIGNAL_FUNC) command_self);
+	command_unbind("servlist", (SIGNAL_FUNC) command_self);
 	command_unbind("silence", (SIGNAL_FUNC) command_self);
 	command_unbind("unsilence", (SIGNAL_FUNC) cmd_unsilence);
 	command_unbind("sconnect", (SIGNAL_FUNC) cmd_sconnect);
+	command_unbind("squery", (SIGNAL_FUNC) command_2self);
 	command_unbind("die", (SIGNAL_FUNC) command_self);
 	command_unbind("hash", (SIGNAL_FUNC) command_self);
 	command_unbind("oper", (SIGNAL_FUNC) cmd_oper);
diff --git a/src/irc/core/irc-servers.c b/src/irc/core/irc-servers.c
index 1df95f7..f905a86 100644
--- a/src/irc/core/irc-servers.c
+++ b/src/irc/core/irc-servers.c
@@ -89,8 +89,10 @@ static int ischannel_func(SERVER_REC *server, const char *data)
 		chantypes = "#&!+"; /* normal, local, secure, modeless */
 
 	statusmsg = g_hash_table_lookup(irc_server->isupport, "statusmsg");
-	if (statusmsg != NULL)
-		data += strspn(data, statusmsg);
+	if (statusmsg == NULL)
+		statusmsg = "@";
+
+	data += strspn(data, statusmsg);
 
 	/* strchr(3) considers the trailing NUL as part of the string, make sure
 	 * we didn't advance too much. */
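Review bot: dropping the `statusmsg != NULL` test means `strspn()` is now applied even when the server never advertised STATUSMSG, which is consistent with the fe-irc-channels.c change; since the `chantypes` fallback four lines above lists `+` as "modeless", a target such as `+foo` is now classified as a channel instead of being stripped as a prefix. That is the documented intent (#533) and is worth stating in the comment, and the trailing-NUL guard described just below the hunk must stay directly after this line now that the advance is unconditional.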
diff --git a/src/irc/core/sasl.c b/src/irc/core/sasl.c
index b74b6a8..f080ae5 100644
--- a/src/irc/core/sasl.c
+++ b/src/irc/core/sasl.c
@@ -71,7 +71,7 @@ static void sasl_fail(IRC_SERVER_REC *server, const char *data, const char *from
 
 	params = event_get_params(data, 2, NULL, &error);
 
-	signal_emit("server sasl fail", 2, server, error);
+	signal_emit("server sasl failure", 2, server, error);
 
 	/* Terminate the negotiation */
 	cap_finish_negotiation(server);
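Review bot: renaming the emitted signal from `server sasl fail` to `server sasl failure` is an API change visible to any Perl script bound to the old name; the docs/signals.txt hunk in this patch updates only `message private`, so add the new signal name there, and the NEWS entry `Correct the name of an emitted sasl signal (#484)` should say which name changed so script authors can grep for it.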
-- 
2.9.3


commit ff58e970e7f86badfffebdc8a1b7a0389dfce27b
Author: Ailin Nemui <ailin@z30a.localdomain>
Date:   Thu Sep 15 16:11:53 2016 +0200

    Patches for heap corruption and missing bounds check
    
    By Gabriel Campana and Adrien Guinet from Quarkslab.

diff --git a/src/fe-common/core/formats.c b/src/fe-common/core/formats.c
index 375b00e..aaf5890 100644
--- a/src/fe-common/core/formats.c
+++ b/src/fe-common/core/formats.c
@@ -131,6 +131,8 @@ void unformat_24bit_color(char **ptr, int off, int *fgcolor, int *bgcolor, int *
 	unsigned char rgbx[4];
 	unsigned int i;
 	for (i = 0; i < 4; ++i) {
+		if ((*ptr)[i + off] == '\0')
+			return;
 		rgbx[i] = (*ptr)[i + off];
 	}
 	rgbx[3] -= 0x20;
@@ -1354,6 +1356,9 @@ void format_send_to_gui(TEXT_DEST_REC *dest, const char *text)
 					bgcolor = *ptr==(char)0xff ? -1 : *ptr-'0';
 				}
 			}
+			if (*ptr == '\0')
+				break;
+
 			ptr++;
 			break;
 		case 6:
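Review bot: the commit message "Patches for heap corruption and missing bounds check" does not name CVE-2016-7044 and CVE-2016-7045; add both identifiers so distributions backporting this minimal fix can match it against the advisory. The two hunks are the same change as in the 0.8.19 -> 0.8.20 patch above, rebased to different line numbers (1354 instead of 1357 for the format_send_to_gui() hunk), so the review points raised there apply unchanged here.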
Comment 3 Swamp Workflow Management 2016-09-16 22:00:13 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2016-09-21 20:19:26 UTC
now public
Comment 5 Marcus Meissner 2016-09-21 20:20:38 UTC
http://irssi.org/security/irssi_sa_2016.txt

heap corruption and missing boundary checks
===========================================
CWE Classification: CWE-20, CWE-823, CWE-126, CWE-122

CVE-2016-7044 [1] was assigned to bug 1
CVE-2016-7045 [2] was assigned to bug 2


Description
-----------

Gabriel Campana and Adrien Guinet from Quarkslab reported two remote
crash and heap corruption vulnerabilities in Irssi's format parsing
code.

They also provided us with proof of concept exploit code and patches
to fix those issues.


Impact
------

Remote crash and heap corruption. Remote code execution seems
difficult since only Nuls are written.


Detailed analysis
-----------------

Based on analysis provided by Gabriel Campana and Adrien Guinet from
Quarkslab:

Bug 1

The unformat_24bit_color() function is called by format_send_to_gui()
to decode 24bit color codes into their components. The pointer is
advanced unconditionally without checking if a complete code was
supplied.

Thus, after the return of unformat_24bit_color(), ptr might be invalid
and point out of the buffer.

Bug 2

The format_send_to_gui() function does not validate the length of the
string before incrementing the `ptr' pointer in all cases.

If that happens, the pointer `ptr' can be incremented twice and thus
end past the boundaries of the original `dup' buffer.


Affected versions
-----------------

Irssi 0.8.17-beta up to and including 0.8.19 up to 0.8.19-219-g52fedea

Bug 1 affects only Irssis compiled with true-color enabled.
Bug 2 affects all Irssis regardless of compilation flags.


Fixed in
--------

Irssi 0.8.20


Recommended action
------------------

Upgrade to Irssi 0.8.20. Irssi 0.8.20 is a maintenance release
without any new features.

After installing the updated packages, one can issue the /upgrade
command to load the new binary. TLS connections will require
/reconnect. If the buf.pl script is loaded and symlinked into
~/.irssi/scripts/autorun, text buffer content will be saved and
restored.


Fallback action
---------------

Distributions which need to remain on Irssi 0.8.17 are strongly urged
to apply the patch and provide updated packages.

Those who cannot upgrade right now, but with Perl support enabled in
their Irssi, can load the following script and add it to
~/.irssi/scripts/autorun as a first aid to mitigating these issues: 

https://irssi.org/security/sa_patch.pl


Patch
-----

https://github.com/irssi/irssi/commit/295a4b77f07f14602eeaa371f00ddbf09910c82b


References
----------
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7044
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7045
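The "Detailed analysis" section above describes both bugs as the same class of defect: a parser that copies a fixed number of bytes (bug 1) or advances a pointer (bug 2) without first checking for the string terminator. The following is an added example, not irssi's code: a stand-alone C model of the bounds-checked decoder that the formats.c patch introduces. The 4-byte `rgbx` layout and the `rgbx[3] -= 0x20` adjustment mirror the visible hunk; the surrounding toy format (an escape byte `0x04` followed by `#` introduces a colour code, everything else is literal text), the function names and the sample strings are constructed for this example and are not irssi's format syntax.

```c
#include <stdio.h>
#include <string.h>

/* Decoded 24-bit colour: red, green, blue and the extra byte that irssi's
 * hunk stores in rgbx[3] after subtracting 0x20. */
typedef struct { unsigned char r, g, b, x; } rgbx_t;

/* Bounds-checked decode of the 4 bytes at s[off..off+3], modelled on the
 * patched unformat_24bit_color() loop: every byte is tested for the
 * terminator before it is copied, so a truncated code is detected without
 * reading past the end of the string. Returns 1 on success and 0 when the
 * code is truncated; on 0 the output is left untouched (the hunk's early
 * return behaves the same way, which is why the caller must also stop). */
int decode_24bit_color(const char *s, int off, rgbx_t *out)
{
    unsigned char rgbx[4];
    int i;

    for (i = 0; i < 4; ++i) {
        if (s[i + off] == '\0')
            return 0;
        rgbx[i] = (unsigned char)s[i + off];
    }
    rgbx[3] -= 0x20;
    out->r = rgbx[0];
    out->g = rgbx[1];
    out->b = rgbx[2];
    out->x = rgbx[3];
    return 1;
}

/* Toy format scanner (constructed for this example, not irssi's syntax):
 * the byte 0x04 followed by '#' introduces a 24-bit colour code made of
 * the next four bytes; any other byte is literal text copied into out.
 * Mirrors the second hunk: when a code is truncated the loop breaks
 * without advancing, instead of stepping past the terminator.
 * Returns the number of colour codes decoded and sets *truncated to 1 if
 * the text ended inside a colour code. */
int scan_format(const char *text, char *out, size_t outsz, int *truncated)
{
    const char *p = text;
    size_t n = 0;
    int codes = 0;

    *truncated = 0;
    while (*p != '\0') {
        if (*p == 0x04 && p[1] == '#') {
            rgbx_t c;
            /* p + 1 points at '#'; off = 1 skips it, as in the hunk. */
            if (!decode_24bit_color(p + 1, 1, &c)) {
                /* Truncated code: stop here, do not advance past the NUL. */
                *truncated = 1;
                break;
            }
            codes++;
            p += 6; /* 0x04, '#', r, g, b, x */
            continue;
        }
        if (n + 1 < outsz)
            out[n++] = *p;
        p++;
    }
    if (outsz > 0)
        out[n] = '\0';
    return codes;
}

int main(void)
{
    char out[64];
    int truncated;
    int codes;

    /* Constructed sample: one complete colour code between "ab" and "cd". */
    codes = scan_format("ab\x04#\x10\x20\x30\x21" "cd", out, sizeof out, &truncated);
    printf("codes=%d truncated=%d text=\"%s\"\n", codes, truncated, out);

    /* Constructed sample: the string ends two bytes into the colour code. */
    codes = scan_format("ab\x04#\x10\x20", out, sizeof out, &truncated);
    printf("codes=%d truncated=%d text=\"%s\"\n", codes, truncated, out);
    return 0;
}
```

The important property is in the second sample: the unpatched logic would copy four bytes regardless and then advance, leaving the pointer beyond the terminator of a heap buffer, while the checked version reports truncation and leaves the pointer where the terminator was found.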
Comment 6 Bernhard Wiedemann 2016-09-21 22:00:28 UTC
This is an autogenerated message for OBS integration:
This bug (999199) was mentioned in
https://build.opensuse.org/request/show/429372 Factory / irssi
Comment 7 Marcus Meissner 2016-10-06 11:43:59 UTC
i just bumped the version to 0.8.20 on 13.2, leap 42.1 and backports.
Comment 8 Swamp Workflow Management 2016-10-13 14:09:19 UTC
openSUSE-SU-2016:2524-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001215,999199
CVE References: CVE-2016-7044,CVE-2016-7045,CVE-2016-7553
Sources used:
openSUSE Leap 42.1 (src):    irssi-0.8.20-6.1
openSUSE 13.2 (src):    irssi-0.8.20-3.4.1