[Buildroot] [PATCH] irssi: security bump to version 1.0.5

Peter Korsgaard peter at korsgaard.com
Thu Oct 26 13:20:04 UTC 2017


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > (a) When installing themes with unterminated colour formatting
 >     sequences, Irssi may access data beyond the end of the
 >     string. (CWE-126) Found by Hanno Böck.

 >     CVE-2017-15228 was assigned to this issue.

 > (b) While waiting for the channel synchronisation, Irssi may
 >     incorrectly fail to remove destroyed channels from the query list,
 >     resulting in use after free conditions when updating the state
 >     later on. Found by Joseph Bisch. (CWE-416 caused by CWE-672)

 >     CVE-2017-15227 was assigned to this issue.

 > (c) Certain incorrectly formatted DCC CTCP messages could cause NULL
 >     pointer dereference. Found by Joseph Bisch. This is a separate,
 >     but similar issue to CVE-2017-9468. (CWE-690)

 >     CVE-2017-15721 was assigned to this issue.

 > (d) Overlong nicks or targets may result in a NULL pointer dereference
 >     while splitting the message. Found by Joseph Bisch. (CWE-690)

 >     CVE-2017-15723 was assigned to this issue.

 > (e) In certain cases Irssi may fail to verify that a Safe channel ID
 >     is long enough, causing reads beyond the end of the string. Found
 >     by Joseph Bisch. (CWE-126)

 >     CVE-2017-15722 was assigned to this issue.

 > For more details, see the advisory:
 > https://irssi.org/security/irssi_sa_2017_10.txt

 > While we're at it, also add a hash for the license file.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2017.08.x, thanks.

-- 
Bye, Peter Korsgaard
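
Added example, not part of the original message and not Irssi's own code: items (a) and (e) above are both reads past the end of a string (CWE-126), and the C below shows the terminator checks that close that class of bug. It assumes the RFC 2811 safe channel layout ("!" followed by a 5-character ID) and a simplified two-byte "%x" colour code; both function names are hypothetical.

```c
#include <stddef.h>

#define SAFE_ID_LEN 5  /* RFC 2811: "!" is followed by a 5-character channel ID */

/* Short name of a safe channel ("!" + ID + name), or NULL if the string
 * ends before the ID is complete. The unchecked form,
 * `return chan + 1 + SAFE_ID_LEN;`, points past the NUL for "!AB". */
const char *safe_channel_short_name(const char *chan)
{
    size_t i;

    if (chan == NULL || chan[0] != '!')
        return NULL;
    for (i = 1; i <= SAFE_ID_LEN; i++)
        if (chan[i] == '\0')
            return NULL;        /* ID truncated: stop at the terminator */
    return chan + 1 + SAFE_ID_LEN;
}

/* Copy `in` to `out` without two-byte "%x" colour codes ("%%" is a literal
 * '%'). Returns the output length, or -1 for an unterminated trailing '%'
 * or a too-small buffer (`out` is unspecified on error). The unchecked form
 * does `in += 2` on every '%' and steps over the NUL when '%' is last. */
int strip_colour_codes(const char *in, char *out, size_t outsz)
{
    size_t n = 0;

    if (in == NULL || out == NULL || outsz == 0)
        return -1;
    while (*in != '\0') {
        if (*in == '%') {
            if (in[1] == '\0')
                return -1;      /* unterminated sequence: reject */
            if (in[1] != '%') { /* colour code: skip both bytes */
                in += 2;
                continue;
            }
            in++;               /* "%%": fall through, copy one '%' */
        }
        if (n + 1 >= outsz)
            return -1;          /* no room for this byte plus the NUL */
        out[n++] = *in++;
    }
    out[n] = '\0';
    return (int)n;
}
```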

