irssi: CVE-2017-9468 CVE-2017-9469

Related Vulnerabilities: CVE-2017-9468   CVE-2017-9469  

Debian Bug report logs - #864400
irssi: CVE-2017-9468 CVE-2017-9469


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 8 Jun 2017 05:33:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version irssi/0.8.17-1

Fixed in versions 1.0.3-1, irssi/1.0.2-1+deb9u1, irssi/0.8.17-1+deb8u4

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rhonda D'Vine <rhonda@debian.org>:
Bug#864400; Package src:irssi. (Thu, 08 Jun 2017 05:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rhonda D'Vine <rhonda@debian.org>. (Thu, 08 Jun 2017 05:33:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: irssi: CVE-2017-9468 CVE-2017-9469
Date: Thu, 08 Jun 2017 07:28:18 +0200
Source: irssi
Version: 0.8.17-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerabilities were published for irssi.

CVE-2017-9468[0]:
| In Irssi before 1.0.3, when receiving a DCC message without source
| nick/host, it attempts to dereference a NULL pointer. Thus, remote IRC
| servers can cause a crash.

CVE-2017-9469[1]:
| In Irssi before 1.0.3, when receiving certain incorrectly quoted DCC
| files, it tries to find the terminating quote one byte before the
| allocated memory. Thus, remote attackers might be able to cause a
| crash.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9468
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9468
[1] https://security-tracker.debian.org/tracker/CVE-2017-9469
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9469
[2] https://irssi.org/security/irssi_sa_2017_06.txt
[3] https://github.com/irssi/irssi/commit/fb08fc7f1aa6b2e616413d003bf021612301ad55

Regards,
Salvatore
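The second advisory text above describes a one-byte read before the allocated buffer while looking for the closing quote of a DCC file name. The following is an added defensive illustration, not irssi's code and not the referenced upstream commit: a counter for how many whitespace-split DCC parameters a quoted file name spans, written so that an empty parameter or a lone `"` can never drive an index before the start of the string. The function name and the parameter layout are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not irssi's get_file_params_count): count how many
 * whitespace-split DCC SEND parameters make up the file name.  A quoted
 * name may span several parameters ("my file.txt" -> "\"my", "file.txt\"").
 * Returns the count, or 0 when the quoting is malformed or unterminated.
 *
 * Defensive points, in the spirit of the CVE-2017-9469 fix:
 *  - never evaluate params[i][len - 1] when len == 0 (that would be a
 *    one-byte read before the allocation);
 *  - a lone '"' parameter cannot serve as both the opening and the
 *    closing quote. */
int dcc_file_param_count(const char **params, int paramcount)
{
    int i;
    size_t len;

    if (paramcount <= 0 || params == NULL || params[0] == NULL)
        return 0;

    /* Unquoted name: exactly one parameter. */
    if (params[0][0] != '"')
        return 1;

    for (i = 0; i < paramcount; i++) {
        if (params[i] == NULL)
            return 0;
        len = strlen(params[i]);
        /* An empty parameter has no last byte to inspect. */
        if (len == 0)
            continue;
        /* On the first parameter index 0 is the opening quote; require at
         * least one more byte before it can also be the closing quote. */
        if (i == 0 && len < 2)
            continue;
        if (params[i][len - 1] == '"')
            return i + 1;
    }
    return 0; /* no closing quote found: treat as malformed, do not guess */
}
```

A caller that gets 0 back should reject the DCC request rather than fall back to a guessed file name.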



Reply sent to Rhonda D'Vine <rhonda@deb.at>:
You have taken responsibility. (Thu, 08 Jun 2017 14:15:08 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 08 Jun 2017 14:15:08 GMT) (full text, mbox, link).


Message #10 received at 864400-done@bugs.debian.org (full text, mbox, reply):

From: Rhonda D'Vine <rhonda@deb.at>
To: 864400-done@bugs.debian.org
Subject: 1.0.3-1 uploaded
Date: Thu, 8 Jun 2017 16:14:34 +0200
Version: 1.0.3-1

    Hi,

 sorry, only saw this bug report after I uploaded the package.  I got
notified by upstream already and we weren't even aware that CVEs got
assigned. :)

 My bad, will look into the BTS next time before I upload.  I plan to
push the referenced commit to stretch, jessie, and potentially also
wheezy.  It might just take me a bit.

 Enjoy,
Rhonda
-- 
Feeling discouraged? Then finally take courage, go   |
Feeling helpless? Go out and help, go                | Wir sind Helden
Feeling powerless? Go out and act, go                | 23.55: Alles auf Anfang
Feeling adrift? Find a hold and let go               |



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 24 Jun 2017 14:51:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 24 Jun 2017 14:51:05 GMT) (full text, mbox, link).


Message #15 received at 864400-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 864400-close@bugs.debian.org
Subject: Bug#864400: fixed in irssi 1.0.2-1+deb9u1
Date: Sat, 24 Jun 2017 14:48:09 +0000
Source: irssi
Source-Version: 1.0.2-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
irssi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864400@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated irssi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 17 Jun 2017 15:21:44 +0200
Source: irssi
Binary: irssi irssi-dev
Architecture: source
Version: 1.0.2-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Rhonda D'Vine <rhonda@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 864400
Description: 
 irssi      - terminal based IRC client
 irssi-dev  - terminal based IRC client - development files
Changes:
 irssi (1.0.2-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix dcc_request where addr is NULL (CVE-2017-9468) (Closes: #864400)
   * Fix oob read of one byte in get_file_params_count{,_resume}
     (CVE-2017-9469) (Closes: #864400)
Checksums-Sha1: 
 ee91c41113c7491f34284d1b401dad40251ae347 2093 irssi_1.0.2-1+deb9u1.dsc
 37d2e6bd58554204d142acbeff67d9aea70d7305 1027912 irssi_1.0.2.orig.tar.xz
 af02e99f1622fd7e5beea72d4176e8f80d5850cd 20168 irssi_1.0.2-1+deb9u1.debian.tar.xz
Checksums-Sha256: 
 05f42c0787592660a27ce15e3bdf0b419327e11a0a2d5bb2cac7d43c7ff00fca 2093 irssi_1.0.2-1+deb9u1.dsc
 5c1c3cc2caf103aad073fadeb000e0f8cb3b416833a7f43ceb8bd9fcf275fbe9 1027912 irssi_1.0.2.orig.tar.xz
 866aa2c098a5e4b7e6dde821447ea6fcb86ccd12e249ad5b0a3569e77ed27a1b 20168 irssi_1.0.2-1+deb9u1.debian.tar.xz
Files: 
 b1bb12c8dd0ad9b5bccfe2b7e3fbeff6 2093 net optional irssi_1.0.2-1+deb9u1.dsc
 6de949527c07f0930f0c6c95a8d8b99a 1027912 net optional irssi_1.0.2.orig.tar.xz
 097eca72020c6fcdd212d6c95440cda9 20168 net optional irssi_1.0.2-1+deb9u1.debian.tar.xz





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 24 Jun 2017 21:21:21 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 24 Jun 2017 21:21:21 GMT) (full text, mbox, link).


Message #20 received at 864400-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 864400-close@bugs.debian.org
Subject: Bug#864400: fixed in irssi 0.8.17-1+deb8u4
Date: Sat, 24 Jun 2017 21:18:21 +0000
Source: irssi
Source-Version: 0.8.17-1+deb8u4

We believe that the bug you reported is fixed in the latest version of
irssi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864400@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated irssi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 17 Jun 2017 15:13:05 +0200
Source: irssi
Binary: irssi irssi-dbg irssi-dev
Architecture: source
Version: 0.8.17-1+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Rhonda D'Vine <rhonda@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 864400
Description: 
 irssi      - terminal based IRC client
 irssi-dbg  - terminal based IRC client (debugging symbols)
 irssi-dev  - terminal based IRC client - development files
Changes:
 irssi (0.8.17-1+deb8u4) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix dcc_request where addr is NULL (CVE-2017-9468) (Closes: #864400)
   * Fix oob read of one byte in get_file_params_count{,_resume}
     (CVE-2017-9469) (Closes: #864400)
Checksums-Sha1: 
 72097f2a00b72f26a57778885f1300c826ee5799 2151 irssi_0.8.17-1+deb8u4.dsc
 69091fdedd800e34e98475e4bfb6d2340c3e88d7 24255 irssi_0.8.17-1+deb8u4.diff.gz
Checksums-Sha256: 
 05862e55cf35e9fc1c1751de60c7af20836ee504699d092dfee10c6c75813524 2151 irssi_0.8.17-1+deb8u4.dsc
 80bb9e97b6208f7df1bc79b9e7356731b159d95e0c72899d6ec98a0769c904c2 24255 irssi_0.8.17-1+deb8u4.diff.gz
Files: 
 3ceb3714ba0e414e39b4f62d91946fcf 2151 net optional irssi_0.8.17-1+deb8u4.dsc
 4cbc25dc50ad7c20717fb292bc4eb4e6 24255 net optional irssi_0.8.17-1+deb8u4.diff.gz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 11 Aug 2017 07:24:43 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:27:15 2019; Machine Name: beach
