Your message dated Mon, 06 Nov 2017 16:20:53 +0000
with message-id <e1ebk8r-0000xf...@fasolo.debian.org>
and subject line Bug#879521: fixed in irssi 1.0.5-1
has caused the Debian Bug report #879521,
regarding irssi: multiple vulnerabilities fixed in irssi 1.0.5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
879521: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879521
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: irssi
Severity: grave
Tags: security
Justification: user security hole

Hi,

irssi 1.0.5 has been released, fixing multiple vulnerabilities

(a) When installing themes with unterminated colour formatting
    sequences, Irssi may access data beyond the end of the
    string. (CWE-126) Found by Hanno Böck.

    CVE-2017-15228 was assigned to this issue.

(b) While waiting for the channel synchronisation, Irssi may
    incorrectly fail to remove destroyed channels from the query list,
    resulting in use after free conditions when updating the state
    later on. Found by Joseph Bisch. (CWE-416 caused by CWE-672)

    CVE-2017-15227 was assigned to this issue.

(c) Certain incorrectly formatted DCC CTCP messages could cause NULL
    pointer dereference. Found by Joseph Bisch. This is a separate,
    but similar issue to CVE-2017-9468. (CWE-690)

    CVE-2017-15721 was assigned to this issue.

(d) Overlong nicks or targets may result in a NULL pointer dereference
    while splitting the message. Found by Joseph Bisch. (CWE-690)

    CVE-2017-15723 was assigned to this issue.

(e) In certain cases Irssi may fail to verify that a Safe channel ID
    is long enough, causing reads beyond the end of the string. Found
    by Joseph Bisch. (CWE-126)

    CVE-2017-15722 was assigned to this issue.

Can you prepare updates for sid, stretch and jessie (please coordinate with 
security team at t...@security.debian.org for the latter two)? Please add CVE 
numbers to the changelog so we can track them easily.

Regards,
-- 
Yves-Alexis
Debian security team

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
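Two of the five issues listed above, (a) and (e), are the same class of defect: walking a string by a fixed offset, or scanning for a terminator, without first confirming that those bytes exist. The following is an added C illustration of what the hardened checks look like in general; it is not irssi's code and not part of this bug report. The colour syntax is an assumption (the mIRC ^C convention of \x03 followed by up to two digits and an optional ",NN"), and the safe-channel layout is the RFC 2811 one of "!" plus a five-character ID of uppercase letters and digits. Function and constant names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SAFE_CHANNEL_ID_LEN 5   /* RFC 2811: '!' + 5-character ID + name */

/* Return a pointer to the channel name with the safe-channel ID stripped.
 * Non-safe channels are returned unchanged. Returns NULL when the string is
 * shorter than '!' + 5 characters or the ID contains characters outside
 * [A-Z0-9]. The unsafe variant of this is a bare `channel + 6`, which on
 * input like "!AB" points past the NUL terminator, the read described in (e). */
const char *skip_safe_channel_id(const char *channel)
{
    if (channel == NULL || channel[0] != '!')
        return channel;
    for (size_t i = 1; i <= SAFE_CHANNEL_ID_LEN; i++) {
        /* Test for NUL before looking at anything else: every index we
         * touch is known to be inside the string before we advance. */
        if (channel[i] == '\0')
            return NULL;
        if (!isupper((unsigned char)channel[i]) &&
            !isdigit((unsigned char)channel[i]))
            return NULL;
    }
    return channel + 1 + SAFE_CHANNEL_ID_LEN;
}

/* Copy `in` to `out` with colour codes removed; returns bytes written.
 * An unterminated code (a bare \x03 as the last byte) must not make the
 * scanner step over the NUL. isdigit('\0') is false, so every loop below
 * halts at the terminator, which is the property (a) was missing. */
size_t strip_colour_codes(const char *in, char *out, size_t out_size)
{
    size_t o = 0;
    const char *p = in;

    if (out_size == 0)
        return 0;
    while (*p != '\0' && o + 1 < out_size) {
        if (*p != '\x03') {
            out[o++] = *p++;
            continue;
        }
        p++;                                   /* step over the \x03 itself */
        int n = 0;
        while (n < 2 && isdigit((unsigned char)*p)) { p++; n++; }   /* foreground */
        /* ',' only belongs to the code if a digit follows; p[1] is safe to
         * read because *p == ',' guarantees we are not at the terminator. */
        if (n > 0 && *p == ',' && isdigit((unsigned char)p[1])) {
            p++;
            n = 0;
            while (n < 2 && isdigit((unsigned char)*p)) { p++; n++; }   /* background */
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed inputs: a well-formed code, a code cut off after \x03,
     * a full safe channel, and a truncated one. */
    const char *coloured[] = { "hi \x03" "04,12there", "trailing\x03" };
    const char *channels[] = { "!ABC12#debian", "!AB", "#debian" };
    char buf[64];

    for (size_t i = 0; i < 2; i++) {
        strip_colour_codes(coloured[i], buf, sizeof buf);
        printf("stripped: \"%s\"\n", buf);
    }
    for (size_t i = 0; i < 3; i++) {
        const char *name = skip_safe_channel_id(channels[i]);
        printf("%-14s -> %s\n", channels[i], name ? name : "(rejected: too short or malformed)");
    }
    return 0;
}
```

The point of both functions is that the check is made on the byte about to be read, not derived from an assumed minimum length; a fuzzer feeding truncated inputs (the kind of case Hanno Böck and Joseph Bisch reported) then hits the rejection path instead of an out-of-bounds read.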
--- Begin Message ---
Source: irssi
Source-Version: 1.0.5-1

We believe that the bug you reported is fixed in the latest version of
irssi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rhonda D'Vine <rho...@debian.org> (supplier of updated irssi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 06 Nov 2017 16:24:38 +0100
Source: irssi
Binary: irssi irssi-dev
Architecture: source amd64
Version: 1.0.5-1
Distribution: unstable
Urgency: high
Maintainer: Rhonda D'Vine <rho...@debian.org>
Changed-By: Rhonda D'Vine <rho...@debian.org>
Description:
 irssi      - terminal based IRC client
 irssi-dev  - terminal based IRC client - development files
Closes: 879521
Changes:
 irssi (1.0.5-1) unstable; urgency=high
 .
   * New upstream bugfix release (closes: #879521):
     - Fix missing -sasl_method '' in /NETWORK.
     - Fix incorrect restoration of term state when hitting SUSP
       inside screen.
     - Fix out of bounds read when compressing colour
       sequences. Found by Hanno Böck. [CVE-2017-15228]
     - Fix use after free condition during a race condition when
       waiting on channel sync during a rejoin [CVE-2017-15227]
     - Fix null pointer dereference when parsing certain malformed
       CTCP DCC messages. [CVE-2017-15721]
     - Fix crash due to null pointer dereference when failing to
       split messages due to overlong nick or target. [CVE-2017-15723]
     - Fix out of bounds read when trying to skip a safe channel ID
       without verifying that the ID is long enough. [CVE-2017-15722]
     - Fix return of random memory when inet_ntop failed.
     - Minor statusbar help update.
   * Remove deprecated --with autotools_dev call to dh.
   * Bump Standards-Version to 4.1.1.
   * Change priority of irssi-dev from deprecated extra to optional.
   * Use pkg-info.mk in debian/rules instead of calling dpkg-parsechangelog
     directly.
Checksums-Sha1:
 b56b9aaa3574c322b6ed64c77ecd2f2d64253277 2151 irssi_1.0.5-1.dsc
 13893183e596c4022d98724ad403328a74056cd7 1032308 irssi_1.0.5.orig.tar.xz
 d40d9648e92fe9a52dd34b566780684235accd9c 195 irssi_1.0.5.orig.tar.xz.asc
 d2dbb435bccda3ae71426618714d94b6bf4a428a 19884 irssi_1.0.5-1.debian.tar.xz
 c870c8de8f6adf83eae38ad0aa7fd8b661baa5c9 2963896 irssi-dbgsym_1.0.5-1_amd64.deb
 778b6b2ecc4887e710868c37d5270f7f741a63b7 452136 irssi-dev_1.0.5-1_amd64.deb
 5c866e8a7b78a835c65e649467c8655661519745 7159 irssi_1.0.5-1_amd64.buildinfo
 0d5df3a17683a5d42b510c2916ed28dbbfd65407 1083528 irssi_1.0.5-1_amd64.deb
Checksums-Sha256:
 3ca30faa5f73f3b52e8b2bbb80b4cd2b726f58d880bd66102fca82c79d8a15f9 2151 irssi_1.0.5-1.dsc
 c2556427e12eb06cabfed40839ac6f57eb8b1aa6365fab6dfcd331b7a04bb914 1032308 irssi_1.0.5.orig.tar.xz
 876f23ecbb27956d5f5f0fb2dab4035d75a4f23e64c7c4d84436a5e62b8460b1 195 irssi_1.0.5.orig.tar.xz.asc
 3478e90572fb92f2601ca96fc6c99d7b5a262e3bcf9fd8ff25ef1e1d049a1bb5 19884 irssi_1.0.5-1.debian.tar.xz
 6bb23ee3dfe32e374cec3d31c1243774895d513a8194693a65a850a9943e64b3 2963896 irssi-dbgsym_1.0.5-1_amd64.deb
 74f2f60e52dd58f6e354e677d6716bdd676c5e680a8a2ca9fa2161e3078abca1 452136 irssi-dev_1.0.5-1_amd64.deb
 17b09e70b4374e5bf6e850c7046f0ad143b20f1397dda21737edbb36e8fa5f04 7159 irssi_1.0.5-1_amd64.buildinfo
 1dbce44cc76b20db1a8ce06905223ffd055e59c59bb9522f072ffbe388bc074d 1083528 irssi_1.0.5-1_amd64.deb
Files:
 23049c3c5c839d39eb3e0759f43f932f 2151 net optional irssi_1.0.5-1.dsc
 21357ac5e9970fa0c79ca971a9a01270 1032308 net optional irssi_1.0.5.orig.tar.xz
 df7eef66faf0620d0b26decf3ddaf43d 195 net optional irssi_1.0.5.orig.tar.xz.asc
 b19a4a9d848dfb9782bec430da4b43d7 19884 net optional irssi_1.0.5-1.debian.tar.xz
 4aa6ddb64ee9562680ea867b6c1013f5 2963896 debug optional irssi-dbgsym_1.0.5-1_amd64.deb
 590907ea3401003795878c0e4c15065e 452136 net optional irssi-dev_1.0.5-1_amd64.deb
 4076739ce9ef711be22959ebf416305b 7159 net optional irssi_1.0.5-1_amd64.buildinfo
 371c4021692bef64da5926e053c5cb91 1083528 net optional irssi_1.0.5-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---