ArchLinux: 201609-20: irssi: arbitrary code execution
Summary
The format_send_to_gui() function does not validate the length of the string
before incrementing the `ptr' pointer in all cases.
If that happens, the pointer `ptr' can be incremented twice and thus end past
the boundaries of the original `dup' buffer.
Remote code execution might be difficult since only Nuls are written.
Resolution
Upgrade to 0.8.20-1.
# pacman -Syu "irssi>=0.8.20-1"
The problem has been fixed upstream in version 0.8.20.
References
https://irssi.org/security/irssi_sa_2016.txt https://www.openwall.com/lists/oss-security/2016/09/21/11 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7045
Workaround
None.