irssi: CVE-2017-10965 CVE-2017-10966

Related Vulnerabilities: CVE-2017-10965   CVE-2017-10966  

Debian Bug report logs - #867598

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 7 Jul 2017 17:15:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version irssi/0.8.17-1

Fixed in versions irssi/1.0.4-1, irssi/1.0.2-1+deb9u2

Done: Rhonda D'Vine <rhonda@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rhonda D'Vine <rhonda@debian.org>:
Bug#867598; Package src:irssi. (Fri, 07 Jul 2017 17:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rhonda D'Vine <rhonda@debian.org>. (Fri, 07 Jul 2017 17:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: irssi: CVE-2017-10965 CVE-2017-10966
Date: Fri, 07 Jul 2017 19:12:32 +0200
Source: irssi
Version: 0.8.17-1
Severity: important
Tags: upstream patch security fixed-upstream

Hi,

the following vulnerabilities were published for irssi.

CVE-2017-10965[0]:
| An issue was discovered in Irssi before 1.0.4. When receiving messages
| with invalid time stamps, Irssi would try to dereference a NULL
| pointer.

CVE-2017-10966[1]:
| An issue was discovered in Irssi before 1.0.4. While updating the
| internal nick list, Irssi could incorrectly use the GHashTable
| interface and free the nick while updating it. This would then result
| in use-after-free conditions on each access of the hash table.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10965
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10965
[1] https://security-tracker.debian.org/tracker/CVE-2017-10966
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10966
[2] https://irssi.org/security/irssi_sa_2017_07.txt
[3] https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206384d291

Regards,
Salvatore



Reply sent to Rhonda D'Vine <rhonda@debian.org>:
You have taken responsibility. (Wed, 12 Jul 2017 06:39:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 12 Jul 2017 06:39:03 GMT)


Message #10 received at 867598-close@bugs.debian.org:

From: Rhonda D'Vine <rhonda@debian.org>
To: 867598-close@bugs.debian.org
Subject: Bug#867598: fixed in irssi 1.0.4-1
Date: Wed, 12 Jul 2017 06:35:06 +0000
Source: irssi
Source-Version: 1.0.4-1

We believe that the bug you reported is fixed in the latest version of
irssi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867598@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rhonda D'Vine <rhonda@debian.org> (supplier of updated irssi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 11 Jul 2017 07:17:19 +0200
Source: irssi
Binary: irssi irssi-dev
Architecture: source amd64
Version: 1.0.4-1
Distribution: unstable
Urgency: high
Maintainer: Rhonda D'Vine <rhonda@debian.org>
Changed-By: Rhonda D'Vine <rhonda@debian.org>
Description:
 irssi      - terminal based IRC client
 irssi-dev  - terminal based IRC client - development files
Closes: 867598
Changes:
 irssi (1.0.4-1) unstable; urgency=high
 .
   * New upstream bugfix release (closes: #867598):
     - Fix null pointer dereference when parsing invalid timestamp.
       Reported by Brian 'geeknik' Carpenter. [CVE-2017-10965]
     - Fix use-after-free condition when removing nicks from the internal
       nicklist. Reported by Brian 'geeknik' Carpenter. [CVE-2017-10966]
     - Fix incorrect string comparison in DCC file names.
     - Fix regression in Irssi 1.0.3 where it would claim "Invalid time '-1'".
     - Fix a bug when using \n to separate lines with expand_escapes.
     - Retain screen output on improper exit, to better see any error
       messages.
     - Minor help update.




Reply sent to Rhonda D'Vine <rhonda@debian.org>:
You have taken responsibility. (Sun, 06 Aug 2017 12:33:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 06 Aug 2017 12:33:19 GMT)


Message #15 received at 867598-close@bugs.debian.org:

From: Rhonda D'Vine <rhonda@debian.org>
To: 867598-close@bugs.debian.org
Subject: Bug#867598: fixed in irssi 1.0.2-1+deb9u2
Date: Sun, 06 Aug 2017 12:32:10 +0000
Source: irssi
Source-Version: 1.0.2-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
irssi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867598@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rhonda D'Vine <rhonda@debian.org> (supplier of updated irssi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 03 Aug 2017 15:59:51 -0400
Source: irssi
Binary: irssi irssi-dev
Architecture: source amd64
Version: 1.0.2-1+deb9u2
Distribution: stretch
Urgency: high
Maintainer: Rhonda D'Vine <rhonda@debian.org>
Changed-By: Rhonda D'Vine <rhonda@debian.org>
Description:
 irssi      - terminal based IRC client
 irssi-dev  - terminal based IRC client - development files
Closes: 867598
Changes:
 irssi (1.0.2-1+deb9u2) stretch; urgency=high
 .
   * Security related update pulling upstream 5e26325317 (closes: 867598):
     - Fix null pointer dereference (CVE-2017-10965)
     - Fix use-after-free condition for nicklist (CVE-2017-10966)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Sep 2017 07:33:29 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:02:00 2019; Machine Name: buxtehude
