[Buildroot] [PATCH] irssi: security bump to version 1.0.5
Peter Korsgaard
peter at korsgaard.com
Thu Oct 26 13:20:04 UTC 2017
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
> (a) When installing themes with unterminated colour formatting
> sequences, Irssi may access data beyond the end of the
> string. (CWE-126) Found by Hanno Böck.
> CVE-2017-15228 was assigned to this issue.
> (b) While waiting for the channel synchronisation, Irssi may
> incorrectly fail to remove destroyed channels from the query list,
> resulting in use after free conditions when updating the state
> later on. Found by Joseph Bisch. (CWE-416 caused by CWE-672)
> CVE-2017-15227 was assigned to this issue.
> (c) Certain incorrectly formatted DCC CTCP messages could cause NULL
> pointer dereference. Found by Joseph Bisch. This is a separate,
> but similar issue to CVE-2017-9468. (CWE-690)
> CVE-2017-15721 was assigned to this issue.
> (d) Overlong nicks or targets may result in a NULL pointer dereference
> while splitting the message. Found by Joseph Bisch. (CWE-690)
> CVE-2017-15723 was assigned to this issue.
> (e) In certain cases Irssi may fail to verify that a Safe channel ID
> is long enough, causing reads beyond the end of the string. Found
> by Joseph Bisch. (CWE-126)
> CVE-2017-15722 was assigned to this issue.
> For more details, see the advisory:
> https://irssi.org/security/irssi_sa_2017_10.txt
> While we're at it, also add a hash for the license file.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2017.08.x, thanks.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list