Your message dated Sat, 24 Sep 2016 16:53:24 +0000
with message-id <[email protected]>
and subject line Re: Accepted irssi 0.8.20-2 (source amd64) into unstable
has caused the Debian Bug report #838762,
regarding irssi: information disclosure vulnerability in buf.pl (CWE-732, 
CWE-538)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
838762: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838762
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: irssi
Version: 0.8.20
Severity: important
Tags: security patch upstream

Hi,

as discussed on irc, it seems irssi in Debian is still affected by
https://irssi.org/2016/09/22/buf.pl-update/

To quote from there:

---beginn---
buf.pl update available

Posted on September 22nd 2016 

An information disclosure vulnerability was found, reported and fixed in the 
buf.pl script by its author.

CWE Classification: CWE-732, CWE-538
Impact

Other users on the same machine may be able to retrieve the whole window 
contents after /UPGRADE when the buf.pl script is loaded. Furthermore, this 
dump of the windows contents is never removed afterwards.

Since buf.pl is also an Irssi core script and we recommended its use to retain 
your window content, many people could potentially be affected by this.

Remote users may be able to retrieve these contents when combined with other 
path traversal vulnerabilities in public facing services on that machine.
Detailed analysis

buf.pl restores the scrollbuffer between “/upgrade”s by writing the contents to 
a file, and reading that after the new process was spawned. Through that file, 
the contents of (private) chat conversations may leak to other users.
Mitigating facts

Careful users with a limited umask (e.g. 077) are not affected by this bug. 
However, most Linux systems default to a umask of 022, meaning that files 
written without further restricting the permissions, are readable by any user.
Affected versions

All up to 2.13
Fixed versions

buf.pl 2.20
Resolution

Update the buf.pl script with the latest version from scripts.irssi.org.

---end---

Thanks for maintaining irssi!


-- 
cheers,
        Holger

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
version: 0.8.20-2
thanks

On Sat, Sep 24, 2016 at 04:43:52PM +0000, Rhonda D'Vine wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Format: 1.8
> Date: Sat, 24 Sep 2016 16:10:19 +0200
> Source: irssi
> Binary: irssi irssi-dev
> Architecture: source amd64
> Version: 0.8.20-2
> Distribution: unstable
> Urgency: high
> Maintainer: Rhonda D'Vine <[email protected]>
> Changed-By: Rhonda D'Vine <[email protected]>
> Description:
>  irssi      - terminal based IRC client
>  irssi-dev  - terminal based IRC client - development files
> Changes:
>  irssi (0.8.20-2) unstable; urgency=high
>  .
>    * New patch 23fix-buf.pl to fix an information exposure issue involved with
>      using buf.pl and /upgrade.
> Checksums-Sha1:
>  def03f586553e19592a5bfe7a0cadb4543a0feb1 1903 irssi_0.8.20-2.dsc
>  8372c1a9efb370cb6521f8bb76c38920286fbcc2 19808 irssi_0.8.20-2.debian.tar.xz
>  5836793d1294143019ba8457dd3277d1120bcb37 2926256 
> irssi-dbgsym_0.8.20-2_amd64.deb
>  685cbb6597ede7775a2e54e518059a9f26952780 423014 irssi-dev_0.8.20-2_amd64.deb
>  ab976cdf6c35fb1324eeb6a6d4214878d86abc2c 1038988 irssi_0.8.20-2_amd64.deb
> Checksums-Sha256:
>  52b348a2c581b089f6d7aeeada9fb3a17e5921aa2711393c4471ec7547dc5c72 1903 
> irssi_0.8.20-2.dsc
>  656ac9fc1d04e68359fdb6d698fbab21b00ec85e4285fc5310904601d8dad474 19808 
> irssi_0.8.20-2.debian.tar.xz
>  ea502f720f265862e4205e6d68a427dc9a469f2de1ac03d573bea786cbe881e0 2926256 
> irssi-dbgsym_0.8.20-2_amd64.deb
>  90785529dd1becf16c5b537ffff4632bdc0a9a0668ecba1b7b5727176650fadc 423014 
> irssi-dev_0.8.20-2_amd64.deb
>  d161dab036c50f0f3f5b01b3ab7a887269b6fdcd149c00ad7b6f9f3756cc85f4 1038988 
> irssi_0.8.20-2_amd64.deb
> Files:
>  c97743eabb40965e2c02cc188129bde6 1903 net optional irssi_0.8.20-2.dsc
>  71c2e999fbcbce3b8b8218ebfb652a0a 19808 net optional 
> irssi_0.8.20-2.debian.tar.xz
>  aef50ad6a29457171d16bdc66e85e0e7 2926256 debug extra 
> irssi-dbgsym_0.8.20-2_amd64.deb
>  e88f45a5a8519880519c476c9f597a29 423014 net extra 
> irssi-dev_0.8.20-2_amd64.deb
>  256a120a310d0dc4b630e5e8cb936aa3 1038988 net optional 
> irssi_0.8.20-2_amd64.deb
> 
 

-- 
cheers,
        Holger

Attachment: signature.asc
Description: Digital signature


--- End Message ---

Reply via email to