[Buildroot] [PATCH] irssi: security bump to version 1.0.2
Peter Korsgaard
peter at korsgaard.com
Tue Mar 14 21:21:56 UTC 2017
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni at free-electrons.com> writes:
> Hello,
> On Tue, 14 Mar 2017 16:00:39 +0100, Peter Korsgaard wrote:
>> Fixes CWE-416 (use after free condition during netjoin processing). No CVE
>> assigned yet:
>>
>> https://irssi.org/security/irssi_sa_2017_03.txt
>>
>> Notice that the 0.8.x series is not believed to be vulnerable to this
>> specific issue. From the advisory:
>>
>> Affected versions
>> -----------------
>>
>> Irssi up to and including 1.0.1
>>
>> We believe Irssi 0.8.21 and prior are not affected since a different
>> code path causes the netjoins to be flushed prior to reaching the use
>> after free condition.
> So why do you have "security bump" in the commit title? We're using
> 0.8.21, which is not affected by the issue, so this is not a security
> bump IMO, unless I missed something.
Well, it is both. 1.0.2 is a security fix for 1.0.1, but as we hadn't
moved to the 1.0.x series yet it isn't a pure security bump.
I saw the alert so I started working on the update, and only at the end
noticed that the issue didn't actually affect the 0.8.x series. I could
have structured it as 2 separate patches, a bump from 0.8.21 -> 1.0.1 +
a security bump to 1.0.2, but that seemed a bit silly to me.
I can reword the commit text if you have a good idea about how to
explain it?
--
Bye, Peter Korsgaard