[Buildroot] [PATCH] irssi: security bump to version 1.0.2

Peter Korsgaard peter at korsgaard.com
Tue Mar 14 21:21:56 UTC 2017


>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni at free-electrons.com> writes:

 > Hello,
 > On Tue, 14 Mar 2017 16:00:39 +0100, Peter Korsgaard wrote:
 >> Fixes CWE-416 (use after free condition during netjoin processing). No CVE
 >> assigned yet:
 >> 
 >> https://irssi.org/security/irssi_sa_2017_03.txt
 >> 
 >> Notice that the 0.8.x series is not believed to be vulnerable to this
 >> specific issue. From the advisory:
 >> 
 >> Affected versions
 >> -----------------
 >> 
 >> Irssi up to and including 1.0.1
 >> 
 >> We believe Irssi 0.8.21 and prior are not affected since a different
 >> code path causes the netjoins to be flushed prior to reaching the use
 >> after free condition.

 > So why do you have "security bump" in the commit title? We're using
 > 0.8.21, which is not affected by the issue, so this is not a security
 > bump IMO, unless I missed something.

Well, it is both. 1.0.2 is a security fix for 1.0.1, but as we hadn't
moved to the 1.0.x series yet it isn't a pure security bump.

I saw the alert so I started working on the update, and only at the end
noticed that the issue didn't actually affect the 0.8.x series. I could
have structured it as 2 separate patches, a bump from 0.8.21 -> 1.0.1 +
a security bump to 1.0.2, but that seemed a bit silly to me.

I can reword the commit text if you have a good idea about how to
explain it?

-- 
Bye, Peter Korsgaard