Debian Bug report logs -
#838762
irssi: CVE-2016-7553: information disclosure vulnerability in buf.pl
Reported by: Holger Levsen <holger@layer-acht.org>
Date: Sat, 24 Sep 2016 13:27:05 UTC
Severity: important
Tags: patch, security, upstream
Found in versions irssi/0.8.15-5, irssi/0.8.20-1
Fixed in version 0.8.20-2
Done: Rhonda D'Vine <rhonda@deb.at>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rhonda D'Vine <rhonda@debian.org>:
Bug#838762; Package irssi.
(Sat, 24 Sep 2016 13:27:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rhonda D'Vine <rhonda@debian.org>.
(Sat, 24 Sep 2016 13:27:08 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: irssi
Version: 0.8.20
Severity: important
Tags: security patch upstream
Hi,
as discussed on irc, it seems irssi in Debian is still affected by
https://irssi.org/2016/09/22/buf.pl-update/
To quote from there:
---beginn---
buf.pl update available
Posted on September 22nd 2016
An information disclosure vulnerability was found, reported and fixed in the buf.pl script by its author.
CWE Classification: CWE-732, CWE-538
Impact
Other users on the same machine may be able to retrieve the whole window contents after /UPGRADE when the buf.pl script is loaded. Furthermore, this dump of the windows contents is never removed afterwards.
Since buf.pl is also an Irssi core script and we recommended its use to retain your window content, many people could potentially be affected by this.
Remote users may be able to retrieve these contents when combined with other path traversal vulnerabilities in public facing services on that machine.
Detailed analysis
buf.pl restores the scrollbuffer between “/upgrade”s by writing the contents to a file, and reading that after the new process was spawned. Through that file, the contents of (private) chat conversations may leak to other users.
Mitigating facts
Careful users with a limited umask (e.g. 077) are not affected by this bug. However, most Linux systems default to a umask of 022, meaning that files written without further restricting the permissions, are readable by any user.
Affected versions
All up to 2.13
Fixed versions
buf.pl 2.20
Resolution
Update the buf.pl script with the latest version from scripts.irssi.org.
---end---
Thanks for maintaining irssi!
--
cheers,
Holger
[signature.asc (application/pgp-signature, inline)]
Changed Bug title to 'irssi: information disclosure vulnerability in buf.pl (CWE-732, CWE-538)' from 'irssi: information disclosure vulnerabilit in buf.pl (CWE-732, CWE-538)'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 24 Sep 2016 13:39:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Rhonda D'Vine <rhonda@debian.org>:
Bug#838762; Package irssi.
(Sat, 24 Sep 2016 13:51:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Rhonda D'Vine <rhonda@debian.org>.
(Sat, 24 Sep 2016 13:51:02 GMT) (full text, mbox, link).
Message #12 received at 838762@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
this issue also seems to be known as https://security-tracker.debian.org/tracker/TEMP-0838762-63158A
--
cheers,
Holger
[signature.asc (application/pgp-signature, inline)]
No longer marked as found in versions 0.8.20.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 24 Sep 2016 13:57:02 GMT) (full text, mbox, link).
Marked as found in versions irssi/0.8.20-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 24 Sep 2016 13:57:03 GMT) (full text, mbox, link).
Reply sent
to Holger Levsen <holger@layer-acht.org>:
You have taken responsibility.
(Sat, 24 Sep 2016 16:57:03 GMT) (full text, mbox, link).
Notification sent
to Holger Levsen <holger@layer-acht.org>:
Bug acknowledged by developer.
(Sat, 24 Sep 2016 16:57:03 GMT) (full text, mbox, link).
Message #21 received at 838762-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
version: 0.8.20-2
thanks
On Sat, Sep 24, 2016 at 04:43:52PM +0000, Rhonda D'Vine wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Format: 1.8
> Date: Sat, 24 Sep 2016 16:10:19 +0200
> Source: irssi
> Binary: irssi irssi-dev
> Architecture: source amd64
> Version: 0.8.20-2
> Distribution: unstable
> Urgency: high
> Maintainer: Rhonda D'Vine <rhonda@debian.org>
> Changed-By: Rhonda D'Vine <rhonda@debian.org>
> Description:
> irssi - terminal based IRC client
> irssi-dev - terminal based IRC client - development files
> Changes:
> irssi (0.8.20-2) unstable; urgency=high
> .
> * New patch 23fix-buf.pl to fix an information exposure issue involved with
> using buf.pl and /upgrade.
> Checksums-Sha1:
> def03f586553e19592a5bfe7a0cadb4543a0feb1 1903 irssi_0.8.20-2.dsc
> 8372c1a9efb370cb6521f8bb76c38920286fbcc2 19808 irssi_0.8.20-2.debian.tar.xz
> 5836793d1294143019ba8457dd3277d1120bcb37 2926256 irssi-dbgsym_0.8.20-2_amd64.deb
> 685cbb6597ede7775a2e54e518059a9f26952780 423014 irssi-dev_0.8.20-2_amd64.deb
> ab976cdf6c35fb1324eeb6a6d4214878d86abc2c 1038988 irssi_0.8.20-2_amd64.deb
> Checksums-Sha256:
> 52b348a2c581b089f6d7aeeada9fb3a17e5921aa2711393c4471ec7547dc5c72 1903 irssi_0.8.20-2.dsc
> 656ac9fc1d04e68359fdb6d698fbab21b00ec85e4285fc5310904601d8dad474 19808 irssi_0.8.20-2.debian.tar.xz
> ea502f720f265862e4205e6d68a427dc9a469f2de1ac03d573bea786cbe881e0 2926256 irssi-dbgsym_0.8.20-2_amd64.deb
> 90785529dd1becf16c5b537ffff4632bdc0a9a0668ecba1b7b5727176650fadc 423014 irssi-dev_0.8.20-2_amd64.deb
> d161dab036c50f0f3f5b01b3ab7a887269b6fdcd149c00ad7b6f9f3756cc85f4 1038988 irssi_0.8.20-2_amd64.deb
> Files:
> c97743eabb40965e2c02cc188129bde6 1903 net optional irssi_0.8.20-2.dsc
> 71c2e999fbcbce3b8b8218ebfb652a0a 19808 net optional irssi_0.8.20-2.debian.tar.xz
> aef50ad6a29457171d16bdc66e85e0e7 2926256 debug extra irssi-dbgsym_0.8.20-2_amd64.deb
> e88f45a5a8519880519c476c9f597a29 423014 net extra irssi-dev_0.8.20-2_amd64.deb
> 256a120a310d0dc4b630e5e8cb936aa3 1038988 net optional irssi_0.8.20-2_amd64.deb
>
--
cheers,
Holger
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Rhonda D'Vine <rhonda@deb.at>:
You have taken responsibility.
(Sat, 24 Sep 2016 17:21:03 GMT) (full text, mbox, link).
Notification sent
to Holger Levsen <holger@layer-acht.org>:
Bug acknowledged by developer.
(Sat, 24 Sep 2016 17:21:03 GMT) (full text, mbox, link).
Message #26 received at 838762-done@bugs.debian.org (full text, mbox, reply):
Version: 0.8.20-2
Hi,
forgot to add the closes to the changelog:
* New patch 23fix-buf.pl to fix an information exposure issue involved
with using buf.pl and /upgrade.
Thanks,
Rhonda
--
Fühlst du dich mutlos, fass endlich Mut, los |
Fühlst du dich hilflos, geh raus und hilf, los | Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los |
Marked as found in versions irssi/0.8.15-5.
Request was from Rhonda D'Vine <rhonda@debian.org>
to control@bugs.debian.org.
(Sat, 24 Sep 2016 17:33:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Rhonda D'Vine <rhonda@debian.org>:
Bug#838762; Package irssi.
(Mon, 26 Sep 2016 05:51:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Rhonda D'Vine <rhonda@debian.org>.
(Mon, 26 Sep 2016 05:51:03 GMT) (full text, mbox, link).
Message #33 received at 838762@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 irssi: CVE-2016-7553: information disclosure vulnerability in buf.pl
This issue got assigend CVE-2016-7553 in
http://www.openwall.com/lists/oss-security/2016/09/26/4
Regards,
Salvatore
Changed Bug title to 'irssi: CVE-2016-7553: information disclosure vulnerability in buf.pl' from 'irssi: information disclosure vulnerability in buf.pl (CWE-732, CWE-538)'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 838762-submit@bugs.debian.org.
(Mon, 26 Sep 2016 05:51:03 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 28 Oct 2016 07:30:20 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:54:30 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon