irssi: CVE-2017-5193 CVE-2017-5194 CVE-2017-5195 CVE-2017-5196

Related Vulnerabilities: CVE-2017-5193   CVE-2017-5194   CVE-2017-5195   CVE-2017-5196  

Debian Bug report logs - #850403

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 6 Jan 2017 06:33:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version irssi/0.8.17-1

Fixed in versions irssi/0.8.21-1, irssi/0.8.17-1+deb8u3

Done: Rhonda D'Vine <rhonda@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rhonda D'Vine <rhonda@debian.org>:
Bug#850403; Package src:irssi. (Fri, 06 Jan 2017 06:33:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rhonda D'Vine <rhonda@debian.org>. (Fri, 06 Jan 2017 06:33:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: irssi: multiple vulnerabilities
Date: Fri, 06 Jan 2017 07:31:57 +0100
Source: irssi
Version: 0.8.17-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi

(I know you are perfectly aware of it, just to have a reference in the
BTS)

Multiple vulnerabilities have been fixed in irssi. Details in

http://www.openwall.com/lists/oss-security/2017/01/05/2 (no CVEs yet
assigned),
https://irssi.org/security/irssi_sa_2017_01.txt
https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d

As previously mentioned by Moritz, those though do not warrant a DSA,
but might be fixed via an upcoming point release (Preferably the next
one if possible, but timeframe is now tight).

Regards,
Salvatore



Changed Bug title to 'irssi: CVE-2017-5193 CVE-2017-5194 CVE-2017-5195 CVE-2017-5196' from 'irssi: multiple vulnerabilities'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 06 Jan 2017 09:15:08 GMT).


Reply sent to Rhonda D'Vine <rhonda@debian.org>:
You have taken responsibility. (Sat, 07 Jan 2017 12:51:09 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 07 Jan 2017 12:51:09 GMT).


Message #12 received at 850403-close@bugs.debian.org:

From: Rhonda D'Vine <rhonda@debian.org>
To: 850403-close@bugs.debian.org
Subject: Bug#850403: fixed in irssi 0.8.21-1
Date: Sat, 07 Jan 2017 12:48:50 +0000
Source: irssi
Source-Version: 0.8.21-1

We believe that the bug you reported is fixed in the latest version of
irssi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850403@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rhonda D'Vine <rhonda@debian.org> (supplier of updated irssi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 05 Jan 2017 10:26:08 +0100
Source: irssi
Binary: irssi irssi-dev
Architecture: source amd64
Version: 0.8.21-1
Distribution: unstable
Urgency: medium
Maintainer: Rhonda D'Vine <rhonda@debian.org>
Changed-By: Rhonda D'Vine <rhonda@debian.org>
Description:
 irssi      - terminal based IRC client
 irssi-dev  - terminal based IRC client - development files
Closes: 850403
Changes:
 irssi (0.8.21-1) unstable; urgency=medium
 .
   * New upstream security release (Closes: #850403):
     - CVE-2017-5193: NULL pointer dereference in the nickcmp function
     - CVE-2017-5194: Use-after-free when receiving invalid nick message
     - CVE-2017-5195: Out-of-bounds read in certain incomplete control codes
     - CVE-2017-5196: Out-of-bounds read in certain incomplete character
       sequences
   * Remove patch 23fix-buf.pl which is included in upstream release.
   * Set PACKAGE_VERSION for configure as suggested by upstream.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Rhonda D'Vine <rhonda@debian.org>:
You have taken responsibility. (Sat, 07 Jan 2017 21:36:05 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 07 Jan 2017 21:36:05 GMT).


Message #17 received at 850403-close@bugs.debian.org:

From: Rhonda D'Vine <rhonda@debian.org>
To: 850403-close@bugs.debian.org
Subject: Bug#850403: fixed in irssi 0.8.17-1+deb8u3
Date: Sat, 07 Jan 2017 21:32:08 +0000
Source: irssi
Source-Version: 0.8.17-1+deb8u3

We believe that the bug you reported is fixed in the latest version of
irssi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850403@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rhonda D'Vine <rhonda@debian.org> (supplier of updated irssi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 07 Jan 2017 15:54:02 +0100
Source: irssi
Binary: irssi irssi-dbg irssi-dev
Architecture: source amd64
Version: 0.8.17-1+deb8u3
Distribution: jessie
Urgency: low
Maintainer: Rhonda D'Vine <rhonda@debian.org>
Changed-By: Rhonda D'Vine <rhonda@debian.org>
Description:
 irssi      - terminal based IRC client
 irssi-dbg  - terminal based IRC client (debugging symbols)
 irssi-dev  - terminal based IRC client - development files
Closes: 850403
Changes:
 irssi (0.8.17-1+deb8u3) jessie; urgency=low
 .
   * New patch 24security-fixes pulled from upstream commit 6c6c42e3d1b4
     (besides the one issue in src/fe-text/term-terminfo.c which is 0.8.18
     onward only), closes: #850403:
     - CVE-2017-5193: NULL pointer dereference in the nickcmp function
     - CVE-2017-5194: Use-after-free when receiving invalid nick message
     - CVE-2017-5195: Out-of-bounds read in certain incomplete control codes
   * Set PACKAGE_VERSION for configure as suggested by upstream.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Feb 2017 07:25:23 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:45:03 2019; Machine Name: beach
