From patchwork Sun Jan 7 21:03:18 2018
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 856619
From: Peter Korsgaard
To: buildroot@buildroot.org
Date: Sun, 7 Jan 2018 22:03:18 +0100
Message-Id: <20180107210318.15006-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH] irssi: security bump to version 1.0.6
Cc: Rodrigo Rebello

From the advisory (https://irssi.org/security/irssi_sa_2018_01.txt):

Multiple vulnerabilities have been located in Irssi.

(a) When the channel topic is set without specifying a sender, Irssi
    may dereference NULL pointer. Found by Joseph Bisch. (CWE-476)

    CVE-2018-5206 was assigned to this issue.

(b) When using incomplete escape codes, Irssi may access data beyond
    the end of the string. (CWE-126) Found by Joseph Bisch.

    CVE-2018-5205 was assigned to this issue.

(c) A calculation error in the completion code could cause a heap
    buffer overflow when completing certain strings. (CWE-126) Found
    by Joseph Bisch.

    CVE-2018-5208 was assigned to this issue.

(d) When using an incomplete variable argument, Irssi may access data
    beyond the end of the string. (CWE-126) Found by Joseph Bisch.

    CVE-2018-5207 was assigned to this issue.

Signed-off-by: Peter Korsgaard
--- package/irssi/irssi.hash | 2 +- package/irssi/irssi.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/irssi/irssi.hash b/package/irssi/irssi.hash index 0a6c3f614a..83dde00352 100644
--- a/package/irssi/irssi.hash +++ b/package/irssi/irssi.hash @@ -1,4 +1,4 @@ # Locally calculated after checking pgp signature -sha256 c2556427e12eb06cabfed40839ac6f57eb8b1aa6365fab6dfcd331b7a04bb914 irssi-1.0.5.tar.xz +sha256 029e884f3ebf337f7266d8ed4e1a035ca56d9f85015d74c868b488f279de8585 irssi-1.0.6.tar.xz # Locally calculated sha256 a1a27cb2ecee8d5378fbb3562f577104a445d6d66fee89286e16758305e63e2b COPYING diff --git a/package/irssi/irssi.mk b/package/irssi/irssi.mk index f9450783bc..d49b5d7e46 100644 --- a/package/irssi/irssi.mk +++ b/package/irssi/irssi.mk @@ -4,7 +4,7 @@ # ################################################################################ -IRSSI_VERSION = 1.0.5 +IRSSI_VERSION = 1.0.6 IRSSI_SOURCE = irssi-$(IRSSI_VERSION).tar.xz # Do not use the github helper here. The generated tarball is *NOT* the # same as the one uploaded by upstream for the release.
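
Review bot: In the package/irssi/irssi.hash hunk, the context comment "# Locally calculated after checking pgp signature" is carried over unchanged above the new irssi-1.0.6.tar.xz hash, but the commit message does not say the signature was checked again for this tarball. That comment is the only record of how the sha256 was established, so please confirm in the commit message that the 1.0.6 release signature was verified before the hash was computed, ideally naming the signature file that was checked.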
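
Review bot: In the package/irssi/irssi.mk hunk only the IRSSI_VERSION line changes, and the commit message lists the four CVEs but does not say whether 1.0.6 differs from 1.0.5 in anything else that affects the package. A sentence stating that no other changes to irssi.mk are needed for 1.0.6 would let a reviewer, and anyone backporting this security bump, take the one-line change at face value. The unchanged COPYING hash in the other file indicates the licence text is the same; saying so explicitly would complete the picture.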