
irssi: security bump to version 1.0.6

Message ID 20180107210318.15006-1-peter@korsgaard.com
State Accepted

Commit Message

Peter Korsgaard Jan. 7, 2018, 9:03 p.m. UTC
From the advisory (https://irssi.org/security/irssi_sa_2018_01.txt):

Multiple vulnerabilities have been located in Irssi.

(a) When the channel topic is set without specifying a sender, Irssi
    may dereference NULL pointer. Found by Joseph Bisch. (CWE-476)

    CVE-2018-5206 was assigned to this issue.

(b) When using incomplete escape codes, Irssi may access data beyond
    the end of the string. (CWE-126) Found by Joseph Bisch.

    CVE-2018-5205 was assigned to this issue.

(c) A calculation error in the completion code could cause a heap
    buffer overflow when completing certain strings. (CWE-126) Found
    by Joseph Bisch.

    CVE-2018-5208 was assigned to this issue.

(d) When using an incomplete variable argument, Irssi may access data
    beyond the end of the string. (CWE-126) Found by Joseph Bisch.

    CVE-2018-5207 was assigned to this issue.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/irssi/irssi.hash | 2 +-
 package/irssi/irssi.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Thomas Petazzoni Jan. 7, 2018, 10:47 p.m. UTC | #1
Hello,

On Sun,  7 Jan 2018 22:03:18 +0100, Peter Korsgaard wrote:
> From the advisory (https://irssi.org/security/irssi_sa_2018_01.txt):
> 
> Multiple vulnerabilities have been located in Irssi.
> 
> (a) When the channel topic is set without specifying a sender, Irssi
>     may dereference NULL pointer. Found by Joseph Bisch. (CWE-476)
> 
>     CVE-2018-5206 was assigned to this issue.
> 
> (b) When using incomplete escape codes, Irssi may access data beyond
>     the end of the string. (CWE-126) Found by Joseph Bisch.
> 
>     CVE-2018-5205 was assigned to this issue.
> 
> (c) A calculation error in the completion code could cause a heap
>     buffer overflow when completing certain strings. (CWE-126) Found
>     by Joseph Bisch.
> 
>     CVE-2018-5208 was assigned to this issue.
> 
> (d) When using an incomplete variable argument, Irssi may access data
>     beyond the end of the string. (CWE-126) Found by Joseph Bisch.
> 
>     CVE-2018-5207 was assigned to this issue.
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/irssi/irssi.hash | 2 +-
>  package/irssi/irssi.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Applied to master, thanks.

Thomas

Peter Korsgaard Jan. 8, 2018, 9:54 p.m. UTC | #2
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > From the advisory (https://irssi.org/security/irssi_sa_2018_01.txt):
 > Multiple vulnerabilities have been located in Irssi.

 > (a) When the channel topic is set without specifying a sender, Irssi
 >     may dereference NULL pointer. Found by Joseph Bisch. (CWE-476)

 >     CVE-2018-5206 was assigned to this issue.

 > (b) When using incomplete escape codes, Irssi may access data beyond
 >     the end of the string. (CWE-126) Found by Joseph Bisch.

 >     CVE-2018-5205 was assigned to this issue.

 > (c) A calculation error in the completion code could cause a heap
 >     buffer overflow when completing certain strings. (CWE-126) Found
 >     by Joseph Bisch.

 >     CVE-2018-5208 was assigned to this issue.

 > (d) When using an incomplete variable argument, Irssi may access data
 >     beyond the end of the string. (CWE-126) Found by Joseph Bisch.

 >     CVE-2018-5207 was assigned to this issue.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2017.11.x, thanks.

Peter Korsgaard Jan. 30, 2018, 12:20 p.m. UTC | #3
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > From the advisory (https://irssi.org/security/irssi_sa_2018_01.txt):
 > Multiple vulnerabilities have been located in Irssi.

 > (a) When the channel topic is set without specifying a sender, Irssi
 >     may dereference NULL pointer. Found by Joseph Bisch. (CWE-476)

 >     CVE-2018-5206 was assigned to this issue.

 > (b) When using incomplete escape codes, Irssi may access data beyond
 >     the end of the string. (CWE-126) Found by Joseph Bisch.

 >     CVE-2018-5205 was assigned to this issue.

 > (c) A calculation error in the completion code could cause a heap
 >     buffer overflow when completing certain strings. (CWE-126) Found
 >     by Joseph Bisch.

 >     CVE-2018-5208 was assigned to this issue.

 > (d) When using an incomplete variable argument, Irssi may access data
 >     beyond the end of the string. (CWE-126) Found by Joseph Bisch.

 >     CVE-2018-5207 was assigned to this issue.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2017.02.x, thanks.

Patch

diff --git a/package/irssi/irssi.hash b/package/irssi/irssi.hash
index 0a6c3f614a..83dde00352 100644
--- a/package/irssi/irssi.hash
+++ b/package/irssi/irssi.hash
@@ -1,4 +1,4 @@ 
 # Locally calculated after checking pgp signature
-sha256	c2556427e12eb06cabfed40839ac6f57eb8b1aa6365fab6dfcd331b7a04bb914  irssi-1.0.5.tar.xz
+sha256	029e884f3ebf337f7266d8ed4e1a035ca56d9f85015d74c868b488f279de8585  irssi-1.0.6.tar.xz
 # Locally calculated
 sha256	a1a27cb2ecee8d5378fbb3562f577104a445d6d66fee89286e16758305e63e2b  COPYING
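Review bot: The comment above the updated sha256 line says the hash was calculated after checking the pgp signature, but it names neither the signature file nor the signing key, so the check cannot be repeated from this file alone. Consider extending that comment with the location of the detached signature and the fingerprint of the key used for irssi-1.0.6.tar.xz. The COPYING hash is left unchanged, which is correct only if the license file is byte-identical in 1.0.6.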
diff --git a/package/irssi/irssi.mk b/package/irssi/irssi.mk
index f9450783bc..d49b5d7e46 100644
--- a/package/irssi/irssi.mk
+++ b/package/irssi/irssi.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-IRSSI_VERSION = 1.0.5
+IRSSI_VERSION = 1.0.6
 IRSSI_SOURCE = irssi-$(IRSSI_VERSION).tar.xz
 # Do not use the github helper here. The generated tarball is *NOT* the
 # same as the one uploaded by upstream for the release.
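Review bot: IRSSI_SOURCE expands to irssi-1.0.6.tar.xz after this bump, which matches the new entry in irssi.hash, but the download site variable sits outside the visible context. Since the comment below IRSSI_SOURCE warns that the GitHub-generated tarball is not the same as the upstream release upload, confirm that the download location still serves the upstream 1.0.6 tarball so the hash check passes on a clean build.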