Debian: DSA-4016-1: irssi security update

    Date: 03 Nov 2017
    Category: Debian
    Posted by: LinuxSecurity Advisories
    
    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-4016-1
    https://www.debian.org/security/                     Salvatore Bonaccorso
    November 03, 2017                     https://www.debian.org/security/faq
    - -------------------------------------------------------------------------
    
    Package        : irssi
    CVE ID         : CVE-2017-10965 CVE-2017-10966 CVE-2017-15227 CVE-2017-15228
                     CVE-2017-15721 CVE-2017-15722 CVE-2017-15723
    Debian Bug     : 867598 879521
    
    Multiple vulnerabilities have been discovered in Irssi, a terminal based
    IRC client. The Common Vulnerabilities and Exposures project identifies
    the following problems:
    
    CVE-2017-10965
    
        Brian 'geeknik' Carpenter of Geeknik Labs discovered that Irssi does
        not properly handle receiving messages with invalid time stamps. A
        malicious IRC server can take advantage of this flaw to cause Irssi
        to crash, resulting in a denial of service.
    
    CVE-2017-10966
    
        Brian 'geeknik' Carpenter of Geeknik Labs discovered that Irssi is
        susceptible to a use-after-free flaw triggered while updating the
        internal nick list. A malicious IRC server can take advantage of
        this flaw to cause Irssi to crash, resulting in a denial of service.
    
    CVE-2017-15227
    
        Joseph Bisch discovered that while waiting for the channel
        synchronisation, Irssi may incorrectly fail to remove destroyed
        channels from the query list, resulting in use after free conditions
        when updating the state later on. A malicious IRC server can take
        advantage of this flaw to cause Irssi to crash, resulting in a
        denial of service.
    
    CVE-2017-15228
    
        Hanno Boeck reported that Irssi does not properly handle installing
        themes with unterminated colour formatting sequences, leading to a
        denial of service if a user is tricked into installing a specially
        crafted theme.
    
    CVE-2017-15721
    
        Joseph Bisch discovered that Irssi does not properly handle
        incorrectly formatted DCC CTCP messages. A malicious IRC server can
        take advantage of this flaw to cause Irssi to crash, resulting in a
        denial of service.
    
    CVE-2017-15722
    
        Joseph Bisch discovered that Irssi does not properly verify Safe
        channel IDs. A malicious IRC server can take advantage of this flaw
        to cause Irssi to crash, resulting in a denial of service.
    
    CVE-2017-15723
    
        Joseph Bisch reported that Irssi does not properly handle overlong
        nicks or targets resulting in a NULL pointer dereference when
        splitting the message and leading to a denial of service.
    
    For the oldstable distribution (jessie), these problems have been fixed
    in version 0.8.17-1+deb8u5.
    
    For the stable distribution (stretch), these problems have been fixed in
    version 1.0.2-1+deb9u3. CVE-2017-10965 and CVE-2017-10966 were already
    fixed in an earlier point release.
    
    We recommend that you upgrade your irssi packages.
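    The advisory gives two fixed versions, one per release. As an added example (not part of the advisory, and not Debian's own tooling), the following Python script checks an installed irssi version against those fixed versions. It reimplements the dpkg version-comparison algorithm (modelled on dpkg's verrevcmp: epoch, then upstream version, then Debian revision, with alternating non-digit and numeric runs and `~` sorting before everything) so the check also runs off a Debian host; the dpkg-query output it parses is a constructed sample. On a real Debian system, `dpkg --compare-versions` is the authoritative check.

```python
"""Check whether an installed irssi version carries the DSA-4016-1 fix.

Added example, not part of the advisory.  FIXED_VERSIONS holds the versions
the advisory states; the comparison follows dpkg's verrevcmp algorithm.
"""

# Fixed versions stated in DSA-4016-1, keyed by Debian release codename.
FIXED_VERSIONS = {
    "jessie": "0.8.17-1+deb8u5",
    "stretch": "1.0.2-1+deb9u3",
}


def _order(c):
    """dpkg character ordering for non-digit runs: '~' sorts before anything
    (even end of string), digits/end-of-string are 0, letters sort by code
    point and every other character sorts after all letters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _char(s, i):
    """Character at index i, or "" once past the end (like C's NUL)."""
    return s[i] if i < len(s) else ""


def verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does:
    alternate non-digit runs (via _order) and numeric runs (as integers,
    leading zeros ignored). Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: first differing character decides.
        while (_char(a, i) and not _char(a, i).isdigit()) or \
              (_char(b, j) and not _char(b, j).isdigit()):
            ac, bc = _order(_char(a, i)), _order(_char(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, compare digit by digit and
        # remember the first difference; the longer run is the larger number.
        while _char(a, i) == "0":
            i += 1
        while _char(b, j) == "0":
            j += 1
        first_diff = 0
        while _char(a, i).isdigit() and _char(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _char(a, i).isdigit():
            return 1
        if _char(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 as Debian version a is older than, equal to or
    newer than b (epoch first, then upstream, then revision)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return verrevcmp(ua, ub) or verrevcmp(ra, rb)


def is_fixed(release, installed):
    """True if the installed irssi version is at or above the fixed version
    the advisory states for the given release codename."""
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0


def version_from_dpkg_query(output):
    """Parse the output of: dpkg-query -W -f='${Version}\\n' irssi"""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    return lines[0] if lines else None


if __name__ == "__main__":
    # Constructed sample of dpkg-query output on an unpatched stretch host.
    sample_output = "1.0.2-1+deb9u2\n"
    installed = version_from_dpkg_query(sample_output)
    state = "fixed" if is_fixed("stretch", installed) else "VULNERABLE, upgrade"
    print(f"irssi {installed} on stretch: {state}")
```

    Run on a Debian host, the `sample_output` string would be replaced by the real `dpkg-query` output; any version newer than the stated fixed version (a later point release, or a newer upstream) also counts as fixed, which is why the check is "at or above" rather than an exact match.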
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/
    
    