| Summary: | irssi new security issues fixed upstream in 0.8.21 (CVE-2017-519[3-6], CVE-2017-5356) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | brtians1, herman.viaene, jani.valimaa, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://lwn.net/Vulnerabilities/711189/ | | |
| Whiteboard: | MGA5-32-OK mga5-64-ok advisory | | |
| Source RPM: | irssi-0.8.20-2.mga6.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2017-01-05 17:05:54 CET
David Walser
2017-01-05 17:06:02 CET
Whiteboard: (none) => MGA5TOO

CVE-2017-519[3-6] assigned:
http://openwall.com/lists/oss-security/2017/01/06/1

Summary: irssi new security issues fixed upstream in 0.8.21 => irssi new security issues fixed upstream in 0.8.21 (CVE-2017-519[3-6])

Pushed irssi 0.8.21 to core/updates_testing for mga5 and will request a freeze push for cauldron.

CC: (none) => jani.valimaa

Advisory:

========================

Updated irssi packages fix security vulnerability:

In irssi before 0.8.21, a NULL pointer dereference in the nickcmp function (CVE-2017-5193).

In irssi before 0.8.21, use after free when receiving invalid nick message (CVE-2017-5194).

In irssi before 0.8.21, out of bounds read in certain incomplete control codes (CVE-2017-5195).

In irssi before 0.8.21, out of bounds read in certain incomplete character sequences (CVE-2017-5196).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196
https://irssi.org/security/irssi_sa_2017_01.txt
https://irssi.org/2017/01/05/irssi-0.8.21-released/

========================

Updated packages in core/updates_testing:

========================

irssi-0.8.21-1.mga5
irssi-devel-0.8.21-1.mga5
irssi-perl-0.8.21-1.mga5

from irssi-0.8.21-1.mga5.src.rpm

Version: Cauldron => 5

openSUSE has issued an advisory for this on January 9:
https://lists.opensuse.org/opensuse-updates/2017-01/msg00058.html

URL: (none) => https://lwn.net/Vulnerabilities/711189/

MGA5-32 on Acer D620 Xfce
No installation issues
Found https://quadpoint.org/articles/irssi that got me to connect to irc.freenode.org and join #mageia-qa

CC: (none) => herman.viaene

$ uname -a
Linux localhost 4.4.39-server-1.mga5 #1 SMP Fri Dec 16 19:07:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
The following 2 packages are going to be installed:
- irssi-0.8.21-1.mga5.x86_64
- irssi-perl-0.8.21-1.mga5.x86_64
2.4MB of additional disk space will be used.
followed Herman's link above
8:14 -!- Irssi: #mageia: Total of 76 nicks [1 ops, 0 halfops, 0 voices, 75
normal]
08:14 -!- Channel #mageia created Fri Sep 17 11:32:10 2010
08:14 -!- Irssi: Join to #mageia was synced in 6 secs
08:15 < brian__> hi all - can you read my IM? from irssi
08:15 < marja> brian__: I can read you
08:15 < brian__> thank you marja
08:16 < marja> brian__: so you got irssi to work, and you're in #mageia
08:16 < brian__> yup
08:16 < brian__> hurray!
08:16 < marja> brian__: congrats
[08:17] [brian__(+i)] [2:freenode/#mageia(+cn)] [Act: 1]
[#mageia]

CC: (none) => brtians1

Brian Rockwell
2017-01-12 17:12:29 CET
Keywords: (none) => validated_update

CVE-2017-5356 assigned for another issue fixed here:
http://openwall.com/lists/oss-security/2017/01/13/2

Advisory:

========================

Updated irssi packages fix security vulnerability:

In irssi before 0.8.21, a NULL pointer dereference in the nickcmp function (CVE-2017-5193).

In irssi before 0.8.21, use after free when receiving invalid nick message (CVE-2017-5194).

In irssi before 0.8.21, out of bounds read in certain incomplete control codes (CVE-2017-5195).

In irssi before 0.8.21, out of bounds read in certain incomplete character sequences (CVE-2017-5196).

In irssi before 0.8.21, out of bounds read when printing certain values (CVE-2017-5356).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5356
https://irssi.org/security/irssi_sa_2017_01.txt
https://irssi.org/2017/01/05/irssi-0.8.21-released/
http://openwall.com/lists/oss-security/2017/01/13/2

Summary: irssi new security issues fixed upstream in 0.8.21 (CVE-2017-519[3-6]) => irssi new security issues fixed upstream in 0.8.21 (CVE-2017-519[3-6], CVE-2017-5356)

Advisory uploaded from Comments 3 (SRPM) and 7 (the rest).

CC: (none) => lewyssmith

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0018.html

Status: NEW => RESOLVED

(In reply to David Walser from comment #7)
> CVE-2017-5356 assigned for another issue fixed here:
> http://openwall.com/lists/oss-security/2017/01/13/2

LWN reference:
https://lwn.net/Vulnerabilities/711781/