Bug#1033785: irssi: CVE-2023-29132

2023-04-01 Thread Salvatore Bonaccorso
On Sat, Apr 01, 2023 at 10:36:56AM +0200, Salvatore Bonaccorso wrote:
> Source: irssi
> Version: 1.4.3-1
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> 
> 
> Hi,
> 
> The following vulnerability was published for irssi.
> 
> CVE-2023-29132[0]:
> | Irssi SA-2023-03 / Use after free in printing routine

Just to be clear, the following are mitigating facts:

The precondition for this issue is printing a non-formatted line during
the printing of a formatted line. This is unlikely to happen without
scripts, and is obscured by the slice allocator when using GLib before
version 2.77.

*but* I still filed it for now as RC, as the fix is very isolated,
and good to be included in bookworm already.

Regards,
Salvatore



Bug#1033785: irssi: CVE-2023-29132

2023-04-01 Thread Salvatore Bonaccorso
Source: irssi
Version: 1.4.3-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for irssi.

CVE-2023-29132[0]:
| Irssi SA-2023-03 / Use after free in printing routine

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-29132
https://www.cve.org/CVERecord?id=CVE-2023-29132
[1] https://irssi.org/security/irssi_sa_2023_03.txt
[2] https://github.com/irssi/irssi/commit/c554a45738712219c066897b09a44d99afeb4240

Regards,
Salvatore