ArchLinux: 201701-14: irssi: multiple issues
Summary
- CVE-2017-5193 (denial of service)
A NULL pointer dereference has been discovered in the nickcmp function,
leading to an application crash.
- CVE-2017-5194 (arbitrary code execution)
A use after free vulnerability has been discovered when receiving an
invalid nick message potentially leading to arbitrary code execution.
- CVE-2017-5195 (denial of service)
An out-of-bounds read has been discovered when handling certain incomplete
control codes, leading to an application crash.
- CVE-2017-5196 (denial of service)
An out-of-bounds read has been discovered when handling certain incomplete
character sequences, leading to an application crash.
Resolution
Upgrade to 0.8.21-1.
# pacman -Syu "irssi>=0.8.21-1"
The problems have been fixed upstream in version 0.8.21.
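An added check, not part of the advisory or of the irssi project: a POSIX shell snippet that reports whether an installed irssi package version already meets the fixed 0.8.21-1. It assumes plain dotted pkgver-pkgrel strings (sufficient for irssi's release versions); pacman's own vercmp remains the authoritative comparison.

```shell
#!/bin/sh
# Fixed version from the advisory; the comparison logic below is an added,
# simplified stand-in for pacman's vercmp (numeric dotted pkgver, numeric pkgrel).
FIXED_IRSSI_VERSION="0.8.21-1"

# compare_pkgver A B: prints -1, 0 or 1 as A is older than, equal to or newer than B.
compare_pkgver() {
  a_ver=${1%-*}; b_ver=${2%-*}
  # A version without a "-pkgrel" suffix is treated as release 0.
  case "$1" in *-*) a_rel=${1##*-} ;; *) a_rel=0 ;; esac
  case "$2" in *-*) b_rel=${2##*-} ;; *) b_rel=0 ;; esac
  # Compare the dotted pkgver field by field; a missing field counts as 0.
  a_rest="$a_ver."; b_rest="$b_ver."
  while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
    a_f=${a_rest%%.*}; a_rest=${a_rest#*.}
    b_f=${b_rest%%.*}; b_rest=${b_rest#*.}
    a_f=${a_f:-0}; b_f=${b_f:-0}
    if [ "$a_f" -lt "$b_f" ]; then echo -1; return; fi
    if [ "$a_f" -gt "$b_f" ]; then echo 1; return; fi
  done
  # Equal pkgver: the package release decides.
  if [ "$a_rel" -lt "$b_rel" ]; then echo -1
  elif [ "$a_rel" -gt "$b_rel" ]; then echo 1
  else echo 0; fi
}

# irssi_is_fixed VERSION: succeeds when VERSION is at or above the fixed release.
irssi_is_fixed() {
  [ "$(compare_pkgver "$1" "$FIXED_IRSSI_VERSION")" -ge 0 ]
}

# On an Arch host, "pacman -Q irssi" prints "irssi <version>"; skipped elsewhere.
if installed=$(pacman -Q irssi 2>/dev/null); then
  ver=${installed#irssi }
  if irssi_is_fixed "$ver"; then
    echo "irssi $ver: at or above $FIXED_IRSSI_VERSION, fixed"
  else
    echo "irssi $ver: affected, upgrade to $FIXED_IRSSI_VERSION"
  fi
fi
```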
References
https://irssi.org/security/irssi_sa_2017_01.txt
https://www.openwall.com/lists/oss-security/2017/01/05/2
https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d
https://security.archlinux.org/CVE-2017-5193
https://security.archlinux.org/CVE-2017-5194
https://security.archlinux.org/CVE-2017-5195
https://security.archlinux.org/CVE-2017-5196
Workaround
None.