Bug 21918

Updated packages uploaded for Mageia 5, Mageia 6, and Cauldron by Jani.

Advisory:
========================

Updated irssi packages fix security vulnerabilities:

While waiting for the channel synchronization, Irssi may incorrectly fail to
remove destroyed channels from the query list, resulting in use after free
conditions when updating the state later on (CVE-2017-15227).

When installing themes with unterminated color formatting sequences, Irssi may
access data beyond the end of the string. (CVE-2017-15228).

Certain incorrectly formatted DCC CTCP messages could cause NULL pointer
dereference (CVE-2017-15721).

In certain cases Irssi may fail to verify that a Safe channel ID is long
enough, causing reads beyond the end of the string (CVE-2017-15722).

Overlong nicks or targets may result in a NULL pointer dereference while
splitting the message (CVE-2017-15723).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15227
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15721
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15722
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15723
http://openwall.com/lists/oss-security/2017/10/22/4
========================

Updated packages in core/updates_testing:
========================
irssi-0.8.21-1.3.mga5
irssi-devel-0.8.21-1.3.mga5
irssi-perl-0.8.21-1.3.mga5
irssi-1.0.5-1.mga6
irssi-devel-1.0.5-1.mga6
irssi-perl-1.0.5-1.mga6

from SRPMS:
irssi-0.8.21-1.3.mga5.src.rpm
irssi-1.0.5-1.mga6.src.rpm

CC: (none) => cooker
Version: Cauldron => 6
Assignee: cooker => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Advisory reference...we can use the upstream URL instead of the openwall one:
https://irssi.org/security/irssi_sa_2017_10.txt

openSUSE has issued an advisory for this today (October 23):
https://lists.opensuse.org/opensuse-updates/2017-10/msg00082.html

mga6::x86_64

There does not seem to be any way to reproduce the issues connected with the CVEs.

Installed the three packages and used the commandline to invoke irssi, using the existing user configuration to connect to freenode.  Credentials passed automatically.  Joined #mageia-qa and left a short message.  Checked the /away command via /help, noting that it does not tell you how to get back.
/away -one  <message>
worked.  Experimented with commands like /reconnect and bogus commands like /unaway and /back.  Tried /away -one and that removed the away status OK.

It works fine.

CC: (none) => tarazed25

mga5::x86_64

Installed irssi-devel and that pulled in irssi and irssi-perl.
$ irssi

Connected to freenode courtesy of the config file in $HOME/.irssi.
/join #mageia-qa

Posted a message and lurked awhile.
/away -one
did not work.  Had to:
/away -one <message>
to see the Zzzz in the status bar.
/away -one 
to return to the chatroom.
/part
/quit
$

That is as far as I can push it.  It looks OK.

MGA5-32 on Asus A6000VM Xfce
No installation issues.
Tx to Lewis bug21199 Comment 10, I could connect to mageia-qa, post to it (no response received) and quit.
Seems to work OK

Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK
CC: (none) => herman.viaene

Got confirmation by e-mail from Marja that she saw my inputs. Tx.

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0393.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED